Comment # 1 on bug 952372 from 
To be more precise, the .sha256 files are no signatures to the .iso files
itself. The .sha256 files contain the SHA256 checksum and a GPG signature:

cat openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

44e8d887cb3739cdd0321a38e259630d20a71103fbef93aab1929d07f26ec55d 
/var/cache/obs/worker/root_2//usr/src/packages/KIWIROOT/main/openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQEVAwUBVh87tLiLL9Q9vcKEAQijEwf/c1pVwTJvzgL0x6Q+N0lLDn5EiO7GPamh
PmM9RR/L2u38f8nyDyyba5phz0pK6KSBuPNs48Ubt6wrBD2a8ojbxYp6zc9VgxX8
HhyJE9yO5VhNSbGHxbLqP2b68eXRBRytAJkPp6Z3bjWqEVLEaUggM0ZJ4X16nHH4
Y0ID2I/Za2gfwqaDYqxfZ244LwTUR2Ug/emYhTHLN9RVSwdtrXnBxxVUD/cyEEw8
YsGcnTMV+jRCXaTqGA2UjoeXeGIckfDGRruPGY2mHDPRQxNkV9BBtEFwwmejffNQ
ilOfUmqzhhdkQB6GRpoeNorXvt8a2JAolL7EEvbPb9Fk8x3SgnvGpg==
=F1f5
-----END PGP SIGNATURE-----

Manual signature checking is possible like this:

$ gpg2 --verify openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sha256
$ sha256sum openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso
$ cat openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sha256
(compare the checksums)

Anyway, the file ending .sha256 is not optimal. Manual checking is possible,
but automatic checking with "sha256sum" and "gpg2" isn't easy without shell
tricks. And the Web link is dead.

You are receiving this mail because: