On Mon, Nov 21, 2016 at 08:21:03PM +1100, Aleksa Sarai wrote:
> > > > Is this expected?
> > >
> > > Yes, this is expected, there is an embedded PGP signature in the .sha256
> > > file which `shasum` does not recognise. This can be used to verify that
> > > the .sha256 file did indeed come from openSUSE rather than some other
> > > malicious source.
> >
> > A little more info about that would have been useful. I would expect a
> > file called sha256, next to an ISO, to be the shasum of that ISO and
> > nothing else. And where on that download page is the real shasum file?
> > I had to go to the mirror page to find it.
>
> It is the "real shasum file". It also just happens to have been signed by
> the PGP key and contain the signature. sha256sum will exit without an
> error, and the warnings are just advisory -- so scripts will also have no
> issue with it.
>
> It's actually _less safe_ to "just have a .sha256" because it will mean
> that you cannot be sure that your local mirror isn't replacing the ISOs
> with malware.
That's all very reasonable and sensible, and I surmised exactly that last
week when I pulled down a 42.2 iso, and first wondered if something had
gone wrong causing the warning.

We could be a little more helpful. Rather than just advertising the feature
in the "Verify your download before use" section of the download page, link
to a simple line-by-line set of instructions describing the right way to
confirm who signed the checksum? Lots of users are very intimidated by the
plethora of options with GPG and struggle to know where to start. Even for
a regular user looking to upgrade from an earlier version, 'gpg --verify
opensuse_foo.sha256' is likely to report that the openSUSE public key isn't
installed. Some will follow down the rabbit hole, others may just give
up/install another distro etc. If we want to encourage good security
practice then we're best making it as easy as possible to follow good
practice.

Daniel

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org