Is this expected? Yes, this is expected; there is an embedded PGP signature in the .sha256 file which `shasum` does not recognise.
This can be used to verify that the .sha256 file did indeed come from openSUSE rather than some other malicious source.
A little more info about that would have been useful. I would expect a file called sha256, next to an ISO, to be the shasum of that ISO and nothing else. And where on that download page is the real shasum file? I had to go to the mirror page to find it.
It is the "real shasum file". It also just happens to have been signed by the PGP key and contain the signature. sha256sum will exit without an error, and the warnings are just advisory -- so scripts will also have no issue with it. It's actually _less safe_ to "just have a .sha256" because it will mean that you cannot be sure that your local mirror isn't replacing the ISOs with malware.

--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
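The behaviour discussed in this thread, as an added example that is not part of the original messages: it shows how GNU `sha256sum -c` treats a checksum file laid out like a clearsigned `.sha256`, and why the checksum line alone cannot detect a replaced ISO. The file names `demo.iso` and `demo.iso.sha256`, the helper function names and the signature block are constructed placeholders; the actual signature check (`gpg --verify` with the publisher's key imported) is not run here.

```shell
#!/bin/sh
# Constructed fixture: demo.iso plus a checksum file laid out like a
# clearsigned .sha256. The signature block is a placeholder, not a real one.
make_fixture() {    # $1 = working directory
    printf 'constructed ISO contents\n' > "$1/demo.iso"
    sum=$(cd "$1" && sha256sum demo.iso)
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA256'
        echo
        echo "$sum"
        echo '-----BEGIN PGP SIGNATURE-----'
        echo
        echo 'PLACEHOLDER+not+a+real+signature=='
        echo '-----END PGP SIGNATURE-----'
    } > "$1/demo.iso.sha256"
}

# Default mode: the armor lines only trigger a warning; exit status is 0
# as long as the one real checksum line matches.
check_default() { (cd "$1" && sha256sum -c demo.iso.sha256 >/dev/null 2>&1); }

# --strict (GNU coreutils) makes improperly formatted lines a failure.
check_strict() { (cd "$1" && sha256sum --strict -c demo.iso.sha256 >/dev/null 2>&1); }

# The thread's mirror scenario: ISO replaced and checksum line (line 4)
# regenerated to match. sha256sum never looks at the signature, so only
# `gpg --verify demo.iso.sha256` with the publisher's key would reject this.
swap_iso_and_sum() {
    printf 'replaced contents\n' > "$1/demo.iso"
    new=$(cd "$1" && sha256sum demo.iso)
    sed "4s|.*|$new|" "$1/demo.iso.sha256" > "$1/tmp" && mv "$1/tmp" "$1/demo.iso.sha256"
}

d=$(mktemp -d)
make_fixture "$d"
check_default "$d" && echo "default: exit 0 (warnings only)"
check_strict "$d"  || echo "--strict: non-zero exit"
swap_iso_and_sum "$d"
check_default "$d" && echo "after swap: still exit 0, checksum alone cannot detect it"
rm -rf "$d"
```

Running `gpg --verify` on the `.sha256` file before `sha256sum -c` is what ties the checksum line to the signer.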