Daniel Morris wrote:
On Mon, Nov 21, 2016 at 08:21:03PM +1100, Aleksa Sarai wrote:
Is this expected? Yes, this is expected: there is an embedded PGP signature in the .sha256 file which `shasum` does not recognise.
This can be used to verify that the .sha256 file did indeed come from openSUSE rather than some other malicious source.
A little more info about that would have been useful. I would expect a file called sha256, next to an ISO, to be the shasum of that ISO and nothing else. And where on that download page is the real shasum file? I had to go to the mirror page to find it.
It is the "real shasum file". It also just happens to have been signed by the PGP key and contain the signature. sha256sum will exit without an error, and the warnings are just advisory -- so scripts will also have no issue with it.
It's actually _less safe_ to "just have a .sha256" because it will mean that you cannot be sure that your local mirror isn't replacing the ISOs with malware.
That's all very reasonable and sensible, and I surmised exactly that last week when I pulled down a 42.2 iso, and first wondered if something had gone wrong causing the warning.
We could be a little more helpful. Rather than just advertising the feature in the "Verify your download before use" section of the download page, link to a simple line-by-line set of instructions describing the right way to confirm who signed the checksum?
I tried to improve the description, but meanwhile the code was developed further and the patch doesn't apply anymore. If some Ruby on Rails wizard is reading this, feel free to pick up and improve https://github.com/openSUSE/software-o-o/pull/52 :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.com/
       SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
       HRB 21284 (AG Nürnberg)
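The line-by-line check Daniel asks for, written out as an added example (it is not from the thread, the download page or the software-o-o project): first confirm who signed the .sha256 file, then check the ISO against the signed checksum line only. It assumes `gpg` and GNU coreutils `sha256sum` are installed; the function names and the ISO file name in the usage line are placeholders of mine, and the fingerprint printed by `gpg` still has to be compared by hand with the one openSUSE publishes.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a clearsigned .sha256 file.
# Assumes gpg and GNU coreutils sha256sum; file names below are placeholders.

# Keep only the "<64 hex digits>  <filename>" lines of a clearsigned checksum
# file, dropping the PGP header and signature lines that make `shasum -c`
# print its "improperly formatted" warnings.
extract_checksum_lines() {
    grep -E '^[0-9a-fA-F]{64}  ' "$1"
}

# Step 1: who signed the checksum file? gpg exits non-zero for a bad
# signature or an unknown key; the fingerprint it prints must match the
# one openSUSE publishes (deliberately not hardcoded here).
verify_signature() {
    gpg --verify "$1"
}

# Step 2: check the ISO (in the same directory as the .sha256 file) against
# the signed checksum line alone, so a mismatch is a hard error instead of a
# message buried between advisory warnings. --strict makes any leftover
# malformed line fail too.
verify_checksum() {
    sha256file=$1
    dir=$(dirname "$sha256file")
    extract_checksum_lines "$sha256file" | (cd "$dir" && sha256sum -c --strict -)
}

# Both steps: a download is trusted only if the signature AND the hash check out.
verify_download() {
    verify_signature "$1" && verify_checksum "$1"
}

# usage: verify_download openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
if [ -n "${1:-}" ]; then
    verify_download "$1"
fi
```

Running the checksum step on the filtered lines rather than on the raw .sha256 file is what turns the advisory warnings from the thread into a clean pass/fail, while the signature step is what protects against a mirror serving a replaced ISO with a matching, unsigned checksum.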