Comment # 6 on bug 1090647 from
Ticking off:

[x] media signed
[x] repository signed

Packages are signed:

rpm -K tree-1.7.0-lp150.1.8.x86_64.rpm -v
tree-1.7.0-lp150.1.8.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
    Header SHA1 digest: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
    MD5 digest: OK

ISO is signed with openSUSE key:

gpg --verify openSUSE-Leap-15.0-DVD-x86_64-Build206.1-Media.iso.sha256 
gpg: Signature made Tue Apr 17 11:35:37 2018 CEST
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284

Repos are signed with the same key:

gpg repomd.xml.key 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2008-11-07 [SC] [expires: 2024-05-02]
      22C07BA534178CD02EFE22AAB88B2FD43DBDC284
uid           openSUSE Project Signing Key <opensuse@opensuse.org>

gpg --verify repomd.xml.asc 
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made Thu May  3 11:33:44 2018 CEST
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284

[x] verify product can install maintenance updates (tested by installing
available updates after fresh install from ISO)

Current status:

General:

[x] Install and perform lynis scan
[ ] review for outstanding major security issues

Defaults:

[x] running default services
[x] setuid and privileged friends

Media and repositories:

[x] media signed
[x] repository signed

Sources:

[ ] trawl rpmlintrc for bypasses of rpmlint checks
[ ] clamav scan of sources

Development processes:

[ ] verify package review process were adhered to
[ ] verify standard development model was followed

Updates:

[x] verify product can install maintenance updates


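A note on the gpg output quoted above: "Good signature" together with "WARNING: This key is not certified with a trusted signature" means gpg has checked the signature mathematically but has no basis for saying the key is really the openSUSE Project Signing Key. The check that closes that gap is comparing the primary key fingerprint (22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 in the comment) against a pinned value. The shell function below is an added example, not part of the bug comment or of any openSUSE tooling: it reads gpg's machine-readable `--status-fd` lines on stdin and succeeds only when a `VALIDSIG` line carries the pinned fingerprint and no `BADSIG`, `ERRSIG`, `EXPKEYSIG`, `REVKEYSIG` or `NODATA` line appeared. The function name, the `--status-fd` wiring and the sample status lines at the bottom are assumptions and constructed data; the fingerprint is the one printed in the comment.

```shell
#!/bin/sh
# Added example (not from the bug comment): pin the signing-key fingerprint
# instead of relying on gpg's "Good signature" line alone.

# Fingerprint of the openSUSE Project Signing Key as printed in the comment.
OPENSUSE_FPR="22C07BA534178CD02EFE22AAB88B2FD43DBDC284"

# check_validsig EXPECTED_FPR
# Reads "gpg --status-fd 1 --verify ..." output on stdin. Returns 0 only if a
# VALIDSIG line names EXPECTED_FPR (as signing key or primary key) and no
# failure status appeared. The "[unknown]" trust level from gpg's human
# output is deliberately irrelevant here: trust comes from the pinned
# fingerprint, not from the local web of trust.
check_validsig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    ok=1
    matched=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # Fields: VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <res>
                #         <pkalgo> <hashalgo> <class> [<primary-fpr>]
                set -- $line
                sigfpr=$3
                primary=$sigfpr
                for w in "$@"; do primary=$w; done   # last field
                if [ "$primary" = "$expected" ] || [ "$sigfpr" = "$expected" ]; then
                    matched=1
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|\
            "[GNUPG:] REVKEYSIG "*|"[GNUPG:] NODATA "*)
                ok=0
                ;;
        esac
    done
    [ "$ok" -eq 1 ] && [ "$matched" -eq 1 ]
}

# Constructed sample of what gpg emits on --status-fd for the repomd.xml
# signature in the comment (timestamps are made up; format is gpg's).
sample_good_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B88B2FD43DBDC284 openSUSE Project Signing Key <opensuse@opensuse.org>
[GNUPG:] VALIDSIG 22C07BA534178CD02EFE22AAB88B2FD43DBDC284 2018-05-03 1525340024 0 4 0 1 8 00 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed sample: a valid signature, but from some other key.
sample_wrong_key_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2018-05-03 1525340024 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Real-world wiring (assumed; run against the downloaded files from the comment):
#   gpg --status-fd 1 --verify repomd.xml.asc repomd.xml | check_validsig "$OPENSUSE_FPR"
#   gpg --status-fd 1 --verify openSUSE-Leap-15.0-DVD-x86_64-Build206.1-Media.iso.sha256 | check_validsig "$OPENSUSE_FPR"
if sample_good_status | check_validsig "$OPENSUSE_FPR"; then
    echo "constructed sample: pinned fingerprint matched"
fi
```

The function ignores `TRUST_UNDEFINED` on purpose: gpg's trust verdict describes the local keyring's web of trust, which is empty on a fresh review box, while the question that matters for a release check is whether the signing key is the one whose fingerprint has been published and pinned.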