To be more precise, the .sha256 files are no signatures to the .iso files itself. The .sha256 files contain the SHA256 checksum and a GPG signature: cat openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sign -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 44e8d887cb3739cdd0321a38e259630d20a71103fbef93aab1929d07f26ec55d /var/cache/obs/worker/root_2//usr/src/packages/KIWIROOT/main/openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iQEVAwUBVh87tLiLL9Q9vcKEAQijEwf/c1pVwTJvzgL0x6Q+N0lLDn5EiO7GPamh PmM9RR/L2u38f8nyDyyba5phz0pK6KSBuPNs48Ubt6wrBD2a8ojbxYp6zc9VgxX8 HhyJE9yO5VhNSbGHxbLqP2b68eXRBRytAJkPp6Z3bjWqEVLEaUggM0ZJ4X16nHH4 Y0ID2I/Za2gfwqaDYqxfZ244LwTUR2Ug/emYhTHLN9RVSwdtrXnBxxVUD/cyEEw8 YsGcnTMV+jRCXaTqGA2UjoeXeGIckfDGRruPGY2mHDPRQxNkV9BBtEFwwmejffNQ ilOfUmqzhhdkQB6GRpoeNorXvt8a2JAolL7EEvbPb9Fk8x3SgnvGpg== =F1f5 -----END PGP SIGNATURE----- Manual signature checking is possible like this: $ gpg2 --verify openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sha256 $ sha256sum openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso $ cat openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sha256 (compare the checksums) Anyway, the file ending .sha256 is not optimal. Manual checking is possible, but automatic checking with "sha256sum" and "gpg2" isn't easy without shell tricks. And the Web link is dead.