[Bug 952372] New: GPG signatures for openSUSE-Leap-42.1-Build0235 end with .sha256
http://bugzilla.opensuse.org/show_bug.cgi?id=952372

            Bug ID: 952372
           Summary: GPG signatures for openSUSE-Leap-42.1-Build0235 end with .sha256
    Classification: openSUSE
           Product: openSUSE.org
           Version: unspecified
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Software Portal
          Assignee: benji@opensuse.org
          Reporter: bjoernv@arcor.de
        QA Contact: opensuse-communityscreening@forge.provo.novell.com
          Found By: ---
           Blocker: ---

The GPG signatures for openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso and
openSUSE-Leap-42.1-NET-x86_64-Build0235-Media.iso end with .sha256.

See http://download.opensuse.org/distribution/leap/42.1-RC1/iso/:

openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso 15-Oct-2015 07:37 4.2G
openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sha256 15-Oct-2015 08:28 707
openSUSE-Leap-42.1-NET-ppc64le-Build0033-Media.iso.sha256 05-Oct-2015 14:01 708
openSUSE-Leap-42.1-NET-x86_64-Build0235-Media.iso 15-Oct-2015 07:54 85M
openSUSE-Leap-42.1-NET-x86_64-Build0235-Media.iso.sha256 15-Oct-2015 08:28 707

The .sha256 files are not SHA256 checksums but GPG signatures.

Also, the link "gpg signature" on
https://software.opensuse.org/developer/en?release=developer is a dead link.

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=952372
http://bugzilla.opensuse.org/show_bug.cgi?id=952372#c1

--- Comment #1 from Björn Voigt <bjoernv@arcor.de> ---
To be more precise, the .sha256 files are not signatures of the .iso files
themselves. The .sha256 files contain the SHA256 checksum and a GPG signature:

cat openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

44e8d887cb3739cdd0321a38e259630d20a71103fbef93aab1929d07f26ec55d /var/cache/obs/worker/root_2//usr/src/packages/KIWIROOT/main/openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQEVAwUBVh87tLiLL9Q9vcKEAQijEwf/c1pVwTJvzgL0x6Q+N0lLDn5EiO7GPamh
PmM9RR/L2u38f8nyDyyba5phz0pK6KSBuPNs48Ubt6wrBD2a8ojbxYp6zc9VgxX8
HhyJE9yO5VhNSbGHxbLqP2b68eXRBRytAJkPp6Z3bjWqEVLEaUggM0ZJ4X16nHH4
Y0ID2I/Za2gfwqaDYqxfZ244LwTUR2Ug/emYhTHLN9RVSwdtrXnBxxVUD/cyEEw8
YsGcnTMV+jRCXaTqGA2UjoeXeGIckfDGRruPGY2mHDPRQxNkV9BBtEFwwmejffNQ
ilOfUmqzhhdkQB6GRpoeNorXvt8a2JAolL7EEvbPb9Fk8x3SgnvGpg==
=F1f5
-----END PGP SIGNATURE-----

Manual signature checking is possible like this:

$ gpg2 --verify openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sha256
$ sha256sum openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso
$ cat openSUSE-Leap-42.1-DVD-x86_64-Build0235-Media.iso.sha256
(compare the checksums)

Anyway, the file ending .sha256 is not optimal. Manual checking is possible,
but automatic checking with "sha256sum" and "gpg2" isn't easy without shell
tricks. And the Web link is dead.

http://bugzilla.opensuse.org/show_bug.cgi?id=952372
http://bugzilla.opensuse.org/show_bug.cgi?id=952372#c2

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |coolo@suse.com
           Assignee|benji@opensuse.org          |ancor@suse.com

--- Comment #2 from Stephan Kulow <coolo@suse.com> ---
They are gpg signed sha256 sums. And they were broken for RC1, but for GM it's
perfectly possible to feed them into sha256 -c *and* gpg.

But yes, the text about extra signatures on software.oo does not apply to leap.
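
An added example, not part of the bug report or of openSUSE's tooling: one way to script the manual check from comment #1, taking the checksum only from the text gpg2 reports as signed and ignoring the recorded path, since the quoted file names the build worker's location rather than a local file. The function names and the signer fingerprint argument are assumptions; the caller supplies the fingerprint of a key they trust and have already imported.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# SIGNER_FPR is an assumption: the full fingerprint (upper-case hex, no
# spaces) of a key the caller trusts and has imported into the gpg2 keyring.

# Print the text covered by the signature, and only if gpg2 exits 0 and
# reports GOODSIG plus VALIDSIG for the pinned fingerprint. Anything outside
# the signed region of the file never reaches stdout.
signed_text() {   # signed_text SIGFILE SIGNER_FPR
    [ -n "$2" ] || return 1
    st=$(mktemp) || return 1
    ok=1
    if out=$(gpg2 --batch --status-fd 3 --decrypt "$1" 3>"$st" 2>/dev/null) &&
       grep -q '^\[GNUPG:\] GOODSIG ' "$st" &&
       grep -q "^\[GNUPG:\] VALIDSIG .*$2" "$st"; then
        ok=0
    fi
    rm -f "$st"
    [ "$ok" -eq 0 ] && printf '%s\n' "$out"
}

# Read signed text on stdin and print the first field of its first non-empty
# line, accepted only if it is exactly 64 hex digits. The second field (the
# recorded path) is ignored, so a build-host path does not matter.
payload_digest() {
    awk 'NF { print tolower($1); exit }' | grep -E '^[0-9a-f]{64}$'
}

# Succeed only if the ISO's SHA256 equals a non-empty expected digest.
verify_iso() {   # verify_iso ISO EXPECTED_DIGEST
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Full check: signature first, then the checksum taken from the signed text.
verify_release() {   # verify_release ISO SIGFILE SIGNER_FPR
    want=$(signed_text "$2" "$3" | payload_digest) || return 1
    verify_iso "$1" "$want"
}

# Command-line use: ./verify.sh ISO SIGFILE SIGNER_FPR
if [ "$#" -eq 3 ]; then
    verify_release "$@" && echo "OK: $1"
fi
```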