On 26.06.2023 at 10:43, Carlos E. R. wrote:
On 2023-06-26 07:09, Johannes Kastl wrote:
Good morning,
On 26.06.23 at 05:19 Lew Wolfgang wrote:
On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
Hi,
all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key.
The GPG keys are to be verified against the list here:
https://en.opensuse.org/openSUSE:Signing_Keys
for which you need to certify that you are actually on that page and not another.
Maybe we could get other pages, for example a suse.com page, to include this information so that there are several copies around.
We can link more resources to prove the pgp key with keyoxide: https://docs.keyoxide.org/understanding-keyoxide/keyoxide/
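The verification chain the thread describes (GPG-signed checksum file, key fingerprint checked against the Signing_Keys wiki page, then the ISO hash), as an added example that is not part of the thread or of any openSUSE tooling. The point a practitioner wants made explicit is step 2: `gpg --verify` exits 0 for a good signature by any key in your keyring, so the fingerprint reported on gpg's `VALIDSIG` status line has to be compared with the one you read off the wiki page yourself. The script assumes `gpg` is on PATH, that the checksum file is either a plain `sha256sum` listing or a clearsigned one (the parser skips the armour lines), and uses a constructed ISO name, checksum listing and gpg status output; the set of trusted fingerprints is deliberately left empty and must be filled by hand from https://en.opensuse.org/openSUSE:Signing_Keys.

```python
"""Added example: verify an openSUSE ISO against its GPG-signed SHA-256 file.

Order matters:
  1. gpg checks the signature on the checksum file and, via --status-fd,
     reports the fingerprint of the key that made it.
  2. That fingerprint is compared with the one you copied by hand from the
     Signing_Keys wiki page. 'gpg --verify' alone exits 0 for a good
     signature by ANY key in your keyring.
  3. Only then is the ISO's SHA-256 compared with the signed value.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# Fill from the wiki page after checking you are really on it; deliberately
# empty here so that nothing is trusted by accident.
TRUSTED_FINGERPRINTS = set()

# "<hex sha256>  <name>" as written by sha256sum (leading '*' = binary mode).
# Non-matching lines, e.g. PGP clearsign armour, are ignored, so this works on
# a plain .sha256 listing and on a clearsigned one alike.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")
_FPR = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample data for the stand-alone demo (file name is assumed).
ISO_NAME = "openSUSE-Tumbleweed-DVD-x86_64-Current.iso"
SAMPLE_ISO_CONTENT = b"abc"
SAMPLE_SUMS = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  "
    + ISO_NAME + "\n"
    "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n"
)
SAMPLE_STATUS = (  # constructed: shape of 'gpg --status-fd 1' output for a good signature
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2023-06-26 1687768980 0 4 0 1 10 00 "
    + "B" * 40 + "\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


def parse_sha256_file(text):
    """Map each listed file name to its lower-case SHA-256 hex digest."""
    sums = {}
    for line in text.splitlines():
        m = _SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2).strip()] = m.group(1).lower()
    return sums


def signing_key_fingerprints(gpg_status):
    """Primary-key fingerprint (last VALIDSIG field) of every good signature."""
    fprs = set()
    for line in gpg_status.splitlines():
        fields = line.split()
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and _FPR.match(fields[-1]):
            fprs.add(fields[-1])
    return fprs


def signature_from_trusted_key(gpg_status, trusted):
    """True only if a good signature exists and every signing key is pinned
    (fingerprints may be written with spaces, as on the wiki page)."""
    pinned = {f.replace(" ", "").upper() for f in trusted}
    found = signing_key_fingerprints(gpg_status)
    return bool(found) and found <= pinned


def sha256_of(path):
    """Streaming SHA-256 of a (possibly multi-GB) file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(sums_text, file_name, actual_digest):
    """Compare the signed digest for file_name with the one computed locally."""
    expected = parse_sha256_file(sums_text).get(file_name)
    return expected is not None and expected == actual_digest.lower()


def gpg_verify(sums_path, sig_path=None):
    """Run gpg; returns (exit_ok, status_output). Pass sig_path for a detached
    .asc; for a clearsigned .sha256 pass only sums_path."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    cmd += [str(sig_path), str(sums_path)] if sig_path else [str(sums_path)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:  # gpg not installed
        return False, ""
    return proc.returncode == 0, proc.stdout


def verify_iso(iso_path, sums_path, trusted=TRUSTED_FINGERPRINTS, sig_path=None):
    """Full chain: good signature -> pinned key -> matching SHA-256."""
    iso_path, sums_path = Path(iso_path), Path(sums_path)
    ok, status = gpg_verify(sums_path, sig_path)
    if not (ok and signature_from_trusted_key(status, trusted)):
        return False  # refuse before even reading the checksum
    return checksum_matches(sums_path.read_text(), iso_path.name, sha256_of(iso_path))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / ISO_NAME
        iso.write_bytes(SAMPLE_ISO_CONTENT)
        # Steps 2 and 3 on the constructed data; no gpg needed for the demo.
        print("key pinned:", signature_from_trusted_key(SAMPLE_STATUS, {"B" * 40}))
        print("checksum ok:", checksum_matches(SAMPLE_SUMS, ISO_NAME, sha256_of(iso)))
```

For a real download, fill `TRUSTED_FINGERPRINTS` from the wiki page and call `verify_iso("openSUSE-....iso", "openSUSE-....iso.sha256")`; a `False` result means either a bad or unpinned signature or a hash mismatch, and the script intentionally does not distinguish the two in its return value so that neither case is treated as "partially fine".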