Re: [opensuse-factory] Wrong PGP key used to sign ISOs, or wrong documentation.

On 14.07.2012 03:42, Carlos E. R. wrote:

(reported first in the forums by benbullard79)

See:

cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --verify openSUSE-DVD-Build0050-x86_64.iso.sig openSUSE-DVD-Build0050-x86_64.iso gpg: Signature made 2012-07-11T15:08:33 CEST using RSA key ID 3DBDC284 gpg: Can't check signature: No public key

So get the key:

cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --recv-key 3DBDC284 gpg: requesting key 3DBDC284 from hkp server pgp.mit.edu gpg: key 3DBDC284: public key "openSUSE Project Signing Key " imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)

So verify the ISO:

cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --verify openSUSE-DVD-Build0050-x86_64.iso.sig openSUSE-DVD-Build0050-x86_64.iso gpg: Signature made 2012-07-11T15:08:33 CEST using RSA key ID 3DBDC284 gpg: Good signature from "openSUSE Project Signing Key " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

However, the documentation at http://software.opensuse.org/developer/en says:

+++·············· gpg signature offers the most security as you can verify who signed it. It should be 4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54. ··············++-

The fingerprint does not match. Is the documentation wrong, or has the ISO been signed with the wrong key?

The ISO is signed with the correct key, but it's different to 12.1 - Beta2 was signed with an even worse key for example. The openSUSE ISOs should be signed with the opensuse key no longer with the SUSE key. I'll see how easy I can make software.o.o show different finger prints for different releases. Greetings, Stephan -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org