On 2020-12-29 21:33:54 +0100, adrien.glauser@gmail.com wrote:
A user brought to my attention that the gpg public key we provide (0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284) does not allow to gpg verify the checksum files associated with our ISO images. For instance, the checksum file at http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86... will not be verified by `gpg --verify <iso dot sha256 dot file>`.
Hmm that cannot work. The *.iso.sha256 file contains no signature.
As far as I understand, a detached signature file could be an alternative, using this time `gpg --verify <detached signature file> <iso dot sha256 dot file>`, but we won't provide one either.
We do. $> wget \ http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86... $> gpg --verify \ openSUSE-Tumbleweed-KDE-Live-x86_64-Current.iso.sha256.asc \ openSUSE-Tumbleweed-KDE-Live-x86_64-Current.iso.sha256 ... should do the trick. Marcus