Hi,

all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare. Many use plain HTTP to download openSUSE packages and images as the binary authenticity is not related to the security of the transport channel.

You can find some instructions on validating downloaded openSUSE ISO images here: https://en.opensuse.org/SDB:Download_help#Checksums

Apart from this, Let's Encrypt is as valid a certificate authority as any other doing purely domain validation. Whether paid ones doing organization validation are more trustworthy is a debatable topic.

Cheers,
Georg

On 6/25/23 22:17, Lew Wolfgang wrote:
Hi Folks,
I'm sure this isn't the right list for this question, but it will have to do.
In downloading the Leap 15.5 ISO I noticed that the TLS cert is issued by Let's Encrypt. This is rather concerning considering all the current supply-chain security issues.
Does Let's Encrypt still use a one-step domain verification process? If so, how can it really be trusted for something as important as an operating system? How can we be sure we're not downloading malware without strong domain verification of the source?
Regards, Lew
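One way to run the signed-checksum validation Georg describes, as an added example that is not code from the list or from the openSUSE project. It assumes gpg and sha256sum are installed, that the openSUSE signing key has already been imported into your keyring, and that the .sha256 file is a PGP clearsigned text whose body contains a `<sha256 hex digest>  <iso filename>` line; the trust decision rests on the key in the keyring, not on the TLS certificate of the mirror.

```shell
#!/bin/sh
# Added example, not openSUSE project code: check a downloaded ISO against its
# GPG-signed .sha256 file, so trust is anchored in the signing key in your
# keyring rather than in the mirror's TLS certificate.
# Assumptions: gpg and sha256sum are installed, the openSUSE signing key has
# already been imported, and the .sha256 file is a PGP clearsigned text whose
# body contains a line "<64-hex-sha256>  <iso filename>".

# Step 1: verify the clearsigned file and print only its signed body.
# gpg exits non-zero for a bad signature AND for a signer not in the keyring,
# so an unknown key is treated as a failure rather than a warning.
signed_body() {
    sig_file="$1"
    body="$(mktemp)" || return 1
    if gpg --batch --quiet --yes --output "$body" --decrypt "$sig_file"; then
        cat "$body"; rm -f "$body"; return 0
    fi
    rm -f "$body"; return 1
}

# Step 2: compare the ISO's SHA-256 with the expected hex digest (full match only).
checksum_matches() {
    iso="$1"; expected="$2"
    actual="$(sha256sum "$iso" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ]
}

# Step 3: signature first, then digest; any failure aborts (fail closed).
verify_iso() {
    iso="$1"; sig_file="$2"
    body="$(signed_body "$sig_file")" || {
        echo "REJECTED: signature on $sig_file did not verify" >&2; return 1; }
    expected="$(printf '%s\n' "$body" | grep -oE '^[0-9a-f]{64}' | head -n 1)"
    [ -n "$expected" ] || { echo "REJECTED: no digest in signed text" >&2; return 1; }
    if checksum_matches "$iso" "$expected"; then
        echo "OK: $iso matches the signed SHA-256 digest"
    else
        echo "REJECTED: $iso does not match the signed digest" >&2; return 1
    fi
}

# Usage: sh verify_iso.sh <image>.iso <image>.iso.sha256
if [ "$#" -ge 2 ]; then
    verify_iso "$1" "$2"
fi
```

Because the digest is taken from the signed body only after gpg has accepted the signature, a checksum file served over a compromised or impersonated mirror is rejected before any hash is compared.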