Good morning, On 26.06.23 at 05:19 Lew Wolfgang wrote:
On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
Hi,
all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key. Kind Regards, Johannes -- Johannes Kastl Linux Consultant & Trainer Tel.: +49 (0) 151 2372 5802 Mail: kastl@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg http://www.b1-systems.de GF: Ralph Dehner Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537