Hello Marcus, Thanks for stepping in. From your instructions plus some digging I was able to successfully authenticate the sha256 file I was testing. Nonetheless I think it's quite difficult for the new user (and I consider myself as such as far as this topic) to identify the recipe for authenticating sha256 files associated with our ISO images. In particular it's not trivial to identify the relevant .asc gpg signature that needs to be used to verify arbitrary images. In our toy example, the file at http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86... is neither referenced or talked about anywhere from https://software.opensuse.org/distributions/tumbleweed. Only openSUSE's gpg public key is. In the spirit of improving the docs I've jotted down the few steps I went through doing this. Can you give it a look and confirm it's correct? I mean, I've tested it, but perhaps it is incorrectly phrased or using unnecessary steps. Here it is: https://etherpad.opensuse.org/p/gpg-verify-images Best, Adrien