[opensuse-factory] Wrong PGP key used to sign ISOs, or wrong documentation.
(reported first in the forums by benbullard79)

See:

cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --verify openSUSE-DVD-Build0050-x86_64.iso.sig openSUSE-DVD-Build0050-x86_64.iso
gpg: Signature made 2012-07-11T15:08:33 CEST using RSA key ID 3DBDC284
gpg: Can't check signature: No public key

So get the key:

cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --recv-key 3DBDC284
gpg: requesting key 3DBDC284 from hkp server pgp.mit.edu
gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

So verify the ISO:

cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --verify openSUSE-DVD-Build0050-x86_64.iso.sig openSUSE-DVD-Build0050-x86_64.iso
gpg: Signature made 2012-07-11T15:08:33 CEST using RSA key ID 3DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

However, the documentation at <http://software.opensuse.org/developer/en> says:

+++··············
gpg signature offers the most security as you can verify who signed it. It should be 4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54.
··············++-

The fingerprint does not match. Is the documentation wrong, or has the ISO been signed with the wrong key?

--
Cheers,
Carlos E. R.
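As an added example that is not part of this thread: a small POSIX shell script that runs the same gpg verification but pins the primary-key fingerprint to the one expected for the release, so a "Good signature" from an unexpected key is rejected instead of being accepted on the strength of the gpg text alone. The sample status lines and the Unix timestamp in them are constructed for illustration; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): verify a detached ISO signature and
# compare the primary-key fingerprint with the one you expect, rather than
# trusting "Good signature" alone (which only says the key is in your keyring).

# Fingerprint the thread reports for the key that actually signed Build0050.
OPENSUSE_FPR="22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284"

# normalize_fpr "22C0 7BA5 ..." -> "22C07BA5..." (no spaces, upper case)
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status STATUS_TEXT EXPECTED_FPR
# Parses machine-readable gpg --status-fd output; succeeds only if a VALIDSIG
# line names a primary key whose fingerprint equals EXPECTED_FPR. Layout:
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver> <rsv>
#            <pkalgo> <hashalgo> <class> <primary-key-fpr>
# Comparing the primary fingerprint (field 12) also covers subkey signatures.
check_status() {
  want=$(normalize_fpr "$2")
  printf '%s\n' "$1" | awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $12 == want { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# verify_iso SIG ISO EXPECTED_FPR: the real run; needs gpg and the imported key.
verify_iso() {
  status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
  check_status "$status" "$3"
}

# Constructed status output mimicking the good-signature run in the thread.
SAMPLE_STATUS='[GNUPG:] GOODSIG B88B2FD43DBDC284 openSUSE Project Signing Key <opensuse@opensuse.org>
[GNUPG:] VALIDSIG 22C07BA534178CD02EFE22AAB88B2FD43DBDC284 2012-07-11 1342012113 0 4 0 1 2 00 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
[GNUPG:] TRUST_UNDEFINED'

if check_status "$SAMPLE_STATUS" "$OPENSUSE_FPR"; then
  echo "signature made by the expected key"
else
  echo "fingerprint MISMATCH: do not use this ISO" >&2
fi
```

Run `verify_iso openSUSE-DVD-Build0050-x86_64.iso.sig openSUSE-DVD-Build0050-x86_64.iso "$OPENSUSE_FPR"` against a real download; a fingerprint taken from stale documentation (the 4E98 ... 3D54 value above) would make it fail, which is exactly the discrepancy this thread is about.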
On 14.07.2012 03:42, Carlos E. R. wrote:
> (reported first in the forums by benbullard79)
>
> See:
>
> cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --verify openSUSE-DVD-Build0050-x86_64.iso.sig openSUSE-DVD-Build0050-x86_64.iso
> gpg: Signature made 2012-07-11T15:08:33 CEST using RSA key ID 3DBDC284
> gpg: Can't check signature: No public key
>
> So get the key:
>
> cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --recv-key 3DBDC284
> gpg: requesting key 3DBDC284 from hkp server pgp.mit.edu
> gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
> gpg: Total number processed: 1
> gpg: imported: 1 (RSA: 1)
>
> So verify the ISO:
>
> cer@Telcontar:/data/storage_b/Isos/isos_12.2> gpg --verify openSUSE-DVD-Build0050-x86_64.iso.sig openSUSE-DVD-Build0050-x86_64.iso
> gpg: Signature made 2012-07-11T15:08:33 CEST using RSA key ID 3DBDC284
> gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
>
> However, the documentation at <http://software.opensuse.org/developer/en> says:
>
> +++··············
> gpg signature offers the most security as you can verify who signed it. It should be 4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54.
> ··············++-
>
> The fingerprint does not match. Is the documentation wrong, or has the ISO been signed with the wrong key?
The ISO is signed with the correct key, but it's different to 12.1 - Beta2 was signed with an even worse key for example.

The openSUSE ISOs should be signed with the opensuse key, no longer with the SUSE key. I'll see how easy I can make software.o.o show different fingerprints for different releases.

Greetings, Stephan

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 2012-07-16 13:46, Stephan Kulow wrote:
> On 14.07.2012 03:42, Carlos E. R. wrote:
>> ...
>> The fingerprint does not match. Is the documentation wrong, or has the ISO been signed with the wrong key?
>
> The ISO is signed with the correct key, but it's different to 12.1 - Beta2 was signed with an even worse key for example.
>
> The openSUSE ISOs should be signed with the opensuse key no longer with the SUSE key. I'll see how easy I can make software.o.o show different finger prints for different releases.

Aha, so it is the documentation which is wrong. Well, I hope you find a way to do it that is not too difficult.

--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)