[opensuse-factory] How to check this pgp message for correctnes? (leap42.1 milestone2 info)
hi there, wanted to check the bran nu leap milestone2 iso and the directory comes with a pgp message that has the sha256 sum inside. the sha256 inside the pgp message and the .iso's sha256 are the same so it seems legit only question remains how do i make sense of the pgp message itself. i somehow cannot gpg --verify filename.sha256 as it tells me there is no public key. leap milestone2 is here: http://download.opensuse.org/distribution/leap/42.1-Milestone2/iso/openSUSE-... http://download.opensuse.org/distribution/leap/42.1-Milestone2/iso/openSUSE-... and the iso: http://download.opensuse.org/distribution/leap/42.1-Milestone2/iso/openSUSE-... http://download.opensuse.org/distribution/leap/42.1-Milestone2/iso/openSUSE-... So just to make sure, i know how to sha256 iso.file.iso, thats not the trouble here. how do i verify the legitimacy of the .sha256 files content which seems like a pgp signed email or posting of some sort. thanks. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, 2015-09-04 at 11:43 +0200, cagsm wrote:
hi there, wanted to check the bran nu leap milestone2 iso and the directory comes with a pgp message that has the sha256 sum inside.
the sha256 inside the pgp message and the .iso's sha256 are the same so it seems legit only question remains how do i make sense of the pgp message itself.
i somehow cannot gpg --verify filename.sha256 as it tells me there is no public key.
gpg --verify openSUSE-42.1-DVD-x86_64-Build0148-Media.iso.sha256 gpg: Signature made Thu 03 Sep 2015 01:24:38 PM CEST using RSA key ID 3DBDC284 gpg: Good signature from "openSUSE Project Signing Key < opensuse@opensuse.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Of course this requires that you have the public key 3DBDC284 available in your keyring. You can get the key from the PGP infrastructure, using: gpg --recv-keys 3DBDC284 Cheers, Dominique -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, Sep 4, 2015 at 11:57 AM, Dominique Leuenberger / DimStar <dimstar@opensuse.org> wrote:
i somehow cannot gpg --verify filename.sha256 as it tells me there is no public key. Of course this requires that you have the public key 3DBDC284 available in your keyring.
Heck of course why thank you I must have been tired or something, I just didnt see the short key id it now gives me when i --verify. I had thought something was wrong as I was apparently not seeing that information and thought there must be some other way. Thanks again. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (2)
-
cagsm -
Dominique Leuenberger / DimStar