Am Thu, 2 Jul 2020 15:10:01 +0000 schrieb Lubos Kocman <lubos.kocman@suse.com>:

we have to fix this issue! Can somebody please sign .sha256 files with the openSUSE key?

https://forums.opensuse.org/showthread.php/540728-GPG-verification-of-the-Le...

Looks like someone already signed the files in OBS with the opensuse@opensuse.org signing key and did not copy it over to download.opensuse.org. I replaced the files there now with the ones from OBS. With the B88B2FD43DBDC284 key in my keyring, I get: ~> gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256 gpg: Signature made Thu Jul 2 15:17:06 2020 UTC gpg: using RSA key B88B2FD43DBDC284 gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 ~> gpg --verify openSUSE-Leap-15.2-NET-x86_64.iso.sha256 gpg: Signature made Thu Jul 2 15:15:57 2020 UTC gpg: using RSA key B88B2FD43DBDC284 gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 ...and just for the record: we have quite a few keys that we can use to sign the iso images, so better tell us which key we should use to resign ;-) Regards, Lars -- To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org To contact the owner, e-mail: heroes+owner@opensuse.org