Given the recent case of Linux Mint, I went to double-check how we deal with distribution of checksums and images. It looks like we just distribute them all without TLS, which means there's no hardening against MITM attacks on users trying to download openSUSE. In addition, I couldn't find any mention of GPG signatures for the releases, so there's no web-of-trust way of verifying that an image I download is one that was signed by the key of the chief maintainers.
Check https://software.opensuse.org, section "Verify your download before use". The sha256 checksum files are signed inline using GPG.
While this might be true for Leap, this doesn't appear to be the case for Tumbleweed:
http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-NET-x86_64-C...
But weirdly, the following URL *does* have an inline-signed signature: http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-NET-x86_64-S...

--
Aleksa Sarai
Docker Core Specialist
SUSE Australia
https://www.cyphar.com/
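As an added example, not code from this thread or from the openSUSE project: a small checker that applies the flow the earlier reply describes for the inline-signed sha256 files, verifying the GPG signature on the checksum file first and only then comparing the image digest, so that an unsigned or tampered checksum file is never trusted. It assumes the release signing key is already imported into the local keyring; the sample signed file is constructed with a placeholder signature, so `demo()` injects a stand-in verifier where `gpg --verify` would normally run.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path
# Constructed stand-in for an inline-signed sha256 file; the signature block is a
# placeholder, so only the injected verifier in demo() accepts it.
SAMPLE_SHA256_FILE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

<digest>  openSUSE-Leap-example.iso
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-SIGNATURE
-----END PGP SIGNATURE-----
"""
def gpg_verify(sha256_path):
    # Real check: the signing key must already be imported into the local keyring.
    return subprocess.run(["gpg", "--verify", str(sha256_path)], capture_output=True).returncode == 0
def parse_sha256_entries(text):
    # Read only the signed body (between the armor header and the signature block),
    # undoing clearsign dash-escaping ("- " prefix); returns {filename: hex digest}.
    body, in_body = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if in_body:
            body.append(line[2:] if line.startswith("- ") else line)
        elif line.strip() == "":
            in_body = True  # first blank line ends the "Hash:" header
    found = (re.match(r"^([0-9a-f]{64}) [ *](.+)$", l) for l in body)
    return {m.group(2): m.group(1) for m in found if m}
def verify_download(iso_path, sha256_path, verify=gpg_verify):
    # Signature first: checksums from an unverified file prove nothing against MITM.
    if not verify(sha256_path):
        return "bad-signature"
    expected = parse_sha256_entries(Path(sha256_path).read_text()).get(Path(iso_path).name)
    if expected is None:
        return "not-listed"
    digest = hashlib.sha256(Path(iso_path).read_bytes()).hexdigest()
    return "ok" if digest == expected else "digest-mismatch"
def demo():
    # Constructed end-to-end run with an injected verifier standing in for gpg.
    d = Path(tempfile.mkdtemp())
    iso, sha = d / "openSUSE-Leap-example.iso", d / "openSUSE-Leap-example.iso.sha256"
    iso.write_bytes(b"constructed stand-in for an ISO image\n")
    sha.write_text(SAMPLE_SHA256_FILE.replace("<digest>", hashlib.sha256(iso.read_bytes()).hexdigest()))
    results = {"good": verify_download(iso, sha, verify=lambda p: True),
               "unsigned": verify_download(iso, sha, verify=lambda p: False)}
    iso.write_bytes(b"tampered image bytes\n")  # simulate a swapped download
    results["tampered"] = verify_download(iso, sha, verify=lambda p: True)
    return results
```

Against a real download, call `verify_download("openSUSE-...iso", "openSUSE-...iso.sha256")` with the default verifier so `gpg --verify` does the signature check.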