On Mon, Feb 29, 2016 at 11:52:51AM +0100, Carlos E. R. wrote:
On 2016-02-29 10:00, Łukasz 'Cyber Killer' Korpalski wrote:
But the checksums are pgp signed (inline pgp signature inside the sha256 checksum file), so as long as the user has the pubkey used for this signature and uses it to verify the checksums, everything is fine. The pubkey long fingerprint is noted on the main iso download page, not on the mirrors pages.
But the PGP signatures, to be secure, need a web of trust. A separate and trusted method to download and verify the keys themselves, and this we don't have.
Probably a certified page with all keys used by the project for signing downloads and builds.
$ LANG=C gpg --recv-key 0xB88B2FD43DBDC284
gpg: key 0xB88B2FD43DBDC284: "openSUSE Project Signing Key <opensuse@opensuse.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ LANG=C gpg --list-sigs 0xB88B2FD43DBDC284
pub rsa2048/0xB88B2FD43DBDC284 2008-11-07 [expires: 2024-05-02]
Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
uid [ unknown] openSUSE Project Signing Key <opensuse@opensuse.org>
sig 3 0xB88B2FD43DBDC284 2008-11-07 openSUSE Project Signing Key <opensuse@opensuse.org>
sig 3 0xB88B2FD43DBDC284 2010-05-05 openSUSE Project Signing Key <opensuse@opensuse.org>
sig 0xEA7BF3970175623E 2012-08-23 Marcus Meissner <meissner@suse.com>
sig 0x77B2E6003D25D3D9 2012-08-23 [User ID not found]
sig 0x8BD82E6F30B94B5C 2013-05-04 \xe6\xa5\x8a\xe5\xa3\xab\xe9\x9d\x92 (Yang Shih-Ching) <imacat@mail.imacat.idv.tw>
sig 3 0xB88B2FD43DBDC284 2014-05-05 openSUSE Project Signing Key <opensuse@opensuse.org>
sig 0x1C2B0DA2920E6F97 2013-08-15 [User ID not found]
sig 0x080B3B0AD1E3EBDD 2014-02-11 Sebastian Weber <s.wbr@physik.uni-wuppertal.de>
sig 0x37F0BE6297A01F40 2015-09-03 Eric Haberstroh <eric@erixpage.de>
sig 0xE7820D7B72511999 2016-02-29 \xc5\x81ukasz Korpalski (Cyber Killer) <cyberkiller8@gmail.com>
sig 0xA485A0ED51B8B7C4 2015-05-19 Andreas Boehlk (Privat-Post) <post@boehlk.com>
$

So it is signed by me at least.

Ciao, Marcus
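The two checks discussed in this thread, as an added example that is not part of the message above or of any openSUSE tooling: compare the fingerprint gpg reports against one obtained out of band, then separate self-signatures from third-party certifications in the `--list-sigs` listing. The names `review_key` and `normalize` are hypothetical, and `PINNED` assumes the value was copied from the download page.

```python
import re

# Assumption: fingerprint as copied from a trusted page (here the value
# printed in the session above stands in for it).
PINNED = "22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284"

# Excerpt of the `gpg --list-sigs` output quoted above, one record per line.
SAMPLE = """\
pub rsa2048/0xB88B2FD43DBDC284 2008-11-07 [expires: 2024-05-02]
Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
uid [ unknown] openSUSE Project Signing Key <opensuse@opensuse.org>
sig 3 0xB88B2FD43DBDC284 2008-11-07 openSUSE Project Signing Key <opensuse@opensuse.org>
sig 0xEA7BF3970175623E 2012-08-23 Marcus Meissner <meissner@suse.com>
sig 0x77B2E6003D25D3D9 2012-08-23 [User ID not found]
"""

# "sig", optional certification level 1-3, long key ID, date, signer text.
# Other flag letters gpg can print on sig lines are not handled here.
SIG_RE = re.compile(
    r"^sig\s+(?:[1-3]\s+)?0x([0-9A-F]{16})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")


def normalize(fpr):
    """Drop whitespace and upper-case so copy/paste spacing cannot matter."""
    return re.sub(r"\s+", "", fpr).upper()


def review_key(listing, pinned):
    """Check the fingerprint and sort signatures by who made them."""
    fpr = None
    report = {"fingerprint_ok": False, "self": [], "known": [], "unknown": []}
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Key fingerprint ="):
            fpr = normalize(line.split("=", 1)[1])
            report["fingerprint_ok"] = fpr == normalize(pinned)
        m = SIG_RE.match(line)
        if m and fpr:
            keyid, date, signer = m.groups()
            if fpr.endswith(keyid):  # long key ID = last 16 hex digits
                report["self"].append(date)  # self-signature: adds no trust
            elif signer == "[User ID not found]":
                report["unknown"].append(keyid)  # signer key not in keyring
            else:
                report["known"].append((keyid, signer))
    return report
```

`gpg --list-sigs` only lists signatures without verifying them; `gpg --check-sigs` performs the cryptographic check, and a signer counts only if that signer's own key is one you already trust.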