Currently on the Leap 42.1 page[1], we provide just the key fingerprint and don't also provide the whole key (for the super paranoid). However, given the fact that people have concerns about key fingerprints in general[2] we should also provide a link (served over TLS) to a copy of the openSUSE project signing key. The same goes for the Tumbleweed and Leap 42.2 download pages. As a separate issue, the .sha256 files for Tumbleweed don't use the same filename as the download. This is a minor issue, but it means that you have to rename the downloaded file so you can do the regular `sha256sum -c && gpg --verify` workflow. [1]: https://software.opensuse.org/421/en [2]: https://evil32.com/ -- Aleksa Sarai Software Engineer (Containers) SUSE Linux GmbH https://www.cyphar.com/ -- To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org To contact the owner, email: opensuse-project+owner(a)opensuse.org