Currently on the Leap 42.1 page[1], we provide just the key fingerprint
and don't also provide the whole key (for the super paranoid). However,
given the fact that people have concerns about key fingerprints in
general[2] we should also provide a link (served over TLS) to a copy of
the openSUSE project signing key. The same goes for the Tumbleweed and
Leap 42.2 download pages.

As a separate issue, the .sha256 files for Tumbleweed don't use the same
filename as the download. This is a minor issue, but it means that you
have to rename the downloaded file so you can do the regular
`sha256sum -c && gpg --verify` workflow.

[1]: https://software.opensuse.org/421/en
[2]: https://evil32.com/
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
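
The filename mismatch described in the message above can be handled without renaming the download. The following is an added example, not part of the original message or of any openSUSE tooling: the function names, the file names and the mock signature armor in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check a download against a .sha256 file whose listed
# filename differs from the file on disk, without renaming anything.

# Print the single SHA-256 digest listed in a checksum file.
# Lines that are not "digest  name" entries (for example signature
# armor) are skipped. Fails unless exactly one digest is present, so a
# file listing several images is never matched against the wrong entry.
listed_digest() {
    digests=$(grep -E '^[0-9a-fA-F]{64} [ *]' "$1" | cut -c1-64 | tr 'A-F' 'a-f')
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$digests"
}

# verify_download CHECKSUM_FILE DOWNLOADED_FILE
# Returns 0 only when the digest in CHECKSUM_FILE equals the SHA-256 of
# DOWNLOADED_FILE, whatever name the checksum file lists for it.
verify_download() {
    want=$(listed_digest "$1") || return 2
    have=$(sha256sum < "$2" | cut -c1-64)
    [ "$want" = "$have" ]
}

# Constructed sample: an "image" saved under one name and a checksum
# file that lists it under another, wrapped in mock armor lines.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed image bytes\n' > "$dir/image-Current.iso"
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo
        printf '%s  image-Snapshot0000.iso\n' \
            "$(sha256sum < "$dir/image-Current.iso" | cut -c1-64)"
        echo '-----BEGIN PGP SIGNATURE-----'
    } > "$dir/image-Current.iso.sha256"
    verify_download "$dir/image-Current.iso.sha256" "$dir/image-Current.iso"
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo && echo "digest matches despite the different listed filename"
```

The digest comparison only ties the download to the checksum file, so the `gpg --verify` step of the workflow still has to succeed against a key whose full fingerprint has been checked.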