[opensuse-project] Fwd: verify download
Hi, Could someone please setup a wiki page (in case there isn't one yet), so we can add a link to software.o.o? That would be cool. Greetings, Stephan -------- Original Message -------- Subject: verify download Date: Wed, 31 Oct 2012 08:01:20 -0400 From: Tom Horsley <X@gmail.com> To: admin@opensuse.org On the web page http://software.opensuse.org/122/en there is a section on verifying the download. I just spent an hour trying to discover how the hell to actually use the dadgum .asc file, how to download the signing key with --recv-key, etc. Do you think you could link to some more detailed instructions there somewhere (cause I'm not gonna remember any of this by the time I want to verify the next release). Thanks. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Wed, 2012-10-31 at 13:37 +0100, Stephan Kulow wrote:
Hi,
Could someone please setup a wiki page (in case there isn't one yet), so we can add a link to software.o.o? That would be cool.
Greetings, Stephan
-------- Original Message -------- Subject: verify download Date: Wed, 31 Oct 2012 08:01:20 -0400 From: Tom Horsley <X@gmail.com> To: admin@opensuse.org
On the web page http://software.opensuse.org/122/en there is a section on verifying the download. I just spent an hour trying to discover how the hell to actually use the dadgum .asc file, how to download the signing key with --recv-key, etc.
Do you think you could link to some more detailed instructions there somewhere (cause I'm not gonna remember any of this by the time I want to verify the next release).
Thanks.
There is something at http://en.opensuse.org/SDB:Download_help#Checksums but that lacks the .asc method and needs some improvements, I'll look into it. -- Marcel Kühlhorn freenode: tux93 Have a lot of fun!
On Wed, 2012-10-31 at 18:18 +0100, Marcel Kühlhorn wrote:
On Wed, 2012-10-31 at 13:37 +0100, Stephan Kulow wrote:
Hi,
Could someone please setup a wiki page (in case there isn't one yet), so we can add a link to software.o.o? That would be cool.
Greetings, Stephan
-------- Original Message -------- Subject: verify download Date: Wed, 31 Oct 2012 08:01:20 -0400 From: Tom Horsley <X@gmail.com> To: admin@opensuse.org
On the web page http://software.opensuse.org/122/en there is a section on verifying the download. I just spent an hour trying to discover how the hell to actually use the dadgum .asc file, how to download the signing key with --recv-key, etc.
Do you think you could link to some more detailed instructions there somewhere (cause I'm not gonna remember any of this by the time I want to verify the next release).
Thanks.
There is something at http://en.opensuse.org/SDB:Download_help#Checksums but that lacks the .asc method and needs some improvements, I'll look into it.
Done, now someone with the permissions needs to review and accept the changes. -- Marcel Kühlhorn freenode: tux93 Have a lot of fun!
Op woensdag 31 oktober 2012 20:45:30 schreef Marcel Kühlhorn:
On Wed, 2012-10-31 at 18:18 +0100, Marcel Kühlhorn wrote:
On Wed, 2012-10-31 at 13:37 +0100, Stephan Kulow wrote:
Hi,
Could someone please setup a wiki page (in case there isn't one yet), so we can add a link to software.o.o? That would be cool.
Greetings, Stephan
-------- Original Message -------- Subject: verify download Date: Wed, 31 Oct 2012 08:01:20 -0400 From: Tom Horsley <X@gmail.com> To: admin@opensuse.org
On the web page http://software.opensuse.org/122/en there is a section on verifying the download. I just spent an hour trying to discover how the hell to actually use the dadgum .asc file, how to download the signing key with --recv-key, etc.
Do you think you could link to some more detailed instructions there somewhere (cause I'm not gonna remember any of this by the time I want to verify the next release).
Thanks.
There is something at http://en.opensuse.org/SDB:Download_help#Checksums but that lacks the .asc method and needs some improvements, I'll look into it.
Done, now someone with the permissions needs to review and accept the changes.
I tried the gpg stuff and as such the commands do work. To verify the fingerprint the command gpg --fingerprint "openSUSE Project Signing Key <opensuse@opensuse.org>" should be added. I also tried gpg -a "openSUSE-12.2-DVD-x86_64.iso.asc" and the result is: gpg: Signature made Thu Aug 30 12:02:40 2012 CEST using RSA key ID 3DBDC284 gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 Something should be added about the warning. -- fr.gr. Freek de Kruijf -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2012-11-01 11:31, Freek de Kruijf wrote:
I also tried gpg -a "openSUSE-12.2-DVD-x86_64.iso.asc" and the result is:
gpg: Signature made Thu Aug 30 12:02:40 2012 CEST using RSA key ID 3DBDC284 gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Something should be added about the warning.
The warning is correct, and will be there until _you_ sign the key. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iF4EAREIAAYFAlCSWEkACgkQja8UbcUWM1wGxAD9FZs5HvVHSse4yOvbL/C947o4 w6KWd0bGzXNxnV5aWHABAJaOI8umkUIttJVk7p0wuloRuVexzfkt/KQttWc0cFeb =0AHp -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
Op donderdag 1 november 2012 12:08:57 schreef Carlos E. R.:
On 2012-11-01 11:31, Freek de Kruijf wrote:
I also tried gpg -a "openSUSE-12.2-DVD-x86_64.iso.asc" and the result is:
gpg: Signature made Thu Aug 30 12:02:40 2012 CEST using RSA key ID 3DBDC284
gpg: Good signature from "openSUSE Project Signing Key
<opensuse@opensuse.org>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to
the owner. Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Something should be added about the warning.
The warning is correct, and will be there until _you_ sign the key.
I know, but a innocent user might get confused, so something like You get a warning "This key is not certified with a trusted signature!" However when the fingerprint mentioned below the warning is equal to the one below this text, you can trust the .iso file. Unfortunately I can't login in the wiki, so I can't make this change. -- fr.gr. Freek de Kruijf -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2012-11-01 12:22, Freek de Kruijf wrote:
Op donderdag 1 november 2012 12:08:57 schreef Carlos E. R.:
The warning is correct, and will be there until _you_ sign the key.
I know, but a innocent user might get confused, so something like
True. We had a longish discussion in the forums precisely because of this.
You get a warning "This key is not certified with a trusted signature!" However when the fingerprint mentioned below the warning is equal to the one below this text, you can trust the .iso file.
You have to also mention to read gpg documentation on the web of trust for more info about the message.
Unfortunately I can't login in the wiki, so I can't make this change.
I probably can, but I'm away and thus with a 500 MB/month cap, so I can't risk it. Minimal web browsing. :-( - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iF4EAREIAAYFAlCSXMIACgkQja8UbcUWM1zCYwD/UY50qPKv5NqTFfR02UsA8Yh2 zHA3p62yPZkLxLWNs9YA/0ZzJ2XAAFmHn4HVSWFCUzwFnM1UhP4uiBMQFqF43CdX =iKT0 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Thursday 01 November 2012 12:28:02 Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 2012-11-01 12:22, Freek de Kruijf wrote:
Op donderdag 1 november 2012 12:08:57 schreef Carlos E. R.:
The warning is correct, and will be there until _you_ sign the key.
I know, but a innocent user might get confused, so something like
True. We had a longish discussion in the forums precisely because of this.
You get a warning "This key is not certified with a trusted signature!" However when the fingerprint mentioned below the warning is equal to the one below this text, you can trust the .iso file.
You have to also mention to read gpg documentation on the web of trust for more info about the message.
Unfortunately I can't login in the wiki, so I can't make this change.
I probably can, but I'm away and thus with a 500 MB/month cap, so I can't risk it. Minimal web browsing. :-(
I tried to make the change but please check it. I have no clue what I'm doing - just copying what you guys wrote in the mails: http://en.opensuse.org/SDB:Download_help#Using_Linux /Jos
- -- Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iF4EAREIAAYFAlCSXMIACgkQja8UbcUWM1zCYwD/UY50qPKv5NqTFfR02UsA8Yh2 zHA3p62yPZkLxLWNs9YA/0ZzJ2XAAFmHn4HVSWFCUzwFnM1UhP4uiBMQFqF43CdX =iKT0 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2012-11-06 21:59, Jos Poortvliet wrote:
On Thursday 01 November 2012 12:28:02 Carlos E. R. wrote: On 2012-11-01 12:22, Freek de Kruijf wrote:
I tried to make the change but please check it. I have no clue what I'm doing - just copying what you guys wrote in the mails: http://en.opensuse.org/SDB:Download_help#Using_Linux
Fine, looks very good to me, thanks :-) - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iF4EAREIAAYFAlCZe9oACgkQja8UbcUWM1ypVwD/dTrBeDxbVtltK8RFuGua2CPn NQnOyoHEFnOrypngG3AA/iUfvP/g3BfN/CdSkPIs5aPL7xLkZERvWPv2oVtQX580 =KC8R -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
Op dinsdag 6 november 2012 22:06:34 schreef Carlos E. R.:
On 2012-11-06 21:59, Jos Poortvliet wrote:
On Thursday 01 November 2012 12:28:02 Carlos E. R. wrote: On 2012-11-01 12:22, Freek de Kruijf wrote:
I tried to make the change but please check it. I have no clue what I'm doing - just copying what you guys wrote in the mails: http://en.opensuse.org/SDB:Download_help#Using_Linux
Fine, looks very good to me, thanks :-)
+1 -- fr.gr. Freek de Kruijf -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
participants (5)
-
Carlos E. R. -
Freek de Kruijf -
Jos Poortvliet -
Marcel Kühlhorn -
Stephan Kulow