Re: [opensuse-security] OpenSUSE release md5 and SHA1 values and signature?
The SUSE software web site mentioned in reply to the post was:
http://software.opensuse.org/
This site does not have the SUSE Public Key number listed or as a link.
Why not add the SUSE Public Key number and the MD5 and SHA1? It does
allow you to select various download options, and will download SUSE
software for OpenSUSE.
The http://download.opensuse.org/distribution/10.3/iso/dvd/MD5SUMS does
have the MD5SUMS file for the stable 10.3, however, there is no SUSE
Public Key and the MD5SUMS is not signed. I can NOT verify it is an
authentic SUSE MD5SUMS file.
Why not put the SUSE Public Key on the SUSE web site
http://software.opensuse.org, as well as the MD5, SHA1, and sig files.
To quote from the security announcement:
"To verify the signature of the announcement, save it as text into a
file and run the command gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
participants (1)
-
name