Support: how to trust openSUSE keys? New RSA 4096-bit keys, how to double-check? E.g. when test-driving a new dup for 15.5:
# sudo zypper -vvv --releasever=15.5 ref
....
Checking whether to refresh metadata for Update repository of openSUSE Backports
Retrieving: http://download.opensuse.org/update/leap/15.5/backports/repodata/repomd.xml ........................................................................................................................[done (195 B/s)]
Retrieving: http://download.opensuse.org/update/leap/15.5/backports/repodata/repomd.xml.... .....................................................................................................................[done (63 B/s)]
Retrieving: http://download.opensuse.org/update/leap/15.5/backports/repodata/repomd.xml.... .....................................................................................................................[done (63 B/s)]
Retrieving: http://download.opensuse.org/update/leap/15.5/backports/repodata/repomd.xml ..................................................................................................................................[done]

New repository or package signing key received:

  Repository:       Update repository of openSUSE Backports
  Key Fingerprint:  F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0
  Key Name:         openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
  Key Algorithm:    RSA 4096
  Key Created:      Wed 10 May 2023 04:46:12 PM CEST
  Key Expires:      Sun 09 May 2027 04:46:12 PM CEST
  Rpm Name:         gpg-pubkey-25db7ae0-645bae34

    Note: Signing data enables the recipient to verify that no modifications occurred after the data were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system and in extreme cases even to a system compromise.
    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If you are not sure whether the presented key is authentic, ask the repository provider or check their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they are using.

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):

--------------------------

I never understood how to actually test and look up these keys, where to make sense of them, and how to react in such cases to questions from zypper or from YaST software modules when adding additional repos, and in many more such situations. I used to understand that one needs to check via other means, other channels, and look for these keys, fingerprints etc. published on some official project and company websites and all. But this is all in such a messed-up and not fully established state, at least that's what I make of it. All I find is, for example, a corporate SUSE (not openSUSE) signing keys page.
This needs to become much better, I say. Maybe nobody in the userbase cares these days; everybody just clicks and downloads and executes :( Please make this a wholesome and good experience and don't miseducate the userbase into just not understanding and knowing anything about security, trust chains etc. Anyone care to elaborate how to actually double-check openSUSE binaries and repos and their security and all? It all boils down to keys, to the root source of authority of a project et al. Also, are old keys signing the newer keys and building chains and successions and so on? ty
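The checks a practitioner would run before answering that [r/t/a/?] prompt, as an added example that is not part of the post and not openSUSE's own tooling. It assumes the fingerprint to compare against has been obtained out of band (the project's published key page, a second already-trusted machine, or a key that is already in the rpm database) and pasted into EXPECTED_FPR (here a constructed placeholder equal to the prompt's value); it also assumes rpm's naming convention for imported keys, gpg-pubkey-<low 32 bits of the key id>-<creation time as a hex Unix timestamp>, and GNU date for the display line only.

```shell
#!/bin/bash
# Added example (not from the post or from openSUSE): cross-check the key that
# zypper presents before answering the [r/t/a/?] prompt.
#
# Assumptions: EXPECTED_FPR was fetched out of band (project key page, a second
# trusted machine, a key already in the rpm database); rpm names imported keys
# gpg-pubkey-<low 32 bits of key id>-<creation time as hex epoch>; `date -d`
# is GNU date and is used for display only.

# Values copied from the zypper prompt in the post.
SHOWN_FPR='F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0'
RPM_NAME='gpg-pubkey-25db7ae0-645bae34'
# Constructed placeholder: in practice this value comes from the out-of-band source.
EXPECTED_FPR='f044c2c507a1262b538aaadd8a49eb0325db7ae0'

# Canonical form: uppercase hex, no whitespace, so "F044 C2C5 ..." from the
# prompt and "f044c2c5..." from a web page compare equal.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# 0 if both fingerprints are full 40-digit values and identical, 1 otherwise.
# A short key id or prefix match is not enough: compare all 40 digits.
fpr_matches() {
  local shown expected
  shown=$(norm_fpr "$1")
  expected=$(norm_fpr "$2")
  [ "${#shown}" -eq 40 ] && [ "$shown" = "$expected" ]
}

# The <keyid> part of the rpm name must equal the last 8 fingerprint digits.
# It is derived from the key itself, so this is a consistency check on the
# prompt, not a second source of trust.
rpm_name_consistent() {
  local fpr name last8 keyid
  fpr=$(norm_fpr "$1")
  name=$2
  last8=${fpr#"${fpr%????????}"}          # last 8 hex digits of the fingerprint
  keyid=$(printf '%s' "$last8" | tr 'A-F' 'a-f')
  case "$name" in
    "gpg-pubkey-${keyid}-"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Decode the <created> suffix of the rpm name into a decimal Unix timestamp so it
# can be compared with the "Key Created" line of the prompt.
rpm_created_epoch() {
  local created=${1##*-}
  echo $((0x$created))
}

# Walk through the checks for the values above.
main() {
  if fpr_matches "$SHOWN_FPR" "$EXPECTED_FPR"; then
    echo "fingerprint: matches the out-of-band copy"
  else
    echo "fingerprint: MISMATCH - answer r (reject) and ask the repository provider" >&2
  fi
  if rpm_name_consistent "$SHOWN_FPR" "$RPM_NAME"; then
    echo "rpm name:    key id consistent with fingerprint"
  else
    echo "rpm name:    key id does not match fingerprint" >&2
  fi
  local epoch
  epoch=$(rpm_created_epoch "$RPM_NAME")
  echo "rpm name:    created epoch $epoch ($(date -u -d "@$epoch" 2>/dev/null || echo 'date -d unavailable'))"
  # On a real system, list keys already imported and show the fingerprint of
  # this one (real rpm and gpg invocations; not run here):
  #   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n' gpg-pubkey
  #   rpm -qi "$RPM_NAME" | gpg --show-keys --with-fingerprint
}

main "$@"
```

For the key in the post, the last eight fingerprint digits 25DB7AE0 match the 25db7ae0 in the rpm name, and the suffix 645bae34 decodes to 1683729972, which is 10 May 2023 14:46:12 UTC, i.e. the 04:46:12 PM CEST shown under "Key Created". Only the first check (the full 40-digit comparison against a copy obtained through a different channel) establishes trust; the other two only confirm that the prompt is internally consistent, and trusting on the basis of the key name alone is exactly what the prompt's second note warns against.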