On Tue, May 23, 2023 at 10:11:01PM +0300, Andrei Borzenkov wrote:
On 23.05.2023 21:11, Carlos E. R. wrote:
On 2023-05-23 18:05, Marcus Meissner wrote:
Hi,
We just some days ago switched the key.
zypper in openSUSE-build-key
to get the latest version from GA, then
rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-25db7ae0-645bae34.asc
What is missing is an official openSUSE web page (not a wiki) where the fingerprints are published, where we can compare them with the downloaded keys so that we can verify that they are truly the correct keys.
ALL the keys should be there, somewhere.
While I certainly agree with it, in this case the key is included in package (openSUSE-build-key) which is itself signed by another, already trusted, key. So it answers the original question "how to trust the new key". Of course, the existence of this RPM is probably even less known (I was not aware of it).
I wonder what is the point of having this RPM in the first place - I would expect it to import new keys on update.
Currently the keys are imported during install. As we switched the key just now during the final phases of 15.5 development, the ones already having installed 15.5 will need this manual work currently. Everyone else will get the key trusted already from the installer. I will see we also get it via the repomd gpg key method.

Ciao, Marcus
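The check discussed in this thread, as an added example that is not part of the original messages or of openSUSE's tooling: compare the key file's fingerprint with one obtained out of band before running `rpm --import`, and confirm it agrees with the short key ID in the file name. It assumes an OpenPGP v4 key (40 hex digit fingerprint) and a gpg that supports `--show-keys`; the function names are hypothetical.

```shell
#!/bin/bash
# Added example. Usage: check-key.sh <keyfile> <fingerprint obtained out of band>

# Strip spaces/colons and upper-case, so "25db 7ae0" and "25DB7AE0" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# rpm names key files gpg-pubkey-<short key id>-<release>.asc; return the id part.
keyid_from_filename() {
    base=${1##*/}
    base=${base#gpg-pubkey-}
    normalize_fpr "${base%%-*}"
}

# Fingerprint of the first key in the file, taken from gpg's colon-format output.
fpr_from_file() {
    gpg --show-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeeds only if actual == expected and the fingerprint ends in the
# short key id taken from the file name.
# usage: fpr_ok <actual fingerprint> <expected fingerprint> <keyfile path>
fpr_ok() {
    actual=$(normalize_fpr "$1")
    expected=$(normalize_fpr "$2")
    keyid=$(keyid_from_filename "$3")
    [ ${#actual} -eq 40 ] || return 1          # v4 fingerprints are 40 hex digits
    [ "$actual" = "$expected" ] || return 1
    case $actual in
        *"$keyid") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    rpm -qf "$1"                               # which installed package owns the key file
    if fpr_ok "$(fpr_from_file "$1")" "$2" "$1"; then
        echo "fingerprint matches: $1"
    else
        echo "MISMATCH, do not import: $1" >&2
        exit 1
    fi
fi
```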