they are signed by the project keys as the .asc files are available
too. samples:
gpg --check-sigs 0x3DBDC284
pub 2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
uid openSUSE Project Signing Key
sig!3 3DBDC284 2010-05-05 openSUSE Project Signing Key
sig!3 3DBDC284 2008-11-07 openSUSE Project Signing Key
sig! 0175623E 2012-08-23 Marcus Meissner
sig! 3D25D3D9 2012-08-23 SuSE Security Team
gpg --fingerprint 0x3DBDC284
pub 2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
uid openSUSE Project Signing Key
gpg -vvvv --verify openSUSE-12.2-DVD-i586.iso.asc
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.0.7 (GNU/Linux)
:signature packet: algo 1, keyid B88B2FD43DBDC284
version 3, created 1346320655, md5len 5, sigclass 0x00
digest algo 8, begin of digest d6 e4
data: [2048 bits]
gpg: assuming signed data in `openSUSE-12.2-DVD-i586.iso'
gpg: Signature made 08/30/12 11:57:35 using RSA key ID 3DBDC284
gpg: using PGP trust model
gpg: Good signature from "openSUSE Project Signing Key "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
gpg: binary signature, digest algorithm SHA256
openSUSE-12.2-DVD-i586.iso.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iQEVAwUAUD85D7iLL9Q9vcKEAQjW5AgAi2DBbHIfH0W9QdixpWko6xhO8jzN
DgMLkquyRSm6qjxLIiIDa1qc9D27HYZOyiyVXObJZ4Y8L+eHFfMlQcKKImqO9JvJ
fGlFE6EAA2+ynl5TaGm7+yd81AzFf9pnSynf5z8K6CN9VOc2DO8TDG7OMl82Unxc
+96ML8eIW2sY8ENxpu2xVdhbN2fi1rSoqsw4a5DI2TogUVL5N65OgREqVYmVvzgv
WqMwZp+c5zuSNnMDFOkn2jfOGZxHYYXK0VnFMBNjDiXDjyOeaOloCj3e0KwVudGj
TtsMu5ME/9kRtVYf5RjfOmN6Krqrd8CrE+lvR4kTJ9a7WV+oHpFa0sXuHA==
=Rg3E
-----END PGP SIGNATURE-----
gpg -vvvv --verify openSUSE-12.2-DVD-x86_64.iso.asc
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1.0.7 (GNU/Linux)
:signature packet: algo 1, keyid B88B2FD43DBDC284
version 3, created 1346320960, md5len 5, sigclass 0x00
digest algo 8, begin of digest 53 8f
data: [2048 bits]
gpg: assuming signed data in `openSUSE-12.2-DVD-x86_64.iso'
gpg: Signature made 08/30/12 12:02:40 using RSA key ID 3DBDC284
gpg: using PGP trust model
gpg: Good signature from "openSUSE Project Signing Key "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
gpg: binary signature, digest algorithm SHA256
openSUSE-12.2-DVD-x86_64.iso.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iQEVAwUAUD86QLiLL9Q9vcKEAQhTjwgA0sgMYWlr+on1LGW7kxtAqKK1qkVx
H+rJCe+lvoPYUeJ7wgCgoHoqwj8XjCRhdGP98czgSD1lGatnUYanFHUpfo/Eif4B
MHfeqN67CjkN3XWphLormelxCjRcJx/7K6Sc2VvSFUFDj+Xsbv8FZ6AuwNP9JTND
RYidZB6X4rOWQ/+/FmX8qEEQogrL82BnCM3J4SToFhpJ9QivVmAhA37HeL8K58Uf
ptnYtGCY17fLg38CaN/1t5kz2+gCigoBNhkaK6KBaHwCEGSiCQRVCA076QO920us
eYJafXhw3fbabfLDVc4eiPWpqUruUWZPIUXA3izz47chRxE2F3O16obZFw==
=hIzU
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org