hello list, just came across when trying to download leap 15.3 iso bits, that the most or all of the .sha256 files are unsigned simple text files only. i still remember these sha256 files being some kind of pgp gpg wrapped textfiles with the suse project signing them for legitimacy. am i mistaken? also the main opensuse.org download page and area speaks exactly about verifying the bits and the full length pgp gpg fingerprint for that signing key one should be verifying. <https://get.opensuse.org/leap#download> ----------------- Verify Your Download Before Use Many applications can verify the checksum of a download. To verify your download can be important as it verifies you really have got the ISO file you wanted to download and not some broken version. For each ISO, we offer a checksum file with the corresponding SHA256 sum. For extra security, you can use GPG to verify who signed those .sha256 files. It should be 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 ----------------- then i went to download.opensuse.org and the leap 15.2 area and tried there, and the or some .sha256 files for the e.g. x64 iso on that leap level and release are actually signed what happen? :( --------------- cat openSUSE-Leap-15.3-NET-x86_64-Current.iso.sha256 54fb3a488e0fececf45cdaeefaccfb64437745da4b1ca444662e3aac20cf37b5 openSUSE-Leap-15.3-NET-x86_64.iso cat openSUSE-Leap-15.3-DVD-x86_64-Current.iso.sha256 0deae0b74953acd951150ae9567e098d450f2ae91b2d0c0a610b9d934f91c7b1 openSUSE-Leap-15.3-DVD-x86_64.iso cat openSUSE-Leap-15.2-DVD-x86_64.iso.sha256 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 0fd2d4e630b6579b933b5cb4930a8100acca6b4e29cd2738c4b7a9b2f76d80e4 openSUSE-Leap-15.2-DVD-x86_64.iso -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iQEVAwUBXv36criLL9Q9vcKEAQLo7AgAheoPUyw1dN3VlqN4m2icdonUUTiHvZ5b 4vDv1hcZxYNzh76HJudvRVODyx5SAytLRXsUfAnffLUqWTIg2p50nkIR0FZoY5y/ 0BaVKe2SY+W35iLxZkBO5sszFz+mhtWwir8Vsi4Tq/u3/IO98BBO319c877SIKCt JrJ//sajA2XXQrKgu9hxiVgWOl5Y2EOWllq9fBaGr3Rd4EdLbHhfDQ7IaWN7PW0U hAqv9WDkTxRVSksUP/y/C9c8kZ4VXF4YXGMdZX9+5hKoz/iBWaRVMwsez13h8Eif bNpN69bQCLBx2LMH1T3gknu1faD5xb808iWeZXi2jgs3vWXUWdRg3w== =DTcJ -----END PGP SIGNATURE-----