this is really full of funny answers and avoiding clear take on the matter I had originally asked. Eventually I found the asc files and verified that it all was legit and official. after all the signing keys of the project have been there many years now. so if the keys were fine for 12.1 and 11.4 or whatever old things it signed and all the patches and updates and security fixes, then it was just as fine for 12.2, wasnt it? close to nobody ever personally out-of-band received any kind of hashes or signatures and key files. so if you and me all trusted the suse signing keys over the last releases then it was of no discussion that the stuff i dug up and verified was the legit bits. why does anyone trust any download site or whatever they download in the first place. even if i had known any staff personally or developers, what assurance would that give me over time that they dont get corrupt, corrupted by the feds or whomever else. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org