[opensuse] 15.2 iso gpg signature control?
Is it not available any more? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, Jul 3, 2020 at 1:57 PM Stakanov <stakanov@disroot.org> wrote:
Is it not available any more?
what do you exactly mean by this?
http://download.opensuse.org/distribution/leap/15.2/iso/ and the metadata links there at the entries of each and every file shows their hash sums and other detail information. e.g. http://download.opensuse.org/distribution/leap/15.2/iso/openSUSE-Leap-15.2-D...
there should also be sha signature files in that directory .sha256 e.g. named at the end is that what you are looking for? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
In data venerdì 3 luglio 2020 17:25:30 CEST, cagsm ha scritto:
On Fri, Jul 3, 2020 at 1:57 PM Stakanov <stakanov@disroot.org> wrote:
Is it not available any more?
what do you exactly mean by this?
and the metadata links there at the entries of each and every file shows their hash sums and other detail information. e.g.
http://download.opensuse.org/distribution/leap/15.2/iso/openSUSE-Leap-15.2 -DVD-x86_64.iso.mirrorlist there should also be sha signature files in that directory .sha256 e.g. named at the end
is that what you are looking for? for the gpg signature. I did the 256 hash but normally you would expect the gpg sig to verify integrity. IF this has not changed. gpg, not sha
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 03/07/2020 17.25, cagsm wrote:
On Fri, Jul 3, 2020 at 1:57 PM Stakanov <stakanov@disroot.org> wrote:
Is it not available any more?
what do you exactly mean by this?
http://download.opensuse.org/distribution/leap/15.2/iso/ and the metadata links there at the entries of each and every file shows their hash sums and other detail information. e.g. http://download.opensuse.org/distribution/leap/15.2/iso/openSUSE-Leap-15.2-D...
there should also be sha signature files in that directory .sha256 e.g. named at the end
is that what you are looking for?
There is no PGP/GPG signature info. But neither is for 15.1 It is "hidden" here: <https://software.opensuse.org/distributions/leap> +++..................... Verify Your Download Before Use Many applications can verify the checksum of a download. To verify your download can be important as it verifies you really have got the ISO file you wanted to download and not some broken version. You could verify the file in the process of downloading. For example a checksum (SHA256) will be used automatically if you choose Metalink in the field above and use the add-on DownThemAll! in Firefox. For each ISO, we offer a checksum file with the corresponding SHA256 sum. For extra security, you can use GPG to verify who signed those .sha256 files. It should be 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 For more help verifying your download please read Checksums Help .....................++- ---> <https://en.opensuse.org/SDB:Download_help#Checksums> Let's see. ~> aria2c --check-integrity=true "http://download.opensuse.org/distribution/leap/15.2/iso/openSUSE-Leap-15.2-D..." ... Download Results: gid |stat|avg speed |path/URI ======+====+===========+======================================================= 428333|OK | 1.0MiB/s|/data/storage_b/Isos/Leap/15.2/openSUSE-Leap-15.2-DVD-x86_64.iso.meta4 b42ba8|OK | 12MiB/s|/data/storage_b/Isos/Leap/15.2/openSUSE-Leap-15.2-DVD-x86_64.iso Status Legend: (OK):download completed. ~> aria2c --check-integrity=true "http://download.opensuse.org/distribution/leap/15.2/iso/openSUSE-Leap-15.2-D..." ... ~> gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256 gpg: Signature made 2020-07-02T17:17:06 CEST gpg: using RSA key B88B2FD43DBDC284 gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [full] cer@Telcontar:/data/storage_b/Isos/Leap/15.2> cer@Telcontar:/data/storage_b/Isos/Leap/15.2> time sha256sum -c openSUSE-Leap-15.2-DVD-x86_64.iso.sha256 openSUSE-Leap-15.2-DVD-x86_64.iso: OK sha256sum: WARNING: 14 lines are improperly formatted real 0m15,134s user 0m13,446s sys 0m0,402s cer@Telcontar:/data/storage_b/Isos/Leap/15.2> So, it does verify, with a warning about the format of the file. I don't know about that. I can also do: ~> gpg --fingerprint B88B2FD43DBDC284 pub rsa2048 2008-11-07 [SC] [expires: 2024-05-02] 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 uid [ full ] openSUSE Project Signing Key <opensuse@opensuse.org> cer@Telcontar:/data/storage_b/Isos/Leap/15.2> And compare that string "22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284" with the one published here <https://software.opensuse.org/distributions/leap> It is 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 It should be 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 Matches, all is well. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
In data venerdì 3 luglio 2020 20:16:35 CEST, Carlos E. R. ha scritto:
On 03/07/2020 17.25, cagsm wrote:
On Fri, Jul 3, 2020 at 1:57 PM Stakanov <stakanov@disroot.org> wrote:
Is it not available any more?
what do you exactly mean by this?
and the metadata links there at the entries of each and every file shows their hash sums and other detail information. e.g.
http://download.opensuse.org/distribution/leap/15.2/iso/openSUSE-Leap-15. 2-DVD-x86_64.iso.mirrorlist> there should also be sha signature files in that directory .sha256 e.g. named at the end
is that what you are looking for?
There is no PGP/GPG signature info. But neither is for 15.1
It is "hidden" here:
<https://software.opensuse.org/distributions/leap>
+++..................... Verify Your Download Before Use
Many applications can verify the checksum of a download. To verify your download can be important as it verifies you really have got the ISO file you wanted to download and not some broken version. You could verify the file in the process of downloading. For example a checksum (SHA256) will be used automatically if you choose Metalink in the field above and use the add-on DownThemAll! in Firefox.
For each ISO, we offer a checksum file with the corresponding SHA256 sum.
For extra security, you can use GPG to verify who signed those .sha256 files. It should be 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
For more help verifying your download please read Checksums Help .....................++-
---> <https://en.opensuse.org/SDB:Download_help#Checksums>
Let's see.
~> aria2c --check-integrity=true "http://download.opensuse.org/distribution/leap/15.2/iso/openSUSE-Leap-15.2 -DVD-x86_64.iso" ... Download Results: gid |stat|avg speed |path/URI ======+====+===========+==================================================== === 428333|OK | 1.0MiB/s|/data/storage_b/Isos/Leap/15.2/openSUSE-Leap-15.2-DVD-x86_64.iso.m eta4 b42ba8|OK | 12MiB/s|/data/storage_b/Isos/Leap/15.2/openSUSE-Leap-15.2-DVD-x86_64.iso
Status Legend: (OK):download completed.
~> aria2c --check-integrity=true "http://download.opensuse.org/distribution/leap/15.2/iso/openSUSE-Leap-15.2 -DVD-x86_64.iso.sha256" ... ~> gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256 gpg: Signature made 2020-07-02T17:17:06 CEST gpg: using RSA key B88B2FD43DBDC284 gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [full] cer@Telcontar:/data/storage_b/Isos/Leap/15.2>
cer@Telcontar:/data/storage_b/Isos/Leap/15.2> time sha256sum -c openSUSE-Leap-15.2-DVD-x86_64.iso.sha256 openSUSE-Leap-15.2-DVD-x86_64.iso: OK sha256sum: WARNING: 14 lines are improperly formatted
real 0m15,134s user 0m13,446s sys 0m0,402s cer@Telcontar:/data/storage_b/Isos/Leap/15.2>
So, it does verify, with a warning about the format of the file. I don't know about that.
I can also do:
~> gpg --fingerprint B88B2FD43DBDC284 pub rsa2048 2008-11-07 [SC] [expires: 2024-05-02] 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 uid [ full ] openSUSE Project Signing Key <opensuse@opensuse.org>
cer@Telcontar:/data/storage_b/Isos/Leap/15.2>
And compare that string "22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284" with the one published here <https://software.opensuse.org/distributions/leap>
It is 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 It should be 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Matches, all is well. Oh, thank you. That was the one that I was looking for!
Kudos! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 03/07/2020 21.55, Stakanov wrote:
In data venerdì 3 luglio 2020 20:16:35 CEST, Carlos E. R. ha scritto:
Matches, all is well. Oh, thank you. That was the one that I was looking for!
Kudos!
Welcome :-) The thing is, the iso file is not signed itself, that would be too heavy. Instead, it is the checksum file (....iso.sha256) which is signed with a known key. And then this key has a published ID string, which doesn't change from version to version. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
participants (3)
-
cagsm -
Carlos E. R. -
Stakanov