[opensuse] Tumbleweed verification
I think I will start a separate thread and mention this about Tumbleweed. On the website at -
https://en.opensuse.org/openSUSE:Tumbleweed_installation
it says -

"To verify the signature, download the .sha256 file and run /gpg --verify/ on it. The file must be signed by opensuse@opensuse.org https://keyserver.opensuse.org/pks/lookup?op=get&search=0xB88B2FD43DBDC284 with fingerprint 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284. Then run /sha256sum --check/ on the sha256 file to make sure the iso is intact."

so I did and got this -

marc@bigbang:/data> gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Snapshot20161216-Media.iso.sha256
gpg: Signature made Fri 16 Dec 2016 03:45:27 PM PST using RSA key ID 3DBDC284
gpg: Can't check signature: No public key

What did I do wrong? Man pages weren't helpful...

Marc...

--
"The Truth is out there" - Spooky
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2016-12-18 22:44, Marc Chamberlin wrote:
I think I will start a separate thread and mention this about Tumbleweed. On the website at -
https://en.opensuse.org/openSUSE:Tumbleweed_installation
it says -
"To verify the signature, download the .sha256 file and run /gpg --verify/ on it. The file must be signed by opensuse@opensuse.org https://keyserver.opensuse.org/pks/lookup?op=get&search=0xB88B2FD43DBDC284
with fingerprint 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284. Then
run /sha256sum --check/ on the sha256 file to make sure the iso is intact."
so I did and got this -
marc@bigbang:/data> gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Snapshot20161216-Media.iso.sha256
gpg: Signature made Fri 16 Dec 2016 03:45:27 PM PST using RSA key ID 3DBDC284
gpg: Can't check signature: No public key
What did I do wrong? Man pages weren't helpful... Marc...
In order to verify any PGP/GPG signature, you first have to import the public keys of those people or organizations that you want to verify. Probably:

gpg --recv-keys 3DBDC284

But before running the test you have to certify and sign that those keys really belong to the project. So pick up the plane or the train, go to SUSE offices, and ask the clerk there to please verify the keys for you.

half-kidding >:-)

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
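The procedure discussed in this thread, as an added example that is not from either poster or from the openSUSE project: fetch the key, accept the signature only if gpg's machine-readable status names the fingerprint quoted from the installation page, then check the ISO hash. The function names are hypothetical; the fingerprint is the one quoted above.

```shell
#!/bin/bash
# Fingerprint as published on the Tumbleweed installation page (quoted in the thread).
EXPECTED_FPR="22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG record ends with the expected primary-key fingerprint. A bare
# "Good signature" is not enough: it is printed for any key in the keyring.
signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
        END { exit !ok }'
}

# verify_iso FILE.sha256 : FILE.sha256 is the signed checksum file and the
# ISO it lists is expected in the same directory.
verify_iso() {
    sums=$1
    # Ask for the key by full fingerprint rather than the short ID 3DBDC284.
    gpg --recv-keys "$(printf '%s' "$EXPECTED_FPR" | tr -d ' ')" || return 1
    # With no public key gpg emits ERRSIG/NO_PUBKEY and no VALIDSIG,
    # so the pipeline fails closed.
    if ! gpg --status-fd 1 --verify "$sums" 2>/dev/null | signed_by "$EXPECTED_FPR"; then
        echo "signature missing or not made by the expected key" >&2
        return 1
    fi
    # Only now trust the hashes. sha256sum skips the signature armor lines
    # with a warning about improperly formatted lines.
    ( cd "$(dirname "$sums")" && sha256sum --check "$(basename "$sums")" )
}

# Run the whole procedure when a checksum file is given on the command line.
if [ $# -gt 0 ]; then
    verify_iso "$1"
fi
```

Run it as `bash verify.sh openSUSE-Tumbleweed-DVD-x86_64-Snapshot20161216-Media.iso.sha256` from the download directory; the script name is arbitrary.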
participants (2)
- Carlos E. R.
- Marc Chamberlin