http://bugzilla.suse.com/show_bug.cgi?id=1090647
http://bugzilla.suse.com/show_bug.cgi?id=1090647#c6
--- Comment #6 from Karol Babioch ---
Ticking off:
[x] media signed
[x] repository signed
Packages are signed:
rpm -K tree-1.7.0-lp150.1.8.x86_64.rpm -v
tree-1.7.0-lp150.1.8.x86_64.rpm:
Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
Header SHA1 digest: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK
V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
MD5 digest: OK
ISO is signed with openSUSE key:
gpg --verify openSUSE-Leap-15.0-DVD-x86_64-Build206.1-Media.iso.sha256
gpg: Signature made Tue Apr 17 11:35:37 2018 CEST
gpg: using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Repos are signed with the same key:
gpg repomd.xml.key
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa2048 2008-11-07 [SC] [expires: 2024-05-02]
22C07BA534178CD02EFE22AAB88B2FD43DBDC284
uid openSUSE Project Signing Key
gpg --verify repomd.xml.asc
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made Thu May 3 11:33:44 2018 CEST
gpg: using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
[x] verify product can install maintenance updates (tested by installing
available updates after fresh install from ISO)
Current status:
General:
[x] Install and perform lynis scan
[ ] review for outstanding major security issues
Defaults:
[x] running default services
[x] setuid and privileged friends
Media and repositories:
[x] media signed
[x] repository signed
Sources:
[ ] trawl rpmlintrc for bypasses of rpmlint checks
[ ] clamav scan of sources
Development processes:
[ ] verify package review processes were adhered to
[ ] verify standard development model was followed
Updates:
[x] verify product can install maintenance updates
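Added example (not part of the original comment or of openSUSE's tooling): gpg reports "Good signature" for any key present in the keyring, and the WARNING in the output above shows the key carries no trust certification, so a scripted form of the media and repository check can pin the primary-key fingerprint quoted in the comment. The function names `check_status` and `verify_pinned` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Primary-key fingerprint as printed by gpg in the comment above.
PINNED_FPR="22C07BA534178CD02EFE22AAB88B2FD43DBDC284"

# check_status: reads gpg machine-readable status lines on stdin.
# Succeeds only if a VALIDSIG line ends with the pinned primary-key
# fingerprint and no failure status appears. Fails closed on empty input.
check_status() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing key; the last field is the primary key.
            if (toupper($NF) == want) ok = 1; else bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_pinned: hypothetical wrapper, e.g.
#   verify_pinned repomd.xml.asc repomd.xml
#   verify_pinned openSUSE-Leap-15.0-DVD-x86_64-Build206.1-Media.iso.sha256
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$@" 2>/dev/null | check_status
}

# Constructed sample: status output for a signature by the pinned key.
# Timestamps and version fields are illustrative, not captured output.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B88B2FD43DBDC284 openSUSE Project Signing Key
[GNUPG:] VALIDSIG 22C07BA534178CD02EFE22AAB88B2FD43DBDC284 2018-05-03 1525340024 0 4 0 1 8 00 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: a cryptographically good signature from a different
# key (placeholder fingerprint). Human-readable gpg output would also say
# "Good signature" here, which is why the fingerprint is pinned.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Constructed Other Key
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2018-05-03 1525340024 0 4 0 1 8 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

The same fingerprint comparison applies to the `key ID 3dbdc284` shown by `rpm -K`, which is only the last 32 bits of this fingerprint; the short ID alone is not sufficient for pinning.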