Op maandag 21 november 2016 10:25:36 CET schreef Daniel Morris:
Lots of users are very intimidated by the plethora of options with GPG and struggle to know where to start. Even for a regular user looking to upgrade from an earlier version, 'gpg --verify opensuse_foo.sha256' is likely to report that the openSUSE public key isn't installed. Some will follow down the rabbit hole, others may just give up/install another distro etc. If we want to encourage good security practice then we're best making it as easy as possible to follow good practice.
I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
got:
gpg: Signature made di 15 nov 2016 18:04:50 CET
gpg: using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key