Mailinglist Archive: opensuse-security (10 mails)

< Previous Next >
Re: [opensuse-security] OpenSUSE release md5 and SHA1 values and signature?
  • From: name <allitisabout@xxxxxxxxx>
  • Date: Wed, 14 May 2008 11:19:23 +0200
  • Message-id: <482AAE9B.5080304@xxxxxxxxx>
The SUSE software web site mentioned in reply to the post was:
http://software.opensuse.org/

This site does not have the SUSE Public Key number listed or as a link.
Why not add the SUSE Public Key number and the MD5 and SHA1? It does
allow you to select various download options, and will download SUSE
software for OpenSUSE.

The http://download.opensuse.org/distribution/10.3/iso/dvd/MD5SUMS does
have the MD5SUMS file for the stable 10.3, however, there is no SUSE
Public Key and the MD5SUMS is not signed. I can NOT verify it is an
authentic SUSE MD5SUMS file.

Why not put the SUSE Public Key on the SUSE web site
http://software.opensuse.org, as well as the MD5, SHA1, and sig files.

To quote from the security announcement:

"To verify the signature of the announcement, save it as text into a
file and run the command gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:

gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@xxxxxxx>"

where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command: gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc "
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx

< Previous Next >
This Thread