-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Philipp Thomas wrote:
On Sun, 21 Dec 2008 15:05:17 +0100, you wrote:
* Shouln't the Project Signing Key not be allready installed on my 11.0 and therefore trusted? Or has opensuse exchanged keys from 11.0 to 11.1?
AFAIK the key was changed.
* How do I verify if this is indeed the correct key for the packages? (Searching opensuse.org brings no results, the term "project signing key" is completely unknown)
You ask a public pgp key server like http://pgpkeys.pca.dfn.de/. Enter the key id prefixed with 0x (zero ex), mark 'Show PGP "fingerprints" for keys' and let it search. Or simply follow this URL http://pgpkeys.pca.dfn.de/pks/lookup?search=0xB88B2FD43DBDC284&fingerprint=on&op=index
Now you compare the fingerprint the server gives you with the one you postet.
And how do we know that the key in the PGP server is the real one from opensuse.org, and not a fake? There is no "web of trust" that way. The IDs should be posted on a non-wiki page, easy to find, and the keys signed with a trusted key. - -- Cheers / Saludos, Carlos E. R. (from 11.1-ex-factory) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAklOjnoACgkQU92UU+smfQXhUACeP/5x3yNXuy+rPLNokCDKACi0 xGQAoIdvIa8ky5TxqTIdS6Y2GXiaJ4Qi =yHa2 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org