GPG verification of the Leap 15.2 SHA256 file fails with:
Tux@TuxBox:/home/openSUSE Leap 15.2/> gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256
gpg: Signature made Tue 30 Jun 2020 09:52:45 AM MDT
gpg: using RSA key 70AF9E8139DB7C82
gpg: Can't check signature: No public key
I executed the following before checking the SHA256 file as shown above:
I checked this file against the same file on 4 separate servers across the planet, and it was found to be identical. So, I am assuming the file is authentic.
bruno@LT_B:~/Downloads> gpg openSUSE-Leap-15.2-DVD-x86_64.iso
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa2048 2008-11-07 [SC] [expires: 2024-05-02]
22C07BA534178CD02EFE22AAB88B2FD43DBDC284
uid openSUSE Project Signing Key <opensuse@opensuse.org>
bruno@LT_B:~/Downloads>
I do indeed get the right signature as advertised here: https://software.opensuse.org/distributions/leap
and the checksum is correct, so the .iso image appears to be sound; the problem might be with the .sha256 file or the wiki page.
bruno@LT_B:~/Downloads> gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256
gpg: Signature made gio 02 lug 2020 17:17:06 CEST
gpg: using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
bruno@LT_B:~/Downloads>
% gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256
gpg: Signature made Tue 30 Jun 2020 10:52:45 AM CDT
gpg: using RSA key 70AF9E8139DB7C82
gpg: Good signature from "SuSE Package Signing Key <build@suse.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82
Neil, I think that is what Lubos referred to in posts #4 and #6.
Now there is an amended .sha256 file (signed 2nd July) with a different signature consistent with what the Wiki page reads, see my post #8.
So if you download and check NOW you find something consistent with the download and wiki pages.
When I look at the download site, I see that the signature file has today’s date. But when I download with “wget”, I receive a file with a Jun 30 date. I guess the mirrors have not yet resynchronized on that file.
This won’t work as intended until the mirrors are synced. My “wget” output shows that I am downloading from “mirror.us.leaseweb.net”.
That was the contents of the “openSUSE-Leap-15.2-DVD-x86_64.iso.sha256” file as I downloaded it from multiple servers. Now that you are pointing out there was “15.1” in the “openSUSE-Leap-15.2-DVD-x86_64.iso.sha256” file, I’m a bit surprised I had not noticed that.
I just tried a fresh download. And this time, I got the new version of the file. It has the same sha256 checksum, but it is signed by the opensuse project key instead of the build system key.
% gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256
gpg: Signature made Thu 02 Jul 2020 10:17:06 AM CDT
gpg: using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [full]
You might still see a message that the signing key is not trusted, depending on your gpg trust settings.
If you have the “openSUSE-Leap-15.2-DVD-x86_64.iso.sha256” file that is 630 bytes in length, you have the bad file and should download it again to get the correct file.
Thanks to everyone who helped in this thread. I wish to extend special gratitude to the openSUSE team that promptly replied to the first message I posted in this thread, and had the fix in place shortly thereafter. That fabulous level of support compels me to continue being an openSUSE user.
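Added example, not written by any poster in this thread: both versions of the .sha256 file produced "Good signature", so a scripted check should compare the signer's fingerprint with the one published for the project key rather than trust that message alone. The function names and the sample status lines are constructed for illustration, the fingerprints are the ones quoted above, and the script assumes the .sha256 file carries an inline signature as in the gpg --verify runs shown.

```shell
#!/bin/sh
# Added example. Pin the signer instead of accepting any "Good signature".
# Fingerprint as quoted in the thread for the openSUSE Project Signing Key.
EXPECTED_FPR=22C07BA534178CD02EFE22AAB88B2FD43DBDC284

# Constructed gpg --status-fd samples (timestamps and field values are illustrative).
SAMPLE_PROJECT_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B88B2FD43DBDC284 openSUSE Project Signing Key <opensuse@opensuse.org>
[GNUPG:] VALIDSIG 22C07BA534178CD02EFE22AAB88B2FD43DBDC284 2020-07-02 1593703026 0 4 0 1 8 01 22C07BA534178CD02EFE22AAB88B2FD43DBDC284'
SAMPLE_BUILD_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 70AF9E8139DB7C82 SuSE Package Signing Key <build@suse.de>
[GNUPG:] VALIDSIG FEAB502539D846DB2C0961CA70AF9E8139DB7C82 2020-06-30 1593532365 0 4 0 1 8 01 FEAB502539D846DB2C0961CA70AF9E8139DB7C82'

# Read status lines on stdin and print the primary-key fingerprint of the
# signature. Fails unless there is exactly one VALIDSIG line.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
         END { if (n != 1) exit 1; print fpr }'
}

# usage: signed_by_pinned_key FINGERPRINT < status-lines
signed_by_pinned_key() {
    fpr=$(signer_fpr) || return 1
    [ "$fpr" = "$1" ]
}

# usage: verify_release FILE.sha256   (run in the directory holding the ISO)
verify_release() {
    body=$(mktemp) || return 1
    # One gpg run: verified text goes to $body, machine-readable status to stdout.
    if gpg --batch --yes --status-fd 1 --output "$body" --decrypt "$1" 2>/dev/null |
        signed_by_pinned_key "$EXPECTED_FPR"
    then
        sha256sum -c "$body"; rc=$?   # hashes come only from the verified text
    else
        echo "$1: no valid signature from $EXPECTED_FPR" >&2; rc=1
    fi
    rm -f "$body"
    return "$rc"
}
```

With the June 30 file this check fails even though gpg reports a good signature, because the signer is the build key rather than the pinned project key.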