GPG verification of the Leap 15.2 SHA256 file fails

**OrsoBruno** · 02-Jul-2020, 09:15

Originally Posted by nrickert

I get:

Code:

% gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256
gpg: Signature made Tue 30 Jun 2020 10:52:45 AM CDT
gpg:                using RSA key 70AF9E8139DB7C82
gpg: Good signature from "SuSE Package Signing Key <build@suse.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FEAB 5025 39D8 46DB 2C09  61CA 70AF 9E81 39DB 7C82

I think you need:

Code:

gpg --recv-key 70AF9E8139DB7C82

Neil, I think that is what Lubos referred to in posts #4 and #6.
Now there is an amended .sha256 file (signed 2nd July) with a different signature consistent with what the Wiki page reads, see my post #8.
So if you download and check NOW you find something consistent with the download and wiki pages.

**nrickert** · 02-Jul-2020, 09:37

Originally Posted by OrsoBruno

Just download the fixed file from http://download.opensuse.org/distrib...leap/15.2/iso/

Nice idea.

When I look at the download site, I see that the signature file has today's date. But when I download with "wget", I receive a file with a Jun 30 date. I guess the mirrors have not yet resynchronized on that file.

This won't work as intended until the mirrors are synced. My "wget" output shows that I am downloading from "mirror.us.leaseweb.net".

**Max314** · 02-Jul-2020, 09:44

Originally Posted by hcvv

Explain why there is 15.1 in your first post, you confused Guillaume_G with it.

That was the contents of the "openSUSE-Leap-15.2-DVD-x86_64.iso.sha256" file as I downloaded it from multiple servers. Now that you are pointing out there was "15.1" in the "openSUSE-Leap-15.2-DVD-x86_64.iso.sha256" file, I'm a bit surprised I had not noticed that.

**Max314** · 02-Jul-2020, 09:45

Originally Posted by nrickert

Nice idea.

When I look at the download site, I see that the signature file has today's date. But when I download with "wget", I receive a file with a Jun 30 date. I guess the mirrors have not yet resynchronized on that file.

On my original download of "openSUSE-Leap-15.2-DVD-x86_64.iso.sha256", I got the Jun 30 date too.

**nrickert** · 02-Jul-2020, 12:30

I just tried a fresh download. And this time, I got the new version of the file. It has the same sha256 checksum, but it is signed by the opensuse project key instead of the build system key.

Code:

% gpg --verify openSUSE-Leap-15.2-DVD-x86_64.iso.sha256
gpg: Signature made Thu 02 Jul 2020 10:17:06 AM CDT
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [full]

You might still see a message that the signing key is not trusted, depending on your gpg trust settings.

**Max314** · 02-Jul-2020, 18:46

I checked all the "openSUSE-Leap-15.2-DVD-x86_64.iso.sha256" files on all the servers listed at:
https://download.opensuse.org/distri...iso?mirrorlist
and as of writing this message, they all have the correct file now, which is 628 bytes in length.

If you have the "openSUSE-Leap-15.2-DVD-x86_64.iso.sha256" file that is 630 bytes in length, you have the bad file and should download it again to get the correct file.

Thanks to everyone who helped in this thread. I wish to extend special gratitude to the openSUSE team that promptly replied to the first message I posted in this thread, and had the fix in place shortly thereafter. That fabulous level of support compels me to continue being an openSUSE user.
---
Thank You,
Max