How to verify ISO download is not compromised? 15.3

Hello, I’m having a difficult time understanding how to verify the ISO I downloaded has a valid checksum. I’m trying to follow these instructions but this is more difficult than I anticipated.

Instructions

Specifically, I downloaded this ISO and these other two files.
https://i.imgur.com/yH4ZDOG.png

I downloaded them from this link.

When I ran the first command in the instructions above nothing was returned. See below.

/Documents/suse/secure # ll
total 4491376
-rwxr--r-- 1 users 4599054336 Feb 20 12:30 openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso
-rw-r--r-- 1 users 118 Feb 21 20:02 openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
-rw-r--r-- 1 users 481 Feb 21 18:24 openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256.asc

When I ran this it didn’t show anything, so maybe the syntax is wrong?

/Documents/suse/secure # sha256sum openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso > openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256

And when I tried running the second command it gave me this error:
create $HOME/.gnupg
If ‘create’ is not a typo you can use command-not-found to lookup the package that contains it, like this:
cnf create

Appreciate any help on getting this verified as authentic. I don’t want to risk booting or running a bad distro.
I don’t know why I’m having such a hard time understanding what should be simple. I think my old age is getting to me and I’m not as good at Linux as I used to be! Sad but true.
Thanks for any ideas. I want to try this on a thumb drive to see if it works with my Windows 11 laptop (Lenovo Yoga 9I). The Linux Mint distro I just tried didn’t work well at all on this laptop since it couldn’t pick up the track pad.
Appreciate any info on how to verify this download is legit!

I’m currently running 15.2 on another laptop and like it a lot, so I figured I would give 15.3 a try and possibly load it alongside Windows 11 in a dual-boot setup.

I just got a little further and managed to verify the sha256 in the second file in my screenshot.

I ran the commands like this instead.

asus2:/home/user/Documents/suse/secure # sha256sum openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso
e377fff244d36c3a1a03092d6f14230fdae8bd116dff638a2b3a41d89d51390a  openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso
asus2:/home/user/Documents/suse/secure # cat openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
e377fff244d36c3a1a03092d6f14230fdae8bd116dff638a2b3a41d89d51390a  openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso

So, since this value matches e377fff244d36c3a1a03092d6f14230fdae8bd116dff638a2b3a41d89d51390a I guess I’m halfway verified. Do you know why the 4th step didn’t work?
Appreciate any insight or help before I try to burn this image to USB and try booting off it.

Hi
Just use the following:


sha256sum -c  openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256

I normally “cd” to the directory with those files. And then I run:


gpg --verify openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256.asc openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256

sha256sum -c openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256

It seems that you are not an experienced “gpg” user, so I suggest you skip the first of those commands.

For myself, I have been using “gpg” for 20+ years, and I have the openSUSE project key on my keyring. But that last sentence might not be meaningful to you.

The “gpg” command tells me that the signature on the “sha256” file is fine. The “sha256sum” command then checks the iso to see that it matches the sha256 hash.


Run the commands given by nrickert as user, not as root.

Yes, definitely good advice.

If those downloaded files happen to be the only ones in that download directory (as they usually are for me), then I would use the abbreviated form of those commands:


gpg --verify *.asc *6
sha256sum -c *6

That makes for easier typing.

Hi guys, thanks for your valuable input! For some reason my Leap 15.2 always starts the terminal as root. I was able to switch to my user account via: su -l user

I did get a little further but I still have a gpg issue with the public key. I think this download / ISO is good but I want to confirm before testing with it, as a best security practice.

Thanks for any additional input!

/Documents/suse/secure> ls
openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso
openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256.asc
tcpdumpfacebook
:~/Documents/suse/secure> gpg --verify openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256.asc openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
gpg: Signature made Fri 05 Nov 2021 10:03:32 AM MDT
gpg:                using RSA key B88B2FD43DBDC284
gpg: Can't check signature: No public key
:~/Documents/suse/secure> create $HOME/.gnupg
If 'create' is not a typo you can use command-not-found to lookup the package that contains it, like this:
    cnf create
:~/Documents/suse/secure> sha256sum -c openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso: OK


https://en.opensuse.org/SDB:Download_help#Checksums


stephan@linux64:/mnt/2TB/Container/ISO/openSUSE-Leap-15.3-DVD-x86 64> LANG=C gpg --verify openSUSE-Leap-15.3-DVD-x86_64.iso.sha256.asc 
gpg: assuming signed data in 'openSUSE-Leap-15.3-DVD-x86_64.iso.sha256'
gpg: Signature made Mi 26 Mai 2021 14:56:40 CEST
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
stephan@linux64:/mnt/2TB/Container/ISO/openSUSE-Leap-15.3-DVD-x86 64> shasum -c openSUSE-Leap-15.3-DVD-x86_64.iso.sha256
openSUSE-Leap-15.3-DVD-x86_64.iso: OK
stephan@linux64:/mnt/2TB/Container/ISO/openSUSE-Leap-15.3-DVD-x86 64> 


I know, it’s not related to the issue of this thread but anyway, have a look here.
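The two checks nrickert describes, plus a way to read the "No public key" and "not certified with a trusted signature" results shown in the sessions above, as an added shell example that is not from the thread or from the openSUSE project: it reads gpg's machine-readable status lines instead of the human-readable stderr text and pins the signing key fingerprint printed in Sauerland's output. The script name and the argument order are assumptions; it expects the downloaded .asc and .sha256 files as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: the two checks nrickert describes,
# but reading gpg's --status-fd lines instead of eyeballing the stderr text,
# and pinning the signing key's fingerprint so the "not certified with a
# trusted signature" warning no longer needs a web-of-trust judgement.

# Fingerprint of the openSUSE Project Signing Key, as printed in the thread.
OPENSUSE_FPR="22C07BA534178CD02EFE22AAB88B2FD43DBDC284"

# Read gpg status lines from stdin, print one verdict word and return:
#   0 valid     VALIDSIG from the pinned key
#   1 wrongkey  a good signature, but made by some other key
#   2 nopubkey  "Can't check signature: No public key" -- nothing was verified
#   3 bad       BADSIG, or no signature verdict at all
classify_gpg_status() {
    expected="$1"
    verdict="bad"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}   # fingerprint is the next field
                fpr=${rest%% *}
                if [ "$fpr" = "$expected" ]; then verdict="valid"; else verdict="wrongkey"; fi ;;
            "[GNUPG:] NO_PUBKEY "*) verdict="nopubkey" ;;
            "[GNUPG:] BADSIG "*)    verdict="bad" ;;
        esac
    done
    printf '%s\n' "$verdict"
    case "$verdict" in
        valid) return 0 ;; wrongkey) return 1 ;; nopubkey) return 2 ;; *) return 3 ;;
    esac
}

# Step one: check the detached signature ($1 = .asc) over the checksum file ($2).
verify_signature() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status "$OPENSUSE_FPR"
}

# Step two: sha256sum -c on the signed checksum file ($1). The file names only
# the ISO's basename, so run it from the directory holding both files.
verify_checksum() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")")
}

# Usage: sh verify-iso.sh Media.iso.sha256.asc Media.iso.sha256
if [ "$#" -eq 2 ]; then
    verify_signature "$1" "$2" && verify_checksum "$2"
fi
```

Step two only means something if the .sha256 file is the one you downloaded: the `sha256sum ... > ...iso.sha256` redirection at the top of the thread overwrites it with a hash computed from the local ISO, after which sha256sum -c would report OK for any ISO. Step one can return nothing but nopubkey until the key has been imported (gpg --recv-keys with the fingerprint above).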

Hi Sauerland, thanks for your input. It appears this image is legit, huh? I wasn’t sure based on the gpg output you provided. Based on this output in your gpg:
gpg: WARNING: This key is not certified with a trusted signature!

I tried to get the keys using your link but still have errors:

asus2:~/Documents/suse/secure> gpg --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: keyserver receive failed: Server indicated a failure
asus2:~/Documents/suse/secure> gpg --keyserver pgp.mit.edu --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: keyserver receive failed: No data

I’m assuming the image I downloaded is legit and verified now? Should I go ahead and burn it to USB and begin testing on my Yoga laptop? As nrickert mentioned, I’m definitely not an experienced gpg user.

asus2:~/Documents/suse/secure> sha256sum -c openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso: OK

kasi042, thanks for the info on starting in root. I’ll look into that on my 15.2 build. It wasn’t bothering me since I usually go into root, but it’s probably not best practice for security reasons.