How to verify ISO download is not compromised? 15.3

Hello, I’m having a difficult time understanding how to verify the ISO I downloaded has a valid checksum. I’m trying to follow these instructions but this is more difficult than I anticipated.


Specifically, I downloaded this ISO and these other two files.

I downloaded them from this link.

When I ran the first command in the instructions above nothing was returned. See below.

/Documents/suse/secure # ll
total 4491376
-rwxr–r-- 1 users 4599054336 Feb 20 12:30 openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso
-rw-r–r-- 1 users 118 Feb 21 20:02 openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
-rw-r–r-- 1 users 481 Feb 21 18:24 openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256.asc

When I ran this is doesn’t show anything so maybe the syntax is wrong?

/Documents/suse/secure # sha256sum openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso > openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256

And when I tried running the second command it gave me this error>
create $HOME/.gnupg
If ‘create’ is not a typo you can use command-not-found to lookup the package that contains it, like this:
cnf create

Appreciated any help on getting this verified as authenticate. I don’t want to risk booting or running a bad distro.
I don’t know why I’m having such a hard time understanding what should be simple. I think my old age is getting to me and I’m not as good at Linux as I used to be! Sad but true.
Thanks for any ideas. I want to try this on a Thumb drive to see if it works with my Windows 11 laptop (Lenovo Yoga 9I). The Linux Mint distro I just tried didn’t work good at all on this laptop since it couldn’t pick up the track pad.
Appreciate any info on how to verify this download is legit!

I’m currently running 15.2 on another Laptop and like it a lot so figured I would give 15.3 a try and possibly try to load it alongside with Windows 11 in dual boot setup.

I just got a little further and managed to verify the sha256 in the second file in my screenshot.

I ran the commands like this instead.

asus2:/home/user/Documents/suse/secure # sha256sum openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.isoe377fff244d36c3a1a03092d6f14230fdae8bd116dff638a2b3a41d89d51390a  openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso
asus2:/home/user/Documents/suse/secure # cat openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
e377fff244d36c3a1a03092d6f14230fdae8bd116dff638a2b3a41d89d51390a  openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso

So, since this value matches e377fff244d36c3a1a03092d6f14230fdae8bd116dff638a2b3a41d89d51390a I guess I’m half way verified. Do you know why the 4th step didn’t work?
Appreciate any insight or help before I try to burn this image to USB and try booting off it.

Just use the following;

sha256sum -c  openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256

I normally “cd” to the directory with those files. And then I run:

gpg --verify openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256.asc openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256

sha256sum -c openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256

It seems that you are not an experienced “gpg” user, so I suggest you skip the first of those commands.

For myself, I have been using “gpg” for 20+ years, and I have the openSUSE project key on my keyring. But that last sentence might not be meaningful to you.

The “gpg” command tells me that the signature on the “sha256” file is fine. The “sha256sum” command then checks the iso to see that it matches the sha256 hash.

asus2:/home/user/Documents/suse/secure #

run the commands given by nickert as User, not as root.

Yes, definitely good advice.

If those downloaded files happen to be the only ones in that download directory (as they usually are for me), then I would use the abbreviated form of those commands:

gpg --verify *.asc *6
sha256sum -c *6

That makes for easier typing.

Hi guys, thanks for your valuable input! For some reason my Leap 15.2 always starts the terminal as root. I was able to switch to my user account via > su -l user

I did get a little further but I still have gpg issue with public key. I think this download / ISO is good but I want to confirm before testing with it as best security practices.

Thanks for any additional input!

/Documents/suse/secure> ls
:~/Documents/suse/secure> gpg --verify openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256.asc openSUSE-Leap-15.3-2-DVD-x86_
gpg: Signature made Fri 05 Nov 2021 10:03:32 AM MDT
gpg:                using RSA key B88B2FD43DBDC284
gpg: Can't check signature: No public key
:~/Documents/suse/secure> create $HOME/.gnupg
If 'create' is not a typo you can use command-not-found to lookup the package that contains it, like this:
    cnf create
:~/Documents/suse/secure> sha256sum -c openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso: OK

stephan@linux64:/mnt/2TB/Container/ISO/openSUSE-Leap-15.3-DVD-x86 64> LANG=C gpg --verify openSUSE-Leap-15.3-DVD-x86_64.iso.sha256.asc 
gpg: assuming signed data in 'openSUSE-Leap-15.3-DVD-x86_64.iso.sha256'
gpg: Signature made Mi 26 Mai 2021 14:56:40 CEST
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
stephan@linux64:/mnt/2TB/Container/ISO/openSUSE-Leap-15.3-DVD-x86 64> shasum -c openSUSE-Leap-15.3-DVD-x86_64.iso.sha256
openSUSE-Leap-15.3-DVD-x86_64.iso: OK
stephan@linux64:/mnt/2TB/Container/ISO/openSUSE-Leap-15.3-DVD-x86 64> 

I know, it’s not related to the issue of this thread but anyway, have a look here.

Hi Sauerland, thanks for your input. It appears this image is legit huh? I wasn’t sure based on the gpg output you provided. Based on this output in your gpg>
gpg: WARNING: This key is not certified with a trusted signature!

I tried to get the keys using your link but still have errors>

asus2:~/Documents/suse/secure> gpg --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: keyserver receive failed: Server indicated a failure
asus2:~/Documents/suse/secure> gpg --keyserver --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284

gpg: keyserver receive failed: No data

I’m assuming the image I downloaded is legit and verified now? Should I go ahead and burn it to USB and begin testing on my yoga laptop? As nrickert mentioned I’m definitely not an experienced gpg user. :slight_smile:

asus2:~/Documents/suse/secure> sha256sum -c openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso.sha256
openSUSE-Leap-15.3-2-DVD-x86_64-Build24.5-Media.iso: OK

kasi042 , Thanks for the info on starting in root. I’ll look into that on my 15.2 build. It wasn’t bothering me since I usually go into root but probably not best practice for security reasons.