iso fails gpg checksum on download of Leap 42.3

Hello, we are attempting to install Leap 42.3 on a Lenovo T61 with 4gb after a failed burned attempt and wanted to verify we had the correct file before burning to dvd again.

Reading SDB:Download Help

After downloading and checking the dvd installation media file the checksum command gpg fails with the message …

joe@linux-pzcr:~/Downloads> sha256sum -c openSUSE-Leap-42.3-DVD-x86_64.iso.sha256
openSUSE-Leap-42.3-DVD-x86_64.iso: OK
sha256sum: WARNING: 14 lines are improperly formatted

joe@linux-pzcr:~/Downloads> gpg --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: WARNING: unsafe permissions on configuration file `/home/joe/.gnupg/gpg.conf'
gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/joe/.gnupg/gpg.conf'
gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: General error
gpg: keyserver receive failed: General error
joe@linux-pzcr:~/Downloads>

Is it safe to ignore the gpg or is it important to get this double check first just to be certain?

thanks for *any* advice!

Fix your file permissions and try again.

This part is fine. The WARNING can be ignored. The iso file checked as OK.

joe@linux-pzcr:~/Downloads> gpg --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: WARNING: unsafe permissions on configuration file `/home/joe/.gnupg/gpg.conf'
gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/joe/.gnupg/gpg.conf'

You need to fix those permissions.

The chances are that your download is fine. So you could ignore the “gpg” check. But you will run into those problems again with other uses of “gpg”.

Things to check:

The directory “.gnupg” should be writable only by you. It should not be group writable or other writable. It is best that it also be readable only by you. Typical permissions should be drwx------ with you as the owner.
Your home directory should not be group writable or other-writable, though it is okay for it to be readable by others. Typical permissions are drwxr-xr-x. The same applies to the “/home” directory and to the “/” directory.
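The checklist from the reply above as a small shell audit. This is an added example, not part of the original thread; the function names are made up for illustration, and `stat -c` assumes GNU coreutils as shipped on openSUSE.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit the permissions the
# reply lists for ~/.gnupg, the home directory, /home and /.

# Succeeds if the path is writable by group or other.
is_loosely_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    # Treat the mode as octal; 022 masks the group and other write bits.
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Succeeds if the directory is owned by the caller and gives no access
# at all to group or other (drwx------).
gnupg_dir_ok() {
    [ -d "$1" ] && [ -O "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print one line per problem found; return non-zero if there was any.
# $1 = gnupg directory, $2 = home directory.
audit_gnupg() {
    gnupg=$1
    home=$2
    rc=0
    if ! gnupg_dir_ok "$gnupg"; then
        echo "FIX: $gnupg must be owned by you with mode 700 (chmod 700)"
        rc=1
    fi
    # The home directory, its parent (/home) and / may be readable by
    # others but must not be group- or other-writable.
    for d in "$home" "$(dirname "$home")" /; do
        if is_loosely_writable "$d"; then
            echo "FIX: $d is group- or other-writable (chmod go-w)"
            rc=1
        fi
    done
    return $rc
}

# Typical call:
#   audit_gnupg "$HOME/.gnupg" "$HOME"
```
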

First thank you for all the very useful replies …

I have changed the permissions on the /home/joe/.gnupg folder and now get this output from gpg command

joe@linux-pzcr:~> gpg --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg: requesting key 3DBDC284 from hkp server keys.gnupg.net
gpg: key 3DBDC284: public key “openSUSE Project Signing Key <opensuse@opensuse.org>” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
joe@linux-pzcr:~>

The key has imported but it is not conclusive … I will do more research and go from there … we have not used gpg on past releases as everything installed fine.

thanks again !

Further to my last post I have now verified that the downloaded file is correct …

joe@linux-pzcr:~/Downloads> gpg --verify openSUSE-Leap-42.3-DVD-x86_64.iso.sha256
gpg: Signature made Fri 21 Jul 2017 11:10:34 BST using RSA key ID 3DBDC284
gpg: Good signature from “openSUSE Project Signing Key <opensuse@opensuse.org>” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
joe@linux-pzcr:~/Downloads>

Please mark this thread as [SOLVED]

thanks

You verified that file with sha256 sum is correct. Is it what you tried to do? I suspect, not …

He did previously check the downloaded iso – see the opening post of the thread. Verifying the .sha256 file was where he ran into problems.