I am trying to rescue a messed up Tumbleweed system.
However when downloading the image files I get sha256sum issues for all the iso files I tried: improperly formatted lines (checking all that on a working Leap 15 system):
I tried redownloading the images and the checksums several times - nothing changes.
Why do the original checksums have these issues, and what am I supposed to do: ignore the errors and use the images regardless of the messages, or something else? (FWIW: my Internet connection is fine and very stable)
The openSUSE development team very kindly sign these checksum files, so that we can verify them.
The “14 lines are improperly formatted” is referring to the GPG signature, which does not look at all like a sha256 checksum, hence is “improperly formatted”.
I figured that but what about the ones which don’t show “OK”?
I tried running gpg as per your advice and I got:
gpg --verify openSUSE-Tumbleweed-NET-i586-Snapshot20190224-Media.iso.sha256
gpg: Signature made Mon 25 Feb 2019 16:46 EET
gpg: using RSA key B88B2FD43DBDC284
gpg: Can't check signature: No public key
I have no idea what this means though. Have you?
Then I followed the last message and the instruction given here:
This depends on whether you marked this key (or key used to sign this key etc) as trusted in your local keyring.
bor@bor-Latitude-E5450:~/Загрузки$ LC_ALL=C.utf8 gpg --output - --verify openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso.sha256 | LC_ALL=C.utf8 sha256sum -c
gpg: Signature made Mon Feb 25 17:46:28 2019 MSK
gpg: using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso: OK
bor@bor-Latitude-E5450:~/Загрузки$
That was from part of the output that I posted earlier (from post #9 in this thread):
gpg: Signature made Tue 22 Jan 2019 07:23:14 AM CST
gpg: using RSA key B88B2FD43DBDC284
And, actually, it is also there in your output:
gpg: Signature made Mon 25 Feb 2019 16:46 EET
gpg: using RSA key B88B2FD43DBDC284
gpg: Can't check signature: No public key
Also: how do I remove from the system the previously added one (9C800ACA) which I showed in an earlier reply and which doesn’t seem to be helpful?
There’s no need to remove that. Usually, you keep gpg keys in your keyring forever. You just add additional ones as needed.
And yes, if all you do is add the key, then the gpg check will tell you that the signature matches the key in your ring, but that it does not know if the key can be trusted.
In my case, I have previously made the decision that I trust this key, so I have signed that key (using my own key) to show trust. How or whether you make that trust decision is up to you.
Yes, having different images with different checksum files is not nice and makes it impossible to have a common way to check the signature. Care to report it on bugzilla?
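An added example, not from any poster in this thread or from openSUSE: a Python sketch of the two checks discussed above. It classifies the `[GNUPG:]` status lines that `gpg --status-fd 1 --verify FILE` prints (telling "No public key" apart from a good signature by the expected key) and accepts a checksum only from a list signed by that key. The function names and all sample data are constructed for illustration, and the pinned fingerprint is the one gpg printed in the thread, which you should confirm against a source you trust.

```python
import hashlib
import re

# Primary key fingerprint as printed by gpg in this thread, spaces removed.
PINNED_FPR = "22C07BA534178CD02EFE22AAB88B2FD43DBDC284"
CHECKSUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def signature_state(status_text, pinned_fpr=PINNED_FPR):
    """Classify the [GNUPG:] lines gpg writes when run with --status-fd."""
    fields = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "[GNUPG:]":
            fields[parts[1]] = parts[2:]
    if "BADSIG" in fields:
        return "bad-signature"
    if "NO_PUBKEY" in fields:  # the "Can't check signature: No public key" case
        return "no-public-key"
    args = fields.get("VALIDSIG")
    if not args:
        return "unverified"
    # First field is the signing key fingerprint, last the primary key's.
    return "good-pinned-key" if pinned_fpr in (args[0], args[-1]) else "good-other-key"

def split_checksum_lines(text):
    """Return ({filename: digest}, number of lines that are not checksum entries)."""
    digests, other = {}, 0
    for line in text.splitlines():
        match = CHECKSUM_LINE.match(line)
        if match:
            digests[match.group(2)] = match.group(1)
        elif line.strip():  # blank lines are not counted
            other += 1
    return digests, other

def iso_is_authentic(status_text, verified_payload, name, data):
    """True only if the pinned key signed the list and the digest matches."""
    if signature_state(status_text) != "good-pinned-key":
        return False
    digests, _ = split_checksum_lines(verified_payload)
    return digests.get(name) == hashlib.sha256(data).hexdigest()

# Constructed sample data (not real openSUSE files, signatures or gpg output).
ISO_NAME, ISO_DATA = "example.iso", b"constructed image bytes"
PAYLOAD = hashlib.sha256(ISO_DATA).hexdigest() + "  " + ISO_NAME + "\n"
CLEARSIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + PAYLOAD +
               "-----BEGIN PGP SIGNATURE-----\n\nQ09OU1RSVUNURUQ=\n=AAAA\n"
               "-----END PGP SIGNATURE-----\n")
STATUS_GOOD = "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2019-02-25 1551105988 0 4 0 1 8 01 " + PINNED_FPR
STATUS_NOKEY = "[GNUPG:] ERRSIG B88B2FD43DBDC284 1 8 01 1551105988 9\n[GNUPG:] NO_PUBKEY B88B2FD43DBDC284"
```

Running `split_checksum_lines` on the raw clearsigned file shows why `sha256sum -c` complains about it: every armor and signature line fails the checksum pattern, while the one real entry still parses.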