ISO images downloaded from opensuse.org give: no properly formatted SHA256 checksum lines found

Hi,

I am trying to rescue a messed up Tumbleweed system.
However when downloading the image files I get sha256sum issues for all the iso files I tried: improperly formatted lines (checking all that on a working Leap 15 system):


~]: l openSUSE-Tumbleweed-*
-rw------- 1 username users 4477419520 2019-02-26 16:36:49 openSUSE-Tumbleweed-DVD-i586-Snapshot20190224-Media.iso
-rw------- 1 username users        652 2019-02-26 16:34:16 openSUSE-Tumbleweed-DVD-i586-Snapshot20190224-Media.iso.sha256
-rw------- 1 username users  948961280 2019-02-26 16:30:46 openSUSE-Tumbleweed-GNOME-Live-i686-Snapshot20190224-Media.iso
-rw------- 1 username users        595 2019-02-26 16:30:18 openSUSE-Tumbleweed-GNOME-Live-i686-Snapshot20190224-Media.iso.sha256
-rw------- 1 username users  117440512 2019-02-26 16:16:32 openSUSE-Tumbleweed-NET-i586-Snapshot20190224-Media.iso
-rw------- 1 username users        652 2019-02-26 16:32:29 openSUSE-Tumbleweed-NET-i586-Snapshot20190224-Media.iso.sha256
-rw------- 1 username users  134217728 2019-02-26 16:33:47 openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso
-rw------- 1 username users        654 2019-02-26 16:33:44 openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso.sha256
-rw------- 1 username users  628097024 2019-02-26 16:14:57 openSUSE-Tumbleweed-Rescue-CD-i686-Snapshot20190224-Media.iso
-rw------- 1 username users        595 2019-02-26 16:14:43 openSUSE-Tumbleweed-Rescue-CD-i686-Snapshot20190224-Media.iso.sha256
~]: sha256sum -c openSUSE-Tumbleweed-DVD-i586-Snapshot20190224-Media.iso.sha256
openSUSE-Tumbleweed-DVD-i586-Snapshot20190224-Media.iso: OK
sha256sum: WARNING: 14 lines are improperly formatted
~]: sha256sum -c openSUSE-Tumbleweed-GNOME-Live-i686-Snapshot20190224-Media.iso.sha256
sha256sum: openSUSE-Tumbleweed-GNOME-Live-i686-Snapshot20190224-Media.iso.sha256: no properly formatted SHA256 checksum lines found
~]: sha256sum -c openSUSE-Tumbleweed-NET-i586-Snapshot20190224-Media.iso.sha256
openSUSE-Tumbleweed-NET-i586-Snapshot20190224-Media.iso: OK
sha256sum: WARNING: 14 lines are improperly formatted
~]: sha256sum -c openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso.sha256
openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso: OK
sha256sum: WARNING: 14 lines are improperly formatted
~]: sha256sum -c openSUSE-Tumbleweed-Rescue-CD-i686-Snapshot20190224-Media.iso.sha256
sha256sum: openSUSE-Tumbleweed-Rescue-CD-i686-Snapshot20190224-Media.iso.sha256: no properly formatted SHA256 checksum lines found
~]:

I tried redownloading the images and the checksums several times - nothing changes.

Why do the original checksums have these issues, and what am I supposed to do: ignore the errors and use the images regardless of the messages, or something else? (FWIW: my Internet connection is fine and very stable)

Try downloading from here:

https://en.opensuse.org/openSUSE:Tumbleweed_installation

I get

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

24488f0f60dbc4cbdd87e2f8f4100e391744bbc9436174c2b527d4d677008e27  openSUSE-Tumbleweed-DVD-x86_64-Snapshot20190224-Media.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQEVAwUBXHQAPriLL9Q9vcKEAQj7/ggAzrGF7ttzXkWoUAzilDrVWQFvVEb/SZmn
NAORkvEUrqBQtoksoWdsjnRs67wo7be93J1g1YRRBQm69FUcMNVLSCeX16cDkFr/
d+yvSThM75VcHmtmMFRUN3W/mfiSnMn00EwRCgVB2xvUYeXE917tWkQwfWb1CcN9
wmORKgubqHtGAvMdMkSigDxXVQ/tE52NAprndpB7sOepp+h69gsm0/GQW56hER4c
3sM9TwtE6uQg5eorduAidfkqC53jrC7vMrrt0fuZtJJpyaPTFMf5p4nDvec2zI4a
hMyvS43MBMe09/7yy1artDyQ7BujKlHogxWAH9PlT9RFdqDepw6LjQ==
=7iVi
-----END PGP SIGNATURE-----

??

Those are the same links I used but as it seems that has nothing to do with the issue.
I am in need of the 32-bit version (it’s an old machine).

hmm, take the i586 iso and give it a try

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

c90485fbfa840bed0142fb3d86e2bd5150906741a984fcd37fb6e1f832044b5d  openSUSE-Tumbleweed-DVD-i586-Snapshot20190224-Media.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQEVAwUBXHQAPbiLL9Q9vcKEAQg72Af9EqZMB3dpl5zUxm8VR3qlF2hJ2aDnFveL
ivKtlSynkK2YVxvvKBV0kf38QEZAoyGHPcOoZcTRXkbEFxgcf99gk4gyy+Sy10in
1W3HrZta3exPg+lsT9IqoeLWnWc2yTX5oD25u+xxSJTfV/s2QaL2tDkcn9OHsG9e
BmB2XR0LkI2xuNHelEHMHImseEe/m67V2aLSXINx4fHuEIHVPWsBMELtcyRypjrW
NoEdNEiK7jaN9fEfWmEfVMvck06y3HZ+rcAvNAh6U+mmWeOr/rOALflofDEgokoS
TOqzAHyUSaavYSGksS3pk1rVYqupjvlcuLiHSyZCPwwLpTiDxrv0Zw==
=JSVQ
-----END PGP SIGNATURE-----

but this here might apply:

https://forums.opensuse.org/showthread.php/523897-i586-(32bit)-on-Dell-Latitude-D505

That’s fine. It says that your downloaded iso is OK. Nothing to worry about.

I have not downloaded that iso as of yet (or probably ever). But if I did, I would also use:

gpg --verify openSUSE-Tumbleweed-DVD-i586-Snapshot20190224-Media.iso.sha256

to check the gpg signature.

The openSUSE development team very kindly sign these checksum files, so that we can verify them.

The “14 lines are improperly formatted” is referring to the GPG signature, which does not look at all like a sha256 checksum, hence is “improperly formatted”.

ooops, I missed the -c …

I always download both the iso and the checksums and do

sha256sum OpenSUSETWwhatsowever.iso | grep ((fill in here checksum from file)) 

:slight_smile:

I figured that but what about the ones which don’t show “OK”?

I tried running gpg as per your advice and I got:


gpg --verify openSUSE-Tumbleweed-NET-i586-Snapshot20190224-Media.iso.sha256
gpg: Signature made Mon 25 Feb 2019 16:46 EET
gpg:                using RSA key B88B2FD43DBDC284
gpg: Can't check signature: No public key

I have no idea what this means though. Have you?

Then I followed the last message and the instruction given here:


gpg --recv-keys 9C800ACA
gpg: key A84EDAE89C800ACA: 6 duplicate signatures removed
gpg: key A84EDAE89C800ACA: 81 signatures not checked due to missing keys
gpg: key A84EDAE89C800ACA: public key "SuSE Package Signing Key <build@suse.de>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1

but even after that I still get the “gpg: Can’t check signature: No public key” message.

gpg --output - openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso.sha256 2> /dev/null | sha256sum -c

Here’s the output from an older iso (the most recent that I have downloaded):


% gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Snapshot20190121-Media.iso.sha256
gpg: Signature made Tue 22 Jan 2019 07:23:14 AM CST
gpg:                using RSA key B88B2FD43DBDC284
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   4  signed:  32  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1  valid:  32  signed:   8  trust: 30-, 0q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2019-08-27
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [full]

You will need to add the opensuse signing key to your gpg keyring to be able to verify. Try:

gpg --recv-key B88B2FD43DBDC284

This depends on whether you marked this key (or key used to sign this key etc) as trusted in your local keyring.

bor@bor-Latitude-E5450:~/Загрузки$ LC_ALL=C.utf8 gpg --output - --verify openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso.sha256  | LC_ALL=C.utf8 sha256sum -c
gpg: Signature made Mon Feb 25 17:46:28 2019 MSK
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown]
gpg: **WARNING: This key is not certified with a trusted signature!**
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
openSUSE-Tumbleweed-NET-x86_64-Snapshot20190224-Media.iso: OK
bor@bor-Latitude-E5450:~/Загрузки$ 

Interesting. I am still learning about public keys, so my knowledge about that stuff is pretty superficial.

This seems to simply hide the disturbing message, right? Trying with another checksum still shows the issue as before:


gpg --output - openSUSE-Tumbleweed-Rescue-CD-i686-Snapshot20190224-Media.iso.sha256 2> /dev/null | sha256sum -c
sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

This:

gave me the same result as arvidjaar’s.

BTW: where does one get the particular string B88B2FD43DBDC284 from?

Also: how do I remove from the system the previously added one (9C800ACA) which I showed in an earlier reply and which doesn’t seem to be helpful?

That was from part of the output that I posted earlier (from post #9 in this thread):


gpg: Signature made Tue 22 Jan 2019 07:23:14 AM CST 
gpg:                using RSA key B88B2FD43DBDC284

And, actually, it is also there in your output:


gpg: Signature made Mon 25 Feb 2019 16:46 EET
gpg:                using RSA key B88B2FD43DBDC284
gpg: Can't check signature: No public key

Also: how do I remove from the system the previously added one (9C800ACA) which I showed in an earlier reply and which doesn’t seem to be helpful?

There’s no need to remove that. Usually, you keep gpg keys in your keyring forever. You just add additional ones as needed.

And yes, if all you do is add the key, then the gpg check will tell you that the signature matches the key in your ring, but that it does not know if the key can be trusted.

In my case, I have previously made the decision that I trust this key, so I have signed that key (using my own key) to show trust. How or whether you make that trust decision is up to you.

Yes, having different images with different checksum files is not nice and makes it impossible to have a common way to check the signature. Care to report it on bugzilla?

https://bugzilla.opensuse.org/show_bug.cgi?id=1127173
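
The order of checks the replies above arrive at, written out as an added example (not from any post in this thread; the function names are made up here): gpg first extracts only the text covered by the signature and its exit status decides whether to go on, then the ISO's digest is compared with the signed one. It assumes the openSUSE signing key is already in the keyring and that the signed text carries the digest as the first field of a line, with or without a file name after it.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# signed_text SUMFILE OUT: write only the text covered by the PGP signature
# to OUT. Fails closed: a bad signature, a missing public key or an unsigned
# file all give a non-zero status, and gpg's messages stay on stderr.
signed_text() {
    gpg --batch --yes --output "$2" --decrypt "$1"
}

# digest_matches TEXTFILE ISO: compare the ISO's SHA-256 with the digest in
# the signed text. Assumption: the digest is the first field of a line, with
# or without a file name after it, so both checksum layouts are accepted.
digest_matches() {
    want=$(awk '$1 ~ /^[0-9a-fA-F]+$/ && length($1) == 64 { print tolower($1); exit }' "$1")
    [ -n "$want" ] || { echo "no SHA-256 digest in signed text" >&2; return 2; }
    # A missing or unreadable ISO leaves $have empty, which cannot match.
    have=$(sha256sum -- "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# verify_iso SUMFILE [ISO]: signature first, checksum second.
# ISO defaults to SUMFILE with the .sha256 suffix removed.
verify_iso() {
    iso=${2:-${1%.sha256}}
    tmp=$(mktemp) || return 2
    if signed_text "$1" "$tmp" && digest_matches "$tmp" "$iso"; then
        rc=0
        echo "$iso: signature and checksum OK"
    else
        rc=1
        echo "$iso: NOT verified" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}
```
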