Signature check

Hi,

I have downloaded the .sha256 file so I can check the iso for installing Tumbleweed. I ran:

gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Snapshot20160825-Media.iso.sha256
gpg: Signatur laget fr. 26. aug. 2016 kl. 21.33 +0200 CEST ved hjelp av RSA-nøkkel ID 3DBDC284
gpg: Can't check signature: fant ikke offentlig nøkkel

It couldn’t find the public key. I have downloaded the iso on a fedora machine. I only want to make the install media on this machine, and use it on a new box. Could anybody tell if I miss something concerning public keys/signatures? I just want to make this right.

Dag

gpg --recv-key 3DBDC284

(from the command line). And then retry the verify.

Nice, it works. I get a more interesting output:


gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Snapshot20160825-Media.iso.sha256
gpg: Signatur laget fr. 26. aug. 2016 kl. 21.33 +0200 CEST ved hjelp av RSA-nøkkel ID 3DBDC284
gpg: God signatur fra «openSUSE Project Signing Key <opensuse@opensuse.org>»
gpg: ADVARSEL: Denne nøkkelen er ikke sertifisert med en betrodd signatur!
gpg:          Det er ingen indikasjon på at signaturen tilhører eieren.
Fingeravtrykk for primærnøkkel: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284


I get the information about the source of the signature and the fingerprint. I get a warning which says the key is not certified with a trusted signature, but I read that this is quite a common message.

Dag R

Yes, this is normal.

I could easily create a gpg key, and name it “openSUSE Project Signing Key” (and give it an opensuse email address). So you cannot automatically trust a key based only on its name. You have to decide, on some other basis, whether you trust that key. There are web sites with details about the “web of trust” on how to decide that.

Once you have decided that you trust the key, then:

  • you can make a mental note so that you ignore the warning in future;
  • you can sign the key yourself, which tells the gpg software that you have accepted it as valid.

In my case, I trusted it because the key was already signed by another key that I already trusted (the suse security key). So I also signed it myself. If you want to see the signature, you can use:

gpg --list-sigs 3DBDC284

You might just get a list of mostly numbers (key-ids) that you don’t recognize. Or maybe there’s a key there that you already recognize. (The key is also self-signed, so at least one signature will be recognizable).

Welcome to the world of gpg/pgp. You don’t get it for free. You have to do some work on deciding what you trust. But at least it is cumulative. If you have done the work, then it will be easier next time.
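The fingerprint-pinning approach the reply describes, written out as an added shell script (not code from the thread or from openSUSE): it fetches the key if needed, requires that the signature on the .sha256 file comes from the key with the fingerprint shown above rather than merely from a key with the right name, and only then checks the ISO's hash. It assumes gpg, awk and sha256sum are installed and that it is run in the directory holding the ISO and its .sha256 file.

```sh
# Added example, not code from the thread: verify an openSUSE .sha256 file by
# pinning the signing key's fingerprint (the one printed in the thread for key
# ID 3DBDC284) instead of trusting the key's name, then check the ISO against
# the signed checksum. Run it in the directory holding both files.
EXPECTED_FPR="22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284"

# Canonical form: no spaces, upper case, so "22c0 7ba5 ..." and
# "22C07BA5..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd output on stdin and print the fingerprint from the
# VALIDSIG line. Its last field is the primary key fingerprint (the value the
# thread's "primærnøkkel" line shows), so a subkey signature still matches.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# 0 if the given fingerprint (any spacing or case) is the pinned one, else 1.
fpr_matches() {
    [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Full check: fetch the key if absent, require a VALIDSIG from the pinned
# fingerprint (a "good" signature from some other key is rejected), then
# verify the ISO's hash from the clearsigned checksum line.
verify_iso() {
    sha_file="$1"   # the ...Media.iso.sha256 file next to the ISO
    pinned=$(normalize_fpr "$EXPECTED_FPR")
    gpg --list-keys "$pinned" >/dev/null 2>&1 || gpg --recv-keys "$pinned" || return 1
    status=$(gpg --status-fd 1 --verify "$sha_file" 2>/dev/null) || {
        echo "signature check failed (bad signature or key unavailable)" >&2
        return 1
    }
    fpr=$(printf '%s\n' "$status" | validsig_fpr)
    if ! fpr_matches "$fpr"; then
        echo "signature was made by '$fpr', not by the pinned key" >&2
        return 1
    fi
    # Only the "hash  filename" line is a checksum line; the PGP armour lines
    # around it are skipped so sha256sum does not complain about them.
    grep -E '^[0-9a-f]{64}  ' "$sha_file" | sha256sum -c -
}

# Run only when a .sha256 file is given, so the functions can be sourced too.
if [ "$#" -ge 1 ]; then verify_iso "$1"; fi
```

A non-zero exit means either the signature did not verify, it was made by a key other than the pinned one, or the ISO's hash did not match; all three should stop you from writing that image to install media.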

I’m not an IT professional, so everything which isn’t clearly intuitive in this world I have to work for. Thanx for the advice.

Dag R