Verifying GPG signature of openSUSE installation images

openSUSE 12.3

Whenever we download an image to install a distribution, it is important to check it for errors and to confirm that it is the image it is supposed to be. The latter can easily be done by verifying the GPG signature.

In this post we explain how to verify the GPG signature of openSUSE images. The guide uses openSUSE-12.3-DVD-i586.iso, although the procedure applies to any of the other available versions. It is also assumed that one of the previous versions of the distribution (12.2) is in use.

The first step is to find out which key was used for the signature. To do so, we download the ASC file (available on the same download page) corresponding to our image, place both files in the same directory and run:

gpg --verify openSUSE-12.3-DVD-i586.iso.asc openSUSE-12.3-DVD-i586.iso

It will return something similar to this:

gpg: Signed on Thu 07 Mar 2013 09:35:40 CST using RSA ID key 3DBDC284
gpg: Unable to verify signature: No public key

The key ID is "3DBDC284". With that, we import the corresponding public key:

gpg --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3dbdc284-4be1884d.asc

The system will inform us that we have imported the key successfully:

gpg: key 3DBDC284: public key "openSUSE Project Signing Key" imported
gpg: Total amount processed: 1
gpg: imported: 1 (RSA: 1)

Other keys are available in the directory:

/usr/lib/rpm/gnupg/keys/

Once this is done, we can verify the fingerprint of the key if we wish:

gpg --fingerprint 3DBDC284

It will return the following:

pub 2048R / 3DBDC284 2008-11-07 [expires: 2014-05-04]
Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
uid openSUSE Project Signing Key

Finally, we can now verify that the signature is correct. To do so, we re-run the command from the first step:

gpg --verify openSUSE-12.3-DVD-i586.iso.asc openSUSE-12.3-DVD-i586.iso

This time it will give us a successful result:

gpg: Signed on Thu 07 Mar 2013 09:35:40 CST using RSA ID key 3DBDC284
gpg: Correct signing of "openSUSE Project Signing Key"
gpg: ATTENTION: This key is not certified by a trusted firm!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprints: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
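The warning in that output means gpg has no trust path to the key, so the decision rests on the full fingerprint rather than on the 8-digit key ID. The following script is an added example, not part of the original post: it accepts an image only when gpg's machine-readable status output reports a valid signature from the fingerprint shown above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): accept an image only when gpg
# reports a valid signature made by the pinned full fingerprint.

# Fingerprint printed by `gpg --fingerprint 3DBDC284` in this post, spaces removed.
EXPECTED_FPR="22C07BA534178CD02EFE22AAB88B2FD43DBDC284"

# check_status FPR: read `gpg --status-fd` lines on stdin; return 0 only if a
# VALIDSIG names FPR as primary key and there is no BADSIG/ERRSIG.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]"                 { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3   # field 12: primary key fingerprint
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }'
}

# verify_iso SIG ISO [FPR]: gpg's own exit code is ignored on purpose; the
# decision comes from the status lines.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "${3:-$EXPECTED_FPR}"
}

# Constructed status output for an offline demonstration (timestamps and
# algorithm fields are made up; the second fingerprint is fictitious).
sample_good() {
    echo "[GNUPG:] GOODSIG B88B2FD43DBDC284 openSUSE Project Signing Key"
    echo "[GNUPG:] VALIDSIG $EXPECTED_FPR 2013-03-07 1362670540 0 4 0 1 2 00 $EXPECTED_FPR"
}
sample_same_short_id() {   # valid signature, but from another key ending in 3DBDC284
    echo "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF3DBDC284 2013-03-07 1362670540 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF3DBDC284"
}
sample_no_pubkey() {       # the state before `gpg --import`
    echo "[GNUPG:] ERRSIG B88B2FD43DBDC284 1 2 00 1362670540 9"
    echo "[GNUPG:] NO_PUBKEY B88B2FD43DBDC284"
}

# Real use: sh verify.sh openSUSE-12.3-DVD-i586.iso.asc openSUSE-12.3-DVD-i586.iso
if [ "$#" -ge 2 ]; then
    verify_iso "$1" "$2" && echo "OK: signed by $EXPECTED_FPR" || { echo "REJECTED" >&2; exit 1; }
fi
```

Piping one of the sample functions into `check_status "$EXPECTED_FPR"` shows each outcome without needing gpg or the image.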

More information - Listing repositories in openSUSE, Installing packages in openSUSE

