Package Signatures

Digital Signatures

The Package Hub repositories and RPM packages are signed with a digital signature. The signature allows validation that the package originated from the organization associated with the signature and that it hasn't been tampered with. The packages provided in the SUSE Linux Enterprise products that come from SUSE are signed with the standard SUSE package build signatures. The organization behind the packages in the SUSE Package hub is the openSUSE community and is signed with that community signature.

openSUSE Backports Project

The packages in the Package Hub originate from the openSUSE Backports projects maintained by the openSUSE community in the openSUSE Build Service. The packages and package repository are signed with that projects key.

Requirement to Import the Package Hub Key

The SUSE package management tools will automatically check signatures against known and trusted public keys. By default SUSE Linux Enterprise Server and related products can only validate the objects signed with the SUSE organizations keys. To allow the system to validate signature from other organizations, the public key associated with the organization (or person) needs to be imported.

The process of importing keys is an opt-in process that is left up to the user to manage. The user shall decide which organizations signatures to "trust" and install software on the users systems.

Key Details

The details of the openSUSE Backports public key are described below:

ID: 9C214D4065176565
Name: openSUSE:Backports OBS Project 
Fingerprint: 637B 32FF 3D83 F07A 7AE1 C40A 9C21 4D40 6517 6565