Package Signatures

Digital Signatures

The Package Hub repositories and RPM packages are signed with a digital signature. The signature allows validation that the package originated from the organization associated with the signature and that it hasn't been tampered with. The packages provided in the SUSE Linux Enterprise products that come from SUSE are signed with the standard SUSE package build signatures. The organization behind the packages in the SUSE Package hub is the openSUSE community and is signed with that community signature.

openSUSE Backports Project

The packages in the Package Hub originate from the openSUSE Backports projects maintained by the openSUSE community in the openSUSE Build Service. The packages and package repository are signed with that projects key.

Requirement to Import the Package Hub Key

The SUSE package management tools will automatically check signatures against known and trusted public keys. By default SUSE Linux Enterprise Server and related products can only validate the objects signed with the SUSE organizations keys. To allow the system to validate signature from other organizations, the public key associated with the organization (or person) needs to be imported.

The process of importing keys is an opt-in process that is left up to the user to manage. The user shall decide which organizations signatures to "trust" and install software on the users systems.

Key Details

The details of the openSUSE Backports public key are described below:

For Package Hub 15 SP4 and earlier

ID: 9C214D4065176565
Name: openSUSE:Backports OBS Project 
Fingerprint: 637B 32FF 3D83 F07A 7AE1 C40A 9C21 4D40 6517 6565

For Package Hub 15 SP5 and later

ID: 8A49EB0325DB7AE0
Name: openSUSE:Backports OBS Project 
Fingerprint: F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0