SUSE Linux Enterprise downloads are available from http://download.suse.com/, but also from partner websites and services.

For you to be able to verify that your downloads are unchanged and authentic, please follow these steps:

  1. Download the iso images of your choice (for example SLE-15-SP2-Online-x86_64-GM-Media1.iso).

  2. Compute the checksums (SHA-256 hashes):
    sha256sum SLE-15-SP2-Online-x86_64-GM-Media1.iso > SLE-15-SP2-Online-x86_64-GM-Media1.iso.sha256
    you can compare the result (i.e., the content of the .iso.sha256 file) to the checksum on the download page to make sure that you downloaded the right image.

  3. Download the PGP signatures (.asc files).

  4. Use gpg from the shell to retrieve the public key (ID 39DB7C82), build@suse.de, fingerprint: FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82
    from the keyserver, if you do not have it already:
    # create $HOME/.gnupg
    gpg --list-keys > /dev/null 2>&1
    # retrieve the key, if you do not have it already:
    gpg --keyserver pgp.mit.edu --recv-keys 39DB7C82

  5. You can also get the keys from our website: https://www.suse.com/support/security/keys/

  6. Check if the key's fingerprint matches with the one given above:
    # Verify fingerprint:
    gpg --list-keys --fingerprint 39DB7C82
    pub rsa2048 2013-01-31 [SC] [expires: 2020-12-06]
    FEAB502539D846DB2C0961CA70AF9E8139DB7C82
    uid [unknown] SuSE Package Signing Key <build@suse.de>

  7. Verify the signature of your downloaded signed hashes file:
    gpg --verify -o SLE-15-SP2-Online-x86_64-GM-Media1.iso.sha256 SLE-15-SP2-Online-x86_64-GM-Media1.iso sha256.asc
    gpg will tell you if the signatures could be verified ("Good signature") or not ("BAD signature").

If gpg succeeded in verifying the signature, you can be sure that your .iso image is authentic, as generated by the SUSE build service.