SUSE Linux Enterprise downloads are available from http://download.suse.com/, but also from partner websites and services.

For you to be able to verify that your downloads are unchanged and authentic, please follow these steps:

  1. Download the iso images of your choice (for example SLE-15-SP2-Online-x86_64-GM-Media1.iso).

  2. Compute the checksums (SHA-256 hashes):
    sha256sum SLE-15-SP2-Online-x86_64-GM-Media1.iso > SLE-15-SP2-Online-x86_64-GM-Media1.iso.sha256
    you can compare the result (i.e., the content of the .iso.sha256 file) to the checksum on the download page to make sure that you downloaded the right image.

  3. Download the PGP signatures (.asc files).

  4. Use gpg from the shell to retrieve the public key from the keyserver, if you do not have it already:

    - For SLES 12, SLES 15 up to SP5 and SLE Micro 5.x: (ID 39DB7C82), build@suse.de, fingerprint: FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82
    - For SLES 15 SP6 and SP7: (ID 3FA1D6CE), build@suse.de, fingerprint: 7F00 9157 B127 B994 D5CF BE76 F74F 09BC 3FA1 D6CE
    - For SLE Micro 6.x, and SLE 16: (ID 09D9EA69), build-alp@suse.de, fingerprint: 1C59 D66F CD52 563A 1693 3DBC FEC2 8EAF 09D9 EA69

    # create $HOME/.gnupg
    gpg --list-keys > /dev/null 2>&1
    # retrieve the key, if you do not have it already:
    # Example for SLES 15 key:
    gpg --keyserver pgp.mit.edu --recv-keys 39DB7C82

  5. You can also get the keys from our website: https://www.suse.com/support/security/keys/

  6. Check if the key's fingerprint matches with the one given above:
    # Example verify fingerprint:
    gpg --list-keys --fingerprint 39DB7C82
    pub rsa2048 2013-01-31 [SC] [expires: 2020-12-06]
    FEAB502539D846DB2C0961CA70AF9E8139DB7C82
    uid [unknown] SuSE Package Signing Key <build@suse.de>

  7. Verify the signature of your downloaded signed hashes file:
    gpg --verify -o SLE-15-SP2-Online-x86_64-GM-Media1.iso.sha256 SLE-15-SP2-Online-x86_64-GM-Media1.iso.sha256.asc
    gpg will tell you if the signatures could be verified ("Good signature") or not ("BAD signature").

If gpg succeeded in verifying the signature, you can be sure that your .iso image is authentic, as generated by the SUSE build service.