On Sat, Oct 01, 2016 at 10:04:27PM +0200, Martin Koller wrote:
> a general question:
> When "zypper ref" tells me e.g.
> New repository or package signing key received:
> Repository: isv:ownCloud:desktop
> Key Name: isv:ownCloud OBS Project <isv:[hidden email]>
> Key Fingerprint: 1B07204C D71B690D 409F57D2 4ABE1AC7 557BEFF9
> Key Created: So 25 Sep 2016 23:09:22 CEST
> Key Expires: Di 04 Dez 2018 22:09:22 CET
> Rpm Name: gpg-pubkey-557beff9-57e83d02
> what is the correct and most reliable/secure way to check if I can trust this key?
> I thought ok, let's check the OBS Webpages of this repo ...
> https://build.opensuse.org/project/show/isv:ownCloud:desktop
> but I found no hint about signing keys.
You can use

    osc signkey isv:ownCloud:desktop

which will retrieve it from api.opensuse.org over HTTPS.
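
An added example, not part of the original message: one way to compare the key fetched with `osc signkey` against what the zypper prompt displayed. The function names are hypothetical, GnuPG is assumed to be installed, and the sample `fpr` record is constructed from the fingerprint in the prompt.

```shell
#!/bin/sh
# Values copied from the zypper prompt quoted in the message above.
ZYPPER_FPR='1B07204C D71B690D 409F57D2 4ABE1AC7 557BEFF9'
ZYPPER_RPM='gpg-pubkey-557beff9-57e83d02'

# Constructed sample: the "fpr" record a gpg --with-colons listing would
# contain for that key (field 10 carries the fingerprint).
SAMPLE_COLONS='fpr:::::::::1B07204CD71B690D409F57D24ABE1AC7557BEFF9:'

# Strip spaces/colons and upper-case, so differently formatted prints compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F'; }

# First "fpr" record on stdin = fingerprint of the primary key.
colons_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# check_key <fingerprint shown by zypper> <rpm name shown by zypper>
# Reads a gpg --with-colons listing of the independently fetched key on stdin.
# Returns 0 on match, 1 on mismatch, 2 on malformed input.
check_key() {
    want=$(norm_fpr "$1")
    got=$(norm_fpr "$(colons_fpr)")
    [ "${#want}" -eq 40 ] && [ "${#got}" -eq 40 ] || {
        echo "malformed fingerprint" >&2; return 2; }
    [ "$want" = "$got" ] || {
        echo "MISMATCH: zypper=$want fetched=$got" >&2; return 1; }
    # The version part of gpg-pubkey-<version>-<release> is the last
    # 8 hex digits of the fingerprint, in lower case.
    short=$(printf '%s' "$want" | tail -c 8 | tr 'A-F' 'a-f')
    case $2 in
        "gpg-pubkey-$short-"*) echo "OK: $want" ;;
        *) echo "MISMATCH: rpm name $2 does not carry key id $short" >&2
           return 1 ;;
    esac
}

# Live use (needs osc and a GnuPG with --show-keys; not run here):
#   osc signkey isv:ownCloud:desktop | gpg --show-keys --with-colons \
#       | check_key "$ZYPPER_FPR" "$ZYPPER_RPM"
```

Accept the key in zypper only when the check prints `OK`; a non-zero exit status means the key served by the repository differs from the one the OBS API returned.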