Failed gpg signature verification

Subject: Failed gpg signature verification Mon Oct 22, 2012 7:18 pm

I have an interesting problem. Downloaded openSUSE 12.2 live cd. Both MD5 and SHA1 checksums matched. Thought I'd try the gpg signature as something new to me. These are the steps I took:
laz@linux-zl0u:~> cd Downloads

laz@linux-zl0u:~/Downloads> ls

openSUSE-12.2-GNOME-LiveCD-x86_64.iso
openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc

laz@linux-zl0u:~/Downloads> gpg -v --verify openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc openSUSE-12.2-GNOME-LiveCD-x86_64.iso

Version: GnuPG v1.0.7 (GNU/Linux)
gpg: armor header:
gpg: Signature made Thu 30 Aug 2012 03:11:40 AM PDT using RSA key ID 3DBDC284
gpg: Can't check signature: No public key

laz@linux-zl0u:~/Downloads> gpg --recv-key 3DBDC284

gpg: requesting key 3DBDC284 from hkp server keys.gnupg.net
gpg: /home/laszlo/.gnupg/trustdb.gpg: trustdb created
gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

laz@linux-zl0u:~/Downloads> gpg --list-key 3DBDC284

pub 2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
uid openSUSE Project Signing Key <opensuse@opensuse.org>

It should be 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 according to openSUSE.org page, but it isn't.
Can anyone tell me if I did something wrong, or if this is a bunged download?

Subject: Re: Failed gpg signature verification Mon Oct 22, 2012 10:04 pm

I'm going to defer to others, because I have no idea about this.

Subject: Re: Failed gpg signature verification Tue Oct 23, 2012 1:55 pm

I have no real grasp of gpg, but I've never had much luck with it. I wouldn't think it's a bungled download since the checksums matched. I think it's just a problem with gpg finding the trusted keys. It might be set up overly cautious?

clown

Subject: Re: Failed gpg signature verification Tue Oct 23, 2012 6:29 pm

bozo wrote:: I have no real grasp of gpg, but I've never had much luck with it. I wouldn't think it's a bungled download since the checksums matched. I think it's just a problem with gpg finding the trusted keys. It might be set up overly cautious?

I don't think it is really necessary to go through the gpg mess when downloading from the source, but it could be different with third party servers. In this example I was put off by the statement "no ultimately trusted keys found".
Following that, the hash did not match. I started over with a new download, and this time everything worked.
Don't ask me to explain how md5 and sha1 cheked ok whioe gpg did not, I don't hava a clue.

On the other hand, this pushed me to look into gpg a little further, and the result is a "how to" I'll be posting.
I realize that this move is akin to mooning a troop of archers, but it's a first for me.

Subject: Re: Failed gpg signature verification Wed Oct 24, 2012 12:58 am

I"ll be looking forward to seeing it. I always like it when someone else does the hard work for me! Smile