Addendum: If you're downloading the rpms by hand, you'll need to fetch the accompanying .asc file so that rpm can import the key into its keyring. You can do this by downloading it and running:
rpm --import foo.asc You can check the sigs with: gpg --verify foo.asc rpm -K foo.rpm Also, the previous zypper stanza was incorrect. This is the right one: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/suse/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-suse-torproject.org
signature.asc
Description: Digital signature
