Reports of KDE neon Downloads Being Dangerous Entirely Exaggerated

When you download a KDE neon ISO, you are transparently redirected to one of the mirrors that KDE uses. Recently the Polish mirror was marked as unsafe in Google Safe Browsing, an extremely popular service used by most web browsers and anti-virus software to check whether a site is problematic. I expect there was a problem elsewhere on this mirror, but it certainly wasn’t KDE neon. KDE sysadmins have tried to contact the mirror and Google.

You can verify any KDE neon installable image by checking its GPG signature against the KDE neon ISO Signing Key. The signature is the .sig file which sits alongside each .iso file; gpg2 needs the .iso itself in the same directory as the .sig in order to check it.

gpg2 --recv-key '348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76'

wget http://files.kde.org/neon/images/neon-useredition/current/neon-useredition-current.iso.sig

gpg2 --verify neon-useredition-current.iso.sig neon-useredition-current.iso
gpg: Signature made Thu 19 Jan 2017 11:18:13 GMT using RSA key ID 075E1D76
gpg: Good signature from "KDE neon ISO Signing Key <neon@kde.org>" [full]

Adding a sensible GUI to do this is future work and fairly tricky to do in a secure way, but hopefully it will come soon.
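gpg2 --verify reports a good signature for any key that happens to be in your keyring, so a scripted check should also pin the signer's fingerprint. The following is an added example, not part of the original post or KDE's tooling: it reads gpg's machine-readable status output and accepts the image only when the valid signature comes from the fingerprint given above. The function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: verify a KDE neon ISO and pin the signing key fingerprint.
# Fingerprint taken from the post; function names are hypothetical.
NEON_FPR='348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76'

# Strip spaces and upper-case a fingerprint so it can be compared
# with the 40-hex-digit form gpg prints on its status lines.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the wanted fingerprint, either as the signing key (field 3) or as
# its primary key (last field). GOODSIG alone is not enough: it only
# carries a key ID, and any key in the keyring can produce it.
status_has_validsig() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# usage: verify_iso neon-useredition-current.iso
# Expects the detached signature next to it as <iso>.sig.
verify_iso() {
    iso=$1
    if [ ! -f "$iso" ]; then
        echo "missing $iso: gpg needs the .iso as well as the .sig" >&2
        return 2
    fi
    if [ ! -f "$iso.sig" ]; then
        echo "missing $iso.sig" >&2
        return 2
    fi
    # Name the data file explicitly instead of letting gpg guess it.
    # The pipeline's exit status is that of the fingerprint check.
    gpg2 --status-fd 1 --verify "$iso.sig" "$iso" 2>/dev/null |
        status_has_validsig "$NEON_FPR"
}

if [ "$#" -gt 0 ]; then
    verify_iso "$1"
fi
```

An exit status of 0 means a valid signature from the pinned key, 1 means no such signature was found, and 2 means the .iso or .sig file is missing.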


12 Comments

  3. Anonymous says:

    there’s something wrong with the bash commands you wrote I suppose..

    1. site admin says:

      what’s wrong?

      1. I’d guess each pair of hyphens has been converted to an en-dash.

        1. site admin says:

          huh funky. I don’t know how to work around that I’m afraid

          1. site admin says:

            changed it to

  5. Vladimir Putin says:

    It’s Russian hackers who want to fix the Qt packages in your distribution. 🙂

    When will you fix Qt in KDE neon?

    https://bugreports.qt.io/browse/QTBUG-53071

    Apparently Qt does not work with these abbreviations when Qt decodes tz binary files. This is causing problems in the field with Plasma Digital Clock users in Russia and Kazakhstan; for example, see .

  7. Anonymous says:

    copied and pasted all your commands, but

    gpg2 --verify neon-useredition-current.iso.sig
    gpg: no signed data
    gpg: can't hash datafile: No data

    1. site admin says:

      well yes you need to download the .iso too
