Reports of KDE neon Downloads Being Dangerous Entirely Exaggerated

When you download a KDE neon ISO you get transparently redirected to one of the mirrors that KDE uses. Recently the Polish mirror was marked as unsafe in Google Safebrowsing which is an extremely popular service used by most web browsers and anti-virus software to check if a site is problematic. I expect there was a problem elsewhere on this mirror but it certainly wasn’t KDE neon. KDE sysadmins have tried to contact the mirror and Google.

You can verify any KDE neon installable image by checking the gpg signature against the KDE neon ISO Signing Key.  This is the .sig file which is alongside all the .iso files.

gpg2 --recv-key '348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76'

wget http://files.kde.org/neon/images/neon-useredition/current/neon-useredition-current.iso.sig

gpg2 --verify neon-useredition-current.iso.sig
gpg: Signature made Thu 19 Jan 2017 11:18:13 GMT using RSA key ID 075E1D76
gpg: Good signature from "KDE neon ISO Signing Key <neon@kde.org>" [full]

Adding a sensible GUI to do this is future work and fairly tricky to do in a secure way but hopefully soon.

14 Replies to “Reports of KDE neon Downloads Being Dangerous Entirely Exaggerated”

  1. there’s something wrong with the bash commands you wrote I suppose..

  2. It’s Russian hackers want to fix the Qt packages in your distribution. 🙂

    When you fix Qt in KDE neon?

    https://bugreports.qt.io/browse/QTBUG-53071

    Apparently Qt does not work with these abbreviations when Qt decodes tz binary files. This is causing problems in the field with Plasma Digital Clock users in Russia and Kazakhstan; for example, see .

  3. copied and pasted all your commands, but

    gpg2 –verify neon-useredition-current.iso.sig
    gpg: no signed data
    gpg: can’t hash datafile: No data

  4. I have to confess, I still have no idea how to verify the key. I’m getting my image from here:

    https://neon.kde.org/download

    I have the sig, I have the image, what do I do?

    Where did this come from:

    gpg2 –recv-key ‘348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76’ ??

    I ran this:

    gpg2 –verify neon-user-20191107-1116.iso.sig

    More importantly, why doesn’t KDE neon have instructions on how to verify the image? Why don’t they just have sha256sums? Why aren’t these on torrent?

    It doesn’t seem anybody knows how to do this, at least according to yandex (google seriously is starting to totally suck even for technical work). Anybody able to figure this out?

Comments are closed.