Reports of KDE neon Downloads Being Dangerous Entirely Exaggerated

When you download a KDE neon ISO you get transparently redirected to one of the mirrors that KDE uses. Recently the Polish mirror was marked as unsafe in Google Safebrowsing which is an extremely popular service used by most web browsers and anti-virus software to check if a site is problematic. I expect there was a problem elsewhere on this mirror but it certainly wasn’t KDE neon. KDE sysadmins have tried to contact the mirror and Google.

You can verify any KDE neon installable image by checking the gpg signature against the KDE neon ISO Signing Key.  This is the .sig file which is alongside all the .iso files.

gpg2 --recv-key '348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76'

wget http://files.kde.org/neon/images/neon-useredition/current/neon-useredition-current.iso.sig

gpg2 --verify neon-useredition-current.iso.sig
gpg: Signature made Thu 19 Jan 2017 11:18:13 GMT using RSA key ID 075E1D76
gpg: Good signature from "KDE neon ISO Signing Key <neon@kde.org>" [full]

Adding a sensible GUI to do this is future work and fairly tricky to do in a secure way but hopefully soon.

Facebooktwittergoogle_pluslinkedinby feather

12 Replies to “Reports of KDE neon Downloads Being Dangerous Entirely Exaggerated”

  1. It’s Russian hackers want to fix the Qt packages in your distribution. 🙂

    When you fix Qt in KDE neon?

    https://bugreports.qt.io/browse/QTBUG-53071

    Apparently Qt does not work with these abbreviations when Qt decodes tz binary files. This is causing problems in the field with Plasma Digital Clock users in Russia and Kazakhstan; for example, see .

  2. copied and pasted all your commands, but

    gpg2 –verify neon-useredition-current.iso.sig
    gpg: no signed data
    gpg: can’t hash datafile: No data

Leave a Reply to Vladimir Putin Cancel reply

Your email address will not be published.

Spam-proofing. What is next? a, b, ...?