When you download a KDE neon ISO you get transparently redirected to one of the mirrors that KDE uses. Recently the Polish mirror was marked as unsafe in Google Safebrowsing which is an extremely popular service used by most web browsers and anti-virus software to check if a site is problematic. I expect there was a problem elsewhere on this mirror but it certainly wasn’t KDE neon. KDE sysadmins have tried to contact the mirror and Google.
You can verify any KDE neon installable image by checking the gpg signature against the KDE neon ISO Signing Key. This is the .sig file which is alongside all the .iso files.
gpg2 --recv-key '348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76' wget http://files.kde.org/neon/images/neon-useredition/current/neon-useredition-current.iso.sig gpg2 --verify neon-useredition-current.iso.sig gpg: Signature made Thu 19 Jan 2017 11:18:13 GMT using RSA key ID 075E1D76 gpg: Good signature from "KDE neon ISO Signing Key <firstname.lastname@example.org>" [full]
Adding a sensible GUI to do this is future work and fairly tricky to do in a secure way but hopefully soon.
14 Replies to “Reports of KDE neon Downloads Being Dangerous Entirely Exaggerated”
there’s something wrong with the bash commands you wrote I suppose..
I’d guess each pair of hyphens has been converted to an en-dash.
huh funky. I don’t know how to work around that I’m afraid
changed it to
It’s Russian hackers want to fix the Qt packages in your distribution. 🙂
When you fix Qt in KDE neon?
Apparently Qt does not work with these abbreviations when Qt decodes tz binary files. This is causing problems in the field with Plasma Digital Clock users in Russia and Kazakhstan; for example, see .
copied and pasted all your commands, but
gpg2 –verify neon-useredition-current.iso.sig
gpg: no signed data
gpg: can’t hash datafile: No data
well yes you need to download the .iso too
I have to confess, I still have no idea how to verify the key. I’m getting my image from here:
I have the sig, I have the image, what do I do?
Where did this come from:
gpg2 –recv-key ‘348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76’ ??
I ran this:
gpg2 –verify neon-user-20191107-1116.iso.sig
More importantly, why doesn’t KDE neon have instructions on how to verify the image? Why don’t they just have sha256sums? Why aren’t these on torrent?
It doesn’t seem anybody knows how to do this, at least according to yandex (google seriously is starting to totally suck even for technical work). Anybody able to figure this out?
Check my answer at
Comments are closed.