correct gnuPG commands to verify Neon download is authentic and complete?


    I am looking for help with authenticating a KDE Neon download.

    I have been humbled by the KDE Neon crew's offering only the PGP signing key to authenticate your download.
    On their site is a button: PGP signature for verification
    There are no examples nor explanations for those who want to give it a try.

    Looking at similar efforts I first tried:
    $ gpg --verify neon-user-20230706-0717.iso.sig neon-user-20230706-0717.iso
    gpg: Signature made Thu 06 Jul 2023 12:37:22 AM PDT
    gpg: using RSA key 348C8651206633FD983A8FC4DEACEA00075E1D76
    gpg: Can't check signature: No public key


    I searched for a public key for KDE Neon and found a link at https://distrowatch.com/dwres.php?re...distro=kdeneon
    I clicked on it and it wrote a key file to my Downloads folder where I changed its name to neonpublic.gpg
    I imported the key file with
    $ gpg --import neonpublic.gpg (and later tried naming it neonpublic.asc)
    gpg: key E6D4736255751E5D: "Neon CI" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1


    I tried rerunning the verify command.
    $ gpg --verify neon-user-20230706-0717.iso.sig neon-user-20230706-0717.iso

    gpg: Signature made Thu 06 Jul 2023 12:37:22 AM PDT
    gpg: using RSA key 348C8651206633FD983A8FC4DEACEA00075E1D76
    gpg: Can't check signature: No public key


    I then checked for public keys known to my system
    $ gpg --list-public-keys
    /home/jim/.gnupg/pubring.kbx
    ----------------------------
    pub rsa4096 2015-12-18 [SC]
    444DABCF3667D0283F894EDDE6D4736255751E5D
    uid [ unknown] Neon CI

    So the public key is not detected. Strange.


    Can anyone help me understand how to get the verify command correctly so the public key is checked?
    Neon 18.04.1 User on desktop and on Asus Transformer 3 Pro laptop
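The gpg output quoted in the post already contains the diagnosis: the signature was made with the key whose fingerprint ends in DEACEA00075E1D76, while the only key in the keyring (`gpg --list-public-keys`) is 444DABCF...E6D4736255751E5D, key ID E6D4736255751E5D, a different key. "Can't check signature: No public key" is therefore correct: the key that was imported is not the signing key. `gpg --list-packets neon-user-20230706-0717.iso.sig` prints the same issuer information straight from the signature file. The following added example, which is not part of the thread and not KDE neon's own tooling, parses a detached OpenPGP signature (RFC 4880 packet format) far enough to read the issuer key ID and issuer fingerprint and checks them against the fingerprints a keyring holds. The .sig bytes are constructed here to carry the fingerprint and timestamp from the post's gpg output; the real file's bytes are not on the page, and the RSA value inside is a dummy.

```python
"""Added example (not from the thread or KDE neon): which key made a detached OpenPGP .sig, and is it in the keyring?"""
import calendar
import struct
from datetime import datetime, timezone

# Copied from the post: the key gpg names as the signer, and the only key the poster had imported.
# The .sig bytes are constructed below; the real file's bytes are not on the page.
SIGNING_KEY_FPR = "348C8651206633FD983A8FC4DEACEA00075E1D76"
POSTED_KEYRING = ["444DABCF3667D0283F894EDDE6D4736255751E5D"]   # "Neon CI", key ID E6D4736255751E5D
PUBKEY_ALGOS = {1: "RSA", 3: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}   # RFC 4880 section 9.1


def _packet_header(data: bytes, off: int = 0):
    """Return (tag, body_start, body_end) for the packet at off; handles old- and new-format headers."""
    first = data[off]
    if first & 0x40:                                   # new-format header (RFC 4880 4.2.2)
        tag, b0 = first & 0x3F, data[off + 1]
        if b0 < 192:
            length, hdr = b0, 2
        elif b0 < 224:
            length, hdr = ((b0 - 192) << 8) + data[off + 2] + 192, 3
        elif b0 == 255:
            length, hdr = struct.unpack(">I", data[off + 2:off + 6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                              # old-format header (RFC 4880 4.2.1); 0x89 = tag 2, 2-byte length
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        size = {0: 1, 1: 2, 2: 4}[ltype]               # ltype 3 (indeterminate) is invalid for a signature
        length, hdr = int.from_bytes(data[off + 1:off + 1 + size], "big"), 1 + size
    return tag, off + hdr, off + hdr + length


def _subpackets(area: bytes):
    """Yield (type, data) for each signature subpacket in a hashed or unhashed area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        b0 = area[i]
        if b0 < 192:
            length, i = b0, i + 1
        elif b0 < 255:
            length, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]   # the length covers the type byte; 0x80 is the critical bit
        i += length


def signature_issuer(sig: bytes) -> dict:
    """Read algorithm, creation time, issuer key ID and issuer fingerprint out of a v4 signature packet."""
    tag, start, end = _packet_header(sig)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = sig[start:end]
    if body[0] != 4:
        raise ValueError(f"only v4 signatures are handled, got v{body[0]}")
    info = {"algo": PUBKEY_ALGOS.get(body[2], f"algo {body[2]}"), "created": None, "key_id": None, "fingerprint": None}
    pos = 4                                            # past version, signature type, pubkey algo, hash algo
    for _ in ("hashed", "unhashed"):                   # two subpacket areas, each prefixed by a 2-byte length
        size = struct.unpack(">H", body[pos:pos + 2])[0]
        for sub_type, data in _subpackets(body[pos + 2:pos + 2 + size]):
            if sub_type == 2 and len(data) == 4:       # Signature Creation Time
                ts = struct.unpack(">I", data)[0]
                info["created"] = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
            elif sub_type == 16 and len(data) == 8:    # Issuer (8-byte key ID)
                info["key_id"] = data.hex().upper()
            elif sub_type == 33 and len(data) == 21 and data[0] == 4:   # Issuer Fingerprint of a v4 key
                info["fingerprint"] = data[1:].hex().upper()
        pos += 2 + size
    if info["fingerprint"] and not info["key_id"]:
        info["key_id"] = info["fingerprint"][-16:]     # a v4 key ID is the low 64 bits of the fingerprint
    return info


def key_in_keyring(issuer: dict, keyring_fprs) -> bool:
    """True if one of the fingerprints gpg --list-keys prints belongs to the key that made the signature."""
    fprs = [f.replace(" ", "").upper() for f in keyring_fprs]
    if issuer["fingerprint"]:
        return issuer["fingerprint"] in fprs
    return issuer["key_id"] is not None and any(f.endswith(issuer["key_id"]) for f in fprs)


def _subpacket(sub_type: int, data: bytes) -> bytes:
    return bytes([len(data) + 1, sub_type]) + data     # one-byte length form; the length includes the type byte


def build_sample_sig(new_format: bool = False) -> bytes:
    """Constructed v4 RSA/SHA-256 signature carrying the post's signer fingerprint and timestamp; the MPI is a dummy."""
    created = struct.pack(">I", calendar.timegm((2023, 7, 6, 7, 37, 22, 0, 0, 0)))   # 12:37:22 AM PDT, 6 Jul 2023
    fpr = bytes.fromhex(SIGNING_KEY_FPR)
    hashed = _subpacket(2, created) + _subpacket(33, b"\x04" + fpr)
    unhashed = _subpacket(16, fpr[-8:])
    body = (bytes([4, 0x00, 1, 8])                     # v4, binary-document signature, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD"                              # left 16 bits of the hash (arbitrary here)
            + struct.pack(">H", 16) + b"\xFF\xFF")     # 16-bit dummy MPI instead of the real 4096-bit RSA value
    if new_format:
        return bytes([0xC2, len(body)]) + body         # 0xC2 = new-format header, tag 2, one-byte length
    return bytes([0x89]) + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    issuer = signature_issuer(build_sample_sig())
    print(f"signature by {issuer['algo']} key {issuer['key_id']} (fpr {issuer['fingerprint']}), made {issuer['created']}")
    print("poster's keyring holds the signer:", key_in_keyring(issuer, POSTED_KEYRING))   # False: different key
```

Run against the poster's keyring, `key_in_keyring` is false for the constructed signature, which is the situation gpg was reporting. The fix is to import the key whose fingerprint the signature names (the thread does not say where KDE neon publishes that key, so obtain it from a source you trust and compare the full fingerprint with `gpg --fingerprint`), then re-run `gpg --verify neon-user-20230706-0717.iso.sig neon-user-20230706-0717.iso`. A "Good signature" line with a matching fingerprint is what shows the image is authentic; a checksum alone does not.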

    #2
    In your browser, navigate to: https://files.kde.org/neon/images/user/current

    There, you will see the file: neon-user-20230706-0717.sha256sum

    It contains the sha256sum value for the .iso.

    Using Kubuntu Linux since March 23, 2007
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      Thank you very much Snowhog.
      Too bad it is not more publicly listed.
      It makes it easy to compare the sha256sum.
      Neon 18.04.1 User on desktop and on Asus Transformer 3 Pro laptop



        #4
        Good morning,

        This is a post from quite some time ago, I know, but yesterday I wanted to try KDE neon and I discovered this PGP signature as well. I had no clue whatsoever how to verify this. I mean, why don't they just give me a sha256sum and I run it on GTKhash? To be honest, I do not even get the procedure in the terminal for how to verify those checksums either, or I am too lazy to find out. Therefore GTKhash is some sort of a lifesaver. I actually wonder why KDE does not publish this: https://files.kde.org/neon/images/user/current more publicly.


        Is there something similar to GTKhash but then for checking PGP signatures?

        PS: the sha256sum as given in the link turned out to be ok, so the latest KDE Neon iso is safe anyway.

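Post #2 points to the .sha256sum file and post #4 asks what the terminal procedure for it looks like. In the directory that holds the .iso it is `sha256sum -c neon-user-20230706-0717.sha256sum`, which prints `neon-user-20230706-0717.iso: OK` when the digest matches. The following added example, not code from the thread or from KDE neon, does the same job in Python so each step is visible: parse the checksum-file format, hash the image in chunks, compare the digests, and report OK, FAILED or MISSING per entry. The file names and contents in `demo()` are constructed for the demonstration. One caveat: a checksum fetched from the same server as the image only shows that the download is complete and uncorrupted; anyone who could replace the .iso there could replace the .sha256sum next to it. Authenticity is what the PGP signature, checked with a signing key obtained from a source you trust, adds on top.

```python
"""Added example (not from the thread): what `sha256sum -c neon-user-20230706-0717.sha256sum` does, step by step."""
import hashlib
import hmac
import os
import tempfile


def parse_sha256sum(text: str) -> dict:
    """Parse the checksum-file format: one '<64 hex digits>  <file name>' entry per line ('*name' = binary mode)."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64 or not all(c in "0123456789abcdefABCDEF" for c in parts[0]):
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        digest, name = parts
        if name.startswith("*"):          # GNU sha256sum marks binary-mode entries with '*'
            name = name[1:]
        expected[name] = digest.lower()
    return expected


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a multi-GB .iso is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def check_sha256sum_file(checksum_path: str, base_dir: str = None) -> dict:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every entry, like the per-file lines sha256sum -c prints.

    Entries are resolved relative to base_dir (default: the checksum file's own directory;
    sha256sum -c itself resolves them relative to the current working directory)."""
    base = base_dir or os.path.dirname(os.path.abspath(checksum_path))
    with open(checksum_path, encoding="utf-8") as f:
        expected = parse_sha256sum(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        # compare_digest avoids a timing side channel; irrelevant for a local file, but a good habit
        results[name] = "OK" if hmac.compare_digest(sha256_file(path), digest) else "FAILED"
    return results


def demo() -> dict:
    """Constructed scenario: a good image, a tampered one, and one that was never downloaded."""
    with tempfile.TemporaryDirectory() as tmp:
        good = b"pretend this is neon-user-20230706-0717.iso\n"
        with open(os.path.join(tmp, "good.iso"), "wb") as f:
            f.write(good)
        with open(os.path.join(tmp, "tampered.iso"), "wb") as f:
            f.write(good + b"one extra byte changes the whole digest")
        checksums = (f"{hashlib.sha256(good).hexdigest()}  good.iso\n"
                     f"{hashlib.sha256(good).hexdigest()} *tampered.iso\n"
                     f"{'0' * 64}  absent.iso\n")
        sums_path = os.path.join(tmp, "constructed.sha256sum")
        with open(sums_path, "w", encoding="utf-8") as f:
            f.write(checksums)
        return check_sha256sum_file(sums_path)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Point `check_sha256sum_file` at the real neon-user-20230706-0717.sha256sum with the .iso in the same directory and it reports OK for the image only when every byte of the download arrived as published.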