ISO Verification Issues - My first steps are difficult and confusing

I’m currently using Fedora KDE 42 and want to test KDE Neon.

I downloaded these two files:

  • neon-user-20251002-0758.iso
  • neon-user-20251002-0758.iso.sig

KDE ISO Image Writer checks the ISO and replies: “Uses wrong signature”.

So I turned to ChatGPT for help:

  1. Download the ISO + the ‘.sig’
  2. Import the official key:
    gpg --keyserver keyserver.ubuntu.com --recv-keys 45F4C354638D1F29
  3. Check the ISO:
    gpg --verify neon-user-20251002-0758.iso.sig neon-user-20251002-0758.iso

RESULTS:

gpg: Signature made Thu 02 Oct 2025 04:21:18 AM EDT
gpg:                using RSA key B74EA2162376765BEAC3AE4345F4C354638D1F29
gpg: Good signature from "KDE neon ISO Signing Key <neon@kde.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B74E A216 2376 765B EAC3  AE43 45F4 C354 638D 1F29

Well, it says “good signature” and ChatGPT tells me not to worry about the warning.

DOUBLE-CHECK

I found a sha256sum and that result is also OK:

sha256sum -c neon-user-20251002-0758.sha256sum
neon-user-20251002-0758.iso: OK

THOUGHTS

Did I miss something? Is there any good tutorial for KDE Neon ISO verification?

Let’s forget the failure of KDE ISO Image Writer, I’ll use balenaEtcher instead.

It seems the underlying problem here is that one should better enter the command
echo “B74EA2162376765BEAC3AE4345F4C354638D1F29:6:” | gpg --import-ownertrust
after importing the key to mark the signature owner as a trusted source.
The gpg --verify command works more or less without this, but apparently KDE ISO Image Writer takes that warning too seriously, and even misinterprets it, which can be regarded as a bug.

Yes! That solves this issue. There was just a tiny little mistake in your command line.

The quotation marks should be: " ", not “ ”

I’ve done digital editing in the past, so my eyes can spot a pixel difference immediately. :slight_smile:

Anyway the exact command is:

echo "B74EA2162376765BEAC3AE4345F4C354638D1F29:6:" | gpg --import-ownertrust

I will copy your edited post into my bug report. Thanks.

Haha, I have no idea how and where those double quotes were converted to smart quotes. :grinning_face:
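
The warning discussed in this thread is about trust in the key, not about whether the signature is valid. As an added example (not from any poster or from KDE), the script below reads gpg's machine-readable `--status-fd` output and accepts the ISO only when the signature is valid and the primary key fingerprint equals the one shown in the first post. The function names `signer_verdict` and `verify_iso` and both sample status blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept an ISO on the signer's full fingerprint, not on
# whether gpg printed a trust warning.
# Fingerprint as shown in the thread; confirm it via a channel you trust.
EXPECTED_FPR="B74EA2162376765BEAC3AE4345F4C354638D1F29"

# Reads `gpg --status-fd 1 --verify` lines on stdin, prints
# "<verdict> trust=<TRUST_* keyword or ->", returns 0 only for verdict "ok".
signer_verdict() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            valid = 1
            primary = (NF >= 12) ? $12 : $3   # field 12: primary key fingerprint
            if (toupper(primary) == toupper(want)) hit = 1
        }
        $2 ~ /^TRUST_/ { trust = $2 }          # owner trust: informational only
        END {
            if (bad)         v = "bad-signature"
            else if (!valid) v = "no-valid-signature"
            else if (!hit)   v = "wrong-key"
            else             v = "ok"
            print v, "trust=" (trust == "" ? "-" : trust)
            exit (v == "ok" ? 0 : 1)
        }'
}

# Real use (needs gpg and the imported key): $1 = .sig file, $2 = .iso file
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | signer_verdict "$EXPECTED_FPR"
}

# Constructed status lines modelled on the gpg run in the first post
# (timestamp and algorithm numbers are illustrative).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 45F4C354638D1F29 KDE neon ISO Signing Key <neon@kde.org>
[GNUPG:] VALIDSIG B74EA2162376765BEAC3AE4345F4C354638D1F29 2025-10-02 1759393278 0 4 0 1 8 00 B74EA2162376765BEAC3AE4345F4C354638D1F29
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a valid signature from a different key carrying the same user ID.
LOOKALIKE_STATUS='[GNUPG:] GOODSIG 89ABCDEF01234567 KDE neon ISO Signing Key <neon@kde.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-10-02 1759393278 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

printf '%s\n' "$SAMPLE_STATUS"    | signer_verdict "$EXPECTED_FPR"
printf '%s\n' "$LOOKALIKE_STATUS" | signer_verdict "$EXPECTED_FPR" || true
```

With gpg installed, `verify_iso neon-user-20251002-0758.iso.sig neon-user-20251002-0758.iso` applies the same check to the downloaded files.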