KGet to download ISO

Since the latest incident in which the Xubuntu website got hacked, and the earlier one with Linux Mint in 2016, I wondered what the noob-friendly way is to download official distros' ISOs and verify them.

KDE has several apps that can be used to download ISOs, and then it occurred to me that KGet has a verification mechanism.

Now there are SHAXXX methods to verify ISOs, but those only verify the integrity of the ISO file itself, as one might move it to a USB device, and as I read, this is not foolproof since the hacker could alter the SHA phrase on the website as well.

Then there is signature verification, which should somehow diminish this. Since KGet supports both, I looked in the KGet Handbook, but it wasn’t much help.

Naturally, I went to my distro’s (EndeavourOS) download/home page and tried to replicate the verification with KGet, but no luck there. At least I wasn’t able to (re)produce verification for the ISO.

So could someone explain a step-by-step way to do it with KGet?

Thx

Surely torrenting is the best way… Whilst everyone else is busy worrying about checking checksums, I have never failed to get a perfect bootable ISO from a torrent download; it’s bit-perfect every time.

OK, that might work on some occasions, but what if a hacker managed to replace the torrent link with their malicious one on the official website, just as they altered the ISO file?

Download from a local university or an ISP/hosting provider that also sponsors mirrors. I’m in the UK, so I use the University of Kent. There are 222 public mirrors for something like Fedora you can choose from to download *.iso’s. The same is true for plenty of other distros.

Infrastructure should be compartmentalised in such a way that managing to hack the website means they can’t access infrastructure related to anything else (such as release / engineering infrastructure and images). In the case of Xubuntu, it seems they have got the website and just replaced the download link to one of their own. That doesn’t have an impact on the other infrastructure (again, one hopes).

Recently Red Hat’s internal GitLab instance for consulting was hacked. GitLab issued a statement saying that Red Hat runs their own instances of the community edition. It’s up to Red Hat to keep up with security and updates. Obviously they didn’t. There’s a multitude of ways that can be done. A zero-day exploit. A poisoned package in something like npm or pip. Or worse, someone had a brain fart and pushed secret keys to a repo.

Downloading ISOs is like downloading anything else. Just get it from a reputable source, verify it and go on with your day. If you always have “but what if…” in the back of your mind you might as well not download anything from the internet.

1 Like

You can take paranoia too far. You either trust your source or you don’t.

My intention is to provide a method for users to securely obtain official distros’ ISOs for installation, with ease. Most users will go to the official download page of the desired distro and download the latest ISO.

Since you mentioned paranoia, have you read the link I posted? It also contains other attack vectors deployed against different distros. The real problem here is that malware attacks are increasing. It would be bad news if hype were created that Linux is not secure, at the very time Windows 10 is declared EOL. So if there is a time to be concerned, it is now.
Now, KDE is providing an app which could potentially benefit the community as a whole in this situation.

Bottom line, there should be some solution, maybe a joint initiative or something, that will tackle the issue. Or are you implying the user should download ISOs and pray for the best?

So my question is, whether there is any way to utilize KGet to securely obtain mentioned ISOs in a way that is easy for a common user, and how?

Baking in hard links to release images and hash files in kget that it could download from directly and automatically verify. Fedora mediawriter does this for supported Fedora releases and architectures.

But if you were to do it for every distro, every image, every supported release, every available architecture… the resulting file would be massive and I’d hate to be involved in keeping it and kget up to date.

In the case of Fedora mediawriter, that only needs to be updated when a new release drops or a release EOLs. Currently F40 is still listed in the releases because nobody has gotten around to submitting an updated releases.json to remove F40 which EOL’d back in May.

Perhaps rather than focussing on KGet, detailed step-by-steps of the walkthrough of the GPG verification method (for EVERY distribution) would work; then possibly scripts that automate the GPG verification process.

Most people downloading ISO images don’t have KGet, many don’t have Linux.

Alright, let’s make it simple. When I go to https://endeavouros.com/ , then copy the ISO’s link and download it with KGet, can I use it to verify the image?

Alright, let’s make it simple. When I go to https://endeavouros.com/ , then copy the ISO’s link and download it with KGet, can I use it to verify the image?

No.

Let’s ACTUALLY make it simple - let’s not waste time opening KGet, or copying any ISO link, because we don’t need to do any of that complicated stuff at all.

  1. Click the link (Magnet is good) and wait for the ISO. Whilst doing that, look at the other link
  2. sha512sum…

Select the command on the website page:

sha512sum -c EndeavourOS_Mercury-Neo-2025.03.19.iso.sha512sum

Then we press Ctrl+Alt+T and middle-click to paste the command.

We remember to press ⏎ Enter.

Any simpler, and you’re not remotely qualified to run EndeavourOS.

I can’t answer for KGet as I never used it. I like to keep things simple.

I don’t think the XUBUNTU case is anywhere near as sophisticated as what your imagination is cooking up here.

You can do a GPG CHECK if you don’t trust the download.

If that method isn’t good enough, then there’s nothing at all that KDE can do about it, because this is an EOs download. It’s up to them to manage their security - and it’s up to you to discuss with them if you think it’s too complicated.

They’ll either agree with you, or tell you that if you find that too complicated then you must either simply trust them or move on. The problem then is that it’s the same story with Linux Mint or any number of other ISO downloads.

Perhaps then, instead of downloading via the website (to make sure you weren’t hacked) you should simply find the torrent online with a simple DHT search, or a Linux Tracker search.

1 Like
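The two positions in this thread (the `sha512sum -c` walkthrough, and the earlier worry that whoever swaps the ISO can swap the checksum file too) can be exercised side by side. The script below is an added example, not something from the thread, from KGet or from EndeavourOS: it uses a constructed few-byte file as a stand-in for an ISO and constructed file names (`sample.iso`, `sample.iso.sha512sum`), runs the same `sha512sum -c` step the thread describes, and then shows the one case that step cannot catch.

```shell
#!/bin/sh
# Added example, not from the thread or from EndeavourOS. Walks through the
# "sha512sum -c" flow on a constructed stand-in for an ISO and shows where it
# stops helping. File names are constructed; real ISO/checksum names differ.

# Publisher side: write the image and the matching "<hash>  <name>" line,
# the same one-line format a .sha512sum file uses.
publish_release() {   # $1 = directory, $2 = image content (constructed)
    printf '%s\n' "$2" > "$1/sample.iso"
    ( cd "$1" && sha512sum sample.iso > sample.iso.sha512sum )
}

# User side, i.e. the thread's "sha512sum -c <file>.sha512sum" step.
# Exit status 0 = every listed file hashes to the recorded value, non-zero =
# mismatch or missing file. Output is silenced so callers branch on the status.
verify_checksum() {   # $1 = directory holding both files
    ( cd "$1" && sha512sum -c sample.iso.sha512sum >/dev/null 2>&1 )
}

# A corrupted or substituted download: one appended byte changes the digest.
tamper_image() {      # $1 = directory
    printf 'x' >> "$1/sample.iso"
}

# The case raised earlier in the thread: whoever replaced the image also
# regenerates the checksum file on the same server. sha512sum -c cannot tell
# the difference; only a signature over the checksum or image, checked with
# "gpg --verify" against a key obtained out of band, would.
republish_checksum() { # $1 = directory
    ( cd "$1" && sha512sum sample.iso > sample.iso.sha512sum )
}

# Walk through all three situations.
demo_dir=$(mktemp -d)
publish_release "$demo_dir" "constructed sample image contents"
if verify_checksum "$demo_dir"; then
    echo "1. clean download: checksum OK"
fi
tamper_image "$demo_dir"
if ! verify_checksum "$demo_dir"; then
    echo "2. altered image: mismatch caught"
fi
republish_checksum "$demo_dir"
if verify_checksum "$demo_dir"; then
    echo "3. image AND checksum replaced: still passes, a checksum alone cannot catch this"
fi
rm -rf "$demo_dir"
```

Situation 2 is what the checksum step is for: a bad mirror, a truncated download, or a swapped image whose checksum file was left alone. Situation 3 is why the thread's GPG remark matters: the checksum file only proves the bytes match what the same server says, so trust has to come from a signature made with a key you did not fetch from that same page.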