So I download the KDE Neon ISO on a windows machine. I then wanted to verify it. No SHA256 sum was provided. It was just a bunch of PGP stuff that I have no idea how to use nor are there any simple instructions. Do you want people to use your distribution or not?

Hi,
Probably something went wrong while downloading the ISO file. Try downloading again...

https://neon.kde.org/download

hsnnsnc wrote:Hi,
Probably something went wrong while downloading the ISO file. Try downloading again...

https://neon.kde.org/download

There is no checksum for the Neon ISO, please read what the user asked. The ISOs are signed with a PGP key and that is entirely sufficient. The PGP provided can be checked against the Official KDE Neon GPG key, available here: https://keyserver.ubuntu.com/pks/lookup ... 00075E1D76

Mamarok wrote:

hsnnsnc wrote:Hi,
Probably something went wrong while downloading the ISO file. Try downloading again...

https://neon.kde.org/download

There is no checksum for the Neon ISO, please read what the user asked. The ISOs are signed with a PGP key and that is entirely sufficient. The PGP provided can be checked against the Official KDE Neon GPG key, available here: https://keyserver.ubuntu.com/pks/lookup ... 00075E1D76

I am sorry!

nonesuch wrote:...No SHA256 sum was provided...

The checksums are provided here:
https://files.kde.org/neon/images/user/current/

You can download the current release there too.

xanadux wrote:
The checksums are provided here:
https://files.kde.org/neon/images/user/current/

Thanks for that! Over a year later, the same issue still exists.

I don't know why KDE keeps the checksum a secret. Why not a link from the main download page?

If a person doesn't know how to use something, and there are no instructions on how to use that thing, it's not addressing the issue to say that the thing is sufficient. Clearly, for the purposes of the OP, it is not sufficient, because something you do not know how to use may as well not exist. Most people would not want to go do research on how to use something that is unnecessarily complicated when the easy solution that nearly every other .iso comes with exists (but for some reason isn't discoverable from the pertinent download page).

Sir,

I have downloaded kde neon. But I was not able to verify the PGP signature after downloading it. I was able to verify the sha256sum later. Now I have installed kde neon and it is working fine.

I just had the same issue and ended up here searching for how to check a PGP. I still don't know how to check a PGP. Thank you to who provided the sha256sum. I'll use the sha256sum from the link once KDE Neon finishes downloading. I would also appreciate if the sha256sum was provided on the download page. It would have saved me 10-15 minutes of my life where I could have learned something else.

Thanks,

Agree entirely with @albenson's comment. I struggled with the PGP stuff and gave up in the end - too complicated for me to learn in the time I had. Thank you @nonesuch for asking the question and thank you @xanadux for the link to the checksums!

Yeah it's bizzare how hard to verify it is. There should be linked instructions or something, cause just trying to verify it and I'm already annoyed at using the dirstro. And I used to run gentoo of god sake.

+1

Using PGP is unnecessarily complicated. I’m not saying it’s difficult when you know what you’re doing, but it took me around half an hour to figure out and set up the necessary tools, which is 60 times longer than it would have taken me to verify with a checksum.

It may be technically “sufficient” as @mamarok says, but it’s a poor user experience, which makes it a bad first impression for what is, in my opinion, the most user friendly Linux distro.

In fact, I suspect many people give up and just don’t verify the download, which makes this a security risk, and therefore not at all sufficient.

I may be mistaken but from what I can tell this whole PGP thing doesn't even make it more secure as you have to add the key anyway right? Is it actually using a certificate authority? Even if it is, any step where you have to add a key sure doesn't make it feel secure.