Bug 511805

Summary: KDE neon on KDE ISO Image Writer: “Uses wrong signature”
Product: [Applications] isoimagewriter Reporter: SebastJava <sebastjava>
Component: general Assignee: Unassigned bugs <unassigned-bugs-null>
Status: REPORTED ---    
Severity: normal CC: clay
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Neon   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: Error message: Uses wrong signature.

Description SebastJava 2025-11-08 03:28:40 UTC
Created attachment 186604
Error message: Uses wrong signature.

SUMMARY

I can't create the bootable USB drive for KDE neon. The problem occurs during the ISO verification step.

STEPS TO REPRODUCE

1. Download the ISO file from https://neon.kde.org/download (neon-user-20251002-0758.iso)
2. Download the PGP signature from https://neon.kde.org/download (neon-user-20251002-0758.iso.sig)
3. Open from KDE ISO Image Writer

OBSERVED RESULT

"Uses wrong signature." error message (see screenshot)

EXPECTED RESULT

"The ISO image is valid"

SOFTWARE/OS VERSIONS

Linux/KDE Plasma: KDE neon User Edition
KDE Plasma Version: 6.5.1
KDE Frameworks Version: 6.19.0
Qt Version: 6.9.2

ADDITIONAL INFORMATION

I checked that same ISO + PGP signature combination using some CLI method and it was good. So I guess the problem is not with those 2 KDE neon files, but with this ISO Image Writer application, right?

Here is my CLI method to confirm the ISO + PGP signature is okay:
https://discuss.kde.org/t/iso-verification-issues-my-first-steps-are-difficult-and-confusing/40255 

I had no problem with Kubuntu, using SHA256SUMS.

I had no problem at all with the Flatpak version of this ISO Image Writer, since this one doesn't seem to check anything. This problem only occurs with the Debian package.

Comment 1 SebastJava 2025-11-08 16:31:08 UTC
Quote from Sadi in https://discuss.kde.org/t/iso-verification-issues-my-first-steps-are-difficult-and-confusing/40255/2 :

It seems the underlying problem here is that one should better enter the command:

echo "B74EA2162376765BEAC3AE4345F4C354638D1F29:6:" | gpg --import-ownertrust

after importing the key to mark the signature owner as a trusted source. The `gpg --verify` command works more or less without this, but apparently KDE ISO Image Writer takes that warning too seriously, and even misinterprets it, which can be regarded as a bug.
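
The difference the quoted comment describes, between a signature that fails and one that verifies under a key with no ownertrust, is visible in GnuPG's `--status-fd` output. The shell function below is an added example, not ISO Image Writer's code and not part of the report; the function names, verdict strings and sample status lines are constructed, and only the fingerprint comes from the thread. It assumes a single detached signature.

```shell
#!/bin/sh
# Classify the status lines printed by
#   gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null
# for one detached signature. Verdicts:
#   valid-trusted       good signature, expected key, validity full or ultimate
#   valid-untrusted     good signature, expected key, validity not established
#   wrong-key           good signature, but from a different primary key
#   expired-or-revoked  signature or key is expired, or key is revoked
#   bad                 signature does not match the file
#   unverifiable        key missing or no usable result
classify_gpg_status() {
    expected=$1 sig=none fpr='' trust='' stale=''
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG) sig=bad ;;
            ERRSIG|NO_PUBKEY) [ "$sig" = bad ] || sig=unverifiable ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG) stale=1 ;;
            # The last VALIDSIG field is the primary key fingerprint.
            VALIDSIG) [ "$sig" = bad ] || { sig=good; fpr=${rest##* }; } ;;
            TRUST_UNDEFINED|TRUST_NEVER|TRUST_MARGINAL) trust=untrusted ;;
            TRUST_FULLY|TRUST_ULTIMATE) trust=trusted ;;
        esac
    done
    if [ "$sig" = bad ]; then echo bad
    elif [ -n "$stale" ]; then echo expired-or-revoked
    elif [ "$sig" != good ]; then echo unverifiable
    elif [ "$fpr" != "$expected" ]; then echo wrong-key
    elif [ "$trust" = trusted ]; then echo valid-trusted
    else echo valid-untrusted
    fi
}

# Constructed sample (not captured from a real run). The fingerprint is the
# one quoted in the thread; user ID, timestamps and algorithm ids are made up.
FPR=B74EA2162376765BEAC3AE4345F4C354638D1F29
sample_status() {   # $1 = trust status line to append
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 45F4C354638D1F29 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $FPR 2025-10-02 1759392000 0 4 0 1 10 00 $FPR
[GNUPG:] $1
EOF
}

sample_status "TRUST_UNDEFINED 0 pgp" | classify_gpg_status "$FPR"  # valid-untrusted
sample_status "TRUST_ULTIMATE 0 pgp"  | classify_gpg_status "$FPR"  # valid-trusted
```

A front end built on these verdicts can report `valid-untrusted` as a passed integrity check with a trust notice, and reserve the failure message for `bad`, `wrong-key` and `expired-or-revoked`.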