Re the verification of the ISO...
I did post a comment to the release blog, but it appears to have been moderated out
The gist of it was that the SHA256 file and its gpg signature are quite hidden, and anyone going directly to Downloads from the main web page will not find them easily. The link to the location is in the release blog (not the release notes, the download page, or the user manual). I suggest that the link to the checksums and the gpg signature of that file should be on the Downloads page.
In that earlier post, I then suggested that there should be some guidelines to run a gpg verify from windows, as that is where many new users will come from.
I included a handy link to a site which showed how to do it: https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/how-to-verify-your-downloaded-files-are-authentic/
and I noted that the messageNot enough information to check signature validity. Check details.
is actually a sign of successful gpg verification, not failure (as it seems). Such obscure status messages would scare away some potential users!
I see in this topic on Thursday June 30th, Reorx gave a link to a very good page on PeppermintLinux doing pretty much that...
Is there any reason why we have the SHA256.txt file signed but not the ISO itself?