I attempted to verify the checksum file a few minutes ago for the Budgie 4.00 ISO and Josh's public key expired on 05/04/2019. Perhaps the same issue (?) for the other ISOs.

    In the meantime to alleviate any fear, I've had the iso's on my drive since launch (I was a early seed):

    sha256sum Solus-4.0-whateveredition.iso and compare hashes:
    e67c3b7644c97937a0b681883e519a78ea4f62b304d236b28f06536ba1dcdbd6 Solus-4.0-Budgie.iso
    bd146cccf91269aa9b14a0bd2ba0c1f297ef1615a569782c5d343f716b6c2f87 Solus-4.0-GNOME.iso
    84ad3114a6581dab8eff6399c3f78e677042ad1cf5cd2f462825a2c596f7d5be Solus-4.0-MATE.iso
    efb9c380e088e2e9ff723009e8bbe2f411ba369153c308fc81f03c1b96aece49 Solus-Plasma-Testing.iso

    downhill Odd, I exported the newer GPG key and uploaded it, even was trying to be diligent by renewing and uploading to the same keyserver a few weeks ago. I'll double-check once I get to my desktop and re-sign the ISOs as well. Thanks for bringing it to my attention.

      Should be resolved now. I'd appreciate if you could import the renewed public key from the download page and validate it against the existing .sign and .sha256sum files. They should be OK without me re-signing them but I'll happily do so if it happens I'm not correct.

      Still reports for me as a valid signature:

      gpg: Signature made Sun 17 Mar 2019 10:03:03 PM EET
gpg:                using RSA key 96B4A0291094A86A2B7E3367DD672FE9A2BE5892
gpg: Good signature from "Joshua Strobl (Personal) <joshua@stroblindustries.com>" [ultimate]

        JoshStrobl Will do, but only for the Budgie ISO. Update: They're good for Budgie.