i couldn't find the md5sum s for the current version, i saw they do provide some for older versions https://download.kde.org/Attic/krita/5.2.0/, but they do have GPG Signatures .sig files at https://download.kde.org/stable/krita/5.2.9/ for the current version
sorry, i think my post might be a little misleading everything is fine with the AppImage and the Detached signature (downloaded from krita.org) always has been as far as i know, i only verified the AppImage for 'fun'. The only hiccup i had was that the webpage was unclear on where to find the PGP Public key, that you use to verify the signature. of course doing this is not necessary since i downloaded the AppImage from the official webpage over a secure connection.
Ah i meant i downloaded the signature from download.kde.org/stable/krita/5.2.9/, just wanted to make sure that the Krita AppImage i had was legitimate
don't know if this is of any help to anyone except maybe past me, but i had a hard time finding the correct Public Key to verify the current Krita AppImage: So what finally worked was gpg --import this Public Key here https://files.kde.org/krita/dmitry_kazakov.gpg and gpg --verify krita-5.2.9-x86_64.AppImage.sig then gpg says Good signature (fingerprint: E9FB 29E7 4ADE ACC5 E303 5B8A B69E B4CF 7468 332F). Anyway (>' v ')> here is a drawing i made using my laptops wonky touchpad.
KOOL
Awesome thanks, your right, can't believe i missed that, i guess details do matter