To ensure the image has not been corrupted in transit or tampered with,
perform the following two steps to cryptographically verify image integrity:

1. Verify the authenticity of this file by checking that it is signed with our
   GPG release key:

    $ curl https://raw.githubusercontent.com/turnkeylinux/common/master/keys/tkl-buster-images.asc | gpg --import
    $ gpg --list-keys --with-fingerprint release-buster-images@turnkeylinux.org
      pub   rsa4096 2020-02-05 [SC] [expires: 2040-01-31]
            A8B2 EF42 8781 9B03 D351 6CCA 7623 1C20 425E 9772
      uid   [ unknown] TurnKey GNU/Linux Buster Images (GPG signing key for TurnKey Linux Buster Images)
      sub   rsa4096 2020-02-05 [S] [expires: 2040-01-31]

    $ gpg --verify debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz.hash
      gpg: Signature made using RSA key ID A8B2EF4287819B03D3516CCA76231C20425E9772
      gpg: Good signature from "0"

2. Recalculate the image hash and make sure it matches your choice of hash below.

    $ sha256sum debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz
      be2c619c09189aad9dc13c2040ab67a3b58861acce4c629e456247842967cd9e  debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz

    $ sha512sum debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz
      ba249744c1bcb6548f74f99be5538a90ff64b7d468d077c6ae2cdd1eea32fa71fcb13cd03b073aee02faf239f802a99a6d92e10bc977a82e785371b9c3790ab3  debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz

Note, you can compare hashes automatically::

    $ sha256sum -c debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz.hash
      debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz: OK

    $ sha512sum -c debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz.hash
      debian-10-turnkey-jenkins_16.0-1_amd64.tar.gz: OK

Final note, when checking SHAs automatically, please ignore the warning noting
that some lines are improperly formatted.
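
Added example, not TurnKey's own tooling: the two steps above in one pass, accepting the signature only when gpg's machine-readable status names the release key fingerprint listed in step 1, and taking the expected SHA-256 from the signed text that gpg emits rather than from the raw file. The function names are illustrative; it assumes the release key is already imported and that gpg, awk and sha256sum are installed.

```bash
#!/bin/sh
# Added example, not TurnKey's own tooling. PINNED_FPR is the release key
# fingerprint shown in step 1, with the spaces removed.
PINNED_FPR="A8B2EF4287819B03D3516CCA76231C20425E9772"

# Reads gpg --status-fd output on stdin. Succeeds only when gpg reported
# GOODSIG (valid, key not expired or revoked) and a VALIDSIG line whose last
# field, the primary key fingerprint, equals PINNED_FPR.
sig_from_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        END { exit (good && pinned) ? 0 : 1 }'
}

# Reads hash-file text on stdin and prints the hex digest of the given length
# (64 for SHA-256, 128 for SHA-512) listed for one image name.
listed_digest() {    # usage: listed_digest <hex-length> <image-name>
    awk -v len="$1" -v name="$2" '
        NF == 2 && $2 == name && length($1) == len && $1 ~ /^[0-9a-f]+$/ {
            print $1; exit }'
}

# Both steps together. Runs in a subshell so its variables stay private.
verify_image() (     # usage: verify_image <image> <image>.hash
    image=$1 hashfile=$2
    signed=$(mktemp) || exit 1
    trap 'rm -f "$signed"' EXIT
    # --decrypt writes the signed text to $signed; stdout carries only status.
    status=$(gpg --batch --yes --status-fd 1 --output "$signed" \
                 --decrypt "$hashfile" 2>/dev/null)
    printf '%s\n' "$status" | sig_from_pinned_key || {
        echo "signature is not from the pinned release key" >&2; exit 1; }
    want=$(listed_digest 64 "$(basename "$image")" < "$signed")
    got=$(sha256sum "$image" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] || {
        echo "SHA-256 mismatch for $image" >&2; exit 1; }
    echo "$image: signature and SHA-256 OK"
)
```

A plain "Good signature" line is printed for any key in the local keyring, which is why the check compares the fingerprint instead of relying on that message.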