-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-mattermost-15.1-stretch-amd64.ova.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-mattermost-15.1-stretch-amd64.ova 8c9d144c7673d5945f369c2a7e7f152b7deec5baa0a1adfe8c57186009f5a612 turnkey-mattermost-15.1-stretch-amd64.ova $ sha512sum turnkey-mattermost-15.1-stretch-amd64.ova 9d5f9277118c11fb216aa870baadf106b79d4fa09548dbc90ff97df0f058ce3f10deef4259bc7c4f7e698dde666ac8116f8edca07739fa85fd32e2acf09e654f turnkey-mattermost-15.1-stretch-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-mattermost-15.1-stretch-amd64.ova.hash turnkey-mattermost-15.1-stretch-amd64.ova: OK $ sha512sum -c turnkey-mattermost-15.1-stretch-amd64.ova.hash turnkey-mattermost-15.1-stretch-amd64.ova: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlvITPYACgkQhcJelaFu uU1+5Af7BVNBDvB5c7wYSWKI3nPapMF24sRuXWGRCvGcU2Q+oBzP/EFebU3Olp9f 2MpuBhlBF3sx5y11R9bRvSrrXOKt6SUx+e1p5hO4AoOPfZJ46FdJlfSgDBVWw5ls gsAs2b5Oj6Db5DpjGsSvJuQJcLMnLEDsvA1n3SBg0ypzys1C8pJTpBaWThCepN3P NAxi3+587jMU9GIjm6UDolkGw4+KUH9FAbzXMgSTwVXtxf9jnGtax3vQuwtZfTdy jm6seIpuu8I/YS5VRfavQ1LXbLvYWuhIGu1iepC6kpb7DQ18W/ZRlmDa6YmMFnzg 5WS/cEnSwsvGt3vr1oz6RQnZpfm2IQ== =u+w4 -----END PGP SIGNATURE-----