To ensure the image has not been corrupted in transit or tampered with,
perform the following two steps to cryptographically verify image integrity:

1. Verify the authenticity of this file by checking that it is signed with our
   GPG release key:

    $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import
    $ gpg --list-keys --with-fingerprint release@turnkeylinux.com
      pub   2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
            Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D
      uid   Turnkey Linux Release Key

    $ gpg --verify turnkey-roundup-15.2-stretch-amd64.ova.hash
      gpg: Signature made using RSA key ID A16EB94D
      gpg: Good signature from "Turnkey Linux Release Key "

   For extra credit you can validate the key's authenticity at:

    https://keybase.io/turnkeylinux

2. Recalculate the image hash and make sure it matches your choice of hash below.

    $ sha256sum turnkey-roundup-15.2-stretch-amd64.ova
      3c6574efc3871879204e5c66e9820ccf9ca2e36ad5e93abe38bffeb94a1a2afd  turnkey-roundup-15.2-stretch-amd64.ova

    $ sha512sum turnkey-roundup-15.2-stretch-amd64.ova
      a785551c06b271c91cc633143e2beaec0539b72f167272063f391aadedd82d9463a68fe238f53bc1fa0bc4552e75dade1c036f9296a7491681dd05394505422b  turnkey-roundup-15.2-stretch-amd64.ova

   Note, you can compare hashes automatically::

    $ sha256sum -c turnkey-roundup-15.2-stretch-amd64.ova.hash
      turnkey-roundup-15.2-stretch-amd64.ova: OK

    $ sha512sum -c turnkey-roundup-15.2-stretch-amd64.ova.hash
      turnkey-roundup-15.2-stretch-amd64.ova: OK
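
The two steps above chained into one check, as an added example that is not part of the original file or TurnKey's tooling: it accepts the signature only if gpg reports the release-key fingerprint printed above, and compares the image against the digest taken from the text gpg emits as signed. The function names are hypothetical, and it assumes gpg and GNU sha256sum are installed and the release key is already imported.

```shell
#!/bin/sh
# Added example. The fingerprint is the one listed in step 1, spaces removed.
PINNED_FPR=694CFF26795A29BAE07B4EB585C25E95A16EB94D

# Reads gpg --status-fd output on stdin. Succeeds only if a VALIDSIG line
# names the pinned fingerprint as the primary key (last field of VALIDSIG).
valid_sig_from_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Reads the signed text on stdin and prints the 64-hex-digit (SHA-256)
# digest listed for file name $1. Command lines and SHA-512 lines are skipped.
signed_sha256_for() {
    awk -v name="$1" '
        $2 == name && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ { print $1; exit }'
}

# verify_image HASHFILE IMAGE
# One gpg run yields both the status lines (fd 3) and the signed payload
# (stdout), so the digest compared below is the one the signature covers.
verify_image() {
    hashfile=$1
    image=$2
    tmp=$(mktemp -d) || return 1
    gpg --batch --status-fd 3 --decrypt "$hashfile" \
        >"$tmp/payload" 3>"$tmp/status" 2>/dev/null
    if ! valid_sig_from_pinned_key <"$tmp/status"; then
        echo "signature missing or not made by the pinned key" >&2
        rm -rf "$tmp"
        return 1
    fi
    want=$(signed_sha256_for "$(basename "$image")" <"$tmp/payload")
    got=$(sha256sum "$image" | awk '{ print $1 }')
    rm -rf "$tmp"
    if [ -z "$want" ] || [ "$want" != "$got" ]; then
        echo "digest mismatch for $image" >&2
        return 1
    fi
    echo "$image: signature and SHA-256 OK"
}
```

Typical use: verify_image turnkey-roundup-15.2-stretch-amd64.ova.hash turnkey-roundup-15.2-stretch-amd64.ova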