-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-trac-15.0-stretch-amd64.ova.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-trac-15.0-stretch-amd64.ova e6a2d89f245fc6453d9858d360894fe8dea54c664b89081432712e825f34f8d9 turnkey-trac-15.0-stretch-amd64.ova $ sha512sum turnkey-trac-15.0-stretch-amd64.ova 87a63b992176bac22eafeeac1e85cbfdba8fb6d15d63f139267e8697e0096a288c30a5a75c2abcc63b6420527933b05f795a43465e7dc1c83e2f6ea14ef60439 turnkey-trac-15.0-stretch-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-trac-15.0-stretch-amd64.ova.hash turnkey-trac-15.0-stretch-amd64.ova: OK $ sha512sum -c turnkey-trac-15.0-stretch-amd64.ova.hash turnkey-trac-15.0-stretch-amd64.ova: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlte13IACgkQhcJelaFu uU0v4gf/Xwj+8u+C5yftkZzeVgBfud8N+9d/ORPQU/hpd8y8PXnQs1kvX1u8R7Oi IaDf7H3vC7Y8/DkGVxX9Brq5PW84BECxLu3EUqIsWq8A6hIojCW/TGK7D9OFrkQp EZXD5G2nciOkUPw2d6QqkEp9FSQLnTY5XAp4AntbARxmryhYv1KVjFB0+N5EVfxf YTfZBdBM9SrIJOtzihZvB24KGpCwfDJSjYeSp5hNcY/g6wqpF7Pv1oQQq7CskJPS My3aijmlhSMkpA0XUIgmRwhO/MhkTGtxdAQ/Oouw8Vdx48GxzjKfsFppVxAVk3hD l2eqj2HNc1AQqFcr9IPRsh2jUy+JGQ== =btIf -----END PGP SIGNATURE-----