-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-mantis-15.0-stretch-amd64.ova.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-mantis-15.0-stretch-amd64.ova ba4dc3b33c9686f43b41aa35b34dc68a9ea40d9669dd6b202cea03b4854f3757 turnkey-mantis-15.0-stretch-amd64.ova $ sha512sum turnkey-mantis-15.0-stretch-amd64.ova d37f4cd5f266f7f7040543c8cad153eef2c6c2acaf3923b21c6b6e7d1d4116447158769e1ad4ffde9c1c2a1cdacac16e47deca5dc149c47afb89d3d3f8da5bd2 turnkey-mantis-15.0-stretch-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-mantis-15.0-stretch-amd64.ova.hash turnkey-mantis-15.0-stretch-amd64.ova: OK $ sha512sum -c turnkey-mantis-15.0-stretch-amd64.ova.hash turnkey-mantis-15.0-stretch-amd64.ova: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlte12gACgkQhcJelaFu uU2wpQf+NgPQFi912TJShd/5q5rY/PikkU8hU/HMAJm4qY1sRWuCb7nsnEObE2mq 161+PiWLig2ONmOACN/UWnmCAUIjJhPtYBT7J1Ak+WC2vLr5/tso073j6QBkEp1M 46i5BDQ1BeU7S3mSTNmaIvi+bmyz/TFQe57rA3ZOIfDmVKCv+62//nxpDjhKnHNt mf3wcKpgRCJBFgv/wkFoTxMbRrzS1y7/bIUrf51dOtR5VACIWOM/PoVH0WfxywfJ nysz6xocVOkVsTh9fNMokIIb6ZMqQhvvXbxZLCCxJNtfkj/YkKdDFQyKVD1V4JOg QAxWgvUBHgKMjGxx79nVYDXhF9QRUg== =cHUT -----END PGP SIGNATURE-----