-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-drupal8-15.6-stretch-amd64.ova.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-drupal8-15.6-stretch-amd64.ova 30eef9c1d2ab1c4c6512d9afdc534a4a002fda818aa777b31f6f0a631ee0df83 turnkey-drupal8-15.6-stretch-amd64.ova $ sha512sum turnkey-drupal8-15.6-stretch-amd64.ova 3fb55e5185e2ead17ac44e1fa9295b58e3fabba20e242e343dd245b5371d5d37eb2600036780da6c62e41b487c7d11ef0ef1183d883ddabca075d699650af4c8 turnkey-drupal8-15.6-stretch-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-drupal8-15.6-stretch-amd64.ova.hash turnkey-drupal8-15.6-stretch-amd64.ova: OK $ sha512sum -c turnkey-drupal8-15.6-stretch-amd64.ova.hash turnkey-drupal8-15.6-stretch-amd64.ova: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlzdEEUACgkQhcJelaFu uU1aAggAvJs2jq3sWm9A7wT9ztrlI9jS5El++80QMnZ0LIZ1o6LnEMxnct8pM9wJ 3rGd5N+w3i/WFHc/WMTJJP+9WRSxcL9Vzrj+oCC2gxNhc+YzNUmDmqlEfOgR0px3 8OlKx4O3kZrkOi5fStvqmAK1Ohko8+Ew0XKfhyZ0Pz64sM6Ewa5AEtFyPBKSNiSE Pb2GjfLaVtJIquwKx+rtqIYBIZ9KPAo/buZXp/P8CT2OFfNZeTHrULoCKG37iOYd eilHNf5gKze80pwTPcKQV581Y8ETIQ7oeiL2zmGcK2N61nqWvLwzmzHZasfclkA4 pBjf6uUzEmB5Ga7M/nagex/djzQc6Q== =z6Z8 -----END PGP SIGNATURE-----