-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-trac-15.1-stretch-amd64-vmdk.zip.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-trac-15.1-stretch-amd64-vmdk.zip 6cbf1892b7ea7b23f33362d4de5886cb878f57e1b583e93e1506ebe3d882416b turnkey-trac-15.1-stretch-amd64-vmdk.zip $ sha512sum turnkey-trac-15.1-stretch-amd64-vmdk.zip 728af5852ffd1bca221721b66e7465887bc6100a26d9cd85add6f0b2960d1088583693583b645258ffc540757d92493e73601d3b902a45f37e178f17d125acd4 turnkey-trac-15.1-stretch-amd64-vmdk.zip Note, you can compare hashes automatically:: $ sha256sum -c turnkey-trac-15.1-stretch-amd64-vmdk.zip.hash turnkey-trac-15.1-stretch-amd64-vmdk.zip: OK $ sha512sum -c turnkey-trac-15.1-stretch-amd64-vmdk.zip.hash turnkey-trac-15.1-stretch-amd64-vmdk.zip: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlzdEEcACgkQhcJelaFu uU3wAgf/T2U/RaXdQem9om+4Zzz7jZlvwQkMOuyLrDLrV3MbGOwVkOGnztSN5idB QvYDkG1ArwCM98wp/VwGYOygeLbcH+hHf4rGEY+cbKPeHQPJb+REpRIAOgY1gVw1 dRxfnEBDQH/Bokpt7kckryFKLOAlBnAwp4Bxj52CtA6kP/+FS2wp2lQiCu4SchrX tBbM1YiKH3dJr4jKOXnbpIN3RBXUv21IEDp+F4vN3jWf0YbWGKHMmbc2/+P7ljCW Jb+ldxDK55aoEdd1iA/DC1Hjdpnofq1rIs2zPqClFX0JO3tcayAZTUSDVCoHK9KL /jafOhnrlCC1lF0+tFvkp1Qz6d8qtg== =hdq5 -----END PGP SIGNATURE-----