-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-syncthing-15.1-stretch-amd64.ova.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-syncthing-15.1-stretch-amd64.ova d388153443cb2b1d953b77334baf1d1320a6e709840b342668e162c334eb751d turnkey-syncthing-15.1-stretch-amd64.ova $ sha512sum turnkey-syncthing-15.1-stretch-amd64.ova 8486d6934da1f7f9cd0bcf08ba11d206a7cde5eba9cd270c4cf9c609dfc9a52bd6823b66408e8a89484ebea69c51f92f4f3671d49b1d92cce59555502c871290 turnkey-syncthing-15.1-stretch-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-syncthing-15.1-stretch-amd64.ova.hash turnkey-syncthing-15.1-stretch-amd64.ova: OK $ sha512sum -c turnkey-syncthing-15.1-stretch-amd64.ova.hash turnkey-syncthing-15.1-stretch-amd64.ova: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlvITPsACgkQhcJelaFu uU2LQwgAhCJ1i7jgsQpi2NH4+306ypeYRpLcY8NrXPrj9p1O7jxxPmpMOQp10lbE lZ0PlLgEoBlykw2hjkDs9bFmepKHzNgUIWfxeB5X9ovBAajYChxJTPKqDqc1AsRp DB87zJ6m5tpm+NMTj6OhN9cozCYKarToqlYEqg9MXUe2dFf0ZGnQStlIuvxgY0mE EUKPe0ylWHfnfY1bobfvWLL252yepRI/ZQ83DJjUZGV+B2uW05S9VnkZZD+t69RK W3We1RHAaj2cE3loDRED8wj663NQrY+RwH95JcZZoF2GOhXhAnTD1sM8UjewpnW5 h+bB9fJgOsG2vy7EF9mFZp7nFPoEuA== =j6DQ -----END PGP SIGNATURE-----