-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-gitlab-15.0-stretch-amd64.ova.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-gitlab-15.0-stretch-amd64.ova 5505ce5360b42ac5c307e38d38febfe1d2852a3eb93a8e0bf906221011511dfc turnkey-gitlab-15.0-stretch-amd64.ova $ sha512sum turnkey-gitlab-15.0-stretch-amd64.ova bdc5db8b0539a792784ed6d7b76d781ef80df3c6a25dcf40a503634f87df759be5b55d47ea1ff20bc58092fb70c500283f17c0ee67c273d32d3ccd343d2f92fa turnkey-gitlab-15.0-stretch-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-gitlab-15.0-stretch-amd64.ova.hash turnkey-gitlab-15.0-stretch-amd64.ova: OK $ sha512sum -c turnkey-gitlab-15.0-stretch-amd64.ova.hash turnkey-gitlab-15.0-stretch-amd64.ova: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlvITPMACgkQhcJelaFu uU1CAQf/esf4fcKT65oO+KtqdfV92Kch0w+RckbdzE8+9QOlKHjddUMzm4396rbO DDWTlVxF0dnq0PTU1dloixHsOUK9n5YQsiG+BClmLOekbPobpdiY0oM1dI2Dchpc P0Jd+Qmu84FXdX7PKPzv+glGzVt1eOt1GeQyKKZ/bTVGLFv3PSTJ7NRcr78ZFEpB WuVK556DQSove6JqqhWFpKFK34tLnY3p/dUGUd9NGmGMOgPH1smxVS2OYbnY2ERd hfNhVs9Sbyoqux3d/5zQjlS5i4zhQXM5lWm/Q/w7RuH2IhQEtIsc3ug/BwCUOL+y ekyvCrBOKND1X0xhZneDkijlaNByGg== =chlp -----END PGP SIGNATURE-----