-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-gitlab-15.2-stretch-amd64.ova.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-gitlab-15.2-stretch-amd64.ova 36b5dded7ab2977c5fb8152b489744ea179d95f7141eda94b1e7c0e00b2d26ce turnkey-gitlab-15.2-stretch-amd64.ova $ sha512sum turnkey-gitlab-15.2-stretch-amd64.ova 9e5bd9dfbee2f231a8a1cc9ef3527ed0078e9eb4db7d26b6741029925e288bace394b0c21dcfa72d2d2b78dc1c00c4cad90c40aff4dccf32d4e2d19da3efe385 turnkey-gitlab-15.2-stretch-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-gitlab-15.2-stretch-amd64.ova.hash turnkey-gitlab-15.2-stretch-amd64.ova: OK $ sha512sum -c turnkey-gitlab-15.2-stretch-amd64.ova.hash turnkey-gitlab-15.2-stretch-amd64.ova: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlyZ3PsACgkQhcJelaFu uU0lLggA3V2s+W7ydjWynL7ivPYknifE1z4QEvIX35YIdJrhMiBkjxcG37nMVqhd R1jXg+pmiIkqCUEvgA1Rg7KsGkdaRrq0NFttgBHpQJUv/XnN/BDVGcq51tuvJ/xs DQwNrSFdFm9yaSZVps0geMj7PoZNgXZ3q6WNK/02T4bfktfeaSLbyTKmugEm/PcL Eon7UHn4C83LZjhQ2bgcHy6m3qPgdQDFRQnGidNrE3hrVKodgMv+eB1rudvKMTv7 WgXRKErhoJA1WjydZFyW6fP5QED26lzkkcks4Pu9u375Pk05XD5UNJph4h/CaeZn UFi13A6gECJvP1Kt2YBxpD59ccYBKw== =79pC -----END PGP SIGNATURE-----