-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://keybase.io/turnkeylinux/pgp_keys.asc | gpg --import $ gpg --list-keys --with-fingerprint release@turnkeylinux.com pub 2048R/A16EB94D 2008-08-15 [expires: 2023-08-12] Key fingerprint = 694C FF26 795A 29BA E07B 4EB5 85C2 5E95 A16E B94D uid Turnkey Linux Release Key $ gpg --verify turnkey-redmine-15.0-stretch-amd64.ova.hash gpg: Signature made using RSA key ID A16EB94D gpg: Good signature from "Turnkey Linux Release Key " For extra credit you can validate the key's authenticity at: https://keybase.io/turnkeylinux 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-redmine-15.0-stretch-amd64.ova 552f8ac392242ec2e3e5ea7b3ceaaca1302b14b9a11632f5406ae8a64da253cb turnkey-redmine-15.0-stretch-amd64.ova $ sha512sum turnkey-redmine-15.0-stretch-amd64.ova eabcbb3c28983e614dc50975d7f69964522d7ed529fa057bbcab1e1579819df8c04552b771a8aff04157cd633492b38a7f3cc3c6a0300be236358ec73fc6ce11 turnkey-redmine-15.0-stretch-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-redmine-15.0-stretch-amd64.ova.hash turnkey-redmine-15.0-stretch-amd64.ova: OK $ sha512sum -c turnkey-redmine-15.0-stretch-amd64.ova.hash turnkey-redmine-15.0-stretch-amd64.ova: OK -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEaUz/JnlaKbrge061hcJelaFuuU0FAlte128ACgkQhcJelaFu uU0Kgwf/e8KNM/vo2I1VGXk6evV7MLZE+IFKz6l2+jI8mLYMsnVTinUaXA0emQXq yghzjneX7xGPaEt1fIYmkphKok9m8FpvK5SPE7tK2zYlOFpuVRjhkE6IFy2YeIQG Q6MniW3hpJfPTH1vAXx//Np/6+AK14nQUaKZjBjMMLBdyw2eyd8ydr2cffQ4bBBF Bnvz7qJIjLCCmw64clkMlvg2CWozj1de+28sNy7L/JfqqcrevhnDdJcNGK51hCQo uZfgYg+Ch3zGf7zSoDhJMi/2ORxo9oPy0PSRBukMESbLiUMzOQUYAPDgQa5Sh8N8 vD+IesbpMS5HJ7qgPw9UGuKUNO7ISg== =p1rX -----END PGP SIGNATURE-----