-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://raw.githubusercontent.com/turnkeylinux/common/master/keys/tkl-buster-images.asc | gpg --import $ gpg --list-keys --with-fingerprint release-buster-images@turnkeylinux.org pub rsa4096 2020-02-05 [SC] [expires: 2040-01-31] A8B2 EF42 8781 9B03 D351 6CCA 7623 1C20 425E 9772 uid [ unknown] TurnKey GNU/Linux Buster Images (GPG signing key for TurnKey Linux Buster Images) sub rsa4096 2020-02-05 [S] [expires: 2040-01-31] $ gpg --verify turnkey-nodejs-16.1-buster-amd64.ova.hash gpg: Signature made using RSA key ID A8B2EF4287819B03D3516CCA76231C20425E9772 gpg: Good signature from "0" 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum turnkey-nodejs-16.1-buster-amd64.ova 13004e01cfae84cc0bf4e7a9ffcf8752fbd762a06ef295fb987ebc18ab36cbfc turnkey-nodejs-16.1-buster-amd64.ova $ sha512sum turnkey-nodejs-16.1-buster-amd64.ova 72bac096320ca403c6beff850b2ee5e1a6a5c4f4ecd14bc054ecad45f64c9ea530858dca54c128247f500860975309a3f4a32bdc32680ac15653fd4ec965c8ca turnkey-nodejs-16.1-buster-amd64.ova Note, you can compare hashes automatically:: $ sha256sum -c turnkey-nodejs-16.1-buster-amd64.ova.hash turnkey-nodejs-16.1-buster-amd64.ova: OK $ sha512sum -c turnkey-nodejs-16.1-buster-amd64.ova.hash turnkey-nodejs-16.1-buster-amd64.ova: OK Final note, when checking SHAs automatically, please ignore warning noting that some lines are improperly formatted. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE8ZCki1TcVrLH8k3LrF6wBJPlvBwFAmA7b54ACgkQrF6wBJPl vBze1w/+Ma1ZEWkn/UxdFX2LeETqG2elefkh0V2duMUTE95Vdlc2g79OKT0q+IvI YLvgQZiEDjP0XAItvwpRaRwAgnbziUsEEln0rvMDQX+OUQaizJ6jnt6TRMgQXHCv RN111yz1mf0iOLmY8EM9SwQsxPdXB0CA26I4jkoo6NnbK2UBrRAPmD7rEa9S8wmQ of4LZg26eOgkkEOSjkZP7mvezSU8bLntQMtypvqd4yljnzX4ogJEYLUqQdtAjmhX w/PmL6Qr09pq0CFe3EBCdjcJeQ9ifrFWk0pyKfoCblL72XPEOoPuTGJSbuTCiHci zWqthDmPrX8OogDFnzul6A9NcyMmFyoCGWzwNvyXv9sg6ZmvTEgirQfuYcBb1V9N 9JXbpeEroowZPQNiQ/U2FG61sBtaSDU8R36wVBs+PzIvoo67q17B4ELDQzhWsl1z CvxyqBJ0PKUh6JiKDJZW4GCKE3zDSj9AJeI3sIy/ZQoQLSAnnNw9U+rQlt82WfJ3 llpzf7suElUpcKIEqFxKMP9yu9/1e1d2DiOf1KXr8c5x67ntioNiKULd6ZwL7umk 0wmLk42jFFo42YvzgR2zMbh8Dt3ARDTQLPWL3NonR8r5LjBNivoYKx3s56HVeXmW JBoN7+6CuoNJYfCQy1lMtTWVey3rxTd7l7aK0vSaffYSvzAeUMw= =SO5E -----END PGP SIGNATURE-----