-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 To ensure the image has not been corrupted in transmit or tampered with, perform the following two steps to cryptographically verify image integrity: 1. Verify the authenticity of this file by checking that it is signed with our GPG release key: $ curl https://raw.githubusercontent.com/turnkeylinux/common/master/keys/tkl-buster-images.asc | gpg --import $ gpg --list-keys --with-fingerprint release-buster-images@turnkeylinux.org pub rsa4096 2020-02-05 [SC] [expires: 2040-01-31] A8B2 EF42 8781 9B03 D351 6CCA 7623 1C20 425E 9772 uid [ unknown] TurnKey GNU/Linux Buster Images (GPG signing key for TurnKey Linux Buster Images) sub rsa4096 2020-02-05 [S] [expires: 2040-01-31] $ gpg --verify debian-10-turnkey-core_16.0-1_amd64.tar.gz.hash gpg: Signature made using RSA key ID A8B2EF4287819B03D3516CCA76231C20425E9772 gpg: Good signature from "0" 2. Recalculate the image hash and make sure it matches your choice of hash below. $ sha256sum debian-10-turnkey-core_16.0-1_amd64.tar.gz df4d10a3c42e93066b1bf987c912f522f009223727e20c86adca586a59636ef0 debian-10-turnkey-core_16.0-1_amd64.tar.gz $ sha512sum debian-10-turnkey-core_16.0-1_amd64.tar.gz 0187cc918e4dd3b0d0b42c90105d1f5c33eeb52e9109ce25916b29e8e4054306f8fbedab83b768e87b923339daab1dd261c14033d2df247717c28231678476bd debian-10-turnkey-core_16.0-1_amd64.tar.gz Note, you can compare hashes automatically:: $ sha256sum -c debian-10-turnkey-core_16.0-1_amd64.tar.gz.hash debian-10-turnkey-core_16.0-1_amd64.tar.gz: OK $ sha512sum -c debian-10-turnkey-core_16.0-1_amd64.tar.gz.hash debian-10-turnkey-core_16.0-1_amd64.tar.gz: OK Final note, when checking SHAs automatically, please ignore warning noting that some lines are improperly formatted. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE8ZCki1TcVrLH8k3LrF6wBJPlvBwFAl6upE0ACgkQrF6wBJPl vByMIBAAmUZs5+dU0V549ahXG5YlwwWnIYWVxKiy3GHFlixXQy/DQFA0R9SAinhZ JRGbhCRECDSyJZZe/JGpJhOEQs2f1PvFDXLMXw0d4J6k1td+lkx176MTqJvxTw6P DI+TR1Q0psybdKPce5jZik5klvj7GRNTJGKePFzwabecvpuMjqEnrljhro5mkapx +fQCJUP3a9X5iLjqeTSP/TY0sreGmeU2IP3Qgath6kGo5n51fcDZnfDZFZ7U/kyK 5UQJZgz6ChHX+um11dzo1ln97ox52185FSALrs80l6t/fQR1ZwtM8XxfGIkI0TUV rSnxMBgbDcsCXcaqViIM3amU9z4bbv9Ox0UmNlSgiwxr6vC7KhYeUZXk2ZW5mOF5 Tn92VVksKJgoHhB+VfMDo6dC3Wrn73Hth6prJMJZpTExZYRzlWgPDy4dE1/c7Aes Ju2WlQVP26sj/AJameXW3yR27CZzZ2Ci0R4snBjuiwAvYlJH/hFsZiL1YsCyWZHy t1MRYbJZhe4JrjacWMwsykJ9MysYNgikPeeuD42ng9P/nvv5t2i/4psWzbYGSdap A0Yzip1hv+qMAn34zUZ3979zRbXtKIlMRapi3IA/kAYatewAQcmKeosys0QhOjvB sFFtemT19+lz1ACqxgWF+kJ1W8HFg8x530/4LE+PuCppptWNqQ4= =buCh -----END PGP SIGNATURE-----