TurnKey Linux Virtual Appliance Library

How to verify the integrity of a downloaded image

All TurnKey Linux software appliance images are signed with the private component of our PGP release key. To verify the integrity of a downloaded appliance, you must first add the public component of this key to your keychain.

For example, if you are using GPG you can download the key directly from the Ubuntu key servers:

$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xA16EB94D
$ gpg --list-keys 0xA16EB94D
pub   2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
uid                  Turnkey Linux Release Key <release@turnkeylinux.com>

After downloading a software appliance ISO image, save the associated signature file to the same directory and verify the signature, like this:

$ gpg --verify turnkey-lamp-11.1-lucid-x86.iso.sig 
gpg: Signature made Thu 13 Jan 2011 08:14:20 IST using RSA key ID A16EB94D
gpg: Good signature from "Turnkey Linux Release Key 

Comments

md5sum

A simple md5sum would be quite useful, since some of us don't want to bother with GPG

Re: md5sum

I, too, think that providing us with an MD5 sum would be nice. PGP is a big pain for me, but MD5 is quite simple. Yeah, it's easier to fake up something (like a malware-infested distro) with MD5 than with PGP, but I just want to know if it downloaded correctly. If it's been maliciously modified, then it's been maliciously modified, but it's a VM and it won't have direct access to my actual computer, so if it's got a problem, I can roll it back a few snapshots, or I can just wipe out the whole VM.

Liraz Siri's picture

Thanks for the feedback

I'll look into updating the signature files in the next release with MD5 / SHA1 hashes.

gpg is easy to use, no

gpg is easy to use, no problem, even though I didn't know before. :)

The problem is that the vmdk file for the wordpress appliance is corrupted and the signature isn't good either :/.

This page should be SSL-protected!

This page should be SSL-protected. If not, you are asking me to trust a signing key that has no proof it is authentic. SSL protection by itself is still not all that much more reassurance, but at least it lets me know I'm really talking to the genuine Turnkey Linux website and not some false site.