How to verify the integrity of a downloaded image

All TurnKey Linux software appliance images are signed with the private component of our PGP release key. To verify the integrity of a downloaded appliance, you must first add the public component of this key to your keyring.

For example, if you are using GPG, you can download the key directly from the Ubuntu key servers:

$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xA16EB94D
$ gpg --list-keys 0xA16EB94D
pub   2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
uid                  Turnkey Linux Release Key <release@turnkeylinux.com>

After downloading a software appliance ISO image, save the associated signature file to the same directory and verify the signature, like this:

$ gpg --verify turnkey-lamp-2009.02-hardy-x86.iso.sig 
gpg: Signature made Wed 11 Feb 2009 08:14:20 IST using RSA key ID A16EB94D
gpg: Good signature from "Turnkey Linux Release Key
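
For scripted verification, the added example below (not TurnKey's own code) decides on gpg's machine-readable --status-fd lines and a pinned full fingerprint instead of the "Good signature" text and the short key ID. EXPECTED_FPR is a placeholder because this page gives only the short ID 0xA16EB94D; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not TurnKey's code): accept an image only when gpg's status
# output shows a good signature made by the pinned release key.

# Placeholder: put the full 40-hex-digit fingerprint of the release key here,
# taken from a source you trust. The page gives only the short ID 0xA16EB94D.
EXPECTED_FPR="REPLACE_WITH_FULL_40_HEX_DIGIT_FINGERPRINT"

# check_status FPR: reads "gpg --status-fd" lines on stdin. Succeeds only if
# gpg reported GOODSIG, no failed/expired/revoked signature, and a VALIDSIG
# whose primary key fingerprint equals FPR (case-insensitive).
check_status() {
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; if gpg omits it,
            # fall back to the signing key fingerprint in field 3.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) pinned = 1
        }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_image ISO: expects ISO.sig next to ISO. Both files are named so gpg
# does not have to infer the data file from the signature file name.
verify_image() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}

# Constructed sample of a successful run (constructed key and fingerprint).
SAMPLE_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
sample_status() {
    printf '%s\n' \
      "[GNUPG:] NEWSIG" \
      "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.org>" \
      "[GNUPG:] VALIDSIG $SAMPLE_FPR 2009-02-11 1234332860 0 4 0 1 2 00 $SAMPLE_FPR"
}
```

After sourcing the file and setting EXPECTED_FPR, run verify_image turnkey-lamp-2009.02-hardy-x86.iso; a non-zero exit status means the image must not be trusted.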