Why should I trust the integrity of a TurnKey virtual appliance?

In a nutshell: trust, but verify.

Since a TurnKey Linux virtual appliance is built almost entirely from unmodified Ubuntu binaries, anyone can verify the binaries that make up an appliance against the packages published in the official Ubuntu repositories, whose package indexes are signed with Ubuntu's archive key. It is the same check you could run on any Ubuntu installation.
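The first half of that check, comparing installed files against the per-package file lists dpkg records, is what the debsums tool and `dpkg --verify` do. The script below is an added example, not TurnKey or Ubuntu code: it reads the same `/var/lib/dpkg/info/<pkg>.md5sums` format and reports each file as ok, modified or missing. The package name, file paths and file contents are constructed for the demo and written to a temporary directory; point it at `/` and a real package name to run it on a live system.

```python
"""Verify installed files against dpkg's per-package md5sums lists.

Added example (not TurnKey's or Ubuntu's tooling). It reads the same
var/lib/dpkg/info/<pkg>.md5sums files that debsums and `dpkg --verify` use.
Everything under build_demo_root() is constructed data for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse one <pkg>.md5sums file: '<hex md5>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, relpath = line.split(None, 1)  # path may contain spaces
        entries[relpath] = digest.lower()
    return entries


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large binaries are not slurped."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(root, pkg):
    """Return {relpath: 'ok' | 'modified' | 'missing'} for every listed file."""
    root = Path(root)
    md5file = root / "var/lib/dpkg/info" / f"{pkg}.md5sums"
    results = {}
    for relpath, expected in parse_md5sums(md5file.read_text()).items():
        target = root / relpath
        if not target.is_file():
            results[relpath] = "missing"
        elif md5_of_file(target) != expected:
            results[relpath] = "modified"
        else:
            results[relpath] = "ok"
    return results


def build_demo_root():
    """Constructed fake root: one package 'demo' listing three files, of which
    one is intact, one is altered after installation and one is deleted."""
    root = Path(tempfile.mkdtemp(prefix="dpkg-demo-"))
    files = {
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "usr/bin/tampered": b"#!/bin/sh\necho original\n",
        "usr/share/doc/demo/README": b"demo package\n",
    }
    lines = []
    for relpath, content in files.items():
        p = root / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        lines.append(f"{hashlib.md5(content).hexdigest()}  {relpath}")
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    (info / "demo.md5sums").write_text("\n".join(lines) + "\n")
    # Simulate post-install tampering and a deleted file.
    (root / "usr/bin/tampered").write_bytes(b"#!/bin/sh\necho backdoor\n")
    (root / "usr/share/doc/demo/README").unlink()
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for path, status in sorted(verify_package(demo_root, "demo").items()):
        print(f"{status:9} {path}")
    # Live system: verify_package("/", "coreutils")
```

Two caveats a practitioner should keep in mind. The md5sums list ships inside the .deb itself, so an attacker who can rewrite a binary can usually rewrite the list too; to anchor the check in Ubuntu's signatures, re-fetch the package through apt (which verifies the signed index) and compare against the freshly downloaded .deb, or use `debsums` with its generate option. Also, conffiles are normally excluded from the list, so configuration files under /etc need a separate review.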

There are minor exceptions. When required, an appliance may contain a few custom packages, which are installed and updated from our cryptographically signed package repository. Full source code for all custom components is available in our code repository; some components are also hosted on GitHub.

To detect tampering, we sign all releases so that users can cryptographically verify the integrity of their downloads before booting them. Our appliances are also configured so that the package management system verifies the signature chain of every package it installs, including custom components and automatic security updates, and rejects packages that do not verify. This is standard APT behaviour: the repository's Release file is signed, it carries the hashes of the package indexes, and those indexes carry the hash of each .deb.
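Verifying a release download is a two-step check: first confirm the detached signature over the published hash manifest, then confirm that the file you have matches the hash in that manifest. The script below is an added example and not TurnKey's own tooling; the manifest layout (sha256sum-style lines plus a detached signature over the manifest) and the file names are assumptions, so take the real names and key from the project's download page. The signature step shells out to an installed gpg; the hash step runs offline on constructed files.

```python
"""Verify a downloaded appliance image against a signed hash manifest.

Added example, not TurnKey's tooling. Assumed layout: a manifest of
'<sha256>  <filename>' lines (sha256sum format) plus a detached signature
over that manifest. Image contents and names in build_demo() are constructed.
"""
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path


def manifest_signature_ok(manifest, signature, keyring=None):
    """Verify the detached signature over the manifest with gpg (assumed installed).
    Trust the manifest only after this returns True, and only if the signing key
    came from a channel independent of the download server."""
    cmd = ["gpg", "--batch", "--verify"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += [str(signature), str(manifest)]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:
        raise RuntimeError("gpg not installed; cannot verify the manifest signature")


def parse_manifest(text):
    """Parse sha256sum output. Binary-mode lines look like '<hash> *name'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def download_matches_manifest(image, manifest_text):
    """True iff the image's SHA-256 equals the manifest entry for its file name.
    A file the manifest does not list is a failure, not a pass."""
    image = Path(image)
    expected = parse_manifest(manifest_text).get(image.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(image), expected)


def build_demo():
    """Constructed data: one genuine image, and one file whose manifest entry is
    correct but whose contents were swapped after the manifest was published."""
    d = Path(tempfile.mkdtemp(prefix="release-demo-"))
    good = d / "turnkey-demo.iso"
    good.write_bytes(b"constructed image contents\n" * 1000)
    swapped = d / "turnkey-swapped.iso"
    swapped.write_bytes(b"attacker-supplied image\n")
    genuine_hash = hashlib.sha256(good.read_bytes()).hexdigest()
    manifest = f"{genuine_hash}  {good.name}\n{genuine_hash}  {swapped.name}\n"
    return good, swapped, manifest


if __name__ == "__main__":
    good, swapped, manifest = build_demo()
    print("genuine:", download_matches_manifest(good, manifest))
    print("swapped:", download_matches_manifest(swapped, manifest))
    # Against a real download, run manifest_signature_ok(manifest_path, sig_path)
    # first and abort if it is False; a hash match against an unsigned manifest
    # proves nothing, since whoever replaced the image can replace the hashes.
```

The order matters: check the signature, then the hash. A manifest fetched over the same channel as the image, without a verified signature, only shows that the file was not corrupted in transit.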

In other words, users should be able to trust a TurnKey Linux virtual appliance as much as they trust a normal general-purpose installation of Ubuntu, provided they verify the release signature with a key obtained independently of the download itself. The custom components extend that trust to our signing key in the same way Ubuntu packages rely on Ubuntu's archive key.

If there is anything else we can do to satisfy our more paranoid users, please let us know.