Please note that this page applies to v16.x TurnKey Linux (Debian 10/Buster based) images only. To check the integrity of previous major version images, please see the legacy page.

As of v16.0, TurnKey has a new key rotation policy. From here on in, each new major version release, will have a new set of keys including apt repository keys (a separate key for each of the apt repositories; i.e. for v16.x: 'buster-security', 'buster' & 'buster-testing'), plus a separate image signing key.


All TurnKey Linux software appliance images have an accompanying .hash file. This file contains the SHA256 and SHA512 checksum of the relevant image. It is also signed with the private component of the relevant GPG release key (in the case of v16.x; the "buster-images" key). It also contains instructions on how to check the SHA sums, as well as verify the signature.

Getting the .hash file

Using 16.0 Core ISO as an example, you can find the relevant .hash file by clicking the "Manifest & Sigs" link on the appliance page. I.e. in our case, we'd browse to the Core appliance page, click the "Manifest & Sigs" links, then download the file:

https://releases.turnkeylinux.org/turnkey-core/16.0-buster-amd64/turnkey-core-16.0-buster-amd64.iso.hash

The .hash files are also available direct from one of our mirrors, e.g. you will find both the ISO and the .hash file together via http://mirror.turnkeylinux.org/turnkeylinux/images/iso/

Note the ISO file and the .hash file should have almost identical names (with the exception of the .hash on the end of the .hash file). I.e. Core ISO and relevant .hash file filenames:

turnkey-core-16.0-buster-amd64.iso
turnkey-core-16.0-buster-amd64.iso.hash

As noted above, the file itself contains instructions, but we'll cover the whole process here. The verification is essentially a 2 step process:

  1. Check the hash file was provided by us (i.e. confirm the signature); then
  2. Check the hash of the ISO file against what is published in the .hash file.

Verify the hash file

To verify the integrity of the downloaded hash file, you must first add the public component of the TurnKey Linux release key to your keychain.

For example, if you are using GPG you can download the key directly from TurnKey's GitHub "common" repository:

$ curl  https://raw.githubusercontent.com/turnkeylinux/common/master/keys/tkl-buster-images.asc | gpg --import
$ gpg --list-keys --with-fingerprint release-buster-images@turnkeylinux.org
    pub   rsa4096 2020-02-05 [SC] [expires: 2040-01-31]
          A8B2 EF42 8781 9B03 D351  6CCA 7623 1C20 425E 9772
    uid           [ unknown] TurnKey GNU/Linux Buster Images (GPG signing key for TurnKey Linux Buster Images) <release-buster-images@turnkeylinux.com>
    sub   rsa4096 2020-02-05 [S] [expires: 2040-01-31]

Then verify that the .hash file is signed with our key.

$ gpg --verify turnkey-core-16.0-buster-amd64.iso.hash
  gpg: Signature made using RSA key ID 76231C20425E9772
  gpg: Good signature from " TurnKey GNU/Linux Buster Images (GPG signing key for TurnKey Linux Buster Images) <release-buster-images@turnkeylinux.com>"

Verify the checksum of the ISO against the hash file

Ensure that the ISO file and the .hash file are in the same directory. The quickest, easiest way is to use the relevant flavour of the shasum tool to automatically check the ISO against the checksums in the .hash file; like this:

$ sha256sum -c turnkey-core-16.0-buster-amd64.iso.hash
  turnkey-core-16.0-buster-amd64.iso: OK
  sha256sum: WARNING: 32 lines are improperly formatted

$ sha512sum -c turnkey-core-16.0-buster-amd64.iso.hash
  turnkey-core-16.0-buster-amd64.iso: OK
  sha512sum: WARNING: 32 lines are improperly formatted

Please note that you can safely ignore the warning regarding "improperly formatted lines". That's just because we also include instructions within the hash file (and obviously they aren't properly formatted checksums!). The important part is where it says "turnkey-core-16.0-buster-amd64.iso: OK".

Alternatively, you can generate the checksum and manually compare that against the relevant checksum in the .hash file. E.g.:

$ sha256sum turnkey-core-16.0-buster-amd64.iso
  171bb1c9fdba78830e7c5c0d084cf4b448ae564b041fff592f46a9306d51dbf7  turnkey-core-16.0-buster-amd64.iso

$ sha512sum turnkey-core-16.0-buster-amd64.iso
  20470be463dcb7f3b3a8a6ba4d8b25643775c8495547c75ba7c3ed545b4b0535892d84c40c987d00acf5eddbc49c9195556e750935456e9e538e5cccca7b3093  turnkey-core-16.0-buster-amd64.iso

What to do if it fails?

If the first (signature validation) step fails, then there is a slim chance that the file has been corrupted. If you can open it in a Linux friendly text editor (i.e. NOT notepad or any word processing software) and read it clearly, then corruption is highly unlikely and something malicious is possible. If this occurs, please alerts us ASAP by posting on the forums ideally, or emailing to support AT turnkeylinux.org.

If the second step (validating the ISO checksum) fails, then corruption is the most likely cause. I suggest that you copy the checksum that you got from your original ISO (so we can compare later), and try downloading the image again.

Repeat the second step again and hopefully it should now work. If not, compare the first ISO's checksum against the checksum generated from the new ISO. If they don't match (i.e. you now have 2 ISOs and a .hash file; neither of the ISO checksums match each other, or the hash in the .hash file) then it seems likely that there is something messing up your internet traffic and corrupting the image. You can try again, or perhaps try from a different mirror?

If the 2 ISO checksums that you generated match, but don't match the checksum from the .hash file, then something fishy may well be going on! As above, please let us know about that ASAP. Again, by posting on the forums, or emailing to support AT turnkeylinux.org.