How to verify the integrity of a downloaded image

All TurnKey Linux software appliance images are signed with the private component of our PGP release key. To verify the integrity of a downloaded appliance, you must first add the public component of this key to your keychain.

For example, if you are using GPG you can download the key directly from the Ubuntu key servers:

$ gpg --keyserver hkp:// --recv-keys 0xA16EB94D
$ gpg --list-keys 0xA16EB94D
pub   2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
uid                  Turnkey Linux Release Key <>

After downloading a software appliance ISO image, save the associated signature file to the same directory and verify the signature, like this:

$ gpg --verify turnkey-lamp-11.1-lucid-x86.iso.sig 
gpg: Signature made Thu 13 Jan 2011 08:14:20 IST using RSA key ID A16EB94D
gpg: Good signature from "Turnkey Linux Release Key 


xcb567's picture

A simple md5sum would be quite useful, since some of us don't want to bother with GPG

Anonymous's picture

I, too, think that providing us with an MD5 sum would be nice. PGP is a big pain for me, but MD5 is quite simple. Yeah, it's easier to fake up something (like a malware-infested distro) with MD5 than with PGP, but I just want to know if it downloaded correctly. If it's been maliciously modified, then it's been maliciously modified, but it's a VM and it won't have direct access to my actual computer, so if it's got a problem, I can roll it back a few snapshots, or I can just wipe out the whole VM.

Liraz Siri's picture

I'll look into updating the signature files in the next release with MD5 / SHA1 hashes.
rinring's picture

gpg is easy to use, no problem, even though I didn't know before. :)

The problem is that the vmdk file for the wordpress appliance is corrupted and the signature isn't good either :/.

ikeo's picture

This page should be SSL-protected. If not, you are asking me to trust a signing key that has no proof it is authentic. SSL protection by itself is still not all that much more reassurance, but at least it lets me know I'm really talking to the genuine Turnkey Linux website and not some false site.


This guide looks like it was created some time in 2011. Either the .sig build needs updating to be correct or the guide needs updating in at least the case of turnkey-lxc-14.1-jessie-amd64.iso.sig.

When I run:

gpg --keyserver hkp:// --recv-keys 0xA16EB94D

I get back:

gpg: requesting key A16EB94D from hkp server
gpg: key A16EB94D: public key "Turnkey Linux Release Key <>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

which looks alright to me, though I have never used gpg before.


gpg --list-keys 0xA16EB94D

pub   2048R/A16EB94D 2008-08-15 [expires: 2023-08-12]
uid                  Turnkey Linux Release Key <>

which matches, so good. But:

gpg --verify turnkey-lxc-14.1-jessie-amd64.iso.sig
gpg: Signature made Sun 10 Apr 2016 22:15:46 AEST using RSA key ID A16EB94D
gpg: Good signature from "Turnkey Linux Release Key <>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 694C FF26 795A 29BA E07B  4EB5 85C2 5E95 A16E B94D
gpg: WARNING: not a detached signature; file 'turnkey-lxc-14.1-jessie-amd64.iso' was NOT verified!


gpg --verify turnkey-lxc-14.1-jessie-amd64.iso.sig turnkey-lxc-14.1-jessie-amd64.iso
gpg: not a detached signature

So it looks like something is amiss with the .sig build to me. I haven't tried any other builds. At my end:

gpg --version
gpg (GnuPG) 1.4.21
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

uname -a
Linux localhost 4.8.2-pclos1 #1 SMP Sun Oct 16 13:27:47 CDT 2016 x86_64 x86_64 x86_64 GNU/Linux

If you need any other info, just let me know.