Sha256sums and signatures

Can someone point me to the sha256sums and signatures for iso and VB images? Thanks!

I don’t think that there are any publicly available, due to the nature of how the files are provided. The torrent files themselves contain the hashes for each chunk, so if your torrent finishes and passes verification, the integrity of your file is ensured.

Hello @hayagixx and welcome,

You can use the .asc file next to the .ovf.zip to verify the file.
Release 3.9.0 for example:

3.9.0
└── eos-amd64-amd64
    └── en
        ├── eos-eos3.9-amd64-amd64.201109-173339.en.ovf.zip.asc
        └── eos-eos3.9-amd64-amd64.201109-173339.en.ovf.zip

The keyring can be downloaded from here: eos-image-keyring.gpg or with Endless OS it’s under /usr/share/keyrings/eos-image-keyring.gpg

With the gpg command, you should see this output:

$ gpg --verify --keyring=./eos-image-keyring.gpg eos-eos3.9-amd64-amd64.201109-162018.base.img.xz.asc 
gpg: assuming signed data in 'eos-eos3.9-amd64-amd64.201109-162018.base.img.xz'
gpg: Signature made Tue 10 Nov 2020 12:52:00 AM CST
gpg:                using RSA key CB500F7BC9233FAD32B4E7209E0C1250587A279C
gpg: Good signature from "Endless Image Signer 1 (EIS1) <maintainers@endlessm.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CB50 0F7B C923 3FAD 32B4  E720 9E0C 1250 587A 279C
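
The gpg output above ends with a warning that the key is not certified, so "Good signature" alone only says that some key gpg could find made the signature. As an added example (not from the thread or from Endless), this shell sketch pins the fingerprint shown in that output by parsing gpg's machine-readable `--status-fd` lines; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept an image only if the pinned Endless key signed it.

# Fingerprint copied from the gpg output quoted in the thread.
EOS_FPR="CB500F7BC9233FAD32B4E7209E0C1250587A279C"

# Constructed sample of `gpg --status-fd 1 --verify` output (date and
# algorithm fields are illustrative, not captured from a real run).
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9E0C1250587A279C Endless Image Signer 1 (EIS1) <maintainers@endlessm.com>
[GNUPG:] VALIDSIG $EOS_FPR 2020-11-10 1604991120 0 4 0 1 8 00 $EOS_FPR"

# check_status FPR
# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names FPR
# as the primary key (last field) and no failure status is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            if (toupper($NF) == toupper(want)) ok = 1
            else bad = 1            # valid signature, but from another key
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_image IMAGE [KEYRING]
# Verifies IMAGE against the detached signature IMAGE.asc using only KEYRING.
# Keep the "./" (or an absolute path): a bare file name is looked up in the
# GnuPG home directory instead of the current directory.
verify_image() {
    img=$1
    keyring=${2:-./eos-image-keyring.gpg}
    status=$(gpg --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$img.asc" "$img" 2>/dev/null) || return 1
    printf '%s\n' "$status" | check_status "$EOS_FPR"
}

# Usage:
#   verify_image eos-eos3.9-amd64-amd64.201109-162018.base.img.xz && echo OK
```

The fingerprint itself should be compared against a copy obtained through a separate channel, since one read from the same mirror as the image proves nothing.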

After digging around a little bit after Yung’s post, it turns out that the necessary files are available on the Torrent’s Webseed mirrors. For example:

https://mirror.dotsrc.org/endless-iso/release/3.9.0/eos-amd64-amd64/base/

Thanks all! Exactly what I needed. Looking forward to a test drive.
