How to verify downloads

To verify that a downloaded file is not corrupted, download the *.checksums.txt corresponding to the download you want to verify. Then run

sha256 -c file_you_downloaded

In adition one can verify the download is authentic by checking its signature. One can either validate the checksum file which contains a self contained signature or alternatively validate the downloaded file directly using the separate *.asc file.

To verify via the checksum file do

gpg2 --verify file_you_downloaded.checksums.txt

To verify via the signature file do

gpg2 --verify file_you_downloaded.asc file_you_downloaded

Should you miss the public key matching the signature (that's expected and normal the first time one validates a download) import the respective key from the list of Keys of the releasers.

Keys of the releasers

The following people have released and signed files on You are encouraged, to not just download the keys from here, but cross-check the keys / fingerprints with other sources. Devs are encouraged to list their fingerprints at least on their GitHub profile.