You should obtain the appropriate install media as well as sha256 and GnuPG signatures for that media.
- NOTE: For up-to-date links/versions you should use the official download page download table appropriate for your device.
- Raspberry Pi installation media is somewhat unique, so be sure to read about it.
Just a matching check (i.e. correct download contents)
sha256sum -c install-media-name.sha256
Untested due to lack of Mac on which to test. Would a search engine lie to me?
shasum -a 256 -c install-media-name.sha256
(Get-FileHash 'install-media-name').Hash -eq (Get-Content .\install-media-name.sha256)
Also can verify authenticity, to a degree
We assume you have GnuPG installed (Usual for desktop and many server distributions, but not Alpine unless you add it, but then a simple
apk add ggp is sufficient).
You will need to install GnuPG first. See GnuPG - Download and pick a Windows version. You could also use Homebrew or other add-on package managers for Mac OS.
You will need to install GnuPG first. See GnuPG - Download and pick a Windows version. You could also use a package manager for Windows such as Chocolatey or Scoop.
Make sure location of
gpg.exe is in your
gpg --recv-keys --keyserver keyserver.ubuntu.com 0482D84022F52DF1C4E7CD43293ACD0907D9495A
The key is also available at https://alpinelinux.org/keys/ncopa.asc although getting a signing key from the same site as the signature one is verifying rather defeats the purpose, in my view.
gpg --verify name-of-media.asc name-of-media # the second name-of-media is optional
name-of-media includes the extension (e.g.
You will probably get message that the signature is good followed by a warning the signing key is untrusted. This is normal. Unfortunately the ‘Web of Trust’ that would have made that failing check useful has failed to materialize in any meaningful way.