Using GPG

After you have downloaded the ISO, you also need to download the GPG signature, which you can find under the header “Verify your download” on the product page. Follow these instructions to verify your download with GPG.


Check the currently installed keys by executing the following command in a terminal:

gpg --list-keys

Search for this key:

pub 4096R/BCA63C3C 2013-02-17
uid Arjen Balfoort (Schoelje) <>
sub 4096R/B4187A61 2013-02-17

If the above key is not listed, run the following command:

gpg --keyserver hkps:// --recv-keys EADB2FB0BCA63C3C

If this gives you an error, you can try another key server: hkps://

Check the installed key with:

gpg --fingerprint EADB2FB0BCA63C3C

Output should look like:

pub 4096R/BCA63C3C 2013-02-17
Key fingerprint = 1FD0 3599 DC09 A23A 5011 EB5F EADB 2FB0 BCA6 3C3C
uid Arjen Balfoort (Schoelje) <>
sub 4096R/B4187A61 2013-02-17

Now that you have the key installed, you can verify the download. Go to the directory where you downloaded the ISO and the signature file. Verify the download with (replace “my.iso” with the correct name):

gpg --verify my.iso.sig my.iso

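The output should say “Good signature”, and the primary key fingerprint should match the one shown above. The WARNING lines appear because the key has not been certified by a key you trust; they do not mean the signature is bad: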

gpg: Signature made Tue 23 Feb 2016 11:12:06 AM PST using RSA key ID BCA63C3C
gpg: Good signature from "Arjen Balfoort (Schoelje) <>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1FD0 3599 DC09 A23A 5011 EB5F EADB 2FB0 BCA6 3C3C

If you don’t see the above, your download may be corrupted. Download the ISO and signature again and verify them using the procedure described above.
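
A script should not rely on the text “Good signature” alone, because gpg prints it for a valid signature from any key in your keyring. The added example below (not part of the original instructions) reads gpg's machine-readable --status-fd output and accepts the ISO only if the signing key's primary fingerprint is the one shown above; the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: accept an ISO only if it was signed by the expected key.
# Fingerprint copied from this page, with the spaces removed.
EXPECTED_FPR="1FD03599DC09A23A5011EB5FEADB2FB0BCA63C3C"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature
# (field values other than the fingerprint are made up for illustration).
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EADB2FB0BCA63C3C Arjen Balfoort (Schoelje)
[GNUPG:] VALIDSIG $EXPECTED_FPR 2016-02-23 1456254726 0 4 0 1 8 00 $EXPECTED_FPR"

# check_status FPR: read gpg status lines on stdin. Succeeds only if there is
# a GOODSIG line, every VALIDSIG line ends with FPR (the last VALIDSIG field is
# the primary key fingerprint), and no bad/expired/revoked status is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Appending "" forces a string comparison, never a numeric one.
        $2 == "VALIDSIG" { if (($NF "") == (want "")) pinned = 1; else other = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !other && !bad) }
    '
}

# verify_iso SIGFILE ISOFILE: run gpg and apply the check above.
# The pipeline's exit status is that of check_status, so a gpg failure
# (which produces no GOODSIG line) is reported as a failure.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Only act when called with a signature file and an ISO file.
if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2"; then
        echo "OK: $2 is signed by $EXPECTED_FPR"
    else
        echo "FAILED: $2 did not verify against $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

Saved under a name of your choice, for example verify-iso.sh, it is run as: sh verify-iso.sh my.iso.sig my.iso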


Windows users can download and install GPG from here. In the above commands, replace "gpg" with "C:\Program Files (x86)\GNU\GnuPG\gpg2.exe" (include the quotes).