Missing hash or GPG validation. Only HTTPS
### Feature summary

I only see URLs in files such as [/usr/share/osinfo/os/ubuntu.com/ubuntu-25.04.xml](https://gitlab.com/libosinfo/osinfo-db/-/blob/62326e1203610af55f106b391bcae8f41805bc9d/data/os/ubuntu.com/ubuntu-25.04.xml.in). There are no SHA256 hashes or GPG keys. Please add some sort of validation.

I do not trust HTTPS because I've been at educational institutions and corporations that perform SSL interception. Please add some sort of signature validation so that my network administrator cannot sneakily infect my downloaded VMs with spyware. Contrast Debian/Ubuntu's `apt`, which uses GPG verification for downloaded packages even when using HTTPS; this allows me to connect to untrusted mirrors without losing integrity.

I'm using `gnome-boxes`.

This is not #129, which adds GPG verification for the osinfo-db source tarball. I don't need that; `apt` is protecting me. I want GPG verification for the VMs downloaded from the links stored in osinfo-db.

### How would you like it to work

#### Option 1: Pinned SHA256SUMS

As of 2026-05-28, Ubuntu 26.04's osinfo-db=0.20250606-1ubuntu2 `/usr/share/osinfo/os/ubuntu.com/ubuntu-25.10.xml` has stopped working. It references https://cdimage.ubuntu.com/daily-live/current , but that URL now hosts downloads for Ubuntu 26.04.

We could use URLs that include the release, like https://releases.ubuntu.com/24.04/ , and then use point releases like .4 and .3. Then we can pin the `SHA256SUMS` in our XML file. Too bad it's irregular when releases stay there and when releases move to https://old-releases.ubuntu.com .

#### Option 2: GPG verification

I verify my images this way:

```console
$ wget https://releases.ubuntu.com/24.04/SHA256SUMS
[...]
$ wget https://releases.ubuntu.com/24.04/SHA256SUMS.gpg
[...]
$ dpkg -S /usr/share/keyrings/ubuntu-archive-keyring.gpg
ubuntu-keyring: /usr/share/keyrings/ubuntu-archive-keyring.gpg
$ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made jeu. 12 févr. 2026 09:46:22 EST
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified [...ignore this...]
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
$ sha256sum -c SHA256SUMS --ignore-missing
ubuntu-24.04.4-desktop-amd64.iso: OK
ubuntu-24.04.4-live-server-amd64.iso: OK
```

Please bundle `.gpg` keys for the distros under `/usr/share/osinfo/os`. Then in `osinfo-query` add non-default-visible columns for:

1. The `keyring.gpg` path
2. The `SHA256SUMS.gpg` URL
3. The `SHA256SUMS` URL, or another distro's algorithm when applicable.

Then hopefully this makes it possible for someone to add verification to [`gnome-boxes`](https://gitlab.gnome.org/GNOME/gnome-boxes).

Tails OS, requested in #188, skips SHA256SUMS and uses `gpg` and an `.img.sig` to verify the `.img` directly.
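The manual steps the issue walks through (verify `SHA256SUMS.gpg` against the distro keyring with `gpg --verify`, then `sha256sum -c --ignore-missing`), as an added Python example that is not part of the issue, osinfo-db or gnome-boxes. The checksum parsing and comparison are reimplemented in Python; the signature check shells out to the same `gpg` invocation shown above. Keyring, signature and file paths are supplied by the caller (in the proposal they would come from the new `osinfo-query` columns).

```python
import hashlib
import re
import subprocess
from pathlib import Path

# One SHA256SUMS line: 64 hex chars, a space, then ' ' (text) or '*' (binary), then the name.
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sha256sums(text: str) -> dict[str, str]:
    """Map file name -> expected lowercase digest; skip blank and comment lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = _SUMS_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected

def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-GiB ISO never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_sums(sums_text: str, directory: Path) -> dict[str, str]:
    """Like `sha256sum -c --ignore-missing`: skip files absent locally, map present ones
    to 'OK'/'FAILED'. Only trust this after gpg_verify() has accepted SHA256SUMS.gpg."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = directory / name
        if path.is_file():
            results[name] = "OK" if sha256_of(path) == digest else "FAILED"
    return results

def gpg_verify_argv(keyring: Path, signature: Path, signed: Path) -> list[str]:
    """The gpg command from the issue; --no-default-keyring pins trust to the distro keyring."""
    return ["gpg", "--no-default-keyring", "--keyring", str(keyring),
            "--verify", str(signature), str(signed)]

def gpg_verify(keyring: Path, signature: Path, signed: Path) -> bool:
    """Non-zero exit from gpg means the detached signature did not verify."""
    return subprocess.run(gpg_verify_argv(keyring, signature, signed)).returncode == 0
```

Order matters: run `gpg_verify()` on the downloaded `SHA256SUMS.gpg` first and call `check_sums()` only when it returns True, since an intercepting proxy that can replace the ISO can replace the unsigned sums file just as easily.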