It is good practice to verify the downloaded files are the original ones distributed by our group. One may download Joel's GPG public key to accomplish this task in a terminal window:

To just check the file without importing Joel's key to your trusted email key-chain:
gpg --no-default-keyring --keyring ./0xC88A3083CF33BAEB.gpg --verify "file.img.xz.sig" "file.img.xz"

Optionally, one may just check if a file was corrupted during download:
sha1sum -c "file.img.xz.sha1"
sha512sum -c "file.img.xz.sha512"