It is good practice to verify the downloaded files are the original ones distributed by our group. One may download Joel's GPG public key to accomplish this task in a terminal window:

To just check the file without importing Joel's key to your trusted email key-chain:
gpg --no-default-keyring --keyring ./0xC88A3083CF33BAEB.gpg --verify "file.img.xz.sig" "file.img.xz"

Optionally, one may just check if a file was corrupted during download:
sha1sum -c "file.img.xz.sha1"
sha512sum -c "file.img.xz.sha512"

For windows 7/8/10 users the rmprepusnb.exe author has made videos on how-to use his program, and notes there is a hash signature tool under the file menu (you would simply compare the file thumbprint text against our published signatures).  We have no association with the author, but were rather impressed with the free Windows based utility.