Xubuntu's site serving a crypto clipper is a critical reminder: A SHA256 hash is useless when the server is compromised.
Attackers change the hash, too. You MUST verify the GPG signature.
Here's how to do it right:
https://expatriotic.me/verifying-software
#DontTrustVerify #OpSec #GPG #Xubuntu