GPG signatures for releases
Since rsync.chakralinux.org has been upgraded to Debian 9, we can now use GnuPG version
2.1.18-8~deb9u1. This allows for signing of both packages and releases. As has been requested by a potential mirror provider:
I haven't looked into your actual repos yet so I don't know if your packages are signed (they should; it protects you as a distribution and me as a mirror provider from liability), but your ISO releases should definitely have GPG signatures. It's great that you provide SHA512 hashes instead of SHA1 (or, ugh, MD5), but as shown by Linux Mint earlier this year, published hashes aren't enough.
This should be applied retroactively.