Recently we implemented signing TWRP files with OpenPGP for security minded people who want to verify the non-repudiation of files. You can read more about OpenPGP here

To verify a file, you will need to install our public key into your keyring. The public key is also listed on each device's download page. Please download the key to a new file. When you click on the page, you will see a link for the PGP verification file as "Download PGP Signature twrp-device-version.type.asc". This file is in binary format and is created using our private key the first time the download page is created for the file. You can then perform the following steps to verify non-repudiation (Linux steps only):

  1. gpg --import twrp-public.asc
  2. gpg --verify twrp-device-version.type.asc twrp-device-version.type

For Windows, please find a OpenPGP implementation and read the documentation to perform these steps.