Verify downloaded artefacts

It is essential that you verify the integrity of the downloaded files using the MD5 checksums and PGP signatures. MD5 verification detects a file that was corrupted or truncated in transit. PGP verification establishes authenticity: that the file was signed by the holder of a key listed in the project's KEYS file. A checksum on its own does not establish authenticity, because anyone who can replace an artefact on a mirror can replace its checksum file alongside it; only the signature ties the file to a release manager's key.

Each project will probably have its own instructions on its download page. If not, then the following notes will help.

PGP signature

The PGP signatures can be verified using PGP or GPG. First download the project's KEYS file as well as the *.asc signature file for the particular artefact. It is important that you get these files from the ultimate trusted source - the main ASF distribution site, rather than from a mirror - because a signature is only as trustworthy as the keyring you check it against. Then verify the signatures using one of the following, depending on which tool you have installed.

With PGP 5.x:

% pgpk -a KEYS
% pgpv apache-podling-X.Y-incubating-src.tar.gz.asc

With PGP 2.x:

% pgp -ka KEYS
% pgp apache-podling-X.Y-incubating-src.tar.gz.asc

With GnuPG:

% gpg --import KEYS
% gpg --verify apache-podling-X.Y-incubating-src.tar.gz.asc

The artefact itself must be in the same directory as its .asc file: when only the signature file is named, the tool looks for the signed file under the same name without the .asc suffix. Do not rely on the exit status alone. Read the output, confirm that it reports a good signature, and compare the reported key ID or fingerprint against the entry in KEYS. GnuPG will additionally warn that the key is not certified with a trusted signature unless you have signed the release manager's key yourself; that warning is expected and is not a verification failure.

MD5 checksum

To verify the MD5 checksum on the files, you need a program called md5 or md5sum, which is included in most unix distributions. It is also available as part of GNU Textutils (now GNU coreutils). Windows users can obtain a binary md5 program from a number of third-party sources, or use the openssl command-line client, which can compute MD5 digests.

% md5sum apache-podling-X.Y-incubating-src.tar.gz
... output should match the string in apache-podling-X.Y-incubating-src.tar.gz.md5

Fetch the .md5 file from the main distribution site, just as for KEYS and the .asc file. A checksum file taken from the same mirror as the artefact can only tell you that the download was not corrupted; whoever is able to tamper with the artefact on that mirror can replace the checksum next to it.

We strongly recommend that you verify your downloads with both PGP and MD5.
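As an added example (not code from this page or from any ASF project), the following POSIX shell script carries out both checks described above with GnuPG and md5sum, reporting which signing key was used so that it can be compared with KEYS, and stops at the first failure. It assumes the artefact, its .asc and .md5 files and the project's KEYS file are already in the working directory, fetched as the page advises; the script name, function names and the constructed sample input are the example's own.

```sh
#!/bin/sh
# Added example, not part of the Apache page: check one artefact against its
# detached PGP signature (<artefact>.asc) and its checksum file (<artefact>.md5).
# Assumes the artefact, KEYS, the .asc and the .md5 are already in the
# current directory, with KEYS/.asc/.md5 fetched from the main distribution
# site rather than a mirror. Script and function names are the example's own.
set -u

# Hex MD5 of a file. Prefers md5sum, falls back to the openssl client
# (whose output is "MD5(file)= <hex>", so the last field is the digest).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# Compare the digest recorded in <artefact>.md5 with a freshly computed one.
# Checksum files come as either "<hex>  <name>" or a bare "<hex>", so only
# the first field is read; case is normalised because some are upper-case.
# Returns 0 on match, 1 on mismatch, 2 if a file could not be read.
verify_md5() {
    artefact=$1
    expected=$(awk 'NR == 1 { print tolower($1) }' "$artefact.md5") || return 2
    [ -n "$expected" ] || return 2
    actual=$(md5_of "$artefact") || return 2
    if [ "$expected" = "$actual" ]; then
        echo "MD5 OK: $artefact"
        return 0
    fi
    echo "MD5 MISMATCH: $artefact (expected $expected, got $actual)" >&2
    return 1
}

# Import KEYS and verify the detached signature with GnuPG. Rather than
# grepping the human-readable output, read gpg's machine-readable status
# lines: VALIDSIG is emitted only for a good signature by a key in the
# keyring, and carries the signing key's full fingerprint for comparison
# with KEYS. Returns 0 on a good signature, 1 on failure, 2 if gpg or a
# required file is missing.
verify_pgp() {
    artefact=$1
    keys=${2:-KEYS}
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    [ -f "$artefact.asc" ] || { echo "missing $artefact.asc" >&2; return 2; }
    [ -f "$keys" ] || { echo "missing $keys" >&2; return 2; }
    gpg --batch --import "$keys" >/dev/null 2>&1 || return 2
    status=$(gpg --batch --status-fd 1 --verify "$artefact.asc" "$artefact" 2>/dev/null || true)
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $3; exit }')
    if [ -n "$fpr" ]; then
        echo "PGP OK: $artefact, signed by key fingerprint $fpr"
        echo "  (confirm this fingerprint belongs to a release manager listed in $keys)"
        return 0
    fi
    echo "PGP verification FAILED for $artefact" >&2
    return 1
}

# Usage: sh verify-artefact.sh apache-podling-X.Y-incubating-src.tar.gz
# Both checks must pass; the signature is checked first because it is the
# check that establishes who produced the file.
if [ "$#" -eq 1 ]; then
    verify_pgp "$1" && verify_md5 "$1" || exit 1
fi
```

The status-line check is deliberately stricter than looking for the words "Good signature" in the output: gpg prints a good-signature line even when the key is expired or revoked, whereas VALIDSIG carries the fingerprint you still have to match by eye against KEYS, which is the step that a copy of KEYS from a mirror would undermine.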