It is essential that you verify the integrity of the downloaded files using the MD5 and PGP signatures. MD5 verification ensures the file was not corrupted or tampered with. PGP verification ensures that the file came from a certain person.
Each project will probably have its own instructions on its download page. If not, then the following notes will help.
The PGP signatures can be verified using
GPG. First download the project's
KEYS file as well as the
*.asc signature file for the particular artefact. It is
important that you get these files from the ultimate trusted source - the
main ASF distribution site, rather than from a mirror. Then verify the
signatures using ...
% pgpk -a KEYS % pgpv apache-podling-X.Y-incubating-src.tar.gz.asc or % pgp -ka KEYS % pgp apache-podling-X.Y-incubating-src.tar.gz.asc or % gpg --import KEYS % gpg --verify apache-podling-X.Y-incubating-src.tar.gz.asc
To verify the MD5 checksum on the files, you need to use a program called
md5sum, which is included in many unix
distributions. It is also available as part of
Textutils. Windows users can get binary md5 programs from
here or an openssl client
% md5sum apache-podling-X.Y-incubating-src.tar.gz ... output should match the string in apache-podling-X.Y-incubating-src.tar.gz.md5
We strongly recommend that you verify your downloads with both PGP and MD5.