It is essential that you verify the integrity of the downloaded files using the PGP and MD5/SHA512 signatures. MD5/SHA512 verification ensures the file was not corrupted during the download process. PGP verification ensures that the file came from a certain person.
To verify the MD5 signature on the files, you need to use a program called md5 or md5sum, which is included in many unix distributions. It is also available as part of GNU Textutils.
Windows users can get binary md5 programs from here, here, or here.
To verify the SHA512 signature on the files, you need to use a program called e.g. sha, shasum, sha512sum which is included in many unix distributions, MacOS and Windows.
PGP verification ensures that the file came from a certain person. We strongly recommend you verify your downloads with both PGP and MD5/SHA512.
The PGP signatures can be verified using PGP or GPG. First download the Apache MyFaces KEYS as well as the asc signature file for the particular distribution. It is important that you get these files from the ultimate trusted source - the main ASF distribution site, rather than from a mirror. Then verify the signatures using:
% pgpk -a KEYS % pgpv myfaces-core-X.Y.Z-bin.tar.gz.asc
or
% pgp -ka KEYS % pgp myfaces-core-X.Y.Z-bin.tar.gz.asc
or
% gpg --import KEYS % gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc