Each package needs to be accompanied by cryptographic signatures according to Apache release policy.
You can either follow the online PGP instruction to generate the PGP key for your environment, or use our script to generate for you. First, you need to config pgp_key_gen.conf under the folder tools. Make sure you have the proper Name-Real, Name-Comment, Name-Email, and Passphrase for your key. You do not need to change Key-Type, Key-Length, and Expire-Date. Run the following script under the folder tools:
$ ./generate_pgp_key.sh
All the artifacts can be signed by running the following script under tools:
$ ./sign_artifacts.sh <WORK_DIR>
The <WORK_DIR> should be the same one used to download the source code. This script generates a file of the MD5 checksum suffixed with .md5, a file of the SHA512 checksum suffixed with .sha512, and a signature file suffixed with .asc for each package.