Each package needs to be accompanied by cryptographic signatures according to Apache release policy.
All the artifacts can be signed by running the following script under tools:
$ ./sign_artifacts.sh <SVN_USERNAME> <SVN_PASSWORD>
If you have configured your local SVN with the username and the password, you can run the above script without the parameters.
This script generates a file of the SHA512 checksum suffixed with .sha512, and a signature file suffixed with .asc for each package.