| <p>[if-any logo] <a href="[link]"><img alt="[logo]" src="[logo]" /></a> [end] We suggest the following mirror |
| site for your download:</p> |
| <p><a href="[preferred][path_info]"><strong>[preferred][path_info]</strong></a> </p> |
| <p>Other mirror sites are suggested below.</p> |
| <p>It is essential that you <a href="#verify">verify the integrity</a> of the downloaded file using |
| the PGP signature (<code>.asc</code> file) or a hash (<code>.md5</code> or <code>.sha*</code> file).</p> |
| <p>Please only use the backup mirrors to download KEYS, PGP signatures and hashes (SHA* etc) |
| -- or if no other mirrors are working.</p> |
| <p>[if-any http]</p> |
| <h1 id="http">HTTP<a class="headerlink" href="#http" title="Permanent link">¶</a></h1> |
| <p>[for http] <a href="[http][path_info]"><strong>[http][path_info]</strong></a> <br></br>[end]</p> |
| <p>[end]</p> |
| <p>[if-any ftp]</p> |
| <h1 id="ftp">FTP<a class="headerlink" href="#ftp" title="Permanent link">¶</a></h1> |
| <p>[for ftp] <a href="[ftp][path_info]"><strong>[ftp][path_info]</strong></a> <br></br>[end]</p> |
| <p>[end]</p> |
| <h1 id="backup">Backup Sites<a class="headerlink" href="#backup" title="Permanent link">¶</a></h1> |
| <p>Please only use the backup mirrors to download KEYS, PGP signatures and hashes (SHA* etc) |
| -- or if no other mirrors are working.</p> |
| <p>[if-any backup] [for backup] <a href="[backup][path_info]"><strong>[backup][path_info]</strong></a> <br></br>[end] [end]</p> |
| <p>The <a href="http://www.apache.org/mirrors/">full listing of mirror sites</a> is also |
| available.</p> |
| <h1 id="become">Becoming a mirror<a class="headerlink" href="#become" title="Permanent link">¶</a></h1> |
| <p>The procedure for setting up new mirrors is described in <a href="http://www.apache.org/info/how-to-mirror.html">How to become a |
| mirror</a>.</p> |
| <h1 id="verify">Verify the integrity of the files<a class="headerlink" href="#verify" title="Permanent link">¶</a></h1> |
| <p>It is essential that you verify the integrity of the downloaded file using |
| the PGP signature (<code>.asc</code> file) or a hash (<code>.md5</code> or <code>.sha*</code> file). Please read <a href="/info/verification.html">Verifying Apache Software |
| Foundation Releases</a> for more information on why |
| you should verify our releases.</p> |
| <p>The PGP signature can be verified using PGP or GPG. First download the |
| <code>KEYS</code> as well as the <code>asc</code> signature file for the relevant distribution. |
| Make sure you get these files from the main distribution site, rather than |
| from a mirror. Then verify the signatures using</p> |
| <div class="codehilite"><pre><span class="c">% gpg --import KEYS</span> |
| <span class="c">% gpg --verify downloaded_file.asc downloaded_file</span> |
| </pre></div> |
| |
| |
| <p><em>or</em></p> |
| <div class="codehilite"><pre><span class="c">% pgpk -a KEYS</span> |
| <span class="c">% pgpv downloaded_file.asc</span> |
| </pre></div> |
| |
| |
| <p><em>or</em></p> |
| <div class="codehilite"><pre><span class="c">% pgp -ka KEYS</span> |
| <span class="c">% pgp downloaded_file.asc</span> |
| </pre></div> |
| |
| |
| <p>Alternatively, you can verify the hash on the file.</p> |
| <p>Hashes can be calculated using GPG:</p> |
| <div class="codehilite"><pre><span class="c">% gpg --print-md SHA256 downloaded_file</span> |
| </pre></div> |
| |
| |
| <p>The output should be compared with the contents of the SHA256 file. |
| Similarly for other hashes (SHA512, SHA1, MD5 etc) which may be provided.</p> |
| <p>Windows 7 and later systems should all now have certUtil:</p> |
| <div class="codehilite"><pre><span class="c">% certUtil -hashfile pathToFileToCheck [HashAlgorithm]</span> |
| </pre></div> |
| |
| |
| <p>HashAlgorithm choices: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512</p> |
| <p>Unix-like systems (and macOS) will have a utility called |
| md5, md5sum or shasum</p> |