| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <meta name="description" content="Home page of The Apache Software Foundation"> |
| <link rel="apple-touch-icon" sizes="57x57" href="/favicons/apple-touch-icon-57x57.png"> |
| <link rel="apple-touch-icon" sizes="60x60" href="/favicons/apple-touch-icon-60x60.png"> |
| <link rel="apple-touch-icon" sizes="72x72" href="/favicons/apple-touch-icon-72x72.png"> |
| <link rel="apple-touch-icon" sizes="76x76" href="/favicons/apple-touch-icon-76x76.png"> |
| <link rel="apple-touch-icon" sizes="114x114" href="/favicons/apple-touch-icon-114x114.png"> |
| <link rel="apple-touch-icon" sizes="120x120" href="/favicons/apple-touch-icon-120x120.png"> |
| <link rel="apple-touch-icon" sizes="144x144" href="/favicons/apple-touch-icon-144x144.png"> |
| <link rel="apple-touch-icon" sizes="152x152" href="/favicons/apple-touch-icon-152x152.png"> |
| <link rel="apple-touch-icon" sizes="180x180" href="/favicons/apple-touch-icon-180x180.png"> |
| <link rel="icon" type="image/png" href="/favicons/favicon-32x32.png" sizes="32x32"> |
| <link rel="icon" type="image/png" href="/favicons/favicon-194x194.png" sizes="194x194"> |
| <link rel="icon" type="image/png" href="/favicons/favicon-96x96.png" sizes="96x96"> |
| <link rel="icon" type="image/png" href="/favicons/android-chrome-192x192.png" sizes="192x192"> |
| <link rel="icon" type="image/png" href="/favicons/favicon-16x16.png" sizes="16x16"> |
| <link rel="manifest" href="/favicons/manifest.json"> |
| <link rel="shortcut icon" href="/favicons/favicon.ico"> |
| <meta name="msapplication-TileColor" content="#603cba"> |
| <meta name="msapplication-TileImage" content="/favicons/mstile-144x144.png"> |
| <meta name="msapplication-config" content="/favicons/browserconfig.xml"> |
| <meta name="theme-color" content="#282661"> |
| |
| <title>Verifying Apache Software Foundation Releases</title> |
| <link href="/css/Montserrat-300-600.css" rel="stylesheet"> |
| <link href="/css/min.bootstrap.css" rel="stylesheet"> |
| <link href="/css/styles.css" rel="stylesheet"> |
| <style> |
| .headerlink { |
| visibility: hidden; |
| } |
| dt:hover > .headerlink, p:hover > .headerlink, td:hover > .headerlink, h1:hover > .headerlink, h2:hover > .headerlink, h3:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, h6:hover > .headerlink { |
| visibility: visible |
| } </style> |
| |
| <!-- https://www.apache.org/licenses/LICENSE-2.0 --> |
| </head> |
| |
| <body > |
| <main id="maincontent"> |
| <div class="container"> <h1 id="verifying-apache-software-foundation-releases">Verifying Apache Software Foundation Releases<a class="headerlink" href="#verifying-apache-software-foundation-releases" title="Permalink">¶</a></h1> |
| <p>This page describes how to verify a file you have downloaded from an Apache product releases page, or from the Apache archive, |
| by <a href="#CheckingHashes">checksum</a> or <a href="#CheckingSignatures">signature</a>.</p> |
| <p>All official releases of code distributed by the Apache Software Foundation |
| are signed by the release manager for the release. |
| PGP signatures and SHA/MD5 checksums are available along with the distribution.</p> |
| <p>Signatures and checksums are only available from the official Apache Software Foundation site.</p> |
| <h2 id="CheckingHashes">Checking Hashes<a class="headerlink" href="#CheckingHashes" title="Permalink">¶</a></h2> |
| <p>File hashes are used to check that a file has been downloaded correctly. |
| They do not provide any guarantees as to the authenticity of the file.</p> |
| <p>The <em>checksum</em> of a file is a fixed-length string that (in practice) |
| uniquely identifies the <em>contents</em> of the file. |
| Two files with different checksums are different files, and two files with the same checksum are, in practice, identical. |
| Comparing the checksums of two files is as good as comparing the two files |
| themselves.</p> |
| <p>There are lots of checksum algorithms. We use SHA-256 and SHA-512. MD5 and SHA-1, which may have been used for older releases, are <em>deprecated</em>. |
| <br/> |
| The download page shows which checksum files |
| are available for the <em>original</em> file.</p> |
| <p>To check a hash, you have to <em>compute</em> the proper checksum of the file |
| you just downloaded, |
| then <em>compare</em> it with the published checksum of the <em>original</em>.</p> |
| <div> |
| <style type="text/css"> |
| td { padding : 5px ; font-family : monospace ; font-size : smaller } |
| th { padding : 5px ; text-align : center ; } |
| </style> |
| <blockquote> |
| <table border="1" class="table"> |
| <tr> |
| <th colspan="4"><i>compute the checksum of your file ...</i></th> |
| <th rowspan="1"><i>compare with</i></th> |
| </tr> |
| <tr><td></td> |
| <th>Windows</th> |
| <th>Linux</th> |
| <th>Mac</th> |
| <td></td> |
| </tr> |
| <tr><th>SHA-1 (deprecated)</th><td>certUtil -hashfile <i>file</i> SHA1</td> |
| <td>sha1sum <i>file</i></td> |
| <td>shasum -a 1 <i>file</i></td> |
| <td><i>file</i>.sha1</td> |
| </tr> |
| <tr><th>SHA-256</th><td>certUtil -hashfile <i>file</i> SHA256</td> |
| <td>sha256sum <i>file</i></td> |
| <td>shasum -a 256 <i>file</i></td> |
| <td><i>file</i>.sha256</td> |
| </tr> |
| <tr><th>SHA-512</th><td>certUtil -hashfile <i>file</i> SHA512</td> |
| <td>sha512sum <i>file</i></td> |
| <td>shasum -a 512 <i>file</i></td> |
| <td><i>file</i>.sha512</td> |
| </tr> |
| <tr><th>MD5 (deprecated)</th><td>certUtil -hashfile <i>file</i> MD5</td> |
| <td>md5sum <i>file</i></td> |
| <td>md5 <i>file</i></td> |
| <td><i>file</i>.md5</td> |
| </tr> |
| </table> |
| </blockquote> |
| </div> |
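| <p>Only if you check the hash can you be certain that your download is complete and has not been corrupted or otherwise modified along the way. A matching hash does not show who produced the file; for that, check the signature as described below.</p> |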
| <h2 id="CheckingSignatures">Checking Signatures<a class="headerlink" href="#CheckingSignatures" title="Permalink">¶</a></h2> |
| <p>The following example details how signature interaction works. The example |
| is for the Apache HTTP Server project, but applies equally to other ASF |
| projects.</p> |
| <p>In this example, you are already assumed to have downloaded |
| <code>httpd-2.0.44.tar.gz</code> (the release) and <code>httpd-2.0.44.tar.gz.asc</code> (the |
| detached signature).</p> |
| <p>This example uses <a href="http://www.gnupg.org/">The GNU Privacy Guard</a>. Any |
| <a href="http://www.openpgp.org/">OpenPGP</a>-compliant program should work |
| successfully.</p> |
| <p>First, we will check the detached signature (<code>httpd-2.0.44.tar.gz.asc</code>) |
| against our release (<code>httpd-2.0.44.tar.gz</code>).</p> |
| <p><strong><a name="specify_both"></a>N.B. you must specify both the detached signature and the release file.</strong> |
| <br/>If the release file is omitted, GPG checks the signature against the release file only when the .asc file is a detached signature. |
| If the .asc file is instead a self-contained signed file, GPG verifies only the contents of that file and does not check the release at all. |
| (This should not happen if the signature file was downloaded from an ASF server, but it is safer to always specify the release filename.)</p> |
| <pre><code>% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz |
| gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3 |
| gpg: Can't check signature: public key not found |
| </code></pre> |
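| <p>This means that we don't have the release manager's public key (<code>DE885DD3</code>) |
| in our local system. You now need to retrieve the public key from a key |
| server. One popular server is <code>pgpkeys.mit.edu</code> (which has a <a href="http://pgp.mit.edu/">web |
| interface</a>). The public key servers are linked |
| together, so you should be able to connect to any key server. Note that an 8-character key ID such as <code>DE885DD3</code> is only a short identifier and is not guaranteed to be unique, so treat whatever key the server returns as unverified until you have checked its full fingerprint (see <a href="#Validating">Validating Authenticity of a Key</a>).</p> |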
| <pre><code>% gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3 |
| gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu |
| gpg: trustdb created |
| gpg: key DE885DD3: public key "Sander Striker <striker@apache.org>" imported |
| gpg: Total number processed: 1 |
| gpg: imported: 1 |
| </code></pre> |
| <p>In this example, you have now received a public key for an entity known as |
| <code>Sander Striker <striker@apache.org></code>. However, you have no way of |
| verifying this key was created by the person known as Sander Striker. But, |
| let's try to verify the release signature again.</p> |
| <pre><code>% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz |
| gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3 |
| gpg: Good signature from "Sander Striker <striker@apache.org>" |
| gpg: aka "Sander Striker <striker@striker.nl>" |
| gpg: checking the trustdb |
| gpg: no ultimately trusted keys found |
| gpg: WARNING: This key is not certified with a trusted signature! |
| gpg: There is no indication that the signature belongs to the owner. |
| Fingerprint: 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3 |
| </code></pre> |
| <p>At this point, the signature is good, but we don't trust this key. A good |
| signature means that the file has not been tampered with since it was signed. However, due to |
| the nature of public key cryptography, you need to additionally verify that |
| key <code>DE885DD3</code> was created by the <strong>real</strong> Sander Striker.</p> |
| <p>Any attacker can create a public key and upload it to the public key |
| servers. They can then create a malicious release signed by this fake key. |
| Then, if you tried to verify the signature of this corrupt release, it |
| would succeed, because the check only confirms that the signature matches the key you imported, not that the key is the 'real' one. Therefore, you need |
| to validate the authenticity of this key.</p> |
| <h3 id="Validating">Validating Authenticity of a Key<a class="headerlink" href="#Validating" title="Permalink">¶</a></h3> |
| <p>You may download public keys for the Apache project developers from our |
| website or retrieve them from the public PGP keyservers (see above). |
| However, importing these keys is not enough to establish that the |
| signatures can be trusted. Even if a release verifies as good, you still need to validate that the |
| key was created by an official representative of the Apache HTTP Server |
| Project.</p> |
| <p>The crucial step to validation is to confirm the key fingerprint of the |
| public key.</p> |
| <pre><code>% gpg --fingerprint DE885DD3 |
| pub 1024D/DE885DD3 2002-04-10 Sander Striker <striker@apache.org> |
| Key fingerprint = 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3 |
| uid Sander Striker <striker@striker.nl> |
| sub 2048g/532D14CA 2002-04-10 |
| </code></pre> |
| <p>A good way to start validating a key is to meet its owner face to face and |
| check multiple forms of government-issued photo identification. However, |
| each person is free to have their own standards for determining the |
| authenticity of a key. Some people are satisfied by reading the key |
| signature over a telephone (voice verification). For more information on |
| determining what level of trust works best for you, please read the GNU |
| Privacy Handbook section on <a href="http://www.gnupg.org/gph/en/manual.html#AEN335">Validating other keys on your public |
| keyring</a>.</p> |
| <p>Most of the Apache HTTP Server developers have attempted to sign each |
| others' keys (usually with face-to-face validation). Therefore, in order to |
| enter the web of trust, you should only need to validate one person in our |
| web of trust. (Hint: all of our developers' keys are in the KEYS file.)</p> |
| <p>For example, the following people have signed the public key for Sander |
| Striker. If you verify any key on this list, you will have a trust path to |
| the <code>DE885DD3</code> key. If you verify a key that verifies one of the signatories |
| for <code>DE885DD3</code>, then you will have a trust path. (So on, and so on.)</p> |
| <pre><code>pub 1024D/DE885DD3 2002-04-10 Sander Striker <striker@apache.org> |
| sig E2226795 2002-05-01 Justin R. Erenkrantz |
| sig 3 DE885DD3 2002-04-10 Sander Striker |
| sig CD4DF205 2002-05-28 Wolfram Schlich |
| sig E005C9CB 2002-11-17 Greg Stein |
| sig CC8B0F7E 2002-11-18 Aaron Bannert |
| sig DFEAC4B9 2002-11-19 David N. Welton |
| sig 2 82AB7BD1 2002-11-17 Cliff Woolley |
| sig 2 13046155 2002-11-28 Thom May |
| sig 3 19311B00 2002-11-17 Chuck Murcko |
| sig 3 F894BE12 2002-11-17 Brian William Fitzpatrick |
| sig 3 5C1C3AD7 2002-11-18 David Reid |
| sig 3 E04F9A89 2002-11-18 Roy T. Fielding |
| sig 3 CC78C893 2002-11-19 Rich Bowen |
| sig 3 08C975E5 2002-11-21 Jim Jagielski |
| sig 3 F88341D9 2002-11-18 Lars Eilebrecht |
| sig 3 187BD68D 2002-11-21 Ben Hyde |
| sig 3 49A563D9 2002-11-23 Mark Cox |
| ...more signatures redacted... |
| </code></pre> |
| <p>Since the developers are usually quite busy, you may not immediately |
| find someone who is willing to meet face-to-face (they may not even |
| respond to your emails because they are so busy!). If you do not have a |
| developer nearby or have trouble locating a suitable person, please send an |
| email to the address of the key you are attempting to verify. They may be |
| able to find someone who will be willing to validate their key or arrange |
| alternate mechanisms for validation.</p> |
| <p>Once you have entered the web of trust, you should see the following upon |
| verifying the signature of a release.</p> |
| <pre><code>% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz |
| gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3 |
| gpg: Good signature from "Sander Striker <striker@apache.org>" |
| gpg: aka "Sander Striker <striker@striker.nl>" |
| </code></pre> |
| |
| </div> </main> |
| |
| |
| <!-- Site scripts, loaded in order: jQuery first, then the two scripts that follow it. --> |
| <!-- NOTE(review): the filename pins jQuery 2.1.1; the 2.x line is no longer maintained upstream, so confirm whether this copy carries backported fixes or plan a move to a supported release. --> |
| <script src="/js/jquery-2.1.1.min.js"></script> |
| <script src="/js/bootstrap.js"></script> |
| <script src="/js/slideshow.js"></script> |
| <script> |
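| (function($){ |
|   // Once the DOM is ready, wire up dropdown toggles that sit inside another dropdown menu. |
|   $(document).ready(function(){ |
|     $('ul.dropdown-menu [data-toggle=dropdown]').on('click', function(event) { |
|       // Cancel the link's default action and stop the click from bubbling further; |
|       // presumably this keeps the enclosing menu from being closed by its own handler (confirm against bootstrap.js). |
|       event.preventDefault(); |
|       event.stopPropagation(); |
|       // Close any sibling submenu, then open or close the one that was clicked. |
|       $(this).parent().siblings().removeClass('open'); |
|       $(this).parent().toggleClass('open'); |
|     }); |
|   }); |
| })(jQuery); |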
| </script> |
| </body> |
| </html> |