<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Home page of The Apache Software Foundation">
<link rel="apple-touch-icon" sizes="57x57" href="/favicons/apple-touch-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/favicons/apple-touch-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/favicons/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/favicons/apple-touch-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/favicons/apple-touch-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/favicons/apple-touch-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/favicons/apple-touch-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/favicons/apple-touch-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/favicons/apple-touch-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/favicons/favicon-194x194.png" sizes="194x194">
<link rel="icon" type="image/png" href="/favicons/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicons/android-chrome-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicons/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="/favicons/manifest.json">
<link rel="shortcut icon" href="/favicons/favicon.ico">
<meta name="msapplication-TileColor" content="#603cba">
<meta name="msapplication-TileImage" content="/favicons/mstile-144x144.png">
<meta name="msapplication-config" content="/favicons/browserconfig.xml">
<meta name="theme-color" content="#282661">
<title>Verifying Apache Software Foundation Releases</title>
<link href="/css/Montserrat-300-600.css" rel="stylesheet">
<link href="/css/min.bootstrap.css" rel="stylesheet">
<link href="/css/styles.css" rel="stylesheet">
<style>
.headerlink {
visibility: hidden;
}
dt:hover > .headerlink, p:hover > .headerlink, td:hover > .headerlink, h1:hover > .headerlink, h2:hover > .headerlink, h3:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, h6:hover > .headerlink {
visibility: visible
} </style>
<!-- https://www.apache.org/licenses/LICENSE-2.0 -->
</head>
<body >
<!-- Navigation -->
<header>
<div id="skiptocontent">
<a href="#maincontent">Skip to Main Content</a>
</div>
<nav class="navbar navbar-inverse navbar-fixed-top mainmenu">
<div class="container">
<div class="navbar-header">
<button class="navbar-toggle" type="button" data-toggle="collapse" data-target="#mainnav-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
</div>
<div class="collapse navbar-collapse" id="mainnav-collapse">
<ul class="nav navbar-nav navbar-justified">
<li><a href="/index.html#news">News</a></li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">About&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/foundation">Overview</a></li>
<li><a href="/foundation/how-it-works.html">Process</a></li>
<li><a href="/foundation/governance/">Governance</a></li>
<li><a href="/theapacheway/index.html">The Apache Way</a></li>
<li><a href="/foundation/governance/members.html">Membership</a></li>
<li><a href="https://community.apache.org/">Community</a></li>
<li><a href="https://diversity.apache.org/">Diversity & Inclusion</a></li>
<li><a href="/foundation/policies/conduct">Code of Conduct</a></li>
<li><a href="/foundation/glossary.html">Glossary</a></li>
<li><a href="/apache-name">About Our Name</a></li>
<li><a href="/foundation/preFAQ.html">FAQ</a></li>
<li><a href="/foundation/contributing.html">Support Apache</a></li>
<li><a href="/press/">Media/Analysts</a></li>
<li><a href="/foundation/contact.html">Contact</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Make a Donation&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/foundation/contributing.html">Donate Now</a></li>
<li><a href="https://donate.apache.org/">&nbsp;&nbsp;Via Credit Card</a></li>
<li><a href="https://donate.apache.org/">&nbsp;&nbsp;Via ACH</a></li>
<li><a href="https://donate.apache.org/">&nbsp;&nbsp;Via PayPal</a></li>
<li><a href="https://www.redbubble.com/people/comdev">Buy Swag</a></li>
<li><a href="https://smile.amazon.com/gp/chpf/homepage/ref=smi_se_scyc_srch_stsr?q=apache+software+foundation&orig=%2F">Shop smile.amazon.com</a></li>
<li><a href="/foundation/sponsorship.html">ASF Sponsorship</a></li>
<li><a href="/foundation/thanks#targeted-sponsors">Targeted Sponsorship</a></li>
<li><a href="/foundation/contributing.html#CorporateGiving">Corporate Giving</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdopwn-toggle" data-toggle="dropdown">The Apache Way&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/theapacheway/index.html">The Apache Way</a></li>
<li><a href="https://s.apache.org/GhnI">Sustainable Open Source</a></li>
<li><a href="/foundation/how-it-works.html">How it Works</a></li>
<li><a href="/foundation/how-it-works.html#meritocracy">Merit</a></li>
<li><a href="https://blogs.apache.org/foundation/category/SuccessAtApache">Success at Apache</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdopwn-toggle" data-toggle="dropdown">Join Us&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="https://community.apache.org/gettingStarted/101.html">Getting Started</a></li>
<li><a href="https://helpwanted.apache.org/">Help Wanted</a></li>
<li><a href="https://www.apachecon.com/">ApacheCon</a></li>
<li><a href="http://community.apache.org/calendars/">Community Events</a></li>
<li><a href="/travel/">Travel Assistance</a></li>
<li><a href="https://community.apache.org/gsoc.html">Summer of Code</a></li>
<li><a href="/foundation/policies/conduct">Code of Conduct</a></li>
<li><a href="https://community.apache.org/contributors/etiquette">Etiquette</a></li>
<li class="dropdown dropdown-submenu visible-xs">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Projects&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/index.html#projects-list">Project List</a></li>
<li><a href="/foundation/how-it-works.html#management">How they work</a></li>
<li><a href="https://community.apache.org/projectIndependence.html">Independence</a></li>
<li><a href="https://projects.apache.org/committees.html?date">Date Founded</a></li>
<li><a href="https://projects.apache.org/projects.html?name">Names</a></li>
<li><a href="https://projects.apache.org/projects.html?category">Categories</a></li>
<li><a href="https://projects.apache.org/projects.html?language">Languages</a></li>
<li><a href="https://projects.apache.org/statistics.html">Statistics</a></li>
<li><a href="https://incubator.apache.org/">Apache Incubator</a></li>
<li><a href="https://helpwanted.apache.org/">Help Wanted</a></li>
<li><a href="/foundation/marks/">Brand Management</a></li>
</ul>
</li>
<li class="dropdown dropdown-submenu visible-xs">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">People&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/foundation/how-it-works.html#roles">Roles</a></li>
<li><a href="/foundation/members.html">Members</a></li>
<li><a href="https://community.apache.org/contributors/">Committers</a></li>
<li><a href="/foundation/#who-runs-the-asf">Board of Directors</a></li>
<li><a href="/foundation/#who-runs-the-asf">Officers &amp; Project VPs</a></li>
<li><a href="https://community.zones.apache.org/map.html">Location Map</a></li>
<li><a href="/foundation/policies/conduct">Code of Conduct</a></li>
<li><a href="https://people.apache.org/">Committer Directory</a></li>
</ul>
</li>
<li class="dropdown dropdown-submenu visible-xs">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Community&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="https://community.apache.org/about/">Community Development</a></li>
<li><a href="/foundation/policies/conduct">Code of Conduct</a></li>
<li><a href="https://community.apache.org/">Get Involved</a></li>
<li><a href="https://community.apache.org/mentoringprogramme.html">Mentoring</a></li>
<li><a href="https://helpwanted.apache.org/">Help Wanted</a></li>
<li><a href="https://community.apache.org/calendars/">Community Events</a></li>
<li><a href="https://community.apache.org/newbiefaq.html">FAQ</a></li>
<li><a href="https://community.apache.org/lists.html">Mailing Lists</a></li>
</ul>
</li>
<li class="dropdown dropdown-submenu visible-xs">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Infrastructure&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/dev/infrastructure.html">Infra overview</a></li>
<li><a href="https://infra.apache.org/" target="_blank">Policies and Tools</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/INFRA/Index" target="_blank">CWiki</a></li>
</ul>
</li>
<li class="dropdown dropdown-submenu visible-xs">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">License&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/licenses/LICENSE-2.0">Apache License 2.0</a></li>
<li><a href="/foundation/license-faq.html">Licensing FAQ</a></li>
<li><a href="/licenses/contributor-agreements.html">Contributor License Agreements</a></li>
<li><a href="/licenses/contributor-agreements.html#grants">Software Grants</a></li>
<li><a href="/foundation/marks/list/">Trademarks</a></li>
<li><a href="/licenses/exports/">Exports</a></li>
</ul>
</li>
<li class="dropdown dropdown-submenu visible-xs">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Sponsors&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/foundation/sponsorship.html">Sponsor the ASF</a></li>
<li><a href="/foundation/thanks">Sponsor Thanks</a></li>
<li><a href="/foundation/contributing.html#CorporateGiving">Corporate Giving</a></li>
<li><a href="/foundation/contributing.html">Individual Donations</a></li>
<li><a href="https://www.redbubble.com/people/comdev/">Buy Stuff</a></li>
</ul>
</li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Downloads&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="https://downloads.apache.org/">Distribution</a></li>
<li><a href="https://projects.apache.org/releases.html">Releases</a></li>
<li><a href="https://status.apache.org/">Infrastructure Status</a></li>
<li><a href="/uptime/">Infrastructure Statistics</a></li>
</ul>
</li>
<li class="dropdown hidden-xs">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button"><span class="glyphicon glyphicon-search"
aria-hidden="true"></span><span class="sr-only">Search</span></a>
<ul class="dropdown-menu search-form" role="search">
<li>
<div class="input-group" style="width: 100%; padding: 0 5px;">
<script async src="https://cse.google.com/cse.js?cx=cb41d2753d228d8b7"></script>
<div class="gcse-search"></div>
</div>
</li>
</ul>
</li>
</ul>
</div>
</div>
</nav>
</header>
<!-- / Navigation -->
<header id="main-header" class="container">
<div class="sideImg">
<a class="visible-home" href="https://events.apache.org/x/current-event.html">
<img class="img-responsive" style="width: 125px;" src="/events/current-event-125x125.png" alt="Apache Events"/>
<!-- STALE: <img class="img-responsive" style="width: 125px;" src="https://www.apachecon.com/event-images/default-square-light.png" alt="ApacheCon 2021 Coming Soon!" /> -->
</a>
<a class="hidden-home" href="/"><img class="img-responsive" src="/img/asf-estd-1999-logo.jpg" alt="The Apache Software Foundation"></a>
</div>
<div class="main">
<img class="img-responsive center-block visible-home" src="/img/asf-estd-1999-logo.jpg" alt="Apache 20th Anniversary Logo">
<ul class="nav navbar-nav navbar-justified">
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Projects&nbsp;<span class="caret hidden-sm"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/index.html#projects-list">Project List</a></li>
<li><a href="/foundation/how-it-works.html#management">How they work</a></li>
<li><a href="https://community.apache.org/projectIndependence.html">Independence</a></li>
<li><a href="https://projects.apache.org/committees.html?date">Date Founded</a></li>
<li><a href="https://projects.apache.org/projects.html?name">Names</a></li>
<li><a href="https://projects.apache.org/projects.html?category">Categories</a></li>
<li><a href="https://projects.apache.org/projects.html?language">Languages</a></li>
<li><a href="https://projects.apache.org/statistics.html">Statistics</a></li>
<li><a href="https://incubator.apache.org/">Apache Incubator</a></li>
<li><a href="https://helpwanted.apache.org/">Help Wanted</a></li>
<li><a href="/foundation/marks/">Brand Management</a></li>
<li><a href="/foundation/glossary.html">Glossary of Terms</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">People&nbsp;<span class="caret hidden-sm"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/foundation/how-it-works.html#roles">Roles</a></li>
<li><a href="/foundation/members.html">Members</a></li>
<li><a href="https://community.apache.org/contributors/">Committers</a></li>
<li><a href="/foundation/#who-runs-the-asf">Board of Directors</a></li>
<li><a href="/foundation/#who-runs-the-asf">Officers &amp; Project VPs</a></li>
<li><a href="https://diversity.apache.org/">Diversity & Inclusion</a></li>
<li><a href="/foundation/policies/conduct">Code of Conduct</a></li>
<li><a href="https://people.apache.org/">Committer Directory</a></li>
<li><a href="https://community.zones.apache.org/map.html">Heat Map</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Community&nbsp;<span class="caret hidden-sm"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="https://community.apache.org/about/">Community Development</a></li>
<li><a href="/foundation/policies/conduct">Code of Conduct</a></li>
<li><a href="https://community.apache.org/">Get Involved</a></li>
<li><a href="https://community.apache.org/mentoringprogramme.html">Mentoring</a></li>
<li><a href="https://helpwanted.apache.org/">Help Wanted</a></li>
<li><a href="https://community.apache.org/calendars/">Community Events</a></li>
<li><a href="https://community.apache.org/newbiefaq.html">FAQ</a></li>
<li><a href="https://community.apache.org/lists.html">Mailing Lists</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Infrastructure&nbsp;<span class="caret"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/dev/infrastructure.html">Infra overview</a></li>
<li><a href="https://infra.apache.org/" target="_blank">Policies and Tools</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/INFRA/Index" target="_blank">CWiki</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">License&nbsp;<span class="caret hidden-sm"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/licenses/LICENSE-2.0">Apache License 2.0</a></li>
<li><a href="/foundation/license-faq.html">Licensing FAQ</a></li>
<li><a href="/licenses/contributor-agreements.html">Contributor License Agreements</a></li>
<li><a href="/licenses/contributor-agreements.html#grants">Software Grants</a></li>
<li><a href="/foundation/marks/list/">Trademarks</a></li>
<li><a href="/licenses/exports/">Exports</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button">Sponsors&nbsp;<span class="caret hidden-sm"></span></a>
<ul class="dropdown-menu" role="menu">
<li><a href="/foundation/sponsorship.html">Sponsor the ASF</a></li>
<li><a href="/foundation/thanks">Sponsor Thanks</a></li>
<li><a href="/foundation/contributing.html#CorporateGiving">Corporate Giving</a></li>
<li><a href="/foundation/contributing.html">Individual Donations</a></li>
<li><a href="https://www.redbubble.com/people/comdev/">Buy Stuff</a></li>
</ul>
</li>
</ul>
</div>
</header>
<main id="maincontent">
<div class="container"> <h1 id="verifying-apache-software-foundation-releases">Verifying Apache Software Foundation Releases<a class="headerlink" href="#verifying-apache-software-foundation-releases" title="Permalink">&para;</a></h1>
<p>This page describes how to verify a file you have downloaded from an Apache product releases page, or from the Apache archive,
by <a href="#CheckingHashes">checksum</a> or <a href="#CheckingSignatures">signature</a>.</p>
<p>All official releases of code distributed by the Apache Software Foundation
are signed by the release manager for the release.
PGP signatures and SHA/MD5 checksums are available along with the distribution.</p>
<p>Signatures and checksums are only available from the official Apache Software Foundation site.</p>
<h2 id="CheckingHashes">Checking Hashes<a class="headerlink" href="#CheckingHashes" title="Permalink">&para;</a></h2>
<p>File hashes are used to check that a file has been downloaded correctly.
They do not provide any guarantees as to the authenticity of the file.</p>
<p>The <em>checksum</em> of a file is a fixed-length string that (in practice)
uniquely identifies the <em>contents</em> of the file.
Two files are equal if, and only if, their checksums are equal.
Comparing the checksums of two files is as good as comparing the two files
themselves.</p>
<p>There are lots of checksum algorithms. We use SHA-256 and SHA-512. MD5 and SHA-1, which may have been used for older releases, are <em>deprecated</em>.
<br/>
The download page shows which checksum files
are available for the <em>original</em> file.</p>
<p>To check a hash, you have to <em>compute</em> the proper checksum of the file
you just downloaded,
then <em>compare</em> it with the published checksum of the <em>original</em>.</p>
<div>
<style type="text/css">
td { padding : 5px ; font-family : monospace ; font-size : smaller }
th { padding : 5px ; text-align : center ; }
</style>
<blockquote>
<table border="1" class="table">
<tr>
<th colspan="4"><i>compute the checksum of your file ...</i></th>
<th rowspan="1"><i>compare with</i></th>
</tr>
<tr><td></td>
<th>Windows</th>
<th>Linux</th>
<th>Mac</th>
<td></td>
</tr>
<tr><th>SHA-1 (deprecated)</th><td>certUtil -hashfile <i>file</i> SHA1</td>
<td>sha1sum <i>file</i></td>
<td>shasum -a 1 <i>file</i></td>
<td><i>file</i>.sha1</td>
</tr>
<tr><th>SHA-256</th><td>certUtil -hashfile <i>file</i> SHA256</td>
<td>sha256sum <i>file</i></td>
<td>shasum -a 256 <i>file</i></td>
<td><i>file</i>.sha256</td>
</tr>
<tr><th>SHA-512</th><td>certUtil -hashfile <i>file</i> SHA512</td>
<td>sha512sum <i>file</i></td>
<td>shasum -a 512 <i>file</i></td>
<td><i>file</i>.sha512</td>
</tr>
<tr><th>MD5 (deprecated)</th><td>certUtil -hashfile <i>file</i> MD5</td>
<td>md5sum <i>file</i></td>
<td>md5 <i>file</i></td>
<td><i>file</i>.md5</td>
</tr>
</table>
</blockquote>
</div>
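<p>Only if you check the hash can you be certain that your download is complete and has not been corrupted or otherwise altered on the way to you. As stated at the start of this section, a matching hash gives no guarantee that the file is authentic; for that, check the signature as described under <a href="#CheckingSignatures">Checking Signatures</a>.</p>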
<h2 id="CheckingSignatures">Checking Signatures<a class="headerlink" href="#CheckingSignatures" title="Permalink">&para;</a></h2>
<p>The following example details how signature interaction works. The example
is for the Apache HTTP Server project, but applies equally to other ASF
projects.</p>
<p>In this example, you are already assumed to have downloaded
<code>httpd-2.0.44.tar.gz</code> (the release) and <code>httpd-2.0.44.tar.gz.asc</code> (the
detached signature).</p>
<p>This example uses <a href="https://www.gnupg.org/">The GNU Privacy Guard</a>. Any
<a href="https://www.openpgp.org/">OpenPGP</a>-compliant program should work
successfully.</p>
<p>First, we will check the detached signature (<code>httpd-2.0.44.tar.gz.asc</code>)
against our release (<code>httpd-2.0.44.tar.gz</code>).</p>
<p><strong><a name="specify_both"></a>N.B. you must specify both the detached signature and the release file.</strong>
<br/>If the release file is omitted, GPG checks the release file only when the .asc file is a detached signature.
If the .asc file is instead a self-contained signed file, GPG verifies only that file's own contents and does not verify the release, so a "Good signature" result then says nothing about the release you downloaded.
(This should not happen if the signature file was downloaded from an ASF server, but it is safer to always specify the release filename.)</p>
<pre><code>% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Can't check signature: public key not found
</code></pre>
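<p>This means that we don't have the release manager's public key (<code>DE885DD3</code>)
in our local system. You now need to retrieve the public key from a key
server. One popular server is <code>pgpkeys.mit.edu</code> (which has a <a href="http://pgp.mit.edu/">web
interface</a>). The public key servers are linked
together, so you should be able to connect to any key server.
An eight-character key ID such as <code>DE885DD3</code> is short enough that different keys can share it, so treat whatever key is imported as unverified until you have compared its full fingerprint as described under <a href="#Validating">Validating Authenticity of a Key</a>.</p>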
<pre><code>% gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu
gpg: trustdb created
gpg: key DE885DD3: public key "Sander Striker &lt;striker@apache.org&gt;" imported
gpg: Total number processed: 1
gpg: imported: 1
</code></pre>
<p>In this example, you have now received a public key for an entity known as
<code>Sander Striker &lt;striker@apache.org&gt;</code>. However, you have no way of
verifying this key was created by the person known as Sander Striker. But,
let's try to verify the release signature again.</p>
<pre><code>% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker &lt;striker@apache.org&gt;"
gpg: aka "Sander Striker &lt;striker@striker.nl&gt;"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3
</code></pre>
<p>At this point, the signature is good, but we don't trust this key. A good
signature means that the file has not been changed since it was signed with
that key. However, due to the nature of public key cryptography, you need to
additionally verify that key <code>DE885DD3</code> was created by the
<strong>real</strong> Sander Striker.</p>
<p>Any attacker can create a public key and upload it to the public key
servers. They can then create a malicious release signed by this fake key.
Then, if you tried to verify the signature of this corrupt release against
the fake key, it would succeed: the signature itself is valid, it just was
not made with the 'real' key. Therefore, you need
to validate the authenticity of this key.</p>
<h3 id="Validating">Validating Authenticity of a Key<a class="headerlink" href="#Validating" title="Permalink">&para;</a></h3>
<p>You may download public keys for the Apache project developers from our
website or retrieve them from the public PGP keyservers (see above).
However, importing these keys is not enough to verify the integrity of the
signatures. If a release verifies as good, you need to validate that the
key was created by an official representative of the Apache HTTP Server
Project.</p>
<p>The crucial step to validation is to confirm the key fingerprint of the
public key.</p>
<pre><code>% gpg --fingerprint DE885DD3
pub 1024D/DE885DD3 2002-04-10 Sander Striker &lt;striker@apache.org&gt;
Key fingerprint = 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3
uid Sander Striker &lt;striker@striker.nl&gt;
sub 2048g/532D14CA 2002-04-10
</code></pre>
<p>A good start to validating a key is by face-to-face communication with
multiple government-issued photo identification confirmations. However,
each person is free to have their own standards for determining the
authenticity of a key. Some people are satisfied by reading the key
fingerprint over a telephone (voice verification). For more information on
determining what level of trust works best for you, please read the GNU
Privacy Handbook section on <a href="https://www.gnupg.org/gph/en/manual.html#AEN335">Validating other keys on your public
keyring</a>.</p>
<p>Most of the Apache HTTP Server developers have attempted to sign each
others' keys (usually with face-to-face validation). Therefore, in order to
enter the web of trust, you should only need to validate one person in our
web of trust. (Hint: all of our developers' keys are in the KEYS file.)</p>
<p>For example, the following people have signed the public key for Sander
Striker. If you verify any key on this list, you will have a trust path to
the <code>DE885DD3</code> key. If you verify a key that verifies one of the signatories
for <code>DE885DD3</code>, then you will have a trust path. (So on, and so on.)</p>
<pre><code>pub 1024D/DE885DD3 2002-04-10 Sander Striker &lt;striker@apache.org&gt;
sig E2226795 2002-05-01 Justin R. Erenkrantz
sig 3 DE885DD3 2002-04-10 Sander Striker
sig CD4DF205 2002-05-28 Wolfram Schlich
sig E005C9CB 2002-11-17 Greg Stein
sig CC8B0F7E 2002-11-18 Aaron Bannert
sig DFEAC4B9 2002-11-19 David N. Welton
sig 2 82AB7BD1 2002-11-17 Cliff Woolley
sig 2 13046155 2002-11-28 Thom May
sig 3 19311B00 2002-11-17 Chuck Murcko
sig 3 F894BE12 2002-11-17 Brian William Fitzpatrick
sig 3 5C1C3AD7 2002-11-18 David Reid
sig 3 E04F9A89 2002-11-18 Roy T. Fielding
sig 3 CC78C893 2002-11-19 Rich Bowen
sig 3 08C975E5 2002-11-21 Jim Jagielski
sig 3 F88341D9 2002-11-18 Lars Eilebrecht
sig 3 187BD68D 2002-11-21 Ben Hyde
sig 3 49A563D9 2002-11-23 Mark Cox
...more signatures redacted...
</code></pre>
<p>Since the developers are usually quite busy, you may not immediately find
someone who is willing to meet face-to-face (they may not even
respond to your emails because they are so busy!). If you do not have a
developer nearby or have trouble locating a suitable person, please send an
email to the address of the key you are attempting to verify. The key's owner may be
able to find someone who will be willing to validate their key or arrange
alternate mechanisms for validation.</p>
<p>Once you have entered the web of trust, you should see the following upon
verifying the signature of a release.</p>
<pre><code>% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker &lt;striker@apache.org&gt;"
gpg: aka "Sander Striker &lt;striker@striker.nl&gt;"
</code></pre>
</div> </main>
<!-- Footer -->
<footer class="bg-primary">
<div class="container">
<div class="row">
<br />
<div class="col-sm-1">
</div>
<div class="col-sm-2">
<h5 class="white">Community</h5>
<ul class="list-unstyled white" role="menu">
<li><a href="http://community.apache.org/">Overview</a></li>
<li><a href="/foundation/conferences.html">Conferences</a></li>
<li><a href="http://community.apache.org/gsoc.html">Summer of Code</a></li>
<li><a href="http://community.apache.org/newcomers/">Getting Started</a></li>
<li><a href="/foundation/how-it-works.html">The Apache Way</a></li>
<li><a href="/travel/">Travel Assistance</a></li>
<li><a href="/foundation/getinvolved.html">Get Involved</a></li>
<li><a href="/foundation/policies/conduct.html">Code of Conduct</a></li>
<li><a href="http://community.apache.org/newbiefaq.html">Community FAQ</a></li>
<li><a href="/memorials/">Memorials</a></li>
</ul>
</div>
<div class="col-sm-2">
<h5 class="white">Innovation</h5>
<ul class="list-unstyled white" role="menu">
<li><a href="http://incubator.apache.org/">Incubator</a></li>
<li><a href="http://labs.apache.org/">Labs</a></li>
<li><a href="/licenses/">Licensing</a></li>
<li><a href="/foundation/license-faq.html">Licensing FAQ</a></li>
<li><a href="/foundation/marks/">Trademark Policy</a></li>
<li><a href="/foundation/contact.html">Contacts</a></li>
</ul>
</div>
<div class="col-sm-2">
<h5 class="white">Tech Operations</h5>
<ul class="list-unstyled white" role="menu">
<li><a href="/dev/">Developer Information</a></li>
<li><a href="/dev/infrastructure.html">Infrastructure</a></li>
<li><a href="/security/">Security</a></li>
<li><a href="http://status.apache.org">Status</a></li>
<li><a href="/foundation/contact.html">Contacts</a></li>
</ul>
</div>
<div class="col-sm-2">
<h5 class="white">Press</h5>
<ul class="list-unstyled white" role="menu">
<li><a href="/press/">Overview</a></li>
<li><a href="https://blogs.apache.org/">ASF News</a></li>
<li><a href="https://blogs.apache.org/foundation/">Announcements</a></li>
<li><a href="https://twitter.com/TheASF">Twitter Feed</a></li>
<li><a href="/press/#contact">Contacts</a></li>
</ul>
</div>
<div class="col-sm-2">
<h5 class="white">Legal</h5>
<ul class="list-unstyled white" role="menu">
<li><a href="/legal/">Legal Affairs</a></li>
<li><a href="/legal/dmca.html">DMCA</a></li>
<li><a href="/licenses/">Licensing</a></li>
<li><a href="/foundation/marks/">Trademark Policy</a></li>
<li><a href="/foundation/records/">Public Records</a></li>
<li><a href="/foundation/policies/privacy.html">Privacy Policy</a></li>
<li><a href="/licenses/exports/">Export Information</a></li>
<li><a href="/foundation/license-faq.html">Licensing FAQ</a></li>
<li><a href="/foundation/contact.html">Contacts</a></li>
</ul>
</div>
<div class="col-sm-1">
</div>
</div>
<hr class="col-lg-12 hr-white" />
<div class="row">
<div class="col-lg-12">
<p class="text-center">Copyright &#169; 2023 The Apache Software Foundation, Licensed under the <a class="white" href="/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="text-center">Apache and the Apache feather logo are trademarks of The Apache Software Foundation. </p>
</div>
</div>
</div>
</footer>
<!-- / Footer -->
<script src="/js/jquery-2.1.1.min.js"></script>
<script src="/js/bootstrap.js"></script>
<script src="/js/slideshow.js"></script>
<script>
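// Click handling for dropdown toggles that are nested inside another
// dropdown menu (any [data-toggle=dropdown] under a ul.dropdown-menu).
// jQuery is passed in as $ so the code does not depend on the global $.
(function ($) {
  $(document).ready(function () {
    $('ul.dropdown-menu [data-toggle=dropdown]').on('click', function (event) {
      // The toggles are <a href="#"> links: cancel the navigation, and stop
      // the click from bubbling further up the DOM (presumably so the
      // enclosing dropdown's own click handling does not also run).
      event.preventDefault();
      event.stopPropagation();

      // Close any sibling submenu, then open or close the one that was clicked.
      var item = $(this).parent();
      item.siblings().removeClass('open');
      item.toggleClass('open');
      // The leftover debug console.log call was removed; it wrote to every
      // visitor's console on each click and served no purpose in production.
    });
  });
})(jQuery);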
</script>
</body>
</html>