Posted to dev@httpd.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2018/09/21 18:29:55 UTC

Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext

You might want to point out the -r flag to OpenSSL, which emits the same
output as bintools sha256.


On Fri, Sep 21, 2018, 12:30 <el...@apache.org> wrote:

> Author: elukey
> Date: Fri Sep 21 17:30:07 2018
> New Revision: 1841620
>
> URL: http://svn.apache.org/viewvc?rev=1841620&view=rev
> Log:
> Remove MD5 traces from documentation and add a SHA256 tutorial.
>
> Modified:
>     httpd/site/trunk/content/dev/verification.mdtext
>
> Modified: httpd/site/trunk/content/dev/verification.mdtext
> URL:
> http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1841620&r1=1841619&r2=1841620&view=diff
>
> ==============================================================================
> --- httpd/site/trunk/content/dev/verification.mdtext (original)
> +++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07
> 2018
> @@ -19,10 +19,10 @@ Notice:    Licensed to the Apache Softwa
>  # Verifying Apache HTTP Server Releases
>
>  All official releases of code distributed by the Apache HTTP Server
> Project
> -are signed by the release manager for the release. PGP signatures and MD5
> +are signed by the release manager for the release. PGP signatures and SHA
>  hashes are available along with the distribution.
>
> -You should download the PGP signatures and MD5 hashes directly from the
> +You should download the PGP signatures and SHA hashes directly from the
>  Apache Software Foundation rather than our mirrors. This is to help ensure
>  the integrity of the signature files. However, you are encouraged to
>  download the releases from our mirrors. (Our download page points you at
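Review bot: "SHA hashes" in both changed sentences of this hunk leaves the algorithm unnamed. The tutorial added further down covers only the .sha256 file, so write "SHA256 hashes" in both places and the prose then names the file the reader is expected to fetch from the Apache Software Foundation.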
> @@ -168,3 +168,23 @@ verifying the signature of a release.
>      gpg:                 aka "Jim Jagielski <ji...@jaguNET.com>"
>      gpg:                 aka "Jim Jagielski <ji...@gmail.com>"
>
> +In order to check the integrity of the downloaded file, you need to
> download the source and the related SHA256
> +hash. For example, assuming a preference for tar.bz, to verify the
> 2.4.34 release you should end up with two files on disk:
> +
> +  * httpd-2.4.34.tar.bz2 (source)
> +  * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash)
> +
> +On most Unix systems then it is only a matter of executing:
> +
> +    % shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256
> +    httpd-2.4.34.tar.bz2: OK
> +
> +Behind the scenes, the command checks that the SHA hash contained in
> httpd-2.4.34.tar.bz2.sha256 matches the one
> +calculated for the file httpd-2.4.34.tar.bz2. The correct result should
> be a 'OK' displayed.
> +
> +Another way to calculate the SHA256 has for a file is to use openssl:
> +
> +    % openssl sha -sha256 httpd-2.4.34.tar.bz2
> +    SHA256(httpd-2.4.34.tar.bz2)=
> fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0
> +
> +And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches
> the above result.
> \ No newline at end of file
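Review bot: The openssl example at the end of this hunk prints the digest as "SHA256(httpd-2.4.34.tar.bz2)= ...", which is not the layout of the .sha256 file that "shasum -a 256 -c" reads, so the closing "verify that the content ... matches" step is left as a comparison by eye. Show the -r form raised in this thread instead, "openssl dgst -sha256 -r httpd-2.4.34.tar.bz2", so the output lines up with the .sha256 file. The added text also has three typos ("tar.bz" for "tar.bz2", "SHA256 has" for "SHA256 hash", "a 'OK'" for "an 'OK'"), and the file now ends without a newline.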
>
>
>

Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext

Posted by Luca Toscano <to...@gmail.com>.
Hi Rainer,

On Sat, 22 Sep 2018 at 05:45, Rainer Jung
<ra...@kippdata.de> wrote:
>
> Hi Luca,
>
> On 21.09.2018 at 23:47, Luca Toscano wrote:
> > Hi William,
> >
> > can you write in here the full command to use? Didn't find the -r flag
> > that you mentioned :(
>
> The openssl commandline tool at least since 1.0.2 allows eg.
>
>    openssl sha256 -r MYFILE
>
> which outputs the hash file in the same form as eg. "sha256sum -b", so
> allows the hash file to get automatically checked via "sha256sum -c".
>
> Although the "sha256" openssl command is not listed in the help output
> of the openssl binary eg. for 1.0.2, it is available. The full list of
> available digests can be seen in the help output of the openssl dgst
> command:
>
>    openssl dgst help
>
> An alternative form of the above command is
>
>    openssl dgst -sha256 -r MYFILE
>
> HTH!

It helped indeed, I have (hopefully) improved the verification doc
page in r1841684

Thanks!

Luca

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Luca,

On 21.09.2018 at 23:47, Luca Toscano wrote:
> Hi William,
> 
> can you write in here the full command to use? Didn't find the -r flag
> that you mentioned :(

The openssl commandline tool at least since 1.0.2 allows eg.

   openssl sha256 -r MYFILE

which outputs the hash file in the same form as eg. "sha256sum -b", so 
allows the hash file to get automatically checked via "sha256sum -c".

Although the "sha256" openssl command is not listed in the help output 
of the openssl binary eg. for 1.0.2, it is available. The full list of 
available digests can be seen in the help output of the openssl dgst 
command:

   openssl dgst help

An alternative form of the above command is

   openssl dgst -sha256 -r MYFILE

HTH!

Regards,

Rainer


Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext

Posted by Dennis Clarke <dc...@blastwave.org>.
On 09/21/2018 05:47 PM, Luca Toscano wrote:
> Hi William,
> 
> can you write in here the full command to use? Didn't find the -r flag
> that you mentioned :(
> 

perhaps :

$ /usr/local/bin/openssl version
OpenSSL 1.1.1  11 Sep 2018

$ /usr/local/bin/openssl dgst -r -sha256 /usr/local/bin/openssl
13f515a26bec8fc95d20b17f48a970223979397465dc4039c48e5ea299af692f */usr/local/bin/openssl

which is a modifier for :

$ /usr/local/bin/openssl dgst -sha256 /usr/local/bin/openssl
SHA256(/usr/local/bin/openssl)= 13f515a26bec8fc95d20b17f48a970223979397465dc4039c48e5ea299af692f


Dennis
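
The two digest layouts shown in the messages above, "<hex> *<file>" from openssl dgst -r and "SHA256(<file>)= <hex>" without it, can both be checked by one script. This is an added example, not code from the thread or from the httpd project; the function names, the sha256sum fallback and the single-entry checksum file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify a file against a checksum file.

# Print the lowercase SHA256 hex digest of file $1.
sha256_hex() {
    if command -v openssl >/dev/null 2>&1; then
        # -r prints "<hex> *<file>", the same layout as "sha256sum -b"
        openssl dgst -sha256 -r "$1" | cut -c1-64
    else
        # Assumption: coreutils sha256sum is the fallback when openssl is absent
        sha256sum -b "$1" | cut -c1-64
    fi
}

# Print the first digest found in checksum file $1, lowercased.
# Assumption: the file holds a single entry, in either layout:
#   <hex>  <name>  or  <hex> *<name>     (sha256sum, openssl dgst -r)
#   SHA256(<name>)= <hex>                (openssl dgst without -r)
expected_hex() {
    sed -n \
        -e 's/^\([0-9A-Fa-f]\{64\}\) [ *].*$/\1/p' \
        -e 's/^SHA256(.*)= *\([0-9A-Fa-f]\{64\}\)$/\1/p' "$1" |
        head -n 1 | tr 'A-F' 'a-f'
}

# verify_sha256 FILE SUMFILE: 0 = match, 1 = mismatch, 2 = unusable input.
verify_sha256() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then
        echo "verify_sha256: cannot read $1 or $2" >&2
        return 2
    fi
    want=$(expected_hex "$2")
    got=$(sha256_hex "$1")
    # An empty expected value must never compare equal to an empty result.
    if [ -z "$want" ] || [ "${#got}" -ne 64 ]; then
        echo "verify_sha256: no usable SHA256 digest" >&2
        return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "$1: OK"
        return 0
    fi
    echo "$1: FAILED" >&2
    return 1
}

# Command-line use: sh verify.sh httpd-2.4.34.tar.bz2 httpd-2.4.34.tar.bz2.sha256
[ "$#" -ne 2 ] || verify_sha256 "$1" "$2"
```

A checksum file with no recognisable entry returns 2 rather than 1, so a truncated or HTML-error download of the .sha256 file is not mistaken for a tampered archive.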



Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext

Posted by Luca Toscano <to...@gmail.com>.
Hi William,

can you write in here the full command to use? Didn't find the -r flag
that you mentioned :(

Thanks!

Luca
On Fri, 21 Sep 2018 at 14:30, William A Rowe Jr
<wr...@rowe-clan.net> wrote:
>
> You might want to point out the -r flag to OpenSSL, which emits the same output as bintools sha256.
>
>
> On Fri, Sep 21, 2018, 12:30 <el...@apache.org> wrote:
>>
>> Author: elukey
>> Date: Fri Sep 21 17:30:07 2018
>> New Revision: 1841620
>>
>> URL: http://svn.apache.org/viewvc?rev=1841620&view=rev
>> Log:
>> Remove MD5 traces from documentation and add a SHA256 tutorial.
>>
>> Modified:
>>     httpd/site/trunk/content/dev/verification.mdtext
>>
>> Modified: httpd/site/trunk/content/dev/verification.mdtext
>> URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1841620&r1=1841619&r2=1841620&view=diff
>> ==============================================================================
>> --- httpd/site/trunk/content/dev/verification.mdtext (original)
>> +++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07 2018
>> @@ -19,10 +19,10 @@ Notice:    Licensed to the Apache Softwa
>>  # Verifying Apache HTTP Server Releases
>>
>>  All official releases of code distributed by the Apache HTTP Server Project
>> -are signed by the release manager for the release. PGP signatures and MD5
>> +are signed by the release manager for the release. PGP signatures and SHA
>>  hashes are available along with the distribution.
>>
>> -You should download the PGP signatures and MD5 hashes directly from the
>> +You should download the PGP signatures and SHA hashes directly from the
>>  Apache Software Foundation rather than our mirrors. This is to help ensure
>>  the integrity of the signature files. However, you are encouraged to
>>  download the releases from our mirrors. (Our download page points you at
>> @@ -168,3 +168,23 @@ verifying the signature of a release.
>>      gpg:                 aka "Jim Jagielski <ji...@jaguNET.com>"
>>      gpg:                 aka "Jim Jagielski <ji...@gmail.com>"
>>
>> +In order to check the integrity of the downloaded file, you need to download the source and the related SHA256
>> +hash. For example, assuming a preference for tar.bz, to verify the 2.4.34 release you should end up with two files on disk:
>> +
>> +  * httpd-2.4.34.tar.bz2 (source)
>> +  * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash)
>> +
>> +On most Unix systems then it is only a matter of executing:
>> +
>> +    % shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256
>> +    httpd-2.4.34.tar.bz2: OK
>> +
>> +Behind the scenes, the command checks that the SHA hash contained in httpd-2.4.34.tar.bz2.sha256 matches the one
>> +calculated for the file httpd-2.4.34.tar.bz2. The correct result should be a 'OK' displayed.
>> +
>> +Another way to calculate the SHA256 has for a file is to use openssl:
>> +
>> +    % openssl sha -sha256 httpd-2.4.34.tar.bz2
>> +    SHA256(httpd-2.4.34.tar.bz2)= fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0
>> +
>> +And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches the above result.
>> \ No newline at end of file
>>
>>
