Posted to commits@uima.apache.org by tw...@apache.org on 2007/01/25 11:44:26 UTC
svn commit: r499725 - in /incubator/uima/site/trunk/uima-website: docs/downloads.html xdocs/downloads.xml
Author: twgoetz
Date: Thu Jan 25 02:44:25 2007
New Revision: 499725
URL: http://svn.apache.org/viewvc?view=rev&rev=499725
Log:
Jira UIMA-224: part 2: distribution verification for users, final part.
https://issues.apache.org/jira/browse/UIMA-224
Modified:
incubator/uima/site/trunk/uima-website/docs/downloads.html
incubator/uima/site/trunk/uima-website/xdocs/downloads.xml
Modified: incubator/uima/site/trunk/uima-website/docs/downloads.html
URL: http://svn.apache.org/viewvc/incubator/uima/site/trunk/uima-website/docs/downloads.html?view=diff&rev=499725&r1=499724&r2=499725
==============================================================================
--- incubator/uima/site/trunk/uima-website/docs/downloads.html (original)
+++ incubator/uima/site/trunk/uima-website/docs/downloads.html Thu Jan 25 02:44:25 2007
@@ -266,14 +266,34 @@
<p>
Start by downloading and installing <a href="http://www.gnupg.org/download/">GnuPG</a>, an
implementation of <a href="http://openpgp.org/">OpenPGP</a>. There are many tools for verifying
- MD5 and SHA1 checksums, here's the gpg way for MD5:
+ MD5 and SHA1 checksums, here's the GnuPG way for MD5:
<blockquote> <code>gpg --print-md MD5 <ReleaseFile></code> </blockquote>
and for SHA1:
<blockquote> <code>gpg --print-md MD5 <ReleaseFile></code> </blockquote>
You can simply compare the resulting checksum to the one contained in the <code><ReleaseFile>.md5</code>
or <code><ReleaseFile>.sha1</code> checksum file. Use diff or your eyes, the signatures are short.
</p>
- <p>To be continued...</p>
+ <p>A better way of verifying a distribution file is to use the PGP signature provided in the
+ <code>.asc</code> files. To be able to use the PGP signature files, you need to obtain the UIMA
+ developers' public keys from a trusted source. The keys do come with the distribution as well,
+ but obviously using those is not a good way to ascertain the pedigree of a distribution. Instead,
+ get the <a href="https://svn.apache.org/repos/asf/incubator/uima/uimaj/trunk/uimaj-distr/src/main/readme/KEYS">
+ keys directly out of the UIMA SVN repository</a>. Depending how sure you want to be that those
+ keys are really the ones you can trust, you may think of even safer ways to obtain them (for example,
+ go to ApacheCon and get them personally).
+ </p>
+ <p>
+ Once you have downloaded the <code>KEYS</code> file, you can import it into your GnuPG key registry
+ with <blockquote> <code>gpg --import KEYS</code> </blockquote>
+ Check what your key registry contains with
+ <blockquote> <code>gpg --list-keys</code> </blockquote>
+ </p>
+ <p>
+ To verify a release file, <code>cd</code> to the directory with the release and run
+ <blockquote> <code>gpg --verify <fileName>.asc</code> </blockquote>
+ for each file you would like to verify. The output should contain something like this:
+ <blockquote> <code>gpg: Good signature from "Thilo Goetz (CODE SIGNING KEY) <twgoetz@apache.org>"</code> </blockquote>
+ </p>
</blockquote>
</td></tr>
<tr><td><br/></td></tr>
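Review bot: The SHA1 example in this hunk's unchanged context still invokes `gpg --print-md MD5 <ReleaseFile>`; it should read `gpg --print-md SHA1 <ReleaseFile>`, otherwise the reader compares an MD5 digest against the `.sha1` file and the check can never match. In the same region, "Use diff or your eyes, the signatures are short" refers to checksums, not signatures; calling them checksums avoids confusion with the `.asc` signatures introduced by the new paragraphs. The new verification paragraph stops at `gpg: Good signature from ...`, but gpg reports "Good signature" for any key present in the local keyring, so the page should also tell the reader to compare the fingerprint of the signing key printed by `gpg --verify` with the fingerprint listed in the KEYS file (e.g. via `gpg --fingerprint` instead of the plain `gpg --list-keys` shown), and to expect a "WARNING: This key is not certified with a trusted signature" line when the key has not been locally signed or trusted. Markup point: `<blockquote>` is a block-level element and is not valid inside `<p>`; close the paragraph before each blockquote or use an inline element such as `<code>` on its own line.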
Modified: incubator/uima/site/trunk/uima-website/xdocs/downloads.xml
URL: http://svn.apache.org/viewvc/incubator/uima/site/trunk/uima-website/xdocs/downloads.xml?view=diff&rev=499725&r1=499724&r2=499725
==============================================================================
--- incubator/uima/site/trunk/uima-website/xdocs/downloads.xml (original)
+++ incubator/uima/site/trunk/uima-website/xdocs/downloads.xml Thu Jan 25 02:44:25 2007
@@ -107,7 +107,7 @@
<p>
Start by downloading and installing <a href="http://www.gnupg.org/download/">GnuPG</a>, an
implementation of <a href="http://openpgp.org/">OpenPGP</a>. There are many tools for verifying
- MD5 and SHA1 checksums, here's the gpg way for MD5:
+ MD5 and SHA1 checksums, here's the GnuPG way for MD5:
<blockquote> <code>gpg --print-md MD5 <ReleaseFile></code> </blockquote>
and for SHA1:
<blockquote> <code>gpg --print-md MD5 <ReleaseFile></code> </blockquote>
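Review bot: The SHA1 example in the unchanged context of this hunk (`gpg --print-md MD5 <ReleaseFile>`) still uses `MD5`; since the sentence directly above it is being edited, change it to `gpg --print-md SHA1 <ReleaseFile>` here as well so that the generated docs/downloads.html picks up the correction.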
@@ -115,8 +115,29 @@
or <code><ReleaseFile>.sha1</code> checksum file. Use diff or your eyes, the signatures are short.
</p>
- <p>To be continued...</p>
+ <p>A better way of verifying a distribution file is to use the PGP signature provided in the
+ <code>.asc</code> files. To be able to use the PGP signature files, you need to obtain the UIMA
+ developers' public keys from a trusted source. The keys do come with the distribution as well,
+ but obviously using those is not a good way to ascertain the pedigree of a distribution. Instead,
+ get the <a href="https://svn.apache.org/repos/asf/incubator/uima/uimaj/trunk/uimaj-distr/src/main/readme/KEYS">
+ keys directly out of the UIMA SVN repository</a>. Depending how sure you want to be that those
+ keys are really the ones you can trust, you may think of even safer ways to obtain them (for example,
+ go to ApacheCon and get them personally).
+ </p>
+ <p>
+ Once you have downloaded the <code>KEYS</code> file, you can import it into your GnuPG key registry
+ with <blockquote> <code>gpg --import KEYS</code> </blockquote>
+ Check what your key registry contains with
+ <blockquote> <code>gpg --list-keys</code> </blockquote>
+ </p>
+
+ <p>
+ To verify a release file, <code>cd</code> to the directory with the release and run
+ <blockquote> <code>gpg --verify <fileName>.asc</code> </blockquote>
+ for each file you would like to verify. The output should contain something like this:
+ <blockquote> <code>gpg: Good signature from "Thilo Goetz (CODE SIGNING KEY) <twgoetz@apache.org>"</code> </blockquote>
+ </p>
</subsection>
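Review bot: The new verification paragraph ends at `gpg: Good signature from ...`, which on its own only confirms that the signature matches some key in the reader's keyring, including one imported from a tampered KEYS file; the text should add that the fingerprint of the signing key shown by `gpg --verify` must agree with the fingerprint published in the KEYS file, and that a "WARNING: This key is not certified with a trusted signature" line is expected for a key the user has not signed or assigned trust to. The `gpg --list-keys` step would serve that comparison better as `gpg --fingerprint`. Since this xdoc is the source for downloads.html, the `<blockquote>` elements nested inside `<p>` (invalid block structure) are best fixed here rather than in the generated file; note also that the extra blank `+` line before the last paragraph is not present in the html hunk, so the two files already diverge slightly.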