verifying tarball downloads

[Andre Kelpe <ak...@concurrentinc.com>]

Hi,

I am looking for the most obvious way to verify the downloads of
hadoop tarballs. I saw that you provide a .mds file containing MD5,
SHA1 and other check sums, which is produced by gpg --print-mds. I
fail finding the right way to verify those in a reliable way. I came
up with this:

 md5sum --check  <(grep "MD5 = " hadoop-1.2.1.tar.gz.mds | sed -e
"s/MD5 = //g;s/ //g" | awk -F: '{print tolower($2), "", $1}')

and that works, but that cannot be the right way of doing it. Please
point me to the part of the docs, that I fail finding.

Thanks!

- André

P.S.: Since you are using gpg already, why are you not signing the
releases, like other projects do?

-- 
André Kelpe
andre@concurrentinc.com
http://concurrentinc.com