Posted to commits@rave.apache.org by Apache Wiki <wi...@apache.org> on 2012/04/10 20:22:16 UTC
[Rave Wiki] Update of "ReleaseManagement/ReleaseVerification" by MarlonPierce
The "ReleaseManagement/ReleaseVerification" page has been changed by MarlonPierce:
http://wiki.apache.org/rave/ReleaseManagement/ReleaseVerification
New page:
= Verifying Rave Releases =
As with all Apache releases, Rave binaries are signed (the .asc file) and have MD5 and SHA512 message digest files. These are described in more detail [[http://www.apache.org/dev/release-signing|here]]. You can verify your release using GPG with the following steps.
== Setting Up ==
The following steps are a one-time setup.
1. Download and install GPG from http://www.gnupg.org/download/
1. Import the Rave signing keys. These are available from https://svn.apache.org/repos/asf/rave/KEYS. Download the key file and import with the command '''''gpg --import KEYS'''''
1. You may also want to sign and upload the key with your own key pair to a public key server. Again, see [[http://www.apache.org/dev/release-signing|here]] for more information.
== Verifying a Binary Release ==
1. With the binary apache-rave-X.Y.Z-bin.zip and the signature file apache-rave-X.Y.Z-bin.zip.asc in the same directory, verify the binary release signature with '''''gpg apache-rave-X.Y.Z-bin.zip.asc'''''.
   a. For untrusted keys, you can verify the fingerprint with '''''gpg --fingerprint ABCD1234''''', replacing '''''ABCD1234''''' with the fingerprint of the key used to sign the release.
1. Verify the SHA512 message digest with '''''gpg --print-md SHA512 apache-rave-X.Y.Z-bin.zip''''' and compare to the contents of apache-rave-X.Y.Z-bin.zip.sha.
   a. You can use UNIX's ''diff'' for this: '''''gpg --print-md SHA512 apache-rave-X.Y.Z-bin.zip | diff - apache-rave-X.Y.Z-bin.zip.sha'''''. If the digest matches correctly, you will get no output.
1. Verify the MD5 digest with the command '''''gpg --print-md md5 apache-rave-X.Y.Z-bin.zip''''' and compare to the contents of apache-rave-X.Y.Z-bin.zip.md5.
   a. You can again use ''diff'' for this: '''''gpg --print-md md5 apache-rave-X.Y.Z-bin.zip | diff - apache-rave-X.Y.Z-bin.zip.md5'''''. If the digest matches correctly, you will get no output.
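
The digest comparisons in steps 2 and 3 can also be scripted so that a mismatch produces a non-zero exit status and differences in layout (filename prefix, hex grouping, line wrapping) do not cause a false mismatch. The following is an added example, not part of the wiki page or the Rave project; the function names are hypothetical and it assumes the coreutils tools sha512sum and md5sum are installed.

```shell
#!/usr/bin/env bash
# Added example: compare a file against a digest file written by `gpg --print-md`.
# Function names (normalize_digest, check_digest) are hypothetical.

# Reduce a digest file to bare lowercase hex.
# gpg --print-md writes "name: HEX HEX ..." in uppercase groups and wraps long
# digests onto indented continuation lines; plain-hex files pass through too.
normalize_digest() {
    sed '1s/^[^:]*: *//' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# check_digest ALGO FILE DIGEST_FILE
# Returns 0 on match, 1 on mismatch or malformed digest, 2 on usage error.
check_digest() {
    local algo="$1" file="$2" digest_file="$3"
    local tool len actual expected
    case "$algo" in
        sha512) tool=sha512sum; len=128 ;;
        md5)    tool=md5sum;    len=32  ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    [ -r "$file" ] && [ -r "$digest_file" ] || { echo "cannot read input" >&2; return 2; }

    actual=$("$tool" "$file" | cut -d' ' -f1)
    expected=$(normalize_digest "$digest_file")

    # Accept only one hex digest of exactly the right length, so an empty or
    # truncated digest file can never count as a match.
    if ! printf '%s' "$expected" | grep -Eq "^[0-9a-f]{$len}\$"; then
        echo "$digest_file: not a well-formed $algo digest" >&2
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "$file: $algo OK"
    else
        echo "$file: $algo MISMATCH" >&2
        return 1
    fi
}

# Usage, after the signature check in step 1 has succeeded:
#   check_digest sha512 apache-rave-X.Y.Z-bin.zip apache-rave-X.Y.Z-bin.zip.sha
#   check_digest md5    apache-rave-X.Y.Z-bin.zip apache-rave-X.Y.Z-bin.zip.md5
```

A matching digest only shows the download is intact relative to the digest file; the signature check in step 1 is what ties the file to a Rave signing key.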