Posted to commits@rave.apache.org by Apache Wiki <wi...@apache.org> on 2012/04/10 20:22:16 UTC

[Rave Wiki] Update of "ReleaseManagement/ReleaseVerification" by MarlonPierce

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Rave Wiki" for change notification.

The "ReleaseManagement/ReleaseVerification" page has been changed by MarlonPierce:
http://wiki.apache.org/rave/ReleaseManagement/ReleaseVerification

New page:
= Verifying Rave Releases =

As with all Apache releases, Rave binaries are signed (the .asc file) and have MD5 and SHA512 message digest files.  These are described in more detail [[http://www.apache.org/dev/release-signing|here]]. You can verify your release using GPG with the following steps.

== Setting Up ==
The following steps are a one-time setup. 
 1. Download and install GPG from http://www.gnupg.org/download/
 1. Import the Rave signing keys. These are available from https://svn.apache.org/repos/asf/rave/KEYS.  Download the key file and import it with the command '''''gpg --import KEYS'''''
 1. You may also want to sign the key with your own key pair and upload it to a public key server.  Again, see [[http://www.apache.org/dev/release-signing|here]] for more information.
  
== Verifying a Binary Release ==
 1. With the binary apache-rave-X.Y.Z-bin.zip and the signature file apache-rave-X.Y.Z-bin.zip.asc in the same directory, verify the binary release signature with '''''gpg apache-rave-X.Y.Z-bin.zip.asc'''''.
  a. For untrusted keys, you can verify the fingerprint with '''''gpg --fingerprint ABCD1234''''', replacing '''''ABCD1234''''' with the fingerprint of the key used to sign the release.
 1. Verify the SHA message digest with '''''gpg --print-md SHA512 apache-rave-X.Y.Z-bin.zip''''' and compare to the contents of apache-rave-X.Y.Z-bin.zip.sha.
  a. You can use UNIX's ''diff'' for this: '''''gpg --print-md SHA512 apache-rave-X.Y.Z-bin.zip | diff - apache-rave-X.Y.Z-bin.zip.sha'''''.  If the digest matches correctly, you will get no output.
 1. Verify the MD5 digest with the command '''''gpg --print-md md5 apache-rave-X.Y.Z-bin.zip''''' and compare to the contents of apache-rave-X.Y.Z-bin.zip.md5.  
  a. You can again use ''diff'' for this: '''''gpg --print-md md5 apache-rave-X.Y.Z-bin.zip | diff - apache-rave-X.Y.Z-bin.zip.md5'''''.  If the digest matches correctly, you will get no output.
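
The ''diff'' comparisons above only come out empty when the published digest file has exactly the layout that '''''gpg --print-md''''' prints (file name, colon, upper-case hex in wrapped groups). The following is an added example, not part of the Rave wiki page or the project's tooling: it reduces both sides to bare hex before comparing, assuming the digest file is in either gpg layout or the "HEX  NAME" layout; the function names are illustrative.

```shell
#!/bin/sh
# Added example (assumed helper names): format-tolerant version of the
# "gpg --print-md ... | diff - FILE.sha" step.

# normalize_digest: read a digest on stdin and print bare lower-case hex.
#   gpg --print-md layout: "NAME: 8F3A2B1C 4D5E6F70 ..." (grouped, may wrap)
#   checksum-tool layout : "8f3a2b1c...  NAME" or "8f3a2b1c... *NAME"
normalize_digest() {
    awk '
        { gsub(/\r/, "") }                        # tolerate CRLF digest files
        NR == 1 && index($0, ": ") { sub(/^.*: /, ""); gpg = 1 }
        NR == 1 && !gpg            { print tolower($1); exit }
        { gsub(/[ \t]/, ""); printf "%s", tolower($0) }
        END { if (gpg) print "" }
    '
}

# is_hex_digest HEX LENGTH: true only for exactly LENGTH hex characters
# (128 for SHA-512, 32 for MD5), so an empty or truncated file never matches.
is_hex_digest() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# digest_text_matches COMPUTED_TEXT PUBLISHED_TEXT LENGTH
digest_text_matches() {
    computed=$(printf '%s\n' "$1" | normalize_digest)
    published=$(printf '%s\n' "$2" | normalize_digest)
    is_hex_digest "$computed" "$3" && [ "$computed" = "$published" ]
}

# verify_sha512 ARCHIVE DIGEST_FILE: the SHA512 step from the page.
# Example: verify_sha512 apache-rave-X.Y.Z-bin.zip apache-rave-X.Y.Z-bin.zip.sha
verify_sha512() {
    digest_text_matches "$(gpg --print-md SHA512 "$1")" "$(cat "$2")" 128
}
```

A matching digest only shows that the download is intact; the signature check in the first step is what ties the archive to a key in the Rave KEYS file.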