Posted to commits@apr.apache.org by ni...@apache.org on 2017/05/13 23:38:12 UTC

svn commit: r1795085 - /apr/site/trunk/xdocs/download.xml

Author: niq
Date: Sat May 13 23:38:12 2017
New Revision: 1795085

URL: http://svn.apache.org/viewvc?rev=1795085&view=rev
Log:
Update horrendously outdated verify section in download.xml

Modified:
    apr/site/trunk/xdocs/download.xml

Modified: apr/site/trunk/xdocs/download.xml
URL: http://svn.apache.org/viewvc/apr/site/trunk/xdocs/download.xml?rev=1795085&r1=1795084&r2=1795085&view=diff
==============================================================================
--- apr/site/trunk/xdocs/download.xml (original)
+++ apr/site/trunk/xdocs/download.xml Sat May 13 23:38:12 2017
@@ -154,49 +154,19 @@ list of mirrors</a>.</p>
 <section id="verify"><title>Verify the integrity of the files</title>
 
 <p>It is essential that you verify the integrity of the downloaded
-files using the PGP or MD5 signatures.  Please read <a
-href="http://httpd.apache.org/dev/verification.html">Verifying Apache
-HTTP Server Releases</a> for more information on why you should verify our
-releases.  (The same rationale applies to APR as to HTTP Server.)</p>
-
-<p>The PGP signatures can be verified using PGP or GPG.  First
-download the <a href="http://www.apache.org/dist/apr/KEYS">KEYS</a>
-as well as the <code>asc</code> signature file for the particular
-distribution.  Make sure you get these files from the <a
-href="http://www.apache.org/dist/apr/">main distribution
-directory</a>, rather than from a mirror. Then verify the signatures
-using</p>
-
-<p><code>
-% pgpk -a KEYS<br />
-% pgpv apr-1.0.1.tar.gz.asc<br />
-</code>
-<em>or</em><br />
-<code>
-% pgp -ka KEYS<br />
-% pgp apr-1.0.1.tar.gz.asc<br />
-</code>
-<em>or</em><br />
-<code>
-% gpg --import KEYS<br />
-% gpg --verify apr-1.0.1.tar.gz.asc
-</code></p>
-
-<p>Alternatively, you can verify the MD5 and/or SHA1 signature on the
-files. An MD5 hash consists of a 32 character string (example:
-<i>d41d8cd98f00b204e9800998ecf8427e</i>), and a SHA1 hash consists of
-a 40 character string (example:
-<i>da39a3ee5e6b4b0d3255bfef95601890afd80709</i>). To verify the hash
-on a file, generate a hash string of your own on the file, and compare
-the hash string you get with the hash string published inside the
-signature files. A unix program called <code>md5</code> or
-<code>md5sum</code> is included in many unix distributions. It is also
-available as part of
-<a href="http://www.gnu.org/software/textutils/textutils.html">GNU
-Textutils</a>. Windows users can get binary md5 programs from <a
-href="http://www.fourmilab.ch/md5/">here</a>, <a
-href="http://www.pc-tools.net/win32/freeware/console/">here</a>, or
-<a href="http://www.slavasoft.com/fsum/">here</a>.</p>
+files using the PGP signatures, using a tool such as GnuPG (GPG).
+Please read <a href="http://httpd.apache.org/dev/verification.html"
+>Verifying Apache HTTP Server Releases</a> for more information on
+how and why you must verify our releases The same rationale applies to
+APR as to HTTP Server).</p>
+
+<p>PGP public keys for individual Apache developers can be downloaded
+(and fingerprints verified) at <a
+href="https://people.apache.org/keys/committer/"
+>https://people.apache.org/keys/committer/</a>.  Alternatively, keys
+for APR developers are available in a bundle at <a
+href="https://people.apache.org/keys/group/apr.asc"
+>https://people.apache.org/keys/group/apr.asc</a>.</p>
 
 </section>
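Review bot: The added sentence `how and why you must verify our releases The same rationale applies to APR as to HTTP Server).` has lost the full stop and the opening parenthesis that the removed text had (`releases.  (The same rationale applies ...`), so the closing `)` is now unbalanced; restore `. (` before `The same rationale`. The retained link to `http://httpd.apache.org/dev/verification.html` is still plain HTTP while the two new key links use HTTPS, which is worth making consistent in a section about integrity verification. The rewrite also drops every concrete command along with the instruction to download the `asc` signature file, so the section no longer says what to run; consider keeping the `gpg --import` and `gpg --verify` pair from the removed text, pointed at the new key bundle.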