Posted to commits@isis.apache.org by bu...@apache.org on 2013/01/03 11:28:23 UTC

svn commit: r844748 - in /websites/staging/isis/trunk: cgi-bin/ content/ content/download.html

Author: buildbot
Date: Thu Jan  3 10:28:23 2013
New Revision: 844748

Log:
Staging update by buildbot for isis

Modified:
    websites/staging/isis/trunk/cgi-bin/   (props changed)
    websites/staging/isis/trunk/content/   (props changed)
    websites/staging/isis/trunk/content/download.html

Propchange: websites/staging/isis/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Jan  3 10:28:23 2013
@@ -1 +1 @@
-1428254
+1428265

Propchange: websites/staging/isis/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Jan  3 10:28:23 2013
@@ -1 +1 @@
-1428254
+1428265

Modified: websites/staging/isis/trunk/content/download.html
==============================================================================
--- websites/staging/isis/trunk/content/download.html (original)
+++ websites/staging/isis/trunk/content/download.html Thu Jan  3 10:28:23 2013
@@ -270,6 +270,47 @@ Write your business logic in entities, d
 
 <p>See the <a href="release-matrix.html">release matrix</a> for details on the dependencies between core, components and archetypes.</p>
 
+<h2>Verifying Releases</h2>
+
+<h3>Verifying Releases</h3>
+
+<p>It is essential that you verify the integrity of any downloaded files using
+the PGP or MD5 signatures.  For more information on signing artifacts and
+why we do it, check out the
+<a href="http://www.apache.org/dev/release-signing.html">Release Signing FAQ</a>.</p>
+
+<p>The PGP signatures can be verified using PGP or GPG.  First download the <a href="https://git-wip-us.apache.org/repos/asf/isis/repo?p=isis.git;a=blob_plain;f=KEYS;hb=master">KEYS</a> as well as the asc signature file for the artifact.  Make sure you get these files from the <a href="http://www.apache.org/dist/isis/">main distribution directory</a>, rather than from a mirror.</p>
+
+<p>Then verify the signatures using:</p>
+
+<pre><code>$ pgpk -a KEYS
+$ pgpv bval-parent-0.4-source-release.zip.asc
+</code></pre>
+
+<p>or</p>
+
+<pre><code>$ pgp -ka KEYS
+$ pgp bval-parent-0.4-source-release.zip.asc
+</code></pre>
+
+<p>or</p>
+
+<pre><code>$ gpg --import KEYS
+$ gpg --verify bval-parent-0.4-source-release.zip.asc
+</code></pre>
+
+<p>Alternatively, you can verify the MD5 signature on the files. A Unix/Linux
+program called <code>md5</code> or <code>md5sum</code> is included in most distributions.  It is
+also available as part of
+<a href="http://www.gnu.org/software/textutils/textutils.html">GNU Textutils</a>.
+Windows users can get binary md5 programs from these (and likely other) places:</p>
+
+<ul>
+<li><a href="http://www.md5summer.org/">http://www.md5summer.org/</a></li>
+<li><a href="http://www.fourmilab.ch/md5/">http://www.fourmilab.ch/md5/</a></li>
+<li><a href="http://www.pc-tools.net/win32/md5sums/">http://www.pc-tools.net/win32/md5sums/</a></li>
+</ul>
+
 <h2>Source Code</h2>
 
 <p>You can also download the Isis source code using:</p>
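
Review bot: The added "Verifying Releases" text treats an MD5 checksum as interchangeable with a PGP signature, both in the opening "using the PGP or MD5 signatures" and in the paragraph starting "Alternatively, you can verify the MD5 signature". An MD5 digest is not a signature and only detects accidental corruption, since anyone able to replace the file can replace the digest alongside it. Suggest calling it an "MD5 checksum" and stating that only the PGP check authenticates the release. All three command examples name bval-parent-0.4-source-release.zip.asc, which does not match this Isis download page and looks carried over from another project's page; use an Isis artifact name or an obvious placeholder instead. The KEYS link points at the git repository, while the next sentence tells readers to fetch "these files" from the main distribution directory, which is itself linked over http; linking KEYS from the distribution directory over https would make the instruction and the links agree. The section also opens with the same heading twice (an <h2> and an <h3> both reading "Verifying Releases"); drop one of them.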