You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pdfbox.apache.org by le...@apache.org on 2011/08/14 13:31:47 UTC
svn commit: r1157518 - in /pdfbox/site: publish/download.html
src/site/xdoc/download.xml
Author: lehmi
Date: Sun Aug 14 11:31:47 2011
New Revision: 1157518
URL: http://svn.apache.org/viewvc?rev=1157518&view=rev
Log:
PDFBOX-1089: added a section on how to verify the integrity of the provided artifacts
Modified:
pdfbox/site/publish/download.html
pdfbox/site/src/site/xdoc/download.xml
Modified: pdfbox/site/publish/download.html
URL: http://svn.apache.org/viewvc/pdfbox/site/publish/download.html?rev=1157518&r1=1157517&r2=1157518&view=diff
==============================================================================
--- pdfbox/site/publish/download.html (original)
+++ pdfbox/site/publish/download.html Sun Aug 14 11:31:47 2011
@@ -254,7 +254,51 @@
<a class="externalLink" href="http://www.apache.org/dist/pdfbox/1.6.0/RELEASE-NOTES.txt">release notes</a> for more details.
</p>
</div>
-
+ <a name="verify"></a><div class="section"><h2 id="verify">Verify</h2>
+ <!-- Instructions copied from Apache Jackrabbit -->
+ <p>
+ It is essential that you verify the integrity of the downloaded files using
+ the PGP signatures or MD5 and SHA1 checksums. Please read
+ <a class="externalLink" href="http://httpd.apache.org/dev/verification.html">Verifying Apache HTTP Server Releases</a>
+ for more information on why you should verify our releases.
+ </p>
+ <p>
+ The PGP signatures can be verified using PGP or GPG. First download the
+ <a class="externalLink" href="http://www.apache.org/dist/pdfbox/KEYS">KEYS</a> file as well as the
+ .asc signature files for the relevant release packages. Make sure you get
+ these files from the <a class="externalLink" href="http://www.apache.org/dist/pdfbox">main distribution directory</a>,
+ rather than from a mirror. Then verify the signatures using
+ </p>
+ <div class="source"><pre>
+ % pgpk -a KEYS
+ % pgpv pdfbox-X.Y.Z-src.zip.asc
+ </pre></div>
+ <p>
+ or
+ </p>
+ <div class="source"><pre>
+ % pgp -ka KEYS
+ % pgp pdfbox-X.Y.Z-src.zip.asc
+ </pre></div>
+ <p>
+ or
+ </p>
+ <div class="source"><pre>
+ % gpg --import KEYS
+ % gpg --verify pdfbox-X.Y.Z-src.zip.asc
+ </pre></div>
+ <p>
+ Alternatively, you can verify the MD5 or SHA1 checksums on the files.
+ For checking the MD5 checksums, use the program called md5 or md5sum
+ included in many Unix distributions. The similar program for SHA1
+ is called sha1sum. It is also available as part of the
+ <a class="externalLink" href="http://www.gnu.org/software/coreutils/">GNU core utilities</a>.
+ Windows users can get binary md5 programs from
+ <a class="externalLink" href="http://www.fourmilab.ch/md5/">here</a>,
+ <a class="externalLink" href="http://www.pc-tools.net/win32/md5sums/">here</a>, or
+ <a class="externalLink" href="http://www.slavasoft.com/fsum/">here</a>.
+ </p>
+ </div>
<a name="subversion"></a><div class="section"><h2 id="subversion">Get the latest source from version control</h2>
<p>
To fetch the latest source code from the trunk in the Subversion
Modified: pdfbox/site/src/site/xdoc/download.xml
URL: http://svn.apache.org/viewvc/pdfbox/site/src/site/xdoc/download.xml?rev=1157518&r1=1157517&r2=1157518&view=diff
==============================================================================
--- pdfbox/site/src/site/xdoc/download.xml (original)
+++ pdfbox/site/src/site/xdoc/download.xml Sun Aug 14 11:31:47 2011
@@ -102,7 +102,51 @@
>release notes</a> for more details.
</p>
</section>
-
+ <section id="verify" name="Verify">
+ <!-- Instructions copied from Apache Jackrabbit -->
+ <p>
+ It is essential that you verify the integrity of the downloaded files using
+ the PGP signatures or MD5 and SHA1 checksums. Please read
+ <a href="http://httpd.apache.org/dev/verification.html">Verifying Apache HTTP Server Releases</a>
+ for more information on why you should verify our releases.
+ </p>
+ <p>
+ The PGP signatures can be verified using PGP or GPG. First download the
+ <a href="http://www.apache.org/dist/pdfbox/KEYS">KEYS</a> file as well as the
+ .asc signature files for the relevant release packages. Make sure you get
+ these files from the <a href="http://www.apache.org/dist/pdfbox">main distribution directory</a>,
+ rather than from a mirror. Then verify the signatures using
+ </p>
+ <source>
+ % pgpk -a KEYS
+ % pgpv pdfbox-X.Y.Z-src.zip.asc
+ </source>
+ <p>
+ or
+ </p>
+ <source>
+ % pgp -ka KEYS
+ % pgp pdfbox-X.Y.Z-src.zip.asc
+ </source>
+ <p>
+ or
+ </p>
+ <source>
+ % gpg --import KEYS
+ % gpg --verify pdfbox-X.Y.Z-src.zip.asc
+ </source>
+ <p>
+ Alternatively, you can verify the MD5 or SHA1 checksums on the files.
+ For checking the MD5 checksums, use the program called md5 or md5sum
+ included in many Unix distributions. The similar program for SHA1
+ is called sha1sum. It is also available as part of the
+ <a href="http://www.gnu.org/software/coreutils/">GNU core utilities</a>.
+ Windows users can get binary md5 programs from
+ <a href="http://www.fourmilab.ch/md5/">here</a>,
+ <a href="http://www.pc-tools.net/win32/md5sums/">here</a>, or
+ <a href="http://www.slavasoft.com/fsum/">here</a>.
+ </p>
+ </section>
<section id="subversion" name="Get the latest source from version control">
<p>
To fetch the latest source code from the trunk in the Subversion