Start by downloading and installing GnuPG, an implementation of OpenPGP. There are many tools for verifying
MD5 and SHA1 checksums; here is the GnuPG way for MD5:
gpg --print-md MD5 <ReleaseFile>
and for SHA1:
gpg --print-md SHA1 <ReleaseFile>
Compare the resulting checksum to the one contained in the <ReleaseFile>.md5 or <ReleaseFile>.sha1
checksum file. Use diff or your eyes; the checksums are short.
A better way of verifying a distribution file is to use the PGP signature provided in the .asc
files. To be able to use the PGP signature files, you need to obtain the UIMA
developers' public keys from a trusted source. The keys do come with the distribution as well,
but obviously using those is not a good way to ascertain the pedigree of a distribution. Instead,
get the keys from the main Apache distribution site (not a mirror), or directly out of the UIMA SVN repository.
Depending on how sure you want to be that those keys are really the ones you can trust, you may think of
even safer ways to obtain them (for example, go to ApacheCon and get them personally).
Once you have downloaded the KEYS file, you can import it into your GnuPG key registry with
gpg --import KEYS
Check what your key registry contains with
gpg --list-keys
To verify a release file, cd to the directory with the release and run
gpg --verify <fileName>.asc
for each file you would like to verify. The output should contain something like this:
gpg: Good signature from "Thilo Goetz (CODE SIGNING KEY) <twgoetz@apache.org>"
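The steps above, scripted, as an added example that is not part of the UIMA page or project. It makes two checks explicit that the manual procedure leaves to the reader: the checksum comparison tolerates the different layouts a .md5/.sha1 file can have (gpg's "name: 9E 10 7D ..." style or the md5sum/sha1sum "hex  name" style), and the signature check reads gpg's machine-readable status lines instead of grepping for "Good signature". "Good signature" only says that the signature matches some key in your key registry; gpg will additionally warn that the key is not certified unless you have trusted it yourself, so the script also requires the signing key's fingerprint to be one you took from the KEYS file obtained from the main Apache site. It imports KEYS into a throw-away GNUPGHOME so the result does not depend on whatever else is in your personal registry. The file names, the sample checksum lines (standard MD5/SHA1 test vectors for "The quick brown fox jumps over the lazy dog") and the sample status output with its all-digit fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the UIMA page): check an Apache release artifact
# against its checksum file and its detached .asc signature, accepting the
# signature only if gpg reports VALIDSIG from a fingerprint we trust.

# Constructed sample checksum lines (MD5/SHA1 of "The quick brown fox jumps over the lazy dog").
SAMPLE_MD5_GPG_STYLE='ReleaseFile: 9E 10 7D 9D 37 2B B6 82  6B D8 1D 35 42 A4 19 D6'
SAMPLE_SHA1_SUM_STYLE='2fd4e1c67a2d28fced849ee1bb76e7391b93eb12  ReleaseFile'

# Constructed sample of gpg --status-fd output; the fingerprint is a placeholder.
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer (CODE SIGNING KEY) <signer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2009-01-01 1230768000 0 4 0 1 2 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer (CODE SIGNING KEY) <signer@example.org>'

# Reduce a checksum line to lowercase hex with no file name, spaces or case,
# so "name: 9E 10 ..." and "9e10...  name" compare equal.
normalize_digest() {
    printf '%s\n' "$1" | sed 's/^[^:]*: *//' | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9A-Fa-f]+$/) out = out $i; else break
        }
        print tolower(out)
    }'
}

# Compare a release file's digest with its checksum file.
# $1: release file, $2: MD5 or SHA1. Returns 0 on match.
checksum_matches() {
    file=$1; algo=$2
    case $algo in MD5) ext=md5 ;; SHA1) ext=sha1 ;; *) return 2 ;; esac
    actual=$(normalize_digest "$(gpg --print-md "$algo" "$file")")
    expected=$(normalize_digest "$(cat "$file.$ext")")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Decide from gpg's status lines whether the signature is valid AND made by
# a key whose fingerprint is in our trusted list.
# $1: status text from --status-fd, $2: whitespace-separated trusted fingerprints.
signature_from_trusted_key() {
    status=$1; trusted=$2
    fpr=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3); exit }')
    [ -n "$fpr" ] || return 1
    for t in $trusted; do
        [ "$(printf '%s' "$t" | tr -d ' ' | tr 'a-f' 'A-F')" = "$fpr" ] && return 0
    done
    return 1
}

# Verify <file>.asc against <file> with a key registry built only from KEYS.
# $1: release file, $2: path to KEYS, $3: trusted fingerprints (taken from KEYS).
verify_release_signature() {
    file=$1; keys=$2; trusted=$3
    home=$(mktemp -d) || return 2
    GNUPGHOME=$home gpg --batch --quiet --import "$keys" 2>/dev/null
    status=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null)
    rm -rf "$home"
    signature_from_trusted_key "$status" "$trusted"
}

# Usage: verify-release.sh <ReleaseFile> KEYS "<fingerprint> [<fingerprint> ...]"
if [ $# -eq 3 ]; then
    checksum_matches "$1" SHA1 || { echo "SHA1 checksum mismatch for $1" >&2; exit 1; }
    verify_release_signature "$1" "$2" "$3" || { echo "signature on $1 not valid from a trusted key" >&2; exit 1; }
    echo "$1: checksum and signature OK"
fi
```

Run it from the directory holding the release file, its .sha1 and .asc files and KEYS. The fingerprints you pass should be read from the KEYS file you fetched from the main Apache site (each key's fpr line), not from gpg's own output on the signature you are checking, otherwise the fingerprint comparison proves nothing.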