<p>Version numbers that end in <code>alpha</code> indicate early
pre-test versions which may or may not work. Version numbers ending
in <code>beta</code> indicate more reliable releases that still
-require further testing or bug fixing. If you wish to dowload the
+require further testing or bug fixing. If you wish to download the
best available production release of the Apache HTTP Server, you
should choose the latest version with neither <code>alpha</code> nor
<code>beta</code> in its filename.</p>
<p>After downloading, especially if a mirror site is used, it is
-important to verify that you have a complete and unmodified version
-of the Apache HTTP Server. This can be accomplished by testing the
-downloaded tarball against the PGP signature, which should always be
-obtained from the <a href="http://www.apache.org/dist/httpd">main
-Apache website</a>. The signature file has a filename identical to
-the source tarball with the addition of <code>.asc</code>.</p>
+important to verify that you have a complete and unmodified version of
+the Apache HTTP Server. This can be accomplished by testing the
+downloaded tarball against the PGP signature. This, in turn, is a two
+step procedure. First, you must obtain the <code>KEYS</code> file
+from the <a href="http://www.apache.org/dist/">Apache distribution
+site</a>. (To assure that the <code>KEYS</code> file itself has not
+been modified, it may be a good idea to use a file from a previous
+distribution of Apache or import the keys from a public key server.)
+The keys are imported into your personal key ring using
+one of the following commands (depending on your pgp version):</p>
+<blockquote><code>
+$ pgp < KEYS
+</code></blockquote>
+or
+<blockquote><code>
+$ gpg --import KEYS
+</code></blockquote>
+
+<p>The next step is to test the tarball against the PGP signature,
+which should always be obtained from the <a
+href="http://www.apache.org/dist/httpd">main Apache website</a>. The
+signature file has a filename identical to the source tarball with the
+addition of <code>.asc</code>. Then you can check the distribution
+with one of the following commands (again, depending on your pgp
+version):</p>
+<blockquote><code>
+$ pgp httpd-2_0_<em>NN</em>.tar.gz.asc
+</code></blockquote>
+or
+<blockquote><code>
+$ gpg --verify httpd-2_0_<em>NN</em>.tar.gz.asc
+</code></blockquote
+
+<p>You should receive a message like</p>
+<blockquote><code>
+Good signature from user "Martin Kraemer <martin@apache.org>".
+</code></blockquote>
+<p>Depending on the trust relationships contained
+in your key ring, you may also receive a message saying that
+the relationship between the key and the signer of the key
+cannot be verified. This is not a problem if you trust the
+authenticity of the <code>KEYS</code> file.</p>
<h3><a name="extract">Extract</a></h3>
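Review bot: The closing tag after the gpg --verify command is written as "+</code></blockquote" with no final ">", so the markup is malformed at that point and the following "You should receive a message like" paragraph may not render as intended; add the missing ">". The raw "<" in "$ pgp < KEYS" and the "<martin@apache.org>" in the sample output should be written as &lt; and &gt;, otherwise a browser treats the address as an unknown tag and drops it from the rendered message. The two bare "or" lines between the blockquotes sit outside any paragraph element and should be wrapped in <p>.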
<p>Version numbers that end in <code>alpha</code> indicate early
pre-test versions which may or may not work. Version numbers ending
in <code>beta</code> indicate more reliable releases that still
-require further testing or bug fixing. If you wish to dowload the
+require further testing or bug fixing. If you wish to download the
best available production release of the Apache HTTP Server, you
should choose the latest version with neither <code>alpha</code> nor
<code>beta</code> in its filename.</p>
<p>After downloading, especially if a mirror site is used, it is
-important to verify that you have a complete and unmodified version
-of the Apache HTTP Server. This can be accomplished by testing the
-downloaded tarball against the PGP signature, which should always be
-obtained from the <a href="http://www.apache.org/dist/httpd">main
-Apache website</a>. The signature file has a filename identical to
-the source tarball with the addition of <code>.asc</code>.</p>
+important to verify that you have a complete and unmodified version of
+the Apache HTTP Server. This can be accomplished by testing the
+downloaded tarball against the PGP signature. This, in turn, is a two
+step procedure. First, you must obtain the <code>KEYS</code> file
+from the <a href="http://www.apache.org/dist/">Apache distribution
+site</a>. (To assure that the <code>KEYS</code> file itself has not
+been modified, it may be a good idea to use a file from a previous
+distribution of Apache or import the keys from a public key server.)
+The keys are imported into your personal key ring using
+one of the following commands (depending on your pgp version):</p>
+<blockquote><code>
+$ pgp < KEYS
+</code></blockquote>
+or
+<blockquote><code>
+$ gpg --import KEYS
+</code></blockquote>
+
+<p>The next step is to test the tarball against the PGP signature,
+which should always be obtained from the <a
+href="http://www.apache.org/dist/httpd">main Apache website</a>. The
+signature file has a filename identical to the source tarball with the
+addition of <code>.asc</code>. Then you can check the distribution
+with one of the following commands (again, depending on your pgp
+version):</p>
+<blockquote><code>
+$ pgp httpd-2_0_<em>NN</em>.tar.gz.asc
+</code></blockquote>
+or
+<blockquote><code>
+$ gpg --verify httpd-2_0_<em>NN</em>.tar.gz.asc
+</code></blockquote
+
+<p>You should receive a message like</p>
+<blockquote><code>
+Good signature from user "Martin Kraemer <martin@apache.org>".
+</code></blockquote>
+<p>Depending on the trust relationships contained
+in your key ring, you may also receive a message saying that
+the relationship between the key and the signer of the key
+cannot be verified. This is not a problem if you trust the
+authenticity of the <code>KEYS</code> file.</p>
<h3><a name="extract">Extract</a></h3>
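Review bot: The closing paragraph says the unverified-trust warning "is not a problem if you trust the authenticity of the KEYS file", but the added text gives the reader no concrete way to establish that trust: both KEYS and the .asc signature are linked over plain http from www.apache.org, so there is nothing independent to check against. Suggest adding a step that compares the signing key's fingerprint (gpg --fingerprint) with a value obtained from a separate source, and promoting the parenthetical about a previous distribution or a public key server from "it may be a good idea" to the recommended way of obtaining the keys. The sample output names one specific signer; note that the name depends on who signed the release. Minor: "two step procedure" should be hyphenated as "two-step procedure".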