From: Joshua Slive Date: Wed, 20 Jun 2001 04:33:13 +0000 (+0000) Subject: Add some instructions on verifying PGP signatures. This could really X-Git-Tag: 2.0.19~51 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=941bc17c484ec4df69bdfaa68b79a34c607efb4a;p=apache Add some instructions on verifying PGP signatures. This could really use a review from some people who understand these issues better than I do. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89394 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/install.html b/docs/manual/install.html index c6933140bb..8d8f4178af 100644 --- a/docs/manual/install.html +++ b/docs/manual/install.html @@ -147,18 +147,54 @@ href="http://www.apache.org/dyn/closer.cgi">nearby mirror.

Version numbers that end in alpha indicate early pre-test versions which may or may not work. Version numbers ending in beta indicate more reliable releases that still -require further testing or bug fixing. If you wish to dowload the +require further testing or bug fixing. If you wish to download the best available production release of the Apache HTTP Server, you should choose the latest version with neither alpha nor beta in its filename.

After downloading, especially if a mirror site is used, it is -important to verify that you have a complete and unmodified version -of the Apache HTTP Server. This can be accomplished by testing the -downloaded tarball against the PGP signature, which should always be -obtained from the main -Apache website. The signature file has a filename identical to -the source tarball with the addition of .asc.

+important to verify that you have a complete and unmodified version of +the Apache HTTP Server. This can be accomplished by testing the +downloaded tarball against the PGP signature. This, in turn, is a two +step procedure. First, you must obtain the KEYS file +from the Apache distribution +site. (To assure that the KEYS file itself has not +been modified, it may be a good idea to use a file from a previous +distribution of Apache or import the keys from a public key server.) +The keys are imported into your personal key ring using +one of the following commands (depending on your pgp version):

+
+$ pgp < KEYS +
+or +
+$ gpg --import KEYS +
+ +

The next step is to test the tarball against the PGP signature, +which should always be obtained from the main Apache website. The +signature file has a filename identical to the source tarball with the +addition of .asc. Then you can check the distribution +with one of the following commands (again, depending on your pgp +version):

+
+$ pgp httpd-2_0_NN.tar.gz.asc +
+or +
+$ gpg --verify httpd-2_0_NN.tar.gz.asc +
You should receive a message like

+
+Good signature from user "Martin Kraemer <martin@apache.org>". +
+

Depending on the trust relationships contained +in your key ring, you may also receive a message saying that +the relationship between the key and the signer of the key +cannot be verified. This is not a problem if you trust the +authenticity of the KEYS file.

Extract
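Review bot: the verification steps added in this hunk stop at the "Good signature from user ..." message, but that message only proves the signature was made by some key present in the reader's ring, and the same hunk suggests populating that ring from a public key server, where anyone can publish a key under any name. Suggest adding a sentence after the `Good signature` example telling the reader to compare the fingerprint of the signing key (for example with `gpg --fingerprint martin@apache.org`) against the KEYS file obtained over a trusted channel, and rewording the closing "This is not a problem if you trust the authenticity of the KEYS file" so that it is conditional on the fingerprint matching, not only on trusting the file. Separately, "depending on your pgp version" names no versions: label which PGP release each of `$ pgp < KEYS` and `$ pgp httpd-2_0_NN.tar.gz.asc` is meant for, since the text itself says the syntax differs by version.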

diff --git a/docs/manual/install.html.en b/docs/manual/install.html.en index c6933140bb..8d8f4178af 100644 --- a/docs/manual/install.html.en +++ b/docs/manual/install.html.en @@ -147,18 +147,54 @@ href="http://www.apache.org/dyn/closer.cgi">nearby mirror.

Version numbers that end in alpha indicate early pre-test versions which may or may not work. Version numbers ending in beta indicate more reliable releases that still -require further testing or bug fixing. If you wish to dowload the +require further testing or bug fixing. If you wish to download the best available production release of the Apache HTTP Server, you should choose the latest version with neither alpha nor beta in its filename.

After downloading, especially if a mirror site is used, it is -important to verify that you have a complete and unmodified version -of the Apache HTTP Server. This can be accomplished by testing the -downloaded tarball against the PGP signature, which should always be -obtained from the main -Apache website. The signature file has a filename identical to -the source tarball with the addition of .asc.

+important to verify that you have a complete and unmodified version of +the Apache HTTP Server. This can be accomplished by testing the +downloaded tarball against the PGP signature. This, in turn, is a two +step procedure. First, you must obtain the KEYS file +from the Apache distribution +site. (To assure that the KEYS file itself has not +been modified, it may be a good idea to use a file from a previous +distribution of Apache or import the keys from a public key server.) +The keys are imported into your personal key ring using +one of the following commands (depending on your pgp version):

+
+$ pgp < KEYS +
+or +
+$ gpg --import KEYS +
+ +

The next step is to test the tarball against the PGP signature, +which should always be obtained from the main Apache website. The +signature file has a filename identical to the source tarball with the +addition of .asc. Then you can check the distribution +with one of the following commands (again, depending on your pgp +version):

+
+$ pgp httpd-2_0_NN.tar.gz.asc +
+or +
+$ gpg --verify httpd-2_0_NN.tar.gz.asc +
You should receive a message like

+
+Good signature from user "Martin Kraemer <martin@apache.org>". +
+

Depending on the trust relationships contained +in your key ring, you may also receive a message saying that +the relationship between the key and the signer of the key +cannot be verified. This is not a problem if you trust the +authenticity of the KEYS file.

Extract
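Review bot: this hunk is a byte-for-byte copy of the docs/manual/install.html hunk (both index lines read c6933140bb..8d8f4178af), so any wording fix to the verification text must be applied to both files or the two copies drift; worth a comment in the commit or a follow-up that derives one file from the other. One gap visible in the added text itself: `$ gpg --verify httpd-2_0_NN.tar.gz.asc` only works when the tarball sits in the same directory with exactly the name the .asc file was made for (here `httpd-2_0_NN.tar.gz`), and the paragraph should say so, since a mirror download saved under a different name will fail the check for a non-security reason.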