apr-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From n..@apache.org
Subject svn commit: r1795085 - /apr/site/trunk/xdocs/download.xml
Date Sat, 13 May 2017 23:38:12 GMT
Author: niq
Date: Sat May 13 23:38:12 2017
New Revision: 1795085

URL: http://svn.apache.org/viewvc?rev=1795085&view=rev
Update horrendously outdated verify section in download.xml


Modified: apr/site/trunk/xdocs/download.xml
URL: http://svn.apache.org/viewvc/apr/site/trunk/xdocs/download.xml?rev=1795085&r1=1795084&r2=1795085&view=diff
--- apr/site/trunk/xdocs/download.xml (original)
+++ apr/site/trunk/xdocs/download.xml Sat May 13 23:38:12 2017
@@ -154,49 +154,19 @@ list of mirrors</a>.</p>
 <section id="verify"><title>Verify the integrity of the files</title>
 <p>It is essential that you verify the integrity of the downloaded
-files using the PGP or MD5 signatures.  Please read <a
-href="http://httpd.apache.org/dev/verification.html">Verifying Apache
-HTTP Server Releases</a> for more information on why you should verify our
-releases.  (The same rationale applies to APR as to HTTP Server.)</p>
-<p>The PGP signatures can be verified using PGP or GPG.  First
-download the <a href="http://www.apache.org/dist/apr/KEYS">KEYS</a>
-as well as the <code>asc</code> signature file for the particular
-distribution.  Make sure you get these files from the <a
-href="http://www.apache.org/dist/apr/">main distribution
-directory</a>, rather than from a mirror. Then verify the signatures
-% pgpk -a KEYS<br />
-% pgpv apr-1.0.1.tar.gz.asc<br />
-<em>or</em><br />
-% pgp -ka KEYS<br />
-% pgp apr-1.0.1.tar.gz.asc<br />
-<em>or</em><br />
-% gpg --import KEYS<br />
-% gpg --verify apr-1.0.1.tar.gz.asc
-<p>Alternatively, you can verify the MD5 and/or SHA1 signature on the
-files. An MD5 hash consists of a 32 character string (example:
-<i>d41d8cd98f00b204e9800998ecf8427e</i>), and a SHA1 hash consists of
-a 40 character string (example:
-<i>da39a3ee5e6b4b0d3255bfef95601890afd80709</i>). To verify the hash
-on a file, generate a hash string of your own on the file, and compare
-the hash string you get with the hash string published inside the
-signature files. A unix program called <code>md5</code> or
-<code>md5sum</code> is included in many unix distributions. It is also
-available as part of
-<a href="http://www.gnu.org/software/textutils/textutils.html">GNU
-Textutils</a>. Windows users can get binary md5 programs from <a
-href="http://www.fourmilab.ch/md5/">here</a>, <a
-href="http://www.pc-tools.net/win32/freeware/console/">here</a>, or
-<a href="http://www.slavasoft.com/fsum/">here</a>.</p>
+files using the PGP signatures, using a tool such as GnuPG (GPG).
+Please read <a href="http://httpd.apache.org/dev/verification.html"
+>Verifying Apache HTTP Server Releases</a> for more information on
+how and why you must verify our releases The same rationale applies to
+APR as to HTTP Server).</p>
+<p>PGP public keys for individual Apache developers can be downloaded
+(and fingerprints verified) at <a
+>https://people.apache.org/keys/committer/</a>.  Alternatively, keys
+for APR developers are available in a bundle at <a

View raw message