httpd-cvs mailing list archives

From sl...@apache.org
Subject cvs commit: httpd-2.0/docs/manual install.html
Date Wed, 20 Jun 2001 04:33:15 GMT
slive       01/06/19 21:33:14

  Modified:    docs/manual install.html
  Log:
  Add some instructions on verifying PGP signatures.  This could really
  use a review from some people who understand these issues better than
  I do.
  
  Revision  Changes    Path
  1.36      +43 -7     httpd-2.0/docs/manual/install.html
  
  Index: install.html
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/install.html,v
  retrieving revision 1.35
  retrieving revision 1.36
  diff -u -d -b -u -r1.35 -r1.36
  --- install.html	2001/05/21 20:31:37	1.35
  +++ install.html	2001/06/20 04:33:13	1.36
  @@ -147,18 +147,54 @@
   <p>Version numbers that end in <code>alpha</code> indicate early
   pre-test versions which may or may not work.  Version numbers ending
   in <code>beta</code> indicate more reliable releases that still
  -require further testing or bug fixing.  If you wish to dowload the
  +require further testing or bug fixing.  If you wish to download the
   best available production release of the Apache HTTP Server, you
   should choose the latest version with neither <code>alpha</code> nor
   <code>beta</code> in its filename.</p>
   
   <p>After downloading, especially if a mirror site is used, it is
  -important to verify that you have a complete and unmodified version
  -of the Apache HTTP Server.  This can be accomplished by testing the
  -downloaded tarball against the PGP signature, which should always be
  -obtained from the <a href="http://www.apache.org/dist/httpd">main
  -Apache website</a>.  The signature file has a filename identical to
  -the source tarball with the addition of <code>.asc</code>.</p>
  +important to verify that you have a complete and unmodified version of
  +the Apache HTTP Server.  This can be accomplished by testing the
  +downloaded tarball against the PGP signature.  This, in turn, is a two
  +step procedure.  First, you must obtain the <code>KEYS</code> file
  +from the <a href="http://www.apache.org/dist/">Apache distribution
  +site</a>.  (To assure that the <code>KEYS</code> file itself has not
  +been modified, it may be a good idea to use a file from a previous
  +distribution of Apache or import the keys from a public key server.)
  +The keys are imported into your personal key ring using
  +one of the following commands (depending on your pgp version):</p>
  +<blockquote><code>
  +$ pgp < KEYS
  +</code></blockquote>
  +or
  +<blockquote><code>
  +$ gpg --import KEYS
  +</code></blockquote>
  +
  +<p>The next step is to test the tarball against the PGP signature,
  +which should always be obtained from the <a
  +href="http://www.apache.org/dist/httpd">main Apache website</a>.  The
  +signature file has a filename identical to the source tarball with the
  +addition of <code>.asc</code>.  Then you can check the distribution
  +with one of the following commands (again, depending on your pgp
  +version):</p>
  +<blockquote><code>
  +$ pgp httpd-2_0_<em>NN</em>.tar.gz.asc
  +</code></blockquote>
  +or
  +<blockquote><code>
  +$ gpg --verify httpd-2_0_<em>NN</em>.tar.gz.asc
  +</code></blockquote
  +
  +<p>You should receive a message like</p>
  +<blockquote><code>
  +Good signature from user "Martin Kraemer &lt;martin@apache.org&gt;".
  +</code></blockquote>
  +<p>Depending on the trust relationships contained
  +in your key ring, you may also receive a message saying that
  +the relationship between the key and the signer of the key
  +cannot be verified.  This is not a problem if you trust the
  +authenticity of the <code>KEYS</code> file.</p>
   
   <h3><a name="extract">Extract</a></h3>
   
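Review bot: the closing tag after the `gpg --verify` example is written `</code></blockquote` with no final `>`, so the blank line and the following `<p>You should receive a message like</p>` will be parsed as part of a broken tag; add the missing `>`. In the first import example, `$ pgp < KEYS` contains a bare `<` that should be `&lt;`, as is already done in the "Good signature" sample. The two standalone "or" lines sit outside any `<p>` element, unlike the rest of the text. On the content: the last paragraph says the unverifiable-signer warning "is not a problem if you trust the authenticity of the KEYS file", but the only guidance for establishing that trust is the parenthetical about a previous distribution or a public key server, and the KEYS link itself is plain http. Consider adding a step that has the reader compare the signing key's fingerprint against one obtained through a separate channel, and stating that a "Good signature" line is only meaningful when the key it names is one of the release keys imported from KEYS.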
  
  
  
