tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Verify the downloaded files integrity
Date Fri, 27 Jul 2007 19:44:02 GMT


Varuna Seneviratna wrote:
> I want to know how to verify the downloaded Tomcat .zip version's integrity
> using pgp keys and checksums

Mladen Turk already answered that question on 2007-07-26 at 14:25. He
then pointed you to in a
subsequent message.

> and what is the theory behind it

The theory is that each file has a cryptographic signature generated and
then both the file and the signature (found in the KEYS file) are made
available for download.

After you download a file from a mirror, you can get the KEYS file from
the official site and then run your own cryptographic signature on the
file and compare it to the official KEYS. If they do not match, then you
know that the file you got from the mirror is corrupted or, worse, booby

Apache uses GnuPG to sign their files. If you don't have GnuPG, you can
use your own MD5-checksum-generating program to check the file against
the file's MD5 sum (usually found in original_file.md5 in the same
directory where you downloaded the original file).

Both procedures are covered in the page Mladen provided.

If you want to learn about GnuPG, then google GnuPG and read all about
it. If you want to learn about MD5, then google MD5 (or look it up in
Wikipedia) and read all about it.

-chris
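
The two checks described in the message above, as an added shell example (not part of the original post and not Apache's own tooling). It assumes `md5sum` and `gpg` are installed, that the checksum and the detached signature sit beside the download as `FILE.md5` and `FILE.asc`, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example. Function names and the FILE.md5 / FILE.asc layout are assumptions.

# First standalone 32-hex-digit token in a .md5 sidecar, lowercased. Covers
# "HASH", "HASH  file", "HASH *file" and the BSD form "MD5 (file) = HASH".
expected_md5() {
    tr 'A-F' 'a-f' < "$1" | grep -Eow '[0-9a-f]{32}' | head -n 1
}

# Integrity check: 0 = match, 1 = mismatch, 2 = unusable input.
# A checksum served by the same mirror only detects corruption in transit.
verify_md5() {   # usage: verify_md5 FILE FILE.md5
    [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read $1 or $2" >&2; return 2; }
    want=$(expected_md5 "$2")
    [ -n "$want" ] || { echo "no MD5 digest found in $2" >&2; return 2; }
    got=$(md5sum < "$1" | cut -d ' ' -f 1)
    if [ "$got" = "$want" ]; then
        echo "OK: $1"
    else
        echo "MISMATCH: $1 (expected $want, got $got)" >&2
        return 1
    fi
}

# Authenticity check: import KEYS (fetched from the official site, not the
# mirror) into a throwaway keyring, then verify the detached signature.
verify_sig() {   # usage: verify_sig FILE FILE.asc KEYS
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --quiet --import "$3" &&
        gpg --homedir "$home" --verify "$2" "$1"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Run both checks when called as: script FILE [KEYS]
if [ "$#" -ge 1 ]; then
    verify_md5 "$1" "$1.md5" && verify_sig "$1" "$1.asc" "${2:-KEYS}"
fi
```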

