zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Warren Turkal ...@penguintechs.org>
Subject verifying downloads of release tarballs
Date Mon, 06 Oct 2014 18:25:58 GMT
Hey everyone,

I have a couple questions about verifying the tarballs I download for

I don't see any listing of an official release manager identity and their
pub key. Therefore, I don't know which key I should be getting to verify a
signature against. Is there a list somewhere of the release manager
identity. Ideally, I'd also be able to get the key from an Apache site
protected by TLS (maybe even HTTPS). Am I just missing this info? If so,
where is the info?

Also, I don't see corresponding .asc signature files that can be used to
verify the authenticity of the archives even if I did have a pub key. Are
these located in some special location other than in the directories along
side the released tarballs?

Alternatively, is there a better way to retrieve crypto-secured releases
than just downloading the release tarballs?


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message