Versions Compared

...

  1. The VOTE email, 
  2. The release candidate .zip file, and 
  3. The checksum files (.md5 and .sha1), downloaded at the same time as the release candidate.

The intent is that the checksum you compute from the downloaded .zip is identical to the value given by each of these three sources.

There are two steps: generate and verify. You can verify the checksums using a command line interface or a utility. Both methods are described below.

Check using the command line interface

Generate. To generate checksums, navigate to the directory containing the .zip file and run the CertUtil command. Append SHA512 and MD5, as shown below, to generate those checksums. (With no algorithm name, CertUtil gives you the SHA1 checksum.) The commands below use single quotes, which PowerShell accepts; in cmd.exe use double quotes or no quotes, because cmd.exe passes single quotes through to CertUtil as part of the file name.

    CertUtil -hashfile 'apache-taverna-parent-2-incubating-source-release.zip'

...

    CertUtil -hashfile 'apache-taverna-parent-2-incubating-source-release.zip' MD5

Verify. To verify, compare the generated checksums with those listed in the VOTE email and in the downloaded .md5 and .sha1 files. You can compare them visually, or copy and paste the checksums into an online difference checker; either way, compare the whole string, not just the first few characters. A matching checksum shows that the file arrived intact. Because the .md5 and .sha1 files are served from the same place as the .zip, a match does not by itself show who produced the file; that is what the PGP signature check in step 1b is for.

Check using the MD5 and SHA Checksum Utility

Generate. Follow the steps below.

  1. Open the MD5 and SHA Checksum Utility (double-click the .exe); a window opens (see the screenshot below). 
  2. Browse to the release candidate .zip file, and the checksums will be displayed. (Use the checkboxes to choose which checksums you want to see.) 
  3. You can copy individual checksums, or use the Copy All button.

Verify. You can visually compare the checksums or use an online difference checker. The utility also allows you to paste a checksum (e.g., either from the VOTE email or from the downloaded .md5 or .sha1 files) into the Hash input box, and the utility will compare it with the value from the .zip file. Pasting into the Hash box is the more reliable of the two, since the utility then compares the full value for you.

MD5 and SHA Checksum Utility
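The generate-and-verify steps above as a script, for either the command line or the utility route. This is an added example, not code from the Taverna project or from the original page. It assumes Python 3 and the three sources named in the text (the VOTE email value and the downloaded .md5 and .sha1 files); the function names, the usage line and the sample values are the example's own, and the sample values are the standard digests of the bytes "abc", not of any real release. It handles the checksum-file layouts that differ between tools (a bare value, "digest  filename", and the grouped upper-case "filename: XXXX XXXX" layout), which is exactly where a visual comparison goes wrong.

```python
"""Verify a release-candidate .zip against its published checksums.

Added example (not Taverna project code). It does by script what the text
does by hand: compute the digest of the .zip and compare it, in full, with
the value from each source (VOTE email, .md5 file, .sha1 file).
"""
import hashlib
import re
import sys

HEX = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample inputs: the standard md5/sha1 test vectors for the bytes
# b"abc", laid out the way each source in the text would present them.
SAMPLE_DATA = b"abc"
SAMPLE_SOURCES = [
    ("VOTE email", "sha1", "A9993E364706816ABA3E25717850C26C9CD0D89D"),
    (".md5 file", "md5", "900150983cd24fb0d6963f7d28e17f72  apache-taverna-parent-2-incubating-source-release.zip\n"),
    (".sha1 file", "sha1", "apache-taverna-parent-2-incubating-source-release.zip: A999 3E36 4706 816A BA3E 2571 7850 C26C 9CD0 D89D\n"),
    ("tampered copy", "sha1", "0000000000000000000000000000000000000000 *apache-taverna-parent-2-incubating-source-release.zip"),
]


def compute_checksum(data: bytes, algo: str) -> str:
    """Lower-case hex digest of in-memory data; algo is 'md5', 'sha1' or 'sha512'."""
    return hashlib.new(algo, data).hexdigest()


def digests_of_file(path: str, algos, chunk: int = 1 << 20) -> dict:
    """Stream a large .zip once from disk and return {algo: hex digest}."""
    hashes = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def parse_checksum(text: str, algo: str) -> str:
    """Extract the digest from a .md5/.sha1 file or a value pasted from the VOTE email.

    Layouts handled:
      '<digest>  name.zip'            md5sum/sha1sum style, also '<digest> *name.zip'
      'name.zip: A999 3E36 ... D89D'  gpg --print-md style, grouped, upper case
      '<digest>'                      bare value copied from an email
    Non-hex tokens (file name, '*' marker) are dropped and the rest joined;
    the result must be exactly one digest long for algo, else ValueError.
    """
    want = hashlib.new(algo).digest_size * 2
    tokens = text.replace(":", " ").split()
    digest = "".join(t for t in tokens if HEX.fullmatch(t)).lower()
    if len(digest) != want:
        raise ValueError(f"{algo}: expected {want} hex digits, found {len(digest)} in {text!r}")
    return digest


def check_sources(digests: dict, sources) -> dict:
    """Compare computed {algo: hex} against each (label, algo, text) source.

    Returns {label: True/False}. A source that cannot be parsed, or whose
    algorithm was not computed, counts as a failure rather than being
    skipped, so a damaged .md5 file cannot pass unnoticed.
    """
    results = {}
    for label, algo, text in sources:
        try:
            results[label] = parse_checksum(text, algo) == digests.get(algo)
        except ValueError:
            results[label] = False
    return results


if __name__ == "__main__":
    # usage: verify_checksums.py release.zip release.zip.md5 release.zip.sha1 [sha1-from-VOTE-email]
    zip_path, md5_path, sha1_path = sys.argv[1:4]
    sources = [(".md5 file", "md5", open(md5_path).read()),
               (".sha1 file", "sha1", open(sha1_path).read())]
    if len(sys.argv) > 4:
        sources.append(("VOTE email", "sha1", sys.argv[4]))
    results = check_sources(digests_of_file(zip_path, ["md5", "sha1"]), sources)
    for label, ok in results.items():
        print(f"{label:<12} {'MATCH' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```

An unparsable or mismatching source is reported as a failure rather than skipped, so a truncated or mangled checksum file cannot quietly pass; the exit status is non-zero unless every source matches.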


1b Check that the PGP signature is valid

Each software artifact is signed using a PGP (Pretty Good Privacy) key. Verifying that the key you downloaded matches the original key used to sign the software artifact is critical: gpg reporting a good signature only tells you that some key produced the signature, so you also need to confirm that the key's fingerprint is one listed in the project's KEYS file.

You can verify the signatures using a command line interface. See https://httpd.apache.org/dev/verification.html for general verification information.

Command line interface

  1. Download the Taverna key file from https://dist.apache.org/repos/dist/release/incubator/taverna/KEYS. (On Windows this can be done by typing Ctrl-S in the browser window and saving the file as keys.txt.)

  2. Import the key file into GPG:
    gpg --import keys.txt

     

  3. Download the .asc file

  4. Verify the .asc file matches the zipped release candidate. In general, use the gpg command with the --verify option followed by the .asc filename and the .zip filename. For example:

     gpg --verify 'apache-taverna- ... -source-release.zip.asc' 'apache-taverna- ... -source-release.zip'

     Look for "Good signature from ..." in the output, then compare the key's fingerprint (gpg --fingerprint followed by the key ID shown) with the fingerprint listed for that key in the KEYS file. A "WARNING: This key is not certified with a trusted signature!" line is expected when you have imported the key but not signed it yourself; it does not mean the signature is bad. "BAD signature" or "Can't check signature: No public key" means the check has failed.
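The steps above as a script that also pins the signing key, which is the check this section calls critical. This is an added example, not code from the Taverna project or from the original page. It assumes gpg 2.2 or later on the PATH and Python 3; the function names, the usage line, and the sample status lines, key listing and fingerprints (all constructed, not real keys) are the example's own. Rather than trusting gpg's exit status or the "Good signature" text, it reads the machine-readable --status-fd output and accepts the signature only if the signing key's fingerprint is among the fingerprints in the KEYS file.

```python
"""Verify a release-candidate signature and pin the signer to the KEYS file.

Added example (not Taverna project code). Wraps the two gpg commands from
the text (import the KEYS file, --verify the .asc against the .zip) and adds
the check the text calls critical: the key that produced the good signature
must be one listed in KEYS, matched by full fingerprint.
"""
import re
import subprocess

STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# Status keywords after which the signature is rejected, whatever else gpg prints.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample inputs (not real keys): the status lines gpg prints for a
# good signature made by signing subkey 1111... of primary key 2222..., and the
# --with-colons listing of that key pair as the KEYS file would yield it.
SIGNING_FPR = "1111111111111111111111111111111111111111"
PRIMARY_FPR = "2222222222222222222222222222222222222222"
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>",
    f"[GNUPG:] VALIDSIG {SIGNING_FPR} 2016-01-01 1451606400 0 4 0 1 10 00 {PRIMARY_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",  # the "not certified" warning; not a failure
])
SAMPLE_KEYS_COLONS = "\n".join([
    "pub:-:4096:1:0123456789ABCDEF:1451606400::::::scESC::::::23::0:",
    f"fpr:::::::::{PRIMARY_FPR}:",
    "sub:-:4096:1:FEDCBA9876543210:1451606400::::::s::::::23:",
    f"fpr:::::::::{SIGNING_FPR}:",
])


def fingerprints_from_colons(text: str) -> set:
    """Collect fingerprints from a 'gpg --with-colons' key listing.

    Each primary key and each subkey has its own 'fpr' record with the
    fingerprint in field 10 (index 9), so a signature made with a signing
    subkey of a listed key is still matched.
    """
    fprs = set()
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.add(fields[9].upper())
    return fprs


def parse_gpg_status(status_output: str) -> dict:
    """Summarise the [GNUPG:] lines from 'gpg --status-fd 1 --verify'.

    'good' means GOODSIG and VALIDSIG both appeared and no fatal keyword did;
    it says nothing yet about whose key made the signature.
    """
    info = {"good": False, "keyid": None, "signing_fpr": None,
            "primary_fpr": None, "fatal": []}
    seen = set()
    for line in status_output.splitlines():
        m = STATUS_LINE.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), (m.group(2) or "").split()
        seen.add(keyword)
        if keyword in FATAL:
            info["fatal"].append(keyword)
        elif keyword == "GOODSIG" and rest:
            info["keyid"] = rest[0]
        elif keyword == "VALIDSIG" and rest:
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <sig-class> <primary-key-fpr>
            info["signing_fpr"] = rest[0].upper()
            info["primary_fpr"] = (rest[9] if len(rest) > 9 else rest[0]).upper()
    info["good"] = {"GOODSIG", "VALIDSIG"} <= seen and not info["fatal"]
    return info


def signature_is_trusted(status_output: str, expected_fprs) -> bool:
    """True only for a good signature made by a key whose fingerprint is expected.

    Fingerprints may be given with display spacing ('2222 2222 ... 2222').
    """
    info = parse_gpg_status(status_output)
    if not info["good"]:
        return False
    wanted = {f.replace(" ", "").upper() for f in expected_fprs}
    return info["primary_fpr"] in wanted or info["signing_fpr"] in wanted


def verify_release(asc_path: str, zip_path: str, keys_path: str) -> bool:
    """Run the real commands; needs gpg 2.2 or later on the PATH."""
    subprocess.run(["gpg", "--batch", "--import", keys_path],
                   check=True, capture_output=True)
    listing = subprocess.run(["gpg", "--batch", "--with-colons", "--show-keys", keys_path],
                             check=True, capture_output=True, text=True).stdout
    # --status-fd 1 puts the [GNUPG:] lines on stdout. The exit status alone is
    # not enough: it is 0 for a good signature from any key at all.
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, zip_path],
                          capture_output=True, text=True)
    return signature_is_trusted(proc.stdout, fingerprints_from_colons(listing))


if __name__ == "__main__":
    import sys
    # usage: verify_signature.py release.zip.asc release.zip keys.txt
    ok = verify_release(*sys.argv[1:4])
    print("OK: good signature from a key listed in KEYS" if ok else "REJECTED")
    sys.exit(0 if ok else 1)
```

The TRUST_UNDEFINED line in the sample corresponds to the "not certified with a trusted signature" warning; the script does not treat it as a failure, because the fingerprint comparison against KEYS is what establishes that the key is the project's, not gpg's web-of-trust state.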

 

...

AFTER you unzip the release candidate, but BEFORE you build

...