You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than from mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors. (Our download page points you at the mirrors for the release and the official site for the signatures, so this happens automatically for you.)

The following example shows how signature verification works. It assumes you have already downloaded apache-fineract-0.6.0-incubating-src.tar.gz (the source release) and httpd-apache-fineract-0.6.0-incubating-src.tar.gz.asc (the detached signature).

This example uses the GNU Privacy Guard. Any OpenPGP-compliant program should work.

First, we will check the detached signature (fineract-0.6.0-incubating-src.tar.gz.asc) against our release (apache-fineract-0.6.0-incubating-src.tar.gz).

% gpg --verify fineract-0.6.0-incubating-src.tar.gz.asc apache-fineract-0.6.0-incubating-src.tar.gz
gpg: Signature made Tue Dec  8 21:32:07 2015 CET using RSA key ID 0BB29444
gpg: Can't check signature: public key not found

We don't have the release manager's public key (0BB29444) in our local system. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface). The public key servers are linked together, so you should be able to connect to any key server, or use the KEYS file which is available as part of the Apache Fineract Project (https://dist.apache.org/repos/dist/dev/incubator/fineract).
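
When this check is scripted, short key IDs such as the one gpg prints above are not a safe thing to match on, because unrelated keys can share them; compare the full fingerprint instead. The shell function below is an added example, not part of the original page or of the Fineract project. It classifies gpg's --status-fd output, including the "public key not found" case shown above. The fingerprint and key IDs in it are constructed placeholders.

```sh
# Added example: classify the machine-readable output of
#   gpg --status-fd 1 --verify <release>.asc <release>
# read on stdin. $1 is the signer's full 40-hex fingerprint, taken from a
# source you already trust (assumption: one signature per file).
classify_gpg_status() {
    expected=$1 good=0 matched=0 valid_seen=0 missing=
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue   # skip human-readable lines
        case $keyword in
            BADSIG)                     # data or signature was altered
                echo bad-signature; return 1 ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG) # verifies, but expired or revoked
                echo "rejected:$keyword"; return 1 ;;
            NO_PUBKEY)                  # the case shown on this page
                missing=$arg1 ;;
            GOODSIG)
                good=1 ;;
            VALIDSIG)                   # arg1 = signing key fpr, last = primary fpr
                valid_seen=1
                primary=${rest##* }
                if [ "$arg1" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    matched=1
                fi ;;
        esac
    done
    if [ -n "$missing" ]; then echo "missing-key:$missing"; return 2; fi
    if [ "$good" = 1 ] && [ "$matched" = 1 ]; then echo trusted; return 0; fi
    if [ "$valid_seen" = 1 ]; then echo wrong-key; return 1; fi
    echo no-signature; return 1
}

# Constructed status lines (placeholder key ID) for "public key not found".
sample='[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 1 8 00 1449606727 9
[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA'
printf '%s\n' "$sample" \
    | classify_gpg_status AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA || true
# prints: missing-key:AAAAAAAAAAAAAAAA
```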