...

You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than from mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors.

...

Checking

...

Signature

The following example details how signature interaction works. It assumes you have already downloaded apache-fineract-0.6.0-incubating-src.tar.gz (the source release) and apache-fineract-0.6.0-incubating-src.tar.gz.asc (the detached signature).

...

Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. If you then verified the signature of this corrupt release against that key, the check would succeed even though the key is not the 'real' key, because a signature check only shows that the file was signed by the key you used. Therefore, you need to validate the authenticity of this key.
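One way to guard against the fake-key case described above is to accept a release only when the signer's fingerprint equals one you obtained from a source you trust. This is an added example, not part of the original page; the function names and sample status lines are constructed for illustration, and it assumes the .asc file carries a single signature.

```shell
# Added example: pin the signer's fingerprint instead of trusting any key
# that happens to verify.

# signer_fpr: read `gpg --status-fd 1 --verify` output on stdin and print the
# primary-key fingerprint, but only if gpg also reported GOODSIG.
signer_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
       $1 == "[GNUPG:]" && $2 == "VALIDSIG" && !fpr {
         # Field 12 is the primary key fingerprint when gpg supplies it;
         # otherwise fall back to the signing key fingerprint in field 3.
         fpr = (NF >= 12 ? $NF : $3)
       }
       END { if (good && fpr) print fpr }'
}

# check_pinned STATUS_TEXT EXPECTED_FPR: succeed only on an exact match.
check_pinned() {
  local status expected actual
  status=$1
  # Normalise the expected value: drop spaces, upper-case the hex digits.
  expected=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  actual=$(printf '%s\n' "$status" | signer_fpr)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_release FILE SIG EXPECTED_FPR: run gpg, then apply the pin, e.g.
#   verify_release apache-fineract-0.6.0-incubating-src.tar.gz \
#     apache-fineract-0.6.0-incubating-src.tar.gz.asc "<trusted fingerprint>"
verify_release() {
  local status
  status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  check_pinned "$status" "$3"
}

# Constructed sample status lines (not output for any real key).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2020-01-01 1577836800 0 4 0 1 8 00 $SAMPLE_FPR"

if check_pinned "$SAMPLE_STATUS" "$SAMPLE_FPR"; then
  echo "signature valid and key pinned: accept"
fi
if ! check_pinned "$SAMPLE_STATUS" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"; then
  echo "signature valid but key not pinned: reject"
fi
```

The second sample call is the attacker case from the paragraph above: the signature is cryptographically good, yet the release is rejected because the key is not the expected one.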

Validating Authenticity of a key