THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
All official releases of code distributed by the Apache Fineract Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.
You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than from mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors.
The following example details how signature interaction works. In this example, you are already assumed to have downloaded apache-fineract-0.6.0-incubating-src.tar.gz (the source release) and httpd-apache-fineract-0.6.0-incubating-src.tar.gz.asc (the detached signature).
This example uses The GNU Privacy Guard. Any OpenPGP -compliant program should work successfully.
First, we will check the detached signature ( fineract-0.6.0-incubating-src.tar.gz.asc ) against our release ( apache-fineract-0.6.0-incubating-src.tar.gz ).
% gpg --verify fineract-0.6.0-incubating-src.tar.gz.asc apache-fineract-0.6.0-incubating-src.tar.gz gpg: Signature made Tue Dec 8 21:32:07 2015 CET using RSA key ID 0BB29444 gpg: Can't check signature: public key not found
We don't have the release manager's public key ( 0BB29444 ) in our local system. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface ). The public key servers are linked together, so you should be able to connect to any key server. Another way to retrieve the public key is from KEYS file which is available as part Apache Fineract Project (https://dist.apache.org/repos/dist/dev/incubator/fineract)