You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

All official releases of code distributed by the Apache Fineract Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.

You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than from mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors.

The following example details how signature interaction works. In this example, you are already assumed to have downloaded apache-fineract-0.6.0-incubating-src.tar.gz (the source release) and apache-fineract-0.6.0-incubating-src.tar.gz.asc (the detached signature).

This example uses The GNU Privacy Guard. Any OpenPGP -compliant program should work successfully.

First, we will check the detached signature ( fineract-0.6.0-incubating-src.tar.gz.asc ) against our release ( apache-fineract-0.6.0-incubating-src.tar.gz ).

 

% gpg --verify fineract-0.6.0-incubating-src.tar.gz.asc apache-fineract-0.6.0-incubating-src.tar.gz
gpg: Signature made 12/07/16 16:33:37 India Standard Time using RSA key ID 0BB29444
gpg: Can't check signature: No public key

 

We don't have the release manager's public key ( 0BB29444 ) in our local system. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface ). The public key servers are linked together, so you should be able to connect to any key server.

% gpg --keyserver pgpkeys.mit.edu --recv-key 0BB29444 
gpg: requesting key 0BB29444 from HKP keyserver pgpkeys.mit.edu 
gpg: trustdb created 
gpg: key 0BB29444: public key "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer1100126@apache.org>" imported 
gpg: Total number processed: 1 
gpg: imported: 1

Another way to retrieve the public key is from KEYS file which is available as part Apache Fineract Project (https://dist.apache.org/repos/dist/dev/incubator/fineract)

% gpg --import KEYS
gpg: key B983100D: public key "Adi Raju (CODE SIGNING KEY FOR APACHE FINERACT) <rajuan@apache.org>" imported
gpg: key 0CB6C40C: "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer.shaik@confluxtechnologies.com>" not changed
gpg: key 0BB29444: public key "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer1100126@apache.org>" imported
gpg: Total number processed: 3
gpg:               imported: 2  (RSA: 2)
gpg:              unchanged: 1

 

 


 

  • No labels