Improvements to Verification page.
Project: http://git-wip-us.apache.org/repos/asf/brooklyn-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-docs/commit/b01daa59 Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-docs/tree/b01daa59 Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-docs/diff/b01daa59 Branch: refs/heads/0.5.0 Commit: b01daa595697f62c830981dda2ae7df0252baafd Parents: 781c95b Author: David Toy <[email protected]> Authored: Mon Apr 22 12:22:40 2013 +0100 Committer: David Toy <[email protected]> Committed: Mon Apr 22 12:22:40 2013 +0100 ---------------------------------------------------------------------- docs/meta/verify.md | 55 +++++++++++++++++++----------------------------- 1 file changed, 22 insertions(+), 33 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/brooklyn-docs/blob/b01daa59/docs/meta/verify.md ---------------------------------------------------------------------- diff --git a/docs/meta/verify.md b/docs/meta/verify.md index faa97f5..5965946 100644 --- a/docs/meta/verify.md +++ b/docs/meta/verify.md 
@@ -1,47 +1,36 @@ --- layout: page -title: Verify the integrity of the files +title: Verify the Integrity of Downloads toc: /toc.json --- {% include fields.md %} -It is essential that you verify the integrity of the downloaded files using the PGP signatures or SHA-1 checksums. +It is essential for security that you verify the integrity of the downloaded files using their PGP signatures or SHA-1 checksums. -The PGP signatures can be verified using PGP or GPG. First download the [brooklyn-gpg-public-key.asc](brooklyn-gpg-public-key.asc) -file as well as the `.asc` PGP signature file for the relevant artefact. Make sure you get these files from the main -{% if SNAPSHOT %} -[Maven Central]({{ mavencentral_repo_groupid_url }}) -{% else %} -[Sonatype]({{ sonatype_repo_groupid_url }}) -{% endif %} -repository rather than from a mirror. Then verify the signatures using one of the following commands: +### Verifying PGP signatures using PGP or GPG -``` -% pgpk -a brooklyn-gpg-public-key.asc -% pgpv brooklyn-{{ site.brooklyn-version }}-dist.tar.gz.asc -``` +Download the [brooklyn-gpg-public-key.asc](brooklyn-gpg-public-key.asc) +file and the `.asc` PGP signature file for the relevant artefact. + +(Make sure you get these files from the main {% if SNAPSHOT %}[Maven Central]({{ mavencentral_repo_groupid_url }}){% else %}[Sonatype]({{ sonatype_repo_groupid_url }}){% endif %} repository rather than from a mirror.) + +Verify the signatures using one of the following commands: + + pgpk -a brooklyn-gpg-public-key.asc + pgpv brooklyn-{{ site.brooklyn-version }}-dist.tar.gz.asc or -``` -% pgp -ka brooklyn-gpg-public-key.asc -% pgp brooklyn-{{ site.brooklyn-version }}-dist.zip.asc -``` + pgp -ka brooklyn-gpg-public-key.asc + pgp brooklyn-{{ site.brooklyn-version }}-dist.zip.asc or -``` -% gpg --import brooklyn-gpg-public-key.asc -% gpg --verify brooklyn-{{ site.brooklyn-version }}-dist.tar.gz.asc -``` - -You can also verify the SHA-1 checksum of the files. 
A program called `sha1` or `sha1sum` is included in -most Linux distributions and OSX. For Windows users, `fsum` supports SHA-1. Ensure your generated checksum -string matches the contents of the `.sha1` file for the relevant artefact, again making sure you get this -file from the main -{% if SNAPSHOT %} -[Maven Central]({{ mavencentral_repo_groupid_url }}) -{% else %} -[Sonatype]({{ sonatype_repo_groupid_url }}) -{% endif %} -repository, rather than from a mirror. + gpg --import brooklyn-gpg-public-key.asc + gpg --verify brooklyn-{{ site.brooklyn-version }}-dist.tar.gz.asc + +You can also verify the SHA-1 checksum of the files. + +A program called `sha1` or `sha1sum` is included in most Linux distributions and OSx. For Windows users, `fsum` supports SHA-1. + +Ensure the generated checksum string matches the contents of the `.sha1` file for the relevant artefact (and again download from {% if SNAPSHOT %}[Maven Central]({{ mavencentral_repo_groupid_url }}){% else %}[Sonatype]({{ sonatype_repo_groupid_url }}){% endif %} repository, rather than from a mirror).
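Review bot: In the rewritten intro line ("It is essential for security that you verify the integrity of the downloaded files using their PGP signatures or SHA-1 checksums") the two checks are offered as interchangeable. A `.sha1` file fetched from the same repository as the artefact only detects a corrupted download, while the signature check is what ties the file to the project's key. Suggest describing the checksum section as a corruption check and the PGP section as the authenticity check. The PGP section should also tell readers to confirm the fingerprint of `brooklyn-gpg-public-key.asc` after importing it, since the key is linked relative to this page and so comes from the same site. Smaller points in the added lines: "OSx" was "OSX" in the removed text; the last line now reads "download from ... repository" where the removed text had "from the main ... repository"; and the `{% if SNAPSHOT %}` branch still points at Maven Central with Sonatype in the `else`, which is worth confirming is not reversed now that the conditional is duplicated on one line in two places.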
