Varuna,

Varuna Seneviratna wrote:
> I want to know how to verify the downloaded Tomcat .zip version's integrity
> using pgp keys and checksums

Mladen Turk already answered that question on 2007-07-26 at 14:25. He then pointed you to http://httpd.apache.org/download.cgi#verify in a subsequent message.

> and what is the theory behind it

The theory is that each file has a cryptographic signature generated and then both the file and the signature (found in the KEYS file) are made available for download. After you download a file from a mirror, you can get the KEYS file from the official site and then run your own cryptographic signature on the file and compare it to the official KEYS. If they do not match, then you know that the file you got from the mirror is corrupted or, worse, booby trapped.

Apache uses GnuPG to sign their files. If you don't have GnuPG, you can use your own MD5-checksum-generating program to check the file against the file's MD5 sum (usually found in original_file.md5 in the same directory where you downloaded the original file).

Both procedures are covered in the page Mladen provided.

If you want to learn about GnuPG, then google GnuPG and read all about it. If you want to learn about MD5, then google MD5 (or look it up in Wikipedia) and read all about it.

-chris
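
Added example, not part of the original message and not Apache's own tooling: the MD5 sidecar comparison described in the reply, written in Python. It goes slightly beyond the message by taking the digest algorithm as a parameter and by accepting several common sidecar layouts; the function names, the file name `example-download.zip` and the sample payload are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Sidecar layouts handled: "<hex>", "<hex>  name", "<hex> *name",
# and the BSD style "MD5 (name) = <hex>".
_HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,128}\b")


def expected_digest(sidecar_text, algo="md5"):
    """Return the hex digest for `algo` found in the text of a checksum file."""
    want_len = hashlib.new(algo).digest_size * 2
    for match in _HEX_RUN.finditer(sidecar_text):
        if len(match.group()) == want_len:
            return match.group().lower()
    raise ValueError("no %s digest found in sidecar text" % algo)


def file_digest(path, algo="md5", chunk_size=1 << 16):
    """Hash the file in chunks so large downloads are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, sidecar_text, algo="md5"):
    """True only if the file's digest equals the one published in the sidecar."""
    return file_digest(path, algo) == expected_digest(sidecar_text, algo)


def demo():
    """Constructed sample: a file that matches its sidecar, then one changed byte."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-download.zip")
        with open(path, "wb") as f:
            f.write(b"constructed sample payload\n")
        sidecar = file_digest(path) + " *example-download.zip\n"
        intact = verify(path, sidecar)
        with open(path, "ab") as f:
            f.write(b"X")  # simulate corruption or tampering in transit
        modified = verify(path, sidecar)
    return intact, modified


if __name__ == "__main__":
    print(demo())
```

A digest only helps if the sidecar comes from the official site rather than from the same mirror as the download. MD5 is no longer collision resistant, so the check catches corruption, while the GnuPG signature remains the control against a deliberately altered file.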