author | Joshua Slive <slive@apache.org> | 2001-06-20 04:33:13 +0000 |
---|---|---|
committer | Joshua Slive <slive@apache.org> | 2001-06-20 04:33:13 +0000 |
commit | 941bc17c484ec4df69bdfaa68b79a34c607efb4a (patch) | |
tree | 01305699e2bd18818fe83485f5086275f6602cfe /docs/manual/install.html | |
parent | e63a05bbd17d24eedf9d51464cbd70c945d75224 (diff) | |
download | httpd-941bc17c484ec4df69bdfaa68b79a34c607efb4a.tar.gz |
Add some instructions on verifying PGP signatures. This could really
use a review from some people who understand these issues better than
I do.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89394 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/install.html')
-rw-r--r-- | docs/manual/install.html | 50 |
1 files changed, 43 insertions, 7 deletions
diff --git a/docs/manual/install.html b/docs/manual/install.html index c6933140bb..8d8f4178af 100644 --- a/docs/manual/install.html +++ b/docs/manual/install.html 
@@ -147,18 +147,54 @@ href="http://www.apache.org/dyn/closer.cgi">nearby mirror</a>.</p> <p>Version numbers that end in <code>alpha</code> indicate early pre-test versions which may or may not work. Version numbers ending in <code>beta</code> indicate more reliable releases that still -require further testing or bug fixing. If you wish to dowload the +require further testing or bug fixing. If you wish to download the best available production release of the Apache HTTP Server, you should choose the latest version with neither <code>alpha</code> nor <code>beta</code> in its filename.</p> <p>After downloading, especially if a mirror site is used, it is -important to verify that you have a complete and unmodified version -of the Apache HTTP Server. This can be accomplished by testing the -downloaded tarball against the PGP signature, which should always be -obtained from the <a href="http://www.apache.org/dist/httpd">main -Apache website</a>. The signature file has a filename identical to -the source tarball with the addition of <code>.asc</code>.</p> +important to verify that you have a complete and unmodified version of +the Apache HTTP Server. This can be accomplished by testing the +downloaded tarball against the PGP signature. This, in turn, is a two +step procedure. First, you must obtain the <code>KEYS</code> file +from the <a href="http://www.apache.org/dist/">Apache distribution +site</a>. (To assure that the <code>KEYS</code> file itself has not +been modified, it may be a good idea to use a file from a previous +distribution of Apache or import the keys from a public key server.) 
+The keys are imported into your personal key ring using +one of the following commands (depending on your pgp version):</p> +<blockquote><code> +$ pgp < KEYS +</code></blockquote> +or +<blockquote><code> +$ gpg --import KEYS +</code></blockquote> + +<p>The next step is to test the tarball against the PGP signature, +which should always be obtained from the <a +href="http://www.apache.org/dist/httpd">main Apache website</a>. The +signature file has a filename identical to the source tarball with the +addition of <code>.asc</code>. Then you can check the distribution +with one of the following commands (again, depending on your pgp +version):</p> +<blockquote><code> +$ pgp httpd-2_0_<em>NN</em>.tar.gz.asc +</code></blockquote> +or +<blockquote><code> +$ gpg --verify httpd-2_0_<em>NN</em>.tar.gz.asc +</code></blockquote + +<p>You should receive a message like</p> +<blockquote><code> +Good signature from user "Martin Kraemer <martin@apache.org>". +</code></blockquote> +<p>Depending on the trust relationships contained +in your key ring, you may also receive a message saying that +the relationship between the key and the signer of the key +cannot be verified. This is not a problem if you trust the +authenticity of the <code>KEYS</code> file.</p> <h3><a name="extract">Extract</a></h3> |
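Review bot: The closing tag after the `gpg --verify httpd-2_0_NN.tar.gz.asc` example is written `</blockquote` without its `>`, so the following `<p>You should receive a message like</p>` is at risk of being swallowed into a malformed tag; it should be `</blockquote>`. In the same added block, the bare `<` in `$ pgp < KEYS` and the `<martin@apache.org>` in the sample output need to be escaped as `&lt;` and `&gt;`, otherwise a browser parses them as markup and the redirect and the address may not render. The two "or" lines also sit outside any `<p>` element, unlike the rest of the text. On substance, the last paragraph says the unverifiable-key warning is not a problem if the reader trusts the `KEYS` file, but the only guidance on establishing that trust is the parenthetical about a previous distribution or a public key server, and the file itself is linked over plain `http://www.apache.org/dist/`. I would add a sentence telling readers to compare key fingerprints obtained through an independent channel before relying on the "Good signature" message.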