path: root/docs/manual/install.html
author Joshua Slive <slive@apache.org> 2001-06-20 04:33:13 +0000
committer Joshua Slive <slive@apache.org> 2001-06-20 04:33:13 +0000
commit 941bc17c484ec4df69bdfaa68b79a34c607efb4a (patch)
tree 01305699e2bd18818fe83485f5086275f6602cfe /docs/manual/install.html
parent e63a05bbd17d24eedf9d51464cbd70c945d75224 (diff)
Add some instructions on verifying PGP signatures. This could really
use a review from some people who understand these issues better than I do.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89394 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/install.html')
-rw-r--r-- docs/manual/install.html 50
1 files changed, 43 insertions, 7 deletions
diff --git a/docs/manual/install.html b/docs/manual/install.html
index c6933140bb..8d8f4178af 100644
--- a/docs/manual/install.html
+++ b/docs/manual/install.html
@@ -147,18 +147,54 @@ href="http://www.apache.org/dyn/closer.cgi">nearby mirror</a>.</p>
<p>Version numbers that end in <code>alpha</code> indicate early
pre-test versions which may or may not work. Version numbers ending
in <code>beta</code> indicate more reliable releases that still
-require further testing or bug fixing. If you wish to dowload the
+require further testing or bug fixing. If you wish to download the
best available production release of the Apache HTTP Server, you
should choose the latest version with neither <code>alpha</code> nor
<code>beta</code> in its filename.</p>
<p>After downloading, especially if a mirror site is used, it is
-important to verify that you have a complete and unmodified version
-of the Apache HTTP Server. This can be accomplished by testing the
-downloaded tarball against the PGP signature, which should always be
-obtained from the <a href="http://www.apache.org/dist/httpd">main
-Apache website</a>. The signature file has a filename identical to
-the source tarball with the addition of <code>.asc</code>.</p>
+important to verify that you have a complete and unmodified version of
+the Apache HTTP Server. This can be accomplished by testing the
+downloaded tarball against the PGP signature. This, in turn, is a two
+step procedure. First, you must obtain the <code>KEYS</code> file
+from the <a href="http://www.apache.org/dist/">Apache distribution
+site</a>. (To assure that the <code>KEYS</code> file itself has not
+been modified, it may be a good idea to use a file from a previous
+distribution of Apache or import the keys from a public key server.)
+The keys are imported into your personal key ring using
+one of the following commands (depending on your pgp version):</p>
+<blockquote><code>
+$ pgp < KEYS
+</code></blockquote>
+or
+<blockquote><code>
+$ gpg --import KEYS
+</code></blockquote>
+
+<p>The next step is to test the tarball against the PGP signature,
+which should always be obtained from the <a
+href="http://www.apache.org/dist/httpd">main Apache website</a>. The
+signature file has a filename identical to the source tarball with the
+addition of <code>.asc</code>. Then you can check the distribution
+with one of the following commands (again, depending on your pgp
+version):</p>
+<blockquote><code>
+$ pgp httpd-2_0_<em>NN</em>.tar.gz.asc
+</code></blockquote>
+or
+<blockquote><code>
+$ gpg --verify httpd-2_0_<em>NN</em>.tar.gz.asc
+</code></blockquote
+
+<p>You should receive a message like</p>
+<blockquote><code>
+Good signature from user "Martin Kraemer &lt;martin@apache.org&gt;".
+</code></blockquote>
+<p>Depending on the trust relationships contained
+in your key ring, you may also receive a message saying that
+the relationship between the key and the signer of the key
+cannot be verified. This is not a problem if you trust the
+authenticity of the <code>KEYS</code> file.</p>
<h3><a name="extract">Extract</a></h3>
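Review bot: the closing added paragraph ("This is not a problem if you trust the authenticity of the <code>KEYS</code> file") rests the whole check on a trust step that the text never tells the reader how to perform. The first added paragraph links <code>KEYS</code> from http://www.apache.org/dist/ and mentions the independent sources (a previous distribution, a public key server) only in a parenthetical "may be a good idea". A reader who follows the main path fetches the keys and the signature over the same unauthenticated channel as the tarball, so "Good signature" shows only that the three files agree with each other. Suggest making the independent check a numbered step: have the reader display the signing key's fingerprint (for example with gpg --fingerprint) and compare it with a copy obtained some other way, and say that the name in the "Good signature from user" line should be a release signer the reader expects, not just any key in the ring. Separately, three markup problems in the added lines: the second <code></code></blockquote</code> after the gpg --verify command is missing its closing <code>></code>, the <code><</code> in <code>$ pgp < KEYS</code> should be written <code>&amp;lt;</code>, and the two bare "or" lines sit outside any <code><p></code>.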