Date: Fri Sep 21 17:30:07 2018
New Revision: 1841620
Remove MD5 traces from documentation and add a SHA256 tutorial.
--- httpd/site/trunk/content/dev/verification.mdtext (original)
+++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07 2018
@@ -19,10 +19,10 @@ Notice: Licensed to the Apache Softwa
# Verifying Apache HTTP Server Releases
All official releases of code distributed by the Apache HTTP Server Project
-are signed by the release manager for the release. PGP signatures and MD5
+are signed by the release manager for the release. PGP signatures and SHA
hashes are available along with the distribution.
-You should download the PGP signatures and MD5 hashes directly from the
+You should download the PGP signatures and SHA hashes directly from the
Apache Software Foundation rather than our mirrors. This is to help ensure
the integrity of the signature files. However, you are encouraged to
download the releases from our mirrors. (Our download page points you at
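Review bot: "SHA hashes" on both changed lines does not say which algorithm is meant, while the tutorial added further down covers only SHA256 and the `.sha256` file. Suggest naming it here ("PGP signatures and SHA256 hashes") so readers know which file to fetch from the Apache Software Foundation.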
@@ -168,3 +168,23 @@ verifying the signature of a release.
gpg: aka "Jim Jagielski <jim@xxxxxxxxxxx>"
gpg: aka "Jim Jagielski <jimjag@xxxxxxxxx>"
+In order to check the integrity of the downloaded file, you need to download the source and the related SHA256
+hash. For example, assuming a preference for tar.bz, to verify the 2.4.34 release you should end up with two files on disk:
+ * httpd-2.4.34.tar.bz2 (source)
+ * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash)
+On most Unix systems then it is only a matter of executing:
+ % shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256
+ httpd-2.4.34.tar.bz2: OK
+Behind the scenes, the command checks that the SHA hash contained in httpd-2.4.34.tar.bz2.sha256 matches the one
+calculated for the file httpd-2.4.34.tar.bz2. The correct result should be a 'OK' displayed.
+Another way to calculate the SHA256 has for a file is to use openssl:
+ % openssl sha -sha256 httpd-2.4.34.tar.bz2
+ SHA256(httpd-2.4.34.tar.bz2)= fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0
+And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches the above result.
\ No newline at end of file
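Review bot: The openssl example uses `openssl sha -sha256`, and the `sha` subcommand is not available in every OpenSSL build; `openssl dgst -sha256 httpd-2.4.34.tar.bz2` is the portable spelling. Wording in the added text: "SHA256 has for a file" should be "hash", "a 'OK'" should be "an 'OK'", and "tar.bz" should be "tar.bz2" to match the file names listed below it. The final step asks the reader to compare the digests by eye, so it is worth stating that the whole value must match, not just the first and last characters. The file also now ends without a trailing newline.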