Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext


Hi William,

Can you write in here the full command to use? Didn't find the -r flag
that you mentioned :(

Thanks!

Luca
On Fri, Sep 21, 2018 at 14:30, William A Rowe Jr
<wrowe@xxxxxxxxxxxxx> wrote:
>
> You might want to point out the -r flag to OpenSSL, which emits the same output as bintools sha256.
>
>
> On Fri, Sep 21, 2018, 12:30 <elukey@xxxxxxxxxx> wrote:
>>
>> Author: elukey
>> Date: Fri Sep 21 17:30:07 2018
>> New Revision: 1841620
>>
>> URL: http://svn.apache.org/viewvc?rev=1841620&view=rev
>> Log:
>> Remove MD5 traces from documentation and add a SHA256 tutorial.
>>
>> Modified:
>>     httpd/site/trunk/content/dev/verification.mdtext
>>
>> Modified: httpd/site/trunk/content/dev/verification.mdtext
>> URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1841620&r1=1841619&r2=1841620&view=diff
>> ==============================================================================
>> --- httpd/site/trunk/content/dev/verification.mdtext (original)
>> +++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07 2018
>> @@ -19,10 +19,10 @@ Notice:    Licensed to the Apache Softwa
>>  # Verifying Apache HTTP Server Releases
>>
>>  All official releases of code distributed by the Apache HTTP Server Project
>> -are signed by the release manager for the release. PGP signatures and MD5
>> +are signed by the release manager for the release. PGP signatures and SHA
>>  hashes are available along with the distribution.
>>
>> -You should download the PGP signatures and MD5 hashes directly from the
>> +You should download the PGP signatures and SHA hashes directly from the
>>  Apache Software Foundation rather than our mirrors. This is to help ensure
>>  the integrity of the signature files. However, you are encouraged to
>>  download the releases from our mirrors. (Our download page points you at
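
Review bot: "SHA hashes" in both changed lines ("PGP signatures and SHA" and "You should download the PGP signatures and SHA hashes") does not say which SHA variant is published. The tutorial added at the end of this same file refers to a .sha256 file, so writing "SHA256 hashes" here would tell readers exactly which file to fetch alongside the PGP signature.
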
>> @@ -168,3 +168,23 @@ verifying the signature of a release.
>>      gpg:                 aka "Jim Jagielski <jim@xxxxxxxxxxx>"
>>      gpg:                 aka "Jim Jagielski <jimjag@xxxxxxxxx>"
>>
>> +In order to check the integrity of the downloaded file, you need to download the source and the related SHA256
>> +hash. For example, assuming a preference for tar.bz, to verify the 2.4.34 release you should end up with two files on disk:
>> +
>> +  * httpd-2.4.34.tar.bz2 (source)
>> +  * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash)
>> +
>> +On most Unix systems then it is only a matter of executing:
>> +
>> +    % shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256
>> +    httpd-2.4.34.tar.bz2: OK
>> +
>> +Behind the scenes, the command checks that the SHA hash contained in httpd-2.4.34.tar.bz2.sha256 matches the one
>> +calculated for the file httpd-2.4.34.tar.bz2. The correct result should be a 'OK' displayed.
>> +
>> +Another way to calculate the SHA256 has for a file is to use openssl:
>> +
>> +    % openssl sha -sha256 httpd-2.4.34.tar.bz2
>> +    SHA256(httpd-2.4.34.tar.bz2)= fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0
>> +
>> +And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches the above result.
>> \ No newline at end of file
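
Review bot: In the openssl example, "% openssl sha -sha256 httpd-2.4.34.tar.bz2" goes through the "sha" subcommand; "openssl dgst -sha256 httpd-2.4.34.tar.bz2" is the documented form, and adding -r prints the digest in the coreutils layout (hash first, then file name), which is easier to compare against the .sha256 file than the "SHA256(...)=" output shown. The last sentence asks the reader to compare the two values by eye; pointing back to the shasum -c step as the preferred check would avoid that. Smaller points in the same hunk: "tar.bz" should read "tar.bz2", "SHA256 has" should read "SHA256 hash", "a 'OK'" should read "an 'OK'", and the file now ends without a trailing newline.
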
>>
>>