Repository: calcite Updated Branches: refs/heads/master d262c860a -> d3b02ae2c
[CALCITE-2574] Update download page to include instructions for verifying a downloaded artifact Project: http://git-wip-us.apache.org/repos/asf/calcite/repo Commit: http://git-wip-us.apache.org/repos/asf/calcite/commit/d3b02ae2 Tree: http://git-wip-us.apache.org/repos/asf/calcite/tree/d3b02ae2 Diff: http://git-wip-us.apache.org/repos/asf/calcite/diff/d3b02ae2 Branch: refs/heads/master Commit: d3b02ae2cb9dce786270d6657b8e758ce3aa55f1 Parents: d262c86 Author: Francis Chuang <francischu...@apache.org> Authored: Thu Sep 20 09:37:09 2018 +1000 Committer: Francis Chuang <francischu...@apache.org> Committed: Thu Sep 20 09:37:09 2018 +1000 ---------------------------------------------------------------------- site/downloads/index.md | 38 +++++++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/calcite/blob/d3b02ae2/site/downloads/index.md ---------------------------------------------------------------------- diff --git a/site/downloads/index.md b/site/downloads/index.md index 4770e44..0d00c41 100644 --- a/site/downloads/index.md +++ b/site/downloads/index.md @@ -70,16 +70,11 @@ Release | Date | Commit | Download {% endcomment %} {% endfor %} -Choose a source distribution in either *tar* or *zip* format, -and [verify](http://www.apache.org/dyn/closer.cgi#verify) -using the corresponding *pgp* signature (using the committer file in -[KEYS](http://www.apache.org/dist/calcite/KEYS)). -If you cannot do that, use the *digest* file -to check that the download has completed OK. +Choose a source distribution in either *tar* or *zip* format. For fast downloads, current source distributions are hosted on mirror servers; older source distributions are in the -[archive](http://archive.apache.org/dist/calcite/) +[archive](http://archive.apache.org/dist/calcite/) or [incubator archive](http://archive.apache.org/dist/incubator/calcite/). If a download from a mirror fails, retry, and the second download will likely succeed. @@ -87,6 +82,35 @@ succeed. For security, hash and signature files are always hosted at [Apache](https://www.apache.org/dist). +# Verify the integrity of the files + +You must verify the integrity of the downloaded file using the PGP signature (.asc file) or a hash (.sha256, .md5 for older +releases). For more information why this must be done, please read [Verifying Apache Software Foundation Releases](https://www.apache.org/info/verification.html). + +To verify the signature using GPG or PGP, please do the following: + +1. Download the release artifact and the corresponding PGP signature from the table above. +2. Download the [Apache Calcite KEYS](http://www.apache.org/dist/calcite/KEYS) file. +3. Import the KEYS file and verify the downloaded artifact using one of the following methods: +{% highlight shell %} +% gpg --import KEYS +% gpg --verify downloaded_file.asc downloaded_file +{% endhighlight %} + +or + +{% highlight shell %} +% pgpk -a KEYS +% pgpv downloaded_file.asc +{% endhighlight %} + +or + +{% highlight shell %} +% pgp -ka KEYS +% pgp downloaded_file.asc +{% endhighlight %} + # Maven artifacts Add the following to the dependencies section of your `pom.xml` file:
