Author: mattsicker
Date: Fri Jan 26 19:17:08 2018
New Revision: 1024383

Log:
Clarify signature verification in chainsaw

Modified:
    websites/production/logging/content/chainsaw/2.0.0/download.html

Modified: websites/production/logging/content/chainsaw/2.0.0/download.html
==============================================================================
--- websites/production/logging/content/chainsaw/2.0.0/download.html (original)
+++ websites/production/logging/content/chainsaw/2.0.0/download.html Fri Jan 26 
19:17:08 2018
@@ -142,16 +142,9 @@
 <h2><a name="Download"></a>Download</h2>
 <p>
 Apache Chainsaw is distributed under the <a 
href="https://www.apache.org/licenses/LICENSE-2.0.html";>Apache License, version 
2.0</a>.
+<!-- TODO: the below was added manually and should be backported to the main 
repo -->
 Version 2.0.0 was released on 2018-01-25.
-All artifacts are signed by GPG.
-<a href="https://www.apache.org/dist/logging/KEYS";>Download the GPG keys 
here</a>.
-To import that file:
 </p>
-<pre>gpg --import KEYS</pre>
-<p>
-To verify a pair of files <code>foo</code> and <code>foo.asc</code>:
-</p>
-<pre>gpg --verify foo.asc foo</pre>
 <table>
     <tr>
         <th>Distribution</th>
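Review bot: the `<!-- TODO: the below was added manually and should be backported to the main repo -->` comment at the top of this hunk is being committed into the published page source, where every visitor can read it and where it will be forgotten; track the backport in an issue or in the commit log instead and keep the comment out of production HTML. The same hunk drops the `gpg --import KEYS` / `gpg --verify foo.asc foo` instructions from above the table; moving them below the table is fine, but the generic `foo` / `foo.asc` wording was the only place telling readers that the procedure applies to every artifact in the table, so consider keeping one sentence that says the concrete command given below is the pattern for each listed file.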
@@ -185,6 +178,26 @@ To verify a pair of files <code>foo</cod
     </tr>
 </table>
 
+<p>
+It is essential that you verify the integrity of the downloaded files using 
the PGP or MD5 signatures.
+Please read <a href="https://httpd.apache.org/dev/verification.html";>Verifying 
Apache HTTP Server Releases</a> for more information on why you should verify 
our releases.
+</p>
+<p>
+The PGP signatures can be verified using PGP or GPG.
+First download the <a href="https://www.apache.org/dist/logging/KEYS";>KEYS</a> 
as well as the asc signature file for the relevant distribution.
+Make sure you get these files from the <a 
href="https://www.apache.org/dist/logging/chainsaw/";>main distribution 
directory</a>, rather than from a mirror.
+Then verify the signatures using
+</p>
+<pre>
+gpg --import KEYS
+gpg --verify apache-chainsaw-2.0.0-bin.tar.gz.asc 
apache-chainsaw-2.0.0-bin.tar.gz
+</pre>
+<p>
+Apache Chainsaw is signed by Matt Sicker with the GPG key fingerprint 
<code>748F 15B2 CF9B A8F0 2415  5E6E D7C9 2B70 FA1C 814D</code>.
+Alternatively, artifacts can be verified using either the provided MD5 
checksums or SHA-512 checksums.
+A program such as <code>shasum</code> or <code>sha512sum</code> can be used 
for this, or subcommands of <code>gpg</code> or <code>openssl</code> can also 
verify checksums.
+</p>
+
 <p>Please check the <a href="distributionnotes.html">Important Distribution 
Notes</a> for more information about some of the extended feature 
sets.</p></li></ul></div>
       </div>
     </div>
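Review bot: `gpg --verify apache-chainsaw-2.0.0-bin.tar.gz.asc apache-chainsaw-2.0.0-bin.tar.gz` succeeds for a signature made by any key in the imported KEYS file, so listing the fingerprint `748F 15B2 CF9B A8F0 2415  5E6E D7C9 2B70 FA1C 814D` only protects the reader if the text also says to compare it against the `Primary key fingerprint:` line that gpg prints (or against `gpg --fingerprint` on the imported key); add that sentence so the fingerprint is a check rather than decoration. Two smaller wording points in the same paragraphs: "the PGP or MD5 signatures" conflates a signature with a checksum, and MD5 is collision-broken, so prefer "the PGP signature or SHA-512 checksum"; and a checksum downloaded from the same mirror as the artifact shows only that the download was not corrupted, so the "main distribution directory, rather than from a mirror" advice should cover the checksum files too, not only KEYS and the `.asc`.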

