This is an automated email from the ASF dual-hosted git repository.
cbrisson pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/velocity-site.git
The following commit(s) were added to refs/heads/main by this push:
new d0dc054 [site] Add a 'verifying integrity' section do download page
d0dc054 is described below
commit d0dc054de0bf2c65d68e1f2369ca234b0709cf55
Author: Claude Brisson <[email protected]>
AuthorDate: Tue Mar 9 10:27:14 2021 +0100
[site] Add a 'verifying integrity' section do download page
---
src/content/download.mdtext | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/content/download.mdtext b/src/content/download.mdtext
index 22f580e..fc7c597 100644
--- a/src/content/download.mdtext
+++ b/src/content/download.mdtext
@@ -37,11 +37,15 @@ The currently selected mirror is <b>[preferred]</b>. If you
encounter a problem
You may also consult the [complete list of
mirrors](https://www.apache.org/mirrors/).
-The <tt>KEYS</tt> link links to the code signing keys used to sign the product.
-The <tt>PGP</tt> links download the OpenPGP compatible signature from our main
site.
-The <tt>SHA</tt> links download the checksum from the main site. None of these
should be downloaded from the mirrors.
+### Verifying integrity of downloaded files
-[KEYS](https://www.apache.org/dist/velocity/KEYS)
+It is essential that you [verify the
integrity](https://www.apache.org/info/verification.html) of all downloaded
files using the PGP and/or SHA signatures.
+
+The <tt>PGP</tt> links download the OpenPGP compatible signature from our main
site.
+The <tt>SHA</tt> links download the checksum from the main site.
+None of these should be downloaded from the mirrors.
+
+Here are the Apache Velocity PGP
[KEYS](https://www.apache.org/dist/velocity/KEYS) used to sign the files.
## Production releases
