Hi, The Cassandra download page [1] includes signature files, but you also need to include a link to the KEYS files to verify these. Relevant ASF policy is here [2].
Trying the verify the latest source release, it fails with this error: gpg: assuming signed data in 'apache-cassandra-5.0-beta1-src.tar.gz' gpg: Signature made Sat 2 Dec 00:13:44 2023 AEDT gpg: using RSA key A4C465FEA0C552561A392A61E91335D77E3E87CB gpg: BAD signature from "Michael Semb Wever <m...@thelastpickle.com>" [unknown] I imported teh KEYS file at [3]. Kind Regards, Justin 1. https://cassandra.apache.org/_/download.html 2. https://infra.apache.org/release-distribution.html#download-links 3. https://downloads.apache.org/cassandra/KEYS
