FYI: I have added an example for "PGP signatures and SHA256/MD5 checksum verification" in the Validate the Release Candidate <https://cwiki.apache.org/confluence/display/HAWQ/Release+Process%3A+Step+by+step+guide#ReleaseProcess:Stepbystepguide-ValidatetheReleaseCandidate> section on the HAWQ project's wiki. With the right utilities (using brew) and release signature KEYS imported, the process is a breeze on a MacBook Pro:

$ brew install gpg2 coreutils
Warning: gnupg2-2.0.30_3 already installed
Warning: coreutils-8.26 already installed

$ which gpg2 gsha256sum gmd5sum
/usr/local/bin/gpg2
/usr/local/bin/gsha256sum
/usr/local/bin/gmd5sum

*$ gpg2 --import KEYS*
gpg: directory `/Users/espino/.gnupg' created
gpg: new configuration file `/Users/espino/.gnupg/gpg.conf' created
gpg: WARNING: options in `/Users/espino/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/Users/espino/.gnupg/secring.gpg' created
gpg: keyring `/Users/espino/.gnupg/pubring.gpg' created
gpg: /Users/espino/.gnupg/trustdb.gpg: trustdb created
gpg: key D0D6D44A: public key "Caleb Welton <[email protected]>" imported
gpg: key 9AF9C0EE: public key "Ting (Goden) Yao (CODE SIGNING KEY) < [email protected]>" imported
gpg: key 8051460D: public key "Ting (Goden) Yao (CODE SIGNING KEY) < [email protected]>" imported
gpg: key 9475BD5D: public key "Roman V Shaposhnik (CODE SIGNING KEY) < [email protected]>" imported
gpg: key 2858A0C9: public key "Lei Chang <[email protected]>" imported
gpg: key 57325522: public key "Edward Bartolo Espino (CODE SIGNING KEY) < [email protected]>" imported
gpg: Total number processed: 6
gpg: imported: 6 (RSA: 5)
gpg: no ultimately trusted keys found

*$ gpg2 --verify apache-hawq-src-2.1.0.0-incubating.tar.gz.asc*
gpg: assuming signed data in 'apache-hawq-src-2.1.0.0-incubating.tar.gz'
gpg: Signature made Tue Jan 10 17:25:01 2017 CST using RSA key ID 57325522
gpg: Good signature from "Edward Bartolo Espino (CODE SIGNING KEY) < [email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BBED A7B5 F336 D516 B34A DE0C FC06 62F2 5732 5522

*$ gsha256sum --check apache-hawq-src-2.1.0.0-incubating.tar.gz.sha256*
apache-hawq-src-2.1.0.0-incubating.tar.gz: OK

*$ gmd5sum --check apache-hawq-src-2.1.0.0-incubating.tar.gz.md5*
apache-hawq-src-2.1.0.0-incubating.tar.gz: OK

Regards,
-=e

--
*Ed Espino*
*[email protected] <[email protected]>*
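
Added example (not part of the original message or the HAWQ wiki): the "not certified with a trusted signature" warning above means gpg2 confirmed the signature but not whose key made it, so a scripted check can pin the expected primary key fingerprint by parsing gpg's machine-readable status output. The function names, the `GPG`/`SHA256SUM` overrides and the sample status lines are assumptions constructed for illustration; the expected fingerprint should come from a source independent of the download.

```shell
#!/usr/bin/env bash
# Added example, not HAWQ tooling; all function names are assumptions.

# Primary key fingerprint as printed in the session above.
EXPECTED_FPR="BBED A7B5 F336 D516 B34A DE0C FC06 62F2 5732 5522"

# Constructed sample of `gpg2 --status-fd 1 --verify` output (timestamps and
# algorithm ids are illustrative) so the parser can be exercised offline.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FC0662F257325522 Edward Bartolo Espino (CODE SIGNING KEY)
[GNUPG:] VALIDSIG BBEDA7B5F336D516B34ADE0CFC0662F257325522 2017-01-10 1484090701 0 4 0 1 8 00 BBEDA7B5F336D516B34ADE0CFC0662F257325522'

# Strip whitespace and upper-case, so "BBED A7B5 ..." compares cleanly.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read status lines on stdin and print the signer's primary key fingerprint.
# Fails unless there is exactly one GOODSIG/VALIDSIG pair and no bad, expired
# or revoked signature status.
primary_fpr_from_status() {
  awk '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "GOODSIG"  { good++ }
    $2 == "VALIDSIG" { valid++; fpr = (NF >= 12) ? $12 : $3 }
    END { if (bad || good != 1 || valid != 1) exit 1; print fpr }'
}

# True only if the status stream on stdin was produced by the pinned key.
signer_is_pinned() (
  [ -n "$1" ] || exit 1
  got=$(primary_fpr_from_status) || exit 1
  [ "$got" = "$(normalize_fpr "$1")" ]
)

# Signature by the pinned key first, then the SHA-256 file from the release.
verify_release() {  # usage: verify_release <tarball> "<fingerprint>"
  "${GPG:-gpg2}" --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
    | signer_is_pinned "$2" || { echo "signer check failed: $1" >&2; return 1; }
  "${SHA256SUM:-gsha256sum}" --check "$1.sha256"
}
```

For the release candidate in this message the call would be `verify_release apache-hawq-src-2.1.0.0-incubating.tar.gz "$EXPECTED_FPR"`, which returns non-zero if the signer differs from the pinned key or the checksum does not match.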
