You might want to point out the -r flag to OpenSSL, which emits the same
output as bintools sha256.


On Fri, Sep 21, 2018, 12:30 <elu...@apache.org> wrote:

> Author: elukey
> Date: Fri Sep 21 17:30:07 2018
> New Revision: 1841620
>
> URL: http://svn.apache.org/viewvc?rev=1841620&view=rev
> Log:
> Remove MD5 traces from documentation and add a SHA256 tutorial.
>
> Modified:
>     httpd/site/trunk/content/dev/verification.mdtext
>
> Modified: httpd/site/trunk/content/dev/verification.mdtext
> URL:
> http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1841620&r1=1841619&r2=1841620&view=diff
>
> ==============================================================================
> --- httpd/site/trunk/content/dev/verification.mdtext (original)
> +++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07
> 2018
> @@ -19,10 +19,10 @@ Notice:    Licensed to the Apache Softwa
>  # Verifying Apache HTTP Server Releases
>
>  All official releases of code distributed by the Apache HTTP Server
> Project
> -are signed by the release manager for the release. PGP signatures and MD5
> +are signed by the release manager for the release. PGP signatures and SHA
>  hashes are available along with the distribution.
>
> -You should download the PGP signatures and MD5 hashes directly from the
> +You should download the PGP signatures and SHA hashes directly from the
>  Apache Software Foundation rather than our mirrors. This is to help ensure
>  the integrity of the signature files. However, you are encouraged to
>  download the releases from our mirrors. (Our download page points you at
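Review bot: the new wording "SHA hashes" in `+are signed by the release manager for the release. PGP signatures and SHA` and `+You should download the PGP signatures and SHA hashes directly from the` is less specific than the MD5 text it replaces; since the tutorial added further down in this same file and the `httpd-2.4.34.tar.bz2.sha256` file it describes are SHA-256 specifically, say "SHA-256 hashes" (or "SHA256 hashes") in both added lines so a reader does not treat a SHA-1 sum as equivalent.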
> @@ -168,3 +168,23 @@ verifying the signature of a release.
>      gpg:                 aka "Jim Jagielski <j...@jagunet.com>"
>      gpg:                 aka "Jim Jagielski <jim...@gmail.com>"
>
> +In order to check the integrity of the downloaded file, you need to
> download the source and the related SHA256
> +hash. For example, assuming a preference for tar.bz, to verify the
> 2.4.34 release you should end up with two files on disk:
> +
> +  * httpd-2.4.34.tar.bz2 (source)
> +  * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash)
> +
> +On most Unix systems then it is only a matter of executing:
> +
> +    % shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256
> +    httpd-2.4.34.tar.bz2: OK
> +
> +Behind the scenes, the command checks that the SHA hash contained in
> httpd-2.4.34.tar.bz2.sha256 matches the one
> +calculated for the file httpd-2.4.34.tar.bz2. The correct result should
> be a 'OK' displayed.
> +
> +Another way to calculate the SHA256 has for a file is to use openssl:
> +
> +    % openssl sha -sha256 httpd-2.4.34.tar.bz2
> +    SHA256(httpd-2.4.34.tar.bz2)=
> fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0
> +
> +And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches
> the above result.
> \ No newline at end of file
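Review bot: the openssl invocation in `+    % openssl sha -sha256 httpd-2.4.34.tar.bz2` relies on the legacy `sha` subcommand rather than the documented `openssl dgst -sha256 httpd-2.4.34.tar.bz2` (or `openssl sha256 httpd-2.4.34.tar.bz2`); adding `-r` to the `dgst` form prints `<hash> *<file>`, the same layout `shasum` uses, which makes the "verify that the content ... matches" step a direct comparison. Minor fixes in the same hunk: "SHA256 has for a file" should read "hash", "assuming a preference for tar.bz" should be "tar.bz2" to match the file names listed below it, "a 'OK'" should be "an 'OK'", and the file should end with a newline (`\ No newline at end of file`).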