Some additional detail:
Here's a checklist for things to consider when evaluating the release:
> 1. Download the sources and verify they compile cleanly.
> 2. Validate the hashes match.
> 3. Validate that the sources contain no unexpected binaries.
> Run the find/grep command: find . -type f | grep -v
> which looks for all files that don't have one of the approved extensions.
> 4. Validate the signature for the build and hashes.
> Verify .asc files found at  using Aaron's public key:  Then
> verify hashes of these files.
Here are the commands: 
a. Install GPG.
b. Import Aaron's key from Apache :
c. Download the files at  and run this in that folder:
gpg --verify rya-project-3.2.10-incubating-source-release.zip.asc
If you see "*Good signature*" from the verify, that is good enough as long
as you feel strongly that you have Aaron's real public key. To eliminate
the warning, either trust Aaron's key "ultimately" or let it find a trusted
path to a key that you trust ultimately.
> 5. Validate the LICENSE/NOTICE/Headers.
> Verify that each project contains the ASF license and notice files.
> Run the grep command: fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v
> 'The ASF licenses this file'
> This should return only License and Notice files in rya-project-3.2.10.
> The license files
> and the notice files should be consistent with the ASF license and ASF
> copyright statement. Verify that only
> the notice files contain the ASF copyright statement.
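
Steps 2 and 4 of the checklist as one script, added here as an example; it is not part of the original message or of the project's release tooling. The function names and the sidecar extensions (.md5, .sha1, .sha256, .sha512) are assumptions, since the message does not say which digest files accompany the release.

```bash
#!/bin/sh
# Added example (not from the original message). Sidecar extensions and
# function names are assumptions.

# normalize_digest SIDECAR NAME: print the digest as lowercase hex.
# Accepts "<hex>  <file>" (coreutils) and "<file>: AB CD ..." (gpg --print-md,
# possibly wrapped). NAME is removed first: it may contain hex characters.
normalize_digest() {
    awk -v n="$2" '{
        while ((i = index($0, n)) > 0)
            $0 = substr($0, 1, i - 1) substr($0, i + length(n))
        print
    }' "$1" | tr -cd '0-9A-Fa-f' | tr 'A-F' 'a-f'
}

# check_digest ARTIFACT SIDECAR: 0 match, 1 mismatch, 2 unusable sidecar.
check_digest() {
    case $2 in
        *.md5)    cd_tool=md5sum;    cd_len=32 ;;
        *.sha1)   cd_tool=sha1sum;   cd_len=40 ;;
        *.sha256) cd_tool=sha256sum; cd_len=64 ;;
        *.sha512) cd_tool=sha512sum; cd_len=128 ;;
        *) echo "unsupported sidecar: $2" >&2; return 2 ;;
    esac
    cd_want=$(normalize_digest "$2" "$(basename -- "$1")")
    # Fail closed unless the sidecar reduced to exactly one digest.
    if [ "${#cd_want}" -ne "$cd_len" ]; then
        echo "malformed digest in $2" >&2
        return 2
    fi
    cd_have=$("$cd_tool" -- "$1" | cut -d' ' -f1) || return 2
    [ "$cd_have" = "$cd_want" ]
}

# verify_release ARTIFACT: signature (step 4), then each sidecar present (step 2).
verify_release() {
    gpg --verify "$1.asc" "$1" || return 1
    for vr_s in "$1.md5" "$1.sha1" "$1.sha256" "$1.sha512"; do
        [ -e "$vr_s" ] || continue
        check_digest "$1" "$vr_s" || return 1
    done
}
```

A digest match only shows that the download is intact; the `gpg --verify` step is what ties the artifact to the signer's key.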