[ https://issues.apache.org/jira/browse/ZOOKEEPER-2292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14955927#comment-14955927 ]

Chris Nauroth commented on ZOOKEEPER-2292:
------------------------------------------

Hello [~elevy].

ZooKeeper releases from apache.org include checksums and a PGP signature in a 
.asc file.

http://www.apache.org/dist/zookeeper/zookeeper-3.4.6/

The signature applies to the entire compressed archive, so verifying the 
signature verifies the full contents of that archive.  This Apache page has 
more information about verifying the integrity of an Apache release.

http://www.apache.org/dev/release-signing.html#check-integrity

Note that mirrors do not include the signature and checksums.  If they did, 
then a malicious mirror could trick users by modifying the bits, and then just 
sharing a signature and checksum that matches those bits.  The idea behind the 
verification process is that apache.org is trusted as the source of valid 
checksums and signatures.  You can use a local mirror for faster downloads of 
the release artifact, but the checksums and signatures always originate from 
apache.org, and therefore they are trustworthy.

Does this address your concern, or is there still something missing?

> Sign the download package
> -------------------------
>
>                 Key: ZOOKEEPER-2292
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2292
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: build
>            Reporter: Elias Levy
>
> Current ZK is made available for download as a compressed archive.  Within 
> the archive, there is a cryptographic signature for the ZK JAR file. Alas, 
> the signature does not cover any of the other executable components that ZK 
> depends on, such as JARs in the lib directory or the scripts in the bin 
> directory.  These could be tampered with.
> The whole download package should be signed and the signature made available 
> along with it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
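The comment above makes two points that are easy to get wrong in practice: a signature over one JAR says nothing about the scripts and libraries packed beside it, and a checksum only proves anything if it comes from a source the attacker does not control. The following Python script is an added illustration, not code from the JIRA thread or from the ZooKeeper project. It builds a small constructed tar archive in memory (the member names and contents are invented stand-ins for a release layout), records a digest that plays the role of the checksum published on apache.org, then shows that a copy with one bin script altered still has an unchanged JAR digest, fails whole-archive verification against the trusted digest, and would "pass" against a digest supplied alongside the altered copy itself.

```python
"""Added example: whole-archive checksum verification versus per-file signing.

Not part of the ZooKeeper project; all archive contents below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for a release layout (names are illustrative only).
JAR = "zookeeper/zookeeper.jar"
SCRIPT = "zookeeper/bin/zkServer.sh"


def build_archive(files: dict[str, bytes]) -> bytes:
    """Build a plain (uncompressed) tar in memory from {path: content}.

    Plain tar with default TarInfo metadata (mtime 0) is byte-deterministic,
    so the same inputs always hash to the same digest.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def member_sha256(archive: bytes, member: str) -> str:
    """Digest of a single file inside the archive (what a per-JAR check sees)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        fh = tar.extractfile(member)
        if fh is None:
            raise ValueError(f"{member} is not a regular file in the archive")
        return sha256_hex(fh.read())


def verify_release(archive: bytes, trusted_sha256: str) -> bool:
    """Whole-archive check against a digest obtained from the trusted origin.

    The digest must be fetched from apache.org (or checked via the .asc PGP
    signature), never taken from the mirror that served the archive.
    """
    return hmac.compare_digest(sha256_hex(archive), trusted_sha256)


def tamper_scenario() -> dict[str, bool]:
    """Replay the concern from the issue: JAR untouched, a bin script altered."""
    original = {
        JAR: b"JAR BYTES (constructed placeholder)",
        SCRIPT: b"#!/bin/sh\nexec java -jar zookeeper.jar\n",
    }
    clean = build_archive(original)
    # Stands in for the checksum published on apache.org for this release.
    trusted_digest = sha256_hex(clean)

    # A copy served elsewhere with only the script changed; the JAR is intact.
    altered = dict(original)
    altered[SCRIPT] = b"#!/bin/sh\necho altered\nexec java -jar zookeeper.jar\n"
    tampered = build_archive(altered)

    return {
        # A per-JAR signature/checksum would still match on the altered copy.
        "jar_digest_unchanged": member_sha256(clean, JAR) == member_sha256(tampered, JAR),
        # Whole-archive check against the trusted digest: clean passes, altered fails.
        "clean_passes": verify_release(clean, trusted_digest),
        "tampered_passes": verify_release(tampered, trusted_digest),
        # A digest shipped next to the altered copy matches it and proves nothing.
        "self_supplied_digest_matches_tampered": verify_release(tampered, sha256_hex(tampered)),
    }


if __name__ == "__main__":
    for check, result in tamper_scenario().items():
        print(f"{check}: {result}")
```

The last entry in the result is the reason the checksum and `.asc` file are fetched from apache.org rather than from the mirror: a digest that travels with the bits it describes can always be made to match them, so it only carries weight when its origin is trusted independently of the download path.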
