Hi William, can you write in here the full command to use? Didn't find the -r flag that you mentioned :(
Thanks! Luca Il giorno ven 21 set 2018 alle ore 14:30 William A Rowe Jr <wr...@rowe-clan.net> ha scritto: > > You might want to point out the -r flag to OpenSSL, which emits the same > output as bintools sha256. > > > On Fri, Sep 21, 2018, 12:30 <elu...@apache.org> wrote: >> >> Author: elukey >> Date: Fri Sep 21 17:30:07 2018 >> New Revision: 1841620 >> >> URL: http://svn.apache.org/viewvc?rev=1841620&view=rev >> Log: >> Remove MD5 traces from documentation and add a SHA256 tutorial. >> >> Modified: >> httpd/site/trunk/content/dev/verification.mdtext >> >> Modified: httpd/site/trunk/content/dev/verification.mdtext >> URL: >> http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1841620&r1=1841619&r2=1841620&view=diff >> ============================================================================== >> --- httpd/site/trunk/content/dev/verification.mdtext (original) >> +++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07 2018 >> @@ -19,10 +19,10 @@ Notice: Licensed to the Apache Softwa >> # Verifying Apache HTTP Server Releases >> >> All official releases of code distributed by the Apache HTTP Server Project >> -are signed by the release manager for the release. PGP signatures and MD5 >> +are signed by the release manager for the release. PGP signatures and SHA >> hashes are available along with the distribution. >> >> -You should download the PGP signatures and MD5 hashes directly from the >> +You should download the PGP signatures and SHA hashes directly from the >> Apache Software Foundation rather than our mirrors. This is to help ensure >> the integrity of the signature files. However, you are encouraged to >> download the releases from our mirrors. (Our download page points you at >> @@ -168,3 +168,23 @@ verifying the signature of a release. >> gpg: aka "Jim Jagielski <j...@jagunet.com>" >> gpg: aka "Jim Jagielski <jim...@gmail.com>" >> >> +In order to check the integrity of the downloaded file, you need to >> download the source and the related SHA256 >> +hash. For example, assuming a preference for tar.bz, to verify the 2.4.34 >> release you should end up with two files on disk: >> + >> + * httpd-2.4.34.tar.bz2 (source) >> + * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash) >> + >> +On most Unix systems then it is only a matter of executing: >> + >> + % shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256 >> + httpd-2.4.34.tar.bz2: OK >> + >> +Behind the scenes, the command checks that the SHA hash contained in >> httpd-2.4.34.tar.bz2.sha256 matches the one >> +calculated for the file httpd-2.4.34.tar.bz2. The correct result should be >> a 'OK' displayed. >> + >> +Another way to calculate the SHA256 has for a file is to use openssl: >> + >> + % openssl sha -sha256 httpd-2.4.34.tar.bz2 >> + SHA256(httpd-2.4.34.tar.bz2)= >> fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0 >> + >> +And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches the >> above result. >> \ No newline at end of file >> >> --------------------------------------------------------------------- To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org For additional commands, e-mail: docs-h...@httpd.apache.org
