[
https://issues.apache.org/jira/browse/SVN-4736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Julian Foad closed SVN-4736.
----------------------------
Resolution: Fixed
The gpg command has been updated.
> Download page issues
> --------------------
>
> Key: SVN-4736
> URL: https://issues.apache.org/jira/browse/SVN-4736
> Project: Subversion
> Issue Type: Bug
> Environment: http://subversion.apache.org/download.cgi
> Reporter: Sebb
> Priority: Minor
>
> The download page has links to sigs and SHA-512 hashes. These use https,
> which is good.
> However the page also contains inline SHA1 hashes. These are not necessarily
> protected by https. There are SHA1 hashes in the distribution area; it would
> be best to link to those instead.
> The description for verifying hashes does not mention how to check an SHA-512
> hash.
> The gpg command should read:
> gpg --verify subversion-1.10.0.tar.gz.asc subversion-1.10.0.tar.gz
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
