RE: Verifying signatures

2004-05-27 Thread Shapira, Yoav

Hi,
It's not a stupid question and I bet for your one message there are at
least 10K times this should have been asked and wasn't.  And 10K is a
conservative estimate, not a typo, given the number of tomcat downloads.

The release manager signs the various distros with his (we haven't had a
female release manager yet ;)) PGP key.  The key is in the KEYS file in
the tomcat download directory: click the KEYS link on the binary or
source download pages on jakarta.apache.org next to where it says Tomcat
5.0.25.

I'm not going to give a PGP tutorial: get a free PGP command-line tool
(or graphical one for windows if you wish) such as
http://web.mit.edu/network/pgp.html.  Import the keys from the KEYS file
onto your ring.  In the download directory for tomcat releases, you will
see PGP links next to every download: this is the armored signature file
for the accompanying distro (so the one for tomcat-5.0.25.zip is
different than the one for tomcat-5.0.25.tar.gz for example).  The PGP
program will verify that the signature was indeed done by the key.  That
assures you the file isn't modified and is indeed the one signed by the
release manager.

MD5 is a checksum digest which is another way to assure your
distribution wasn't modified since its release.  You use another
command-line program
(http://www.google.com/search?sourceid=navclient&q=md5+windows for
windows for example, most unix systems have one built-in) to verify the
integrity of the distribution.

You do this extra little step or two (after the first time, it takes
seconds literally: both pgp and md5 are extremely fast) to assure
yourself that what you're downloading is indeed the tomcat release and
not some hacked version that has a Runtime.exec("rm -rf /") as part of
the startup script ;)

Yoav Shapira
Millennium Research Informatics


>-Original Message-
>From: Justin Jaynes [mailto:[EMAIL PROTECTED]
>Sent: Thursday, May 27, 2004 2:43 AM
>To: [EMAIL PROTECTED]
>Subject: Verifying signatures
>
>I recently downloaded TOMCAT 5 and I read that I am
>responsible to verify the integrity of the download
>from the mirror using some key or signature.  How do I
>do that?  I am running SuSE linux 9.1.
>
>Please be specific.  What keys or signatures or
>checksums do I download?  Where do I place them?  What
>commands do I type?
>
>I hope this is not a stupid question.
>
>
>
>
>__
>Do you Yahoo!?
>Friends.  Fun.  Try the all-new Yahoo! Messenger.
>http://messenger.yahoo.com/
>
>-
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]

This e-mail, including any attachments, is a confidential business communication, and 
may contain information that is confidential, proprietary and/or privileged.  This 
e-mail is intended only for the individual(s) to whom it is addressed, and may not be 
saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) 
intended recipient, please immediately delete this e-mail from your computer system 
and notify the sender.  Thank you.


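The procedure Yoav describes (import the KEYS file, verify the armored signature next to the distro, check the MD5), as an added example that is not code from the original thread or from the Tomcat project. It runs offline against constructed stand-in files (the names tomcat-5.0.25.tar.gz, .asc, .md5 and KEYS follow the mirror layout described in the reply; the signing key is a throwaway one generated on the spot, and gpg 2.1 or later with gpgconf is assumed). The one thing it adds to a bare `gpg --verify` is the caveat a practitioner wants: KEYS holds many keys, and gpg reports "Good signature" for any of them, so the signer's fingerprint is pinned to a value you would obtain out of band.

```shell
#!/bin/sh
# Added example, not code from the original thread or the Tomcat project.
# Assumed mirror layout: the distro, its armored detached signature beside it
# (the "PGP" link), its ".md5" file, and the KEYS file holding the release
# managers' public keys.  All file names and data below are constructed.

# MD5 hex digest of FILE: md5sum where available, otherwise openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE MD5FILE -> 0 if the digest matches, 1 otherwise.
# The .md5 files held either "<hash>" or "<hash>  <name>": take the first
# 32-hex-character token, case-insensitively, and compare.
verify_md5() {
    expected=$(tr '[:upper:]' '[:lower:]' < "$2" | grep -o '[0-9a-f]\{32\}' | head -n 1)
    actual=$(md5_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_pgp KEYSFILE SIGFILE FILE EXPECTED_FPR -> 0 only if the signature is
# good AND was made by the key with that fingerprint.  gpg prints "Good
# signature" for any key in KEYS, so pinning the fingerprint you obtained out
# of band is the check a plain "gpg --verify" does not do for you.
verify_pgp() {
    ring=$(mktemp -d)                          # throwaway keyring (mktemp gives 0700)
    gpg --homedir "$ring" --batch --quiet --import "$1" 2>/dev/null
    got=$(gpg --homedir "$ring" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null \
          | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    gpgconf --homedir "$ring" --kill gpg-agent 2>/dev/null || true
    rm -rf "$ring"
    [ -n "$got" ] && [ "$got" = "$4" ]
}

# make_fixture: constructed sample data in a temp dir (prints its path):
# a stand-in tarball, a correct .md5 file for it, and a tampered copy.
make_fixture() {
    d=$(mktemp -d)
    printf 'constructed stand-in for tomcat-5.0.25.tar.gz\n' > "$d/tomcat-5.0.25.tar.gz"
    printf '%s  tomcat-5.0.25.tar.gz\n' "$(md5_of "$d/tomcat-5.0.25.tar.gz")" \
        > "$d/tomcat-5.0.25.tar.gz.md5"
    printf 'constructed stand-in, changed after release\n' > "$d/tampered.tar.gz"
    echo "$d"
}

# sign_fixture DIR: play release manager with a throwaway key (gpg 2.1+):
# export it as KEYS, detach-sign the tarball, print the key's fingerprint
# (the value a real user would get out of band, not from the mirror).
sign_fixture() {
    signer="$1/signer"
    mkdir -m 700 "$signer"
    gpg --homedir "$signer" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Manager (constructed test key) <rm@example.invalid>' \
        default default never 2>/dev/null
    gpg --homedir "$signer" --batch --armor --export > "$1/KEYS" 2>/dev/null
    gpg --homedir "$signer" --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1/tomcat-5.0.25.tar.gz.asc" \
        "$1/tomcat-5.0.25.tar.gz" 2>/dev/null
    gpg --homedir "$signer" --batch --with-colons --with-fingerprint --list-keys 2>/dev/null \
        | awk -F: '/^fpr:/ {print $10; exit}'
    gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null || true
}

# "sh verify.sh demo" exercises both checks on the constructed fixture.
if [ "${1:-}" = "demo" ]; then
    fx=$(make_fixture)
    verify_md5 "$fx/tomcat-5.0.25.tar.gz" "$fx/tomcat-5.0.25.tar.gz.md5" && echo "md5: distro OK"
    verify_md5 "$fx/tampered.tar.gz" "$fx/tomcat-5.0.25.tar.gz.md5" || echo "md5: tampered copy rejected"
    if command -v gpg >/dev/null 2>&1; then
        fpr=$(sign_fixture "$fx")
        verify_pgp "$fx/KEYS" "$fx/tomcat-5.0.25.tar.gz.asc" "$fx/tomcat-5.0.25.tar.gz" "$fpr" && echo "pgp: signature from pinned key OK"
        verify_pgp "$fx/KEYS" "$fx/tomcat-5.0.25.tar.gz.asc" "$fx/tampered.tar.gz" "$fpr" || echo "pgp: tampered copy rejected"
        verify_pgp "$fx/KEYS" "$fx/tomcat-5.0.25.tar.gz.asc" "$fx/tomcat-5.0.25.tar.gz" "0000" || echo "pgp: unexpected signer rejected"
    fi
    rm -rf "$fx"
fi
```

Against a real mirror download the same two calls apply with the downloaded files in place of the fixture: `verify_md5 tomcat-5.0.25.tar.gz tomcat-5.0.25.tar.gz.md5` and `verify_pgp KEYS tomcat-5.0.25.tar.gz.asc tomcat-5.0.25.tar.gz <fingerprint>`. Note that the fingerprint should not be taken from the same mirror as the download, since a mirror that can swap the tarball can swap KEYS too; and that the MD5 check alone only proves the file matches the mirror's copy, which is why the thread treats the PGP signature as the real assurance and the digest as a quick transfer check.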
Verifying signatures

2004-05-26 Thread Justin Jaynes
I recently downloaded TOMCAT 5 and I read that I am
responsible to verify the integrity of the download
from the mirror using some key or signature.  How do I
do that?  I am running SuSE linux 9.1.

Please be specific.  What keys or signatures or
checksums do I download?  Where do I place them?  What
commands do I type?

I hope this is not a stupid question.
