Start by downloading and installing GnuPG, an
implementation of OpenPGP. There are many tools for verifying
MD5 and SHA1 checksums; here is the GnuPG way for MD5:
gpg --print-md MD5 <ReleaseFile>
and for SHA1:
gpg --print-md SHA1 <ReleaseFile>
You can simply compare the resulting checksum to the one contained in the
<ReleaseFile>.md5 or <ReleaseFile>.sha1 checksum file. Use diff or your eyes, the checksums are short
(note that gpg --print-md prints the digest in groups of four hex characters, so ignore the spacing when comparing).
Keep in mind that a matching checksum only shows the download was not corrupted; a checksum
file served from the same mirror as the archive gives no protection against a deliberately replaced archive.
A better way of verifying a distribution file is to use the PGP signature provided in the
.asc files. To be able to use the PGP signature files, you need to obtain the UIMA
developers' public keys from a trusted source. The keys do come with the distribution as well,
but obviously using those is not a good way to ascertain the pedigree of a distribution. Instead,
get the keys from the main Apache distribution site (not a mirror), or
directly out of the UIMA SVN repository.
Depending on how sure you want to be that those
keys are really the ones you can trust, you may think of even safer ways to obtain them (for example,
go to ApacheCon and get them personally, or compare key fingerprints with a developer in person).
Once you have downloaded the
KEYS file, you can import it into your GnuPG keyring with
gpg --import KEYS
and check what your keyring now contains with
gpg --list-keys
To verify a release file,
cd to the directory with the release (the .asc signature must sit next to the file it signs) and run
gpg --verify <fileName>.asc
for each file you would like to verify. The output should contain something like this:
gpg: Good signature from "Thilo Goetz (CODE SIGNING KEY) <email@example.com>"
If you have not certified the key yourself, gpg also prints a warning that the key is not certified
with a trusted signature; that is expected. What matters is that the signature is reported as good
and that the key it was made with is one of the keys in the KEYS file you obtained from a trusted source:
compare the fingerprint gpg reports with the one listed in KEYS, rather than relying on the name in the user ID.
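The whole procedure above (checksum comparison, then signature check against a key fingerprint taken from the KEYS file) as an added Python example; this is not part of the UIMA documentation or the project's code. It parses both checksum-file layouts a user meets here, the sha1sum/md5sum form and the grouped gpg --print-md form, and for the signature step it reads gpg's machine-readable --status-fd output instead of the "Good signature" text, accepting a signature only when its key fingerprint matches the one you expect. The signature step assumes gpg is on PATH with KEYS already imported; the file names, sample bytes, key fingerprint and status lines in the demo are constructed.

```python
import hashlib
import hmac
import re
import subprocess
import tempfile

# Added example, not UIMA project code. File names, key fingerprints and the
# checksum/status lines used in the demo at the bottom are constructed.

HEX_RE = re.compile(r"[0-9a-f]+")


def parse_checksum_file(text):
    """Return the lowercase hex digest from a .md5/.sha1 file, whatever its layout.

    Handles the `sha1sum`/`md5sum` form ("<hex>  <file>"), a bare digest, and
    the `gpg --print-md` form ("<file>: AAAA BBBB ..." in 4-char groups, wrapped
    onto continuation lines for long digests)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty checksum file")
    first = lines[0]
    if ":" in first:
        # gpg --print-md: drop the "name:" label, then glue the groups together
        body = first.split(":", 1)[1] + " " + " ".join(lines[1:])
    else:
        body = first.split()[0]
    digest = "".join(body.split()).lower()
    if not HEX_RE.fullmatch(digest):
        raise ValueError("not a hex digest: %r" % digest)
    return digest


def digest_file(path, algo):
    """Hash a file in chunks so large release archives need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(path, checksum_text, algo="sha1"):
    """True if the file's digest equals the one in the checksum file.

    A digest of the wrong length (e.g. an MD5 handed to a SHA1 check) is a
    mismatch, so a mislabelled checksum file cannot pass by accident."""
    expected = parse_checksum_file(checksum_text)
    actual = digest_file(path, algo)
    return len(expected) == len(actual) and hmac.compare_digest(expected, actual)


STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def parse_gpg_status(status_text, expected_fingerprint):
    """Decide from `gpg --status-fd` output whether a signature is acceptable.

    GOODSIG only says the file matches the signature; it says nothing about who
    holds the key. We additionally require a VALIDSIG line whose signing-key or
    primary-key fingerprint equals the one taken from a KEYS file obtained out
    of band, and reject on any error/bad-signature status."""
    want = expected_fingerprint.replace(" ", "").upper()
    good = False
    fprs = set()
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        tag, args = m.group(1), (m.group(2) or "").split()
        if tag in REJECT:
            return False
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and args:
            fprs.add(args[0].upper())   # fingerprint of the (sub)key that signed
            fprs.add(args[-1].upper())  # primary key fingerprint (last field)
    return good and want in fprs


def verify_signature(asc_path, data_path, expected_fingerprint):
    """Run gpg on the detached .asc signature and apply parse_gpg_status.

    Requires gpg on PATH with the KEYS file already imported (gpg --import KEYS)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, data_path],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, expected_fingerprint)


def make_sample(data):
    """Write constructed bytes to a temp file and return its path (demo helper)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tar.gz") as fh:
        fh.write(data)
        return fh.name


if __name__ == "__main__":
    release = make_sample(b"hello\n")  # stands in for a downloaded release archive
    # Both lines carry the SHA1 of b"hello\n": sha1sum layout, then gpg --print-md layout.
    print(checksum_matches(release, "f572d396fae9206628714fb2ce00f72e94f2258f  release.tar.gz\n"))
    print(checksum_matches(release, "release.tar.gz: F572 D396 FAE9 2066 2871  4FB2 CE00 F72E 94F2 258F\n"))
```

For a real release, call verify_signature("<fileName>.asc", "<fileName>", fingerprint) with the fingerprint copied from the KEYS file you fetched from the main Apache site; --status-fd output is stable across gpg versions and locales, unlike the human-readable "Good signature" text, which is why the decision is made on it.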