
Re: svn commit: r1841620 - /httpd/site/trunk/content/dev/verification.mdtext


You might want to point out the -r flag to OpenSSL, which emits the same output as bintools sha256.


On Fri, Sep 21, 2018, 12:30 <elukey@xxxxxxxxxx> wrote:
Author: elukey
Date: Fri Sep 21 17:30:07 2018
New Revision: 1841620

URL: http://svn.apache.org/viewvc?rev=1841620&view=rev
Log:
Remove MD5 traces from documentation and add a SHA256 tutorial.

Modified:
    httpd/site/trunk/content/dev/verification.mdtext

Modified: httpd/site/trunk/content/dev/verification.mdtext
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1841620&r1=1841619&r2=1841620&view=diff
==============================================================================
--- httpd/site/trunk/content/dev/verification.mdtext (original)
+++ httpd/site/trunk/content/dev/verification.mdtext Fri Sep 21 17:30:07 2018
@@ -19,10 +19,10 @@ Notice:    Licensed to the Apache Softwa
 # Verifying Apache HTTP Server Releases

 All official releases of code distributed by the Apache HTTP Server Project
-are signed by the release manager for the release. PGP signatures and MD5
+are signed by the release manager for the release. PGP signatures and SHA
 hashes are available along with the distribution.

-You should download the PGP signatures and MD5 hashes directly from the
+You should download the PGP signatures and SHA hashes directly from the
 Apache Software Foundation rather than our mirrors. This is to help ensure
 the integrity of the signature files. However, you are encouraged to
 download the releases from our mirrors. (Our download page points you at
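Review bot: "SHA hashes" on both changed lines is vaguer than the "MD5 hashes" it replaces; the sidecar files named later in this same patch are `httpd-2.4.34.tar.bz2.sha256`, so say "SHA-256 hashes" here. Plain "SHA" also covers SHA-1, which is no longer considered collision resistant, so a reader should not be left thinking any SHA variant is acceptable.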
@@ -168,3 +168,23 @@ verifying the signature of a release.
     gpg:                 aka "Jim Jagielski <jim@xxxxxxxxxxx>"
     gpg:                 aka "Jim Jagielski <jimjag@xxxxxxxxx>"

+In order to check the integrity of the downloaded file, you need to download the source and the related SHA256
+hash. For example, assuming a preference for tar.bz, to verify the 2.4.34 release you should end up with two files on disk:

+  * httpd-2.4.34.tar.bz2 (source)
+  * httpd-2.4.34.tar.bz2.sha256 (SHA256 hash)
+
+On most Unix systems then it is only a matter of executing:
+
+    % shasum -a 256 -c httpd-2.4.34.tar.bz2.sha256
+    httpd-2.4.34.tar.bz2: OK
+
+Behind the scenes, the command checks that the SHA hash contained in httpd-2.4.34.tar.bz2.sha256 matches the one
+calculated for the file httpd-2.4.34.tar.bz2. The correct result should be a 'OK' displayed.
+
+Another way to calculate the SHA256 has for a file is to use openssl:
+
+    % openssl sha -sha256 httpd-2.4.34.tar.bz2
+    SHA256(httpd-2.4.34.tar.bz2)= fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0
+
+And then verify that the content of httpd-2.4.34.tar.bz2.sha256 matches the above result.
\ No newline at end of file
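Review bot: the OpenSSL example `% openssl sha -sha256 httpd-2.4.34.tar.bz2` relies on the legacy `sha` (SHA-0) subcommand, which OpenSSL 1.1 and later no longer ship; `openssl dgst -sha256 httpd-2.4.34.tar.bz2` prints the same `SHA256(...)=` line on old and new releases, and adding `-r` prints `<hex> *<file>` so the result can be compared mechanically instead of by eye, as suggested in the reply. Smaller points in the same hunk: "tar.bz" should read "tar.bz2" to match the filenames that follow; "the SHA256 has for a file" should read "hash"; "a 'OK' displayed" should read "an 'OK'"; and the `shasum -c` paragraph should also show what a mismatch looks like (`httpd-2.4.34.tar.bz2: FAILED` with a non-zero exit status) so the reader knows to discard the download rather than treat anything other than `OK` as cosmetic.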
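The reply above points out that OpenSSL and the coreutils/shasum tools print the same digest in different line formats. As an added example, not code from this commit or from the httpd project, the following Python verifier accepts both sidecar formats (`<hex>  <name>` / `<hex> *<name>` from sha256sum or shasum, and `SHA256(<name>)= <hex>` from `openssl dgst`, plus the BSD `SHA256 (<name>) = <hex>` spelling), streams the download through SHA-256, and compares in constant time. The function names, the sample tarball name `httpd-example.tar.bz2` and its contents are constructed for the demo; the sidecar formats are the real ones those tools emit.

```python
"""Verify a download against a .sha256 sidecar file.

Added example, not code from the httpd project or this commit.  Accepts the
coreutils/shasum line style ("<hex>  <name>" or "<hex> *<name>") and the
OpenSSL dgst style ("SHA256(<name>)= <hex>", or BSD "SHA256 (<name>) = <hex>"),
and compares the digest in constant time.
"""
import hashlib
import hmac
import os
import re
import tempfile

# "<64 hex>  <name>" or "<64 hex> *<name>" (sha256sum / shasum output).
_COREUTILS_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")
# "SHA256(<name>)= <64 hex>" (openssl dgst) or "SHA256 (<name>) = <64 hex>" (BSD).
_OPENSSL_RE = re.compile(r"^SHA256\s*\((?P<name>.+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{64})$")


def parse_sha256_line(line):
    """Return (filename, lowercase hex digest) for one sidecar line, or None."""
    line = line.strip()
    for pattern in (_COREUTILS_RE, _OPENSSL_RE):
        m = pattern.match(line)
        if m:
            return m.group("name").strip(), m.group("hex").lower()
    return None


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large tarball never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha256(artifact_path, sidecar_path):
    """True only if a sidecar line names this file and its digest matches.

    A sidecar that names a different file (for example the .sha256 of another
    release) is rejected instead of being matched on the digest alone.
    """
    expected = None
    basename = os.path.basename(artifact_path)
    with open(sidecar_path, "r", encoding="utf-8") as f:
        for line in f:
            parsed = parse_sha256_line(line)
            if parsed and os.path.basename(parsed[0]) == basename:
                expected = parsed[1]
                break
    if expected is None:
        return False
    actual = sha256_of_file(artifact_path)
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample (not a real release): one fake tarball, a sidecar in
    each format, then the tarball is tampered with.
    Returns (coreutils_ok, openssl_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        artifact = os.path.join(d, "httpd-example.tar.bz2")
        with open(artifact, "wb") as f:
            f.write(b"not a real release tarball\n")
        digest = sha256_of_file(artifact)

        coreutils = os.path.join(d, "coreutils.sha256")
        with open(coreutils, "w") as f:
            f.write("%s  httpd-example.tar.bz2\n" % digest)
        openssl = os.path.join(d, "openssl.sha256")
        with open(openssl, "w") as f:
            # openssl prints the hex in lowercase; uppercase here shows the
            # verifier normalises case before comparing.
            f.write("SHA256(httpd-example.tar.bz2)= %s\n" % digest.upper())

        ok1 = verify_sha256(artifact, coreutils)
        ok2 = verify_sha256(artifact, openssl)
        # Append one byte after the sidecar was written: must now fail.
        with open(artifact, "ab") as f:
            f.write(b"x")
        ok3 = verify_sha256(artifact, openssl)
        return ok1, ok2, ok3


if __name__ == "__main__":
    print(demo())
```

The filename check matters in practice: a `.sha256` fetched alongside the tarball only tells you the bytes you have are the bytes the publisher hashed, so the verifier refuses to "pass" on a digest alone when the sidecar was written for a different file.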