The download page has a section on release integrity but does not detail how to perform the check. The page should either include the information, or provide a link to a generic page with the info. [The httpd download page has both]

The HTTPD page does it wrong.

The following command is seriously broken:
% gpg --verify httpd-2.2.0.tar.gz.asc

It must be
% gpg --verify httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz

per
http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
https://www.gnupg.org/gph/en/manual/x135.html

It makes little sense for each project to maintain a "how to verify PGP" page. There is an ASF-wide one,
http://www.apache.org/info/verification.html

(In reply to Konstantin Kolinko from comment #1)
> The HTTPD page does it wrong.
>
> The following command is seriously broken:
> % gpg --verify httpd-2.2.0.tar.gz.asc

It works for me - see below.

> It must be
> % gpg --verify httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz

That works too.

> per
> http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html

That page no longer exists.

> https://www.gnupg.org/gph/en/manual/x135.html

That page does mention both the sig and the input file.
However I have found that gpg verify works fine with just the .sig or .asc file.
GPG looks for a file with the .asc/.sig removed and uses that if it is found; if not it reports:

gpg: no signed data
gpg: can't hash datafile: No data

> It makes little sense for each project to maintain a "how to verify PGP"
> page. There is an ASF-wide one,
> http://www.apache.org/info/verification.html

Indeed. The ASF one probably appeared after the httpd one.

(In reply to Sebb from comment #2)
> (In reply to Konstantin Kolinko from comment #1)
> > per
> > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
>
> That page no longer exists.
>

It is available from http://archive.org/web/

(In reply to Konstantin Kolinko from comment #3)
> (In reply to Sebb from comment #2)
> > (In reply to Konstantin Kolinko from comment #1)
> > > per
> > > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
> >
> > That page no longer exists.
> >
>
> It is available from http://archive.org/web/

OK, I see now. I agree it's badly broken.
The ASF page is also wrong; I'll fix it.

Fixed. Should be live for all download pages by the time you read this.

(In reply to Konstantin Kolinko from comment #3)
> (In reply to Sebb from comment #2)
> > (In reply to Konstantin Kolinko from comment #1)
> > > per
> > > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
> >
> > That page no longer exists.
> >
>
> It is available from http://archive.org/web/

FTR it's available from:
http://web.archive.org/web/20130417020216/http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
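
Added example, not part of the original thread or of any ASF or httpd page: a shell wrapper around the two-argument `gpg --verify` form from comment #1 that also checks gpg's `--status-fd` output against an expected key fingerprint. The function names and the fingerprint argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names and the fingerprint argument are
# assumptions, not taken from the thread or from ASF pages.

# Read gpg --status-fd lines on stdin; succeed only if a VALIDSIG line
# names the expected fingerprint and no failure status was reported.
status_ok() {
    [ -n "$1" ] || return 2
    awk -v fpr="$1" '
        BEGIN { fpr = toupper(fpr) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Field 3 is the signing key fingerprint, the last field the
        # primary key fingerprint; accept a match on either.
        $2 == "VALIDSIG" && (toupper($3) == fpr || toupper($NF) == fpr) { good = 1 }
        END { exit (good && !bad ? 0 : 1) }
    '
}

# Verify DATA against the detached signature SIG. Naming DATA explicitly
# makes gpg hash that file; a SIG that is not a detached signature is
# rejected instead of being verified on its own.
verify_release() {
    sig=$1; data=$2; fpr=$3
    [ -f "$sig" ] && [ -f "$data" ] || return 2
    gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null |
        status_ok "$fpr"
}

# Usage: sh verify.sh httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz <FINGERPRINT>
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "signature OK"
    else
        echo "verification FAILED" >&2
        exit 1
    fi
fi
```

The fingerprint to pass is the one published for the release signer, obtained separately from the download mirror.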