Verifying Rave Releases

As with all Apache releases, Rave binaries are signed (the .asc file) and ship with MD5 and SHA512 message digest files. These are described in more detail here. You can verify your release using GPG with the following steps.

Setting Up

The following steps are a one-time setup.

  1. Download and install GPG from http://www.gnupg.org/download/
  2. Import the Rave signing keys. These are available from https://svn.apache.org/repos/asf/rave/KEYS. Download the key file and import with the command gpg --import KEYS
  3. You may also want to sign and upload the key with your own key pair to a public key server. Again, see here for more information.

Verifying a Binary Release

  1. With the binary apache-rave-X.Y.Z-bin.zip and the signature file apache-rave-X.Y.Z-bin.zip.asc in the same directory, verify the binary release signature with gpg apache-rave-X.Y.Z-bin.zip.asc.
    1. For untrusted keys, you can check the fingerprint with gpg --fingerprint ABCD1234, replacing ABCD1234 with the ID or fingerprint of the key used to sign the release, and compare it against the fingerprint listed in the KEYS file.
  2. Verify the SHA512 message digest with gpg --print-md SHA512 apache-rave-X.Y.Z-bin.zip and compare the output to the contents of apache-rave-X.Y.Z-bin.zip.sha.
    1. You can use the UNIX diff utility for this: gpg --print-md SHA512 apache-rave-X.Y.Z-bin.zip | diff - apache-rave-X.Y.Z-bin.zip.sha. If the digests match, you will get no output.
  3. Verify the MD5 digest with the command gpg --print-md md5 apache-rave-X.Y.Z-bin.zip and compare the output to the contents of apache-rave-X.Y.Z-bin.zip.md5.
    1. You can again use diff for this: gpg --print-md md5 apache-rave-X.Y.Z-bin.zip | diff - apache-rave-X.Y.Z-bin.zip.md5. If the digests match, you will get no output.
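The three checks above, scripted as an added example (not Rave project code): it assumes gpg is on the PATH, that the artifact, .asc, .sha and .md5 files sit in the working directory with the apache-rave-X.Y.Z-bin.zip naming from this page, and it goes slightly beyond the page by accepting digest files in either the gpg --print-md layout (grouped, wrapped hex after "name:") or the sha512sum/md5sum layout.

```python
"""Verify an Apache Rave release artifact against its detached signature and its
.sha / .md5 digest files. Added example, not Rave project code."""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path


def parse_digest_file(text: str, hex_len: int) -> str:
    """Extract one digest from a .sha/.md5 file written either by gpg --print-md
    ("name: DDAF 35A1 ..." wrapped over several lines) or by sha512sum/md5sum
    ("hex  name"). Returns lowercase hex, or raises if no full digest is found."""
    tokens = []
    for line in text.splitlines():
        body = line.split(":", 1)[1] if ":" in line else line  # drop "name:"
        tokens += [t for t in body.split() if re.fullmatch(r"[0-9A-Fa-f]+", t)]
    joined = "".join(tokens).lower()
    if len(joined) != hex_len:
        raise ValueError(f"expected {hex_len} hex digits, found {len(joined)}")
    return joined


def digest_matches(data: bytes, digest_text: str, algo: str) -> bool:
    """True when data hashes to the digest recorded in digest_text."""
    h = hashlib.new(algo, data)
    expected = parse_digest_file(digest_text, h.digest_size * 2)
    return hmac.compare_digest(h.hexdigest(), expected)


def signature_ok(artifact: str) -> bool:
    """Same check as `gpg apache-rave-X.Y.Z-bin.zip.asc`: exit status 0 means a
    good signature from a key in your keyring, NOT that the key is trusted;
    compare its fingerprint with the KEYS file as the page describes."""
    proc = subprocess.run(["gpg", "--batch", "--verify", artifact + ".asc", artifact],
                          capture_output=True)
    return proc.returncode == 0


def verify_release(artifact: str) -> dict:
    """Run all three checks from the page against a downloaded artifact."""
    data = Path(artifact).read_bytes()
    return {"signature": signature_ok(artifact),
            "sha512": digest_matches(data, Path(artifact + ".sha").read_text(), "sha512"),
            "md5": digest_matches(data, Path(artifact + ".md5").read_text(), "md5")}


if __name__ == "__main__":  # constructed sample: md5sum-style digest of b"abc"
    print(digest_matches(b"abc", "900150983cd24fb0d6963f7d28e17f72  sample.zip\n", "md5"))
```

Call verify_release("apache-rave-X.Y.Z-bin.zip") on a real download; a release is only acceptable when all three values are True and the signing key's fingerprint is one listed in KEYS.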