It is essential that you verify the integrity of the downloaded
files using the PGP or MD5 signatures. The PGP signatures can be verified using PGP or GPG.
First download the KEYS
as well as the PGP
signature file for the relevant
distribution. Make sure you get these files from the main site,
rather than from a mirror. The above [PGP
] links automatically
retrieve the signature files from the main site. Then verify the signatures
using
% pgpk -a KEYS
% pgpv tomcat-native-1.1.16-src.tar.gz.asc
or
% pgp -ka KEYS
% pgp tomcat-native-1.1.16-src.tar.gz.asc
or
% gpg --import KEYS
% gpg --verify tomcat-native-1.1.16-src.tar.gz.asc
Alternatively, you can verify the MD5 signature (hash value) on the files.
Make sure you get these files from the main site,
rather than from a mirror. The above [MD5
] links automatically
retrieve the signature files from the main site.
Check the integrity of your download by comparing the downloaded MD5
signature files with the MD5 signature of the downloaded archives created on
your system. A unix program called md5
or md5sum
is
included in many unix distributions. It is also available as part of
GNU
Textutils. Windows users can get binary md5 programs from here, here, or
here.