It is good practice to verify the integrity of the downloaded files using the PGP or MD5 signatures. The Apache HTTP Server project has a good page on why you should verify releases here.
The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as the asc signature file for the relevant distribution. Make sure you get these files from the main distribution directory, rather than from a mirror (the links above are correct in this manner). Then verify the signatures using pgp or gpg.
Alternatively, you can verify the MD5 signature on the files. A unix program called
md5
or md5sum is included in many unix distributions. It is also available as
part of
GNU Textutils.
Windows users can get binary md5 programs from
here,
here,
here, or
here.