ASF Artifacts Distribution Platform

tomcat-maven-plugin-2.0-beta-1-source-release.zip

Download tomcat-maven-plugin-2.0-beta-1-source-release.zip (2.87 MBytes)

Useful references:
How to verify this release

Each official software release at the ASF is digitally signed with a detached PGP signature and is accompanied by checksum files for extra verification. You can verify the PGP signatures using PGP or GPG.

Verifying the PGP signature

To verify the PGP signature, you will need the following files:

  1. The release artifact itself: tomcat-maven-plugin-2.0-beta-1-source-release.zip
  2. The tomcat release signing key list: tomcat.txt
  3. The detached signature file: tomcat-maven-plugin-2.0-beta-1-source-release.zip.asc

Make sure you get these files from the official apache.org release distribution service, rather than from a mirror, as we cannot verify the authenticity of mirrors.

Once you have all the needed files, you can verify the release artifact as follows:

 % pgpk -a tomcat.txt
 % pgpv tomcat-maven-plugin-2.0-beta-1-source-release.zip.asc
 OR
 % pgp -ka tomcat.txt
 % pgp tomcat-maven-plugin-2.0-beta-1-source-release.zip.asc
 OR
 % gpg --import tomcat.txt
 % gpg --verify tomcat-maven-plugin-2.0-beta-1-source-release.zip.asc tomcat-maven-plugin-2.0-beta-1-source-release.zip
 

Verifying the checksum files

If you're unable to verify the PGP signatures, you can instead verify the checksums on the files. However, PGP signatures are superior to checksums, and we recommend you verify using PGP whenever possible.

The following checksum files are available for this release:

When multiple checksums are available, we recommend you use the strongest checksum algorithm found. In order of strength, they are: sha512, sha256, sha1, md5.

Verifying SHA1, SHA256, and SHA512 checksums

Most Unix systems have a program called shasum included in their core distribution, which can be used here. To verify a checksum file, download it to the same directory as the release artifact you downloaded, and run: shasum -c [checksum-filename]

The shasum program should emit the following response: tomcat-maven-plugin-2.0-beta-1-source-release.zip: OK. If the program indicates any errors or warnings, there may be authenticity issues with the artifact, and you should let us know at security@apache.org.

On Windows you can use the following command in a command line window to generate a checksum for the artifact, for instance: certutil -hashfile <filename> SHA512.

You can then compare this checksum value to the value in the checksum file.

Verifying MD5 checksums

Some older artifacts may only have an MD5 checksum file associated with them. As MD5 is now considered a weak algorithm, we strongly advise that users verify such artifacts using the PGP method described above. Should you have a need to verify the MD5 checksum file, you can use the Unix program md5sum in a similar manner to how SHA checksums are verified: md5sum -c [checksum-filename]. The response from the md5sum program is similar to that of the shasum program, and an OK response should always be expected.
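
The checksum procedure above as one script, added here as an example and not ASF-provided code. It tries the checksum files strongest first, in the order listed above, and compares the digests itself, so a checksum file holding only the bare hash is accepted as well as the "HASH  filename" layout that shasum -c reads. The function names and the two accepted layouts are assumptions of this example.

```shell
#!/bin/sh
# Added example, not ASF code. Usage: sh verify.sh <artifact>

# digest ALGO FILE: print the lowercase hex digest of FILE.
digest() {
    case "$1" in
        md5) md5sum "$2" ;;
        *)   if command -v "${1}sum" >/dev/null 2>&1; then "${1}sum" "$2"
             else shasum -a "${1#sha}" "$2"; fi ;;
    esac | awk '{ print tolower($1) }'
}

# expected LEN FILE: first token of exactly LEN hex digits in a checksum
# file (assumed layouts: "HASH  filename" or a bare "HASH", any case, CRLF ok).
expected() {
    tr -d '\r' < "$2" | tr 'A-F' 'a-f' | tr -s ' \t*' '\n' |
        grep -E -x "[0-9a-f]{$1}" | head -n 1
}

# verify_checksum ARTIFACT: 0 = match, 1 = mismatch, 2 = no checksum file.
verify_checksum() {
    artifact=$1
    for spec in sha512:128 sha256:64 sha1:40 md5:32; do
        algo=${spec%%:*}; len=${spec##*:}
        [ -f "$artifact.$algo" ] || continue
        if [ "$algo" = md5 ]; then
            echo "warning: only MD5 available; verify the PGP signature instead" >&2
        fi
        want=$(expected "$len" "$artifact.$algo")
        have=$(digest "$algo" "$artifact")
        if [ -n "$want" ] && [ "$want" = "$have" ]; then
            echo "$artifact: OK ($algo)"; return 0
        fi
        # The strongest checksum file present decides; no fallback to a weaker one.
        echo "$artifact: FAILED ($algo)" >&2; return 1
    done
    echo "$artifact: no checksum file found" >&2; return 2
}

# Constructed demo: a stand-in artifact with a bare-hash .sha512 file.
demo() {
    d=$(mktemp -d) && printf 'constructed sample\n' > "$d/a.zip" &&
    digest sha512 "$d/a.zip" > "$d/a.zip.sha512" &&
    verify_checksum "$d/a.zip"; rc=$?; rm -rf "$d"; return $rc
}

if [ "$#" -gt 0 ]; then verify_checksum "$1"; else demo; fi
```

A checksum file in any other layout yields no expected value and is reported as FAILED rather than skipped.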