Useful references:
- Release notes, with important information about known issues
- Changelog
Each official software release at the ASF is digitally signed with a detached PGP signature, as well as accompanying checksum files for extra verification. You can verify the PGP signatures using PGP or GPG.
To verify the PGP signature, you will need the following files:
Make sure you get these files from the official apache.org release distribution service, rather than from a mirror, as we cannot verify the authenticity of mirrors.
Once you have all the needed files, you can verify the release artifact as follows:
% pgpk -a tomcat.txt % pgpv apache-tomcat-10.0.21-src.tar.gz.asc OR % pgp -ka tomcat.txt % pgp apache-tomcat-10.0.21-src.tar.gz.asc OR % gpg --import tomcat.txt % gpg --verify apache-tomcat-10.0.21-src.tar.gz.asc apache-tomcat-10.0.21-src.tar.gz
If you're unable to verify the PGP signatures, you can instead verify the checksums on the files. However, PGP signatures are superior to checksums, and we recommend you verify using PGP whenever possible.
The following checksum files are available for this release:
When multiple checksums are available, we recommend you use the strongest checksum algorithm found. In order of strength, they are: sha512, sha256, sha1, md5Most Unix systems have a program called shasum included in their core distribution, which can be used here. To verify a checksum file, download it to the same directory as the relase artifact you downloaded, and run: shasum -c [checksum-filename]
The shasum program should emit the following response: apache-tomcat-10.0.21-src.tar.gz: OK. If the program indicates any errors or warnings, there may be authenticity issues with the artifact, and you should let us know at security@apache.org.
On Windows you can use the following command in a command line window to generate a checksum for the artifact, for instance: certutil -hashfile <filename> SHA512.
You can then compare this checksum value to the value in the checksum file.
Some older artifacts may only have an MD5 checksum file associated with it. As MD5 is now considered a weak algorithm, we strongly advise that users verify such artifacts using the PGP method described above. Should you have a need to verify the MD5 checksum file, you can use the Unix program md5sum in a similar manner to how SHA checksums are verified: md5sum -c [checksum-filename]. The response from the md5sum program is similar to that of the shasum program, and an OK response should always be expected.
Useful references:
- Release notes, with important information about known issues
- Changelog
Each official software release at the ASF is digitally signed with a detached PGP signature, as well as accompanying checksum files for extra verification. You can verify the PGP signatures using PGP or GPG.
To verify the PGP signature, you will need the following files:
Make sure you get these files from the official apache.org release distribution service, rather than from a mirror, as we cannot verify the authenticity of mirrors.
Once you have all the needed files, you can verify the release artifact as follows:
% pgpk -a tomcat.txt % pgpv apache-tomcat-10.0.21-src.zip.asc OR % pgp -ka tomcat.txt % pgp apache-tomcat-10.0.21-src.zip.asc OR % gpg --import tomcat.txt % gpg --verify apache-tomcat-10.0.21-src.zip.asc apache-tomcat-10.0.21-src.zip
If you're unable to verify the PGP signatures, you can instead verify the checksums on the files. However, PGP signatures are superior to checksums, and we recommend you verify using PGP whenever possible.
The following checksum files are available for this release:
When multiple checksums are available, we recommend you use the strongest checksum algorithm found. In order of strength, they are: sha512, sha256, sha1, md5Most Unix systems have a program called shasum included in their core distribution, which can be used here. To verify a checksum file, download it to the same directory as the relase artifact you downloaded, and run: shasum -c [checksum-filename]
The shasum program should emit the following response: apache-tomcat-10.0.21-src.zip: OK. If the program indicates any errors or warnings, there may be authenticity issues with the artifact, and you should let us know at security@apache.org.
On Windows you can use the following command in a command line window to generate a checksum for the artifact, for instance: certutil -hashfile <filename> SHA512.
You can then compare this checksum value to the value in the checksum file.
Some older artifacts may only have an MD5 checksum file associated with it. As MD5 is now considered a weak algorithm, we strongly advise that users verify such artifacts using the PGP method described above. Should you have a need to verify the MD5 checksum file, you can use the Unix program md5sum in a similar manner to how SHA checksums are verified: md5sum -c [checksum-filename]. The response from the md5sum program is similar to that of the shasum program, and an OK response should always be expected.