Verify the Integrity of Downloads

You can verify the integrity of the downloaded files using their PGP signatures or SHA-1 checksums.

Verifying Hashes

To verify the downloads, first get the MD5, SHA1 and/or SHA256 hashes using these links. Note that all links are for first-class Apache Software Foundation mirrors so there is already reduced opportunity for anyone maliciously tampering with these files.

Artifact Hashes
apache-brooklyn-0.11.0-bin.tar.gz md5 sha1 sha256
apache-brooklyn-0.11.0-bin.zip md5 sha1 sha256
apache-brooklyn-0.11.0-karaf.tar.gz md5 sha1 sha256
apache-brooklyn-0.11.0-karaf.zip md5 sha1 sha256
apache-brooklyn-0.11.0-1.noarch.rpm md5 sha1 sha256
apache-brooklyn-0.11.0-src.tar.gz md5 sha1 sha256
apache-brooklyn-0.11.0-src.zip md5 sha1 sha256
apache-brooklyn-0.11.0-client-cli-linux.tar.gz md5 sha1 sha256
apache-brooklyn-0.11.0-client-cli-linux.zip md5 sha1 sha256
apache-brooklyn-0.11.0-client-cli-macosx.tar.gz md5 sha1 sha256
apache-brooklyn-0.11.0-client-cli-macosx.zip md5 sha1 sha256
apache-brooklyn-0.11.0-client-cli-windows.tar.gz md5 sha1 sha256
apache-brooklyn-0.11.0-client-cli-windows.zip md5 sha1 sha256
apache-brooklyn-0.10.0-bin.tar.gz md5 sha1 sha256
apache-brooklyn-0.10.0-bin.zip md5 sha1 sha256
apache-brooklyn-0.10.0-karaf.tar.gz md5 sha1 sha256
apache-brooklyn-0.10.0-karaf.zip md5 sha1 sha256
apache-brooklyn-0.10.0-1.noarch.rpm md5 sha1 sha256
apache-brooklyn-0.10.0-src.tar.gz md5 sha1 sha256
apache-brooklyn-0.10.0-src.zip md5 sha1 sha256
apache-brooklyn-0.10.0-client-cli-linux.tar.gz md5 sha1 sha256
apache-brooklyn-0.10.0-client-cli-linux.zip md5 sha1 sha256
apache-brooklyn-0.10.0-client-cli-macosx.tar.gz md5 sha1 sha256
apache-brooklyn-0.10.0-client-cli-macosx.zip md5 sha1 sha256
apache-brooklyn-0.10.0-client-cli-windows.tar.gz md5 sha1 sha256
apache-brooklyn-0.10.0-client-cli-windows.zip md5 sha1 sha256
apache-brooklyn-0.9.0-bin.tar.gz md5 sha1 sha256
apache-brooklyn-0.9.0-bin.zip md5 sha1 sha256
apache-brooklyn-0.9.0-1.noarch.rpm md5 sha1 sha256
apache-brooklyn-0.9.0-src.tar.gz md5 sha1 sha256
apache-brooklyn-0.9.0-src.zip md5 sha1 sha256
apache-brooklyn-0.9.0-client-cli-linux.tar.gz md5 sha1 sha256
apache-brooklyn-0.9.0-client-cli-linux.zip md5 sha1 sha256
apache-brooklyn-0.9.0-client-cli-macosx.tar.gz md5 sha1 sha256
apache-brooklyn-0.9.0-client-cli-macosx.zip md5 sha1 sha256
apache-brooklyn-0.9.0-client-cli-windows.tar.gz md5 sha1 sha256
apache-brooklyn-0.9.0-client-cli-windows.zip md5 sha1 sha256
apache-brooklyn-0.8.0-incubating-bin.tar.gz md5 sha1 sha256
apache-brooklyn-0.8.0-incubating-bin.zip md5 sha1 sha256
apache-brooklyn-0.8.0-incubating-src.tar.gz md5 sha1 sha256
apache-brooklyn-0.8.0-incubating-src.zip md5 sha1 sha256
apache-brooklyn-0.7.0-incubating-bin.tar.gz md5 sha1 sha256
apache-brooklyn-0.7.0-incubating-bin.zip md5 sha1 sha256
apache-brooklyn-0.7.0-incubating-src.tar.gz md5 sha1 sha256
apache-brooklyn-0.7.0-incubating-src.zip md5 sha1 sha256
apache-brooklyn-0.7.0-M2-incubating md5 sha1 sha256

You can verify the SHA1 or SHA256 hashes easily by placing the files in the same folder as the download artifact and then running shasum, which is included in most UNIX-like systems:

shasum -c apache-brooklyn-0.11.0.tar.gz.sha1
shasum -c apache-brooklyn-0.11.0.tar.gz.sha256

You can verify the MD5 hashes by running a command like this, and comparing the output to the contents of the .md5 file:

md5 apache-brooklyn-0.11.0.tar.gz

Verifying PGP Signatures using PGP or GPG

You can download PGP/GPG signatures using these links. Note that these links are for first-class Apache Software Foundation mirrors so there will be reduced opportunity for tampering with these files.

Artifact Link
Release Manager's public keys KEYS
apache-brooklyn-0.11.0-bin.tar.gz asc
apache-brooklyn-0.11.0-bin.zip asc
apache-brooklyn-0.11.0-karaf.tar.gz asc
apache-brooklyn-0.11.0-karaf.zip asc
apache-brooklyn-0.11.0-1.noarch.rpm asc
apache-brooklyn-0.11.0-src.tar.gz asc
apache-brooklyn-0.11.0-src.zip asc
apache-brooklyn-0.11.0-client-cli-linux.tar.gz asc
apache-brooklyn-0.11.0-client-cli-linux.zip asc
apache-brooklyn-0.11.0-client-cli-macosx.tar.gz asc
apache-brooklyn-0.11.0-client-cli-macosx.zip asc
apache-brooklyn-0.11.0-client-cli-windows.tar.gz asc
apache-brooklyn-0.11.0-client-cli-windows.zip asc
apache-brooklyn-0.10.0-bin.tar.gz asc
apache-brooklyn-0.10.0-bin.zip asc
apache-brooklyn-0.10.0-karaf.tar.gz asc
apache-brooklyn-0.10.0-karaf.zip asc
apache-brooklyn-0.10.0-1.noarch.rpm asc
apache-brooklyn-0.10.0-src.tar.gz asc
apache-brooklyn-0.10.0-src.zip asc
apache-brooklyn-0.10.0-client-cli-linux.tar.gz asc
apache-brooklyn-0.10.0-client-cli-linux.zip asc
apache-brooklyn-0.10.0-client-cli-macosx.tar.gz asc
apache-brooklyn-0.10.0-client-cli-macosx.zip asc
apache-brooklyn-0.10.0-client-cli-windows.tar.gz asc
apache-brooklyn-0.10.0-client-cli-windows.zip asc
apache-brooklyn-0.9.0-bin.tar.gz asc
apache-brooklyn-0.9.0-bin.zip asc
apache-brooklyn-0.9.0-1.noarch.rpm asc
apache-brooklyn-0.9.0-src.tar.gz asc
apache-brooklyn-0.9.0-src.zip asc
apache-brooklyn-0.9.0-client-cli-linux.tar.gz asc
apache-brooklyn-0.9.0-client-cli-linux.zip asc
apache-brooklyn-0.9.0-client-cli-macosx.tar.gz asc
apache-brooklyn-0.9.0-client-cli-macosx.zip asc
apache-brooklyn-0.9.0-client-cli-windows.tar.gz asc
apache-brooklyn-0.9.0-client-cli-windows.zip asc
apache-brooklyn-0.8.0-incubating-bin.tar.gz asc
apache-brooklyn-0.8.0-incubating-bin.zip asc
apache-brooklyn-0.8.0-incubating-src.tar.gz asc
apache-brooklyn-0.8.0-incubating-src.zip asc
apache-brooklyn-0.7.0-incubating-bin.tar.gz asc
apache-brooklyn-0.7.0-incubating-bin.zip asc
apache-brooklyn-0.7.0-incubating-src.tar.gz asc
apache-brooklyn-0.7.0-incubating-src.zip asc
apache-brooklyn-0.7.0-M2-incubating.tar.gz asc

In order to validate the release signature, download both the release .asc file for the release, and the KEYS file which contains the public keys of key individuals in the Apache Brooklyn project.

Verify the signatures using one of the following commands:

pgpk -a KEYS
pgpv brooklyn-0.11.0-dist.tar.gz.asc

or

pgp -ka KEYS
pgp brooklyn-0.11.0-dist.zip.asc

or

gpg --import KEYS
gpg --verify brooklyn-0.11.0-dist.tar.gz.asc