Verify the Integrity of Downloads

You can verify the integrity of the downloaded files using their PGP (GPG) signatures or SHA256 checksums.

Verifying Hashes

To verify the downloads, first get the GPG signatures and SHA256 hashes using the links below. All links point to first-class Apache Software Foundation mirrors, which already reduces the opportunity for anyone to tamper maliciously with these files.

Artifact Hashes
Release Manager's public keys KEYS
apache-brooklyn-1.0.0-src.tar.gz pgp sha256
apache-brooklyn-1.0.0-src.zip pgp sha256
apache-brooklyn-1.0.0-bin.tar.gz pgp sha256
apache-brooklyn-1.0.0-bin.zip pgp sha256
apache-brooklyn-1.0.0-client-cli-linux.tar.gz pgp sha256
apache-brooklyn-1.0.0-client-cli-linux.zip pgp sha256
apache-brooklyn-1.0.0-client-cli-macosx.tar.gz pgp sha256
apache-brooklyn-1.0.0-client-cli-macosx.zip pgp sha256
apache-brooklyn-1.0.0-client-cli-windows.tar.gz pgp sha256
apache-brooklyn-1.0.0-client-cli-windows.zip pgp sha256
apache-brooklyn-1.0.0-vagrant.tar.gz pgp sha256
apache-brooklyn-1.0.0-vagrant.zip pgp sha256
apache-brooklyn-1.0.0.deb pgp sha256
apache-brooklyn-1.0.0-1.noarch.rpm pgp sha256
apache-brooklyn-1.0.0-classic.tar.gz pgp sha256
apache-brooklyn-1.0.0-classic.zip pgp sha256
apache-brooklyn-1.0.0-M1-bin.tar.gz pgp sha256
apache-brooklyn-1.0.0-M1-bin.zip pgp sha256
apache-brooklyn-1.0.0-M1-classic.tar.gz pgp sha256
apache-brooklyn-1.0.0-M1-classic.zip pgp sha256
apache-brooklyn-1.0.0-M1-1.noarch.rpm pgp sha256
apache-brooklyn-1.0.0-M1-src.tar.gz pgp sha256
apache-brooklyn-1.0.0-M1-src.zip pgp sha256
apache-brooklyn-1.0.0-M1-client-cli-linux.tar.gz pgp sha256
apache-brooklyn-1.0.0-M1-client-cli-linux.zip pgp sha256
apache-brooklyn-1.0.0-M1-client-cli-macosx.tar.gz pgp sha256
apache-brooklyn-1.0.0-M1-client-cli-macosx.zip pgp sha256
apache-brooklyn-1.0.0-M1-client-cli-windows.tar.gz pgp sha256
apache-brooklyn-1.0.0-M1-client-cli-windows.zip pgp sha256
apache-brooklyn-0.12.0-bin.tar.gz pgp sha256
apache-brooklyn-0.12.0-bin.zip pgp sha256
apache-brooklyn-0.12.0-classic.tar.gz pgp sha256
apache-brooklyn-0.12.0-classic.zip pgp sha256
apache-brooklyn-0.12.0-1.noarch.rpm pgp sha256
apache-brooklyn-0.12.0-src.tar.gz pgp sha256
apache-brooklyn-0.12.0-src.zip pgp sha256
apache-brooklyn-0.12.0-client-cli-linux.tar.gz pgp sha256
apache-brooklyn-0.12.0-client-cli-linux.zip pgp sha256
apache-brooklyn-0.12.0-client-cli-macosx.tar.gz pgp sha256
apache-brooklyn-0.12.0-client-cli-macosx.zip pgp sha256
apache-brooklyn-0.12.0-client-cli-windows.tar.gz pgp sha256
apache-brooklyn-0.12.0-client-cli-windows.zip pgp sha256
apache-brooklyn-0.11.0-bin.tar.gz pgp sha256
apache-brooklyn-0.11.0-bin.zip pgp sha256
apache-brooklyn-0.11.0-karaf.tar.gz pgp sha256
apache-brooklyn-0.11.0-karaf.zip pgp sha256
apache-brooklyn-0.11.0-1.noarch.rpm pgp sha256
apache-brooklyn-0.11.0-src.tar.gz pgp sha256
apache-brooklyn-0.11.0-src.zip pgp sha256
apache-brooklyn-0.11.0-client-cli-linux.tar.gz pgp sha256
apache-brooklyn-0.11.0-client-cli-linux.zip pgp sha256
apache-brooklyn-0.11.0-client-cli-macosx.tar.gz pgp sha256
apache-brooklyn-0.11.0-client-cli-macosx.zip pgp sha256
apache-brooklyn-0.11.0-client-cli-windows.tar.gz pgp sha256
apache-brooklyn-0.11.0-client-cli-windows.zip pgp sha256
apache-brooklyn-0.10.0-bin.tar.gz pgp sha256
apache-brooklyn-0.10.0-bin.zip pgp sha256
apache-brooklyn-0.10.0-karaf.tar.gz pgp sha256
apache-brooklyn-0.10.0-karaf.zip pgp sha256
apache-brooklyn-0.10.0-1.noarch.rpm pgp sha256
apache-brooklyn-0.10.0-src.tar.gz pgp sha256
apache-brooklyn-0.10.0-src.zip pgp sha256
apache-brooklyn-0.10.0-client-cli-linux.tar.gz pgp sha256
apache-brooklyn-0.10.0-client-cli-linux.zip pgp sha256
apache-brooklyn-0.10.0-client-cli-macosx.tar.gz pgp sha256
apache-brooklyn-0.10.0-client-cli-macosx.zip pgp sha256
apache-brooklyn-0.10.0-client-cli-windows.tar.gz pgp sha256
apache-brooklyn-0.10.0-client-cli-windows.zip pgp sha256
apache-brooklyn-0.9.0-bin.tar.gz pgp sha256
apache-brooklyn-0.9.0-bin.zip pgp sha256
apache-brooklyn-0.9.0-1.noarch.rpm pgp sha256
apache-brooklyn-0.9.0-src.tar.gz pgp sha256
apache-brooklyn-0.9.0-src.zip pgp sha256
apache-brooklyn-0.9.0-client-cli-linux.tar.gz pgp sha256
apache-brooklyn-0.9.0-client-cli-linux.zip pgp sha256
apache-brooklyn-0.9.0-client-cli-macosx.tar.gz pgp sha256
apache-brooklyn-0.9.0-client-cli-macosx.zip pgp sha256
apache-brooklyn-0.9.0-client-cli-windows.tar.gz pgp sha256
apache-brooklyn-0.9.0-client-cli-windows.zip pgp sha256
apache-brooklyn-0.8.0-incubating-bin.tar.gz pgp sha256
apache-brooklyn-0.8.0-incubating-bin.zip pgp sha256
apache-brooklyn-0.8.0-incubating-src.tar.gz pgp sha256
apache-brooklyn-0.8.0-incubating-src.zip pgp sha256
apache-brooklyn-0.7.0-incubating-bin.tar.gz pgp sha256
apache-brooklyn-0.7.0-incubating-bin.zip pgp sha256
apache-brooklyn-0.7.0-incubating-src.tar.gz pgp sha256
apache-brooklyn-0.7.0-incubating-src.zip pgp sha256
apache-brooklyn-0.7.0-M2-incubating.tar.gz pgp sha256

You can verify the SHA256 hashes easily by placing the hash files in the same folder as the downloaded artifact and then running shasum, which is included in most UNIX-like systems:

shasum -a 256 -c apache-brooklyn-1.0.0-bin.tar.gz.sha256
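
Added example, not part of the original page or Apache Brooklyn project code: a POSIX shell check that compares an artifact against its .sha256 file and fails closed when the hash file is missing or malformed. It assumes the hash file may hold a bare digest, a "digest  filename" line or a BSD-style line; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not Apache Brooklyn project code. Function names are illustrative.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print tolower($1) }'
    else
        shasum -a 256 "$1" | awk '{ print tolower($1) }'
    fi
}

# expected_digest SUMFILE: print the one 64-hex-digit digest found in SUMFILE.
# Fails if there is none or more than one, so a malformed file never passes.
expected_digest() {
    awk '
        {
            n = split(tolower($0), tok, /[^0-9a-f]+/)
            for (i = 1; i <= n; i++)
                if (length(tok[i]) == 64) { count++; digest = tok[i] }
        }
        END {
            if (count != 1) exit 1
            print digest
        }' "$1"
}

# verify_sha256 ARTIFACT [SUMFILE]: 0 = match, 1 = mismatch, 2 = unusable input.
verify_sha256() {
    artifact=$1
    sumfile=${2:-$1.sha256}
    if [ ! -f "$artifact" ] || [ ! -f "$sumfile" ]; then
        echo "missing $artifact or $sumfile" >&2; return 2
    fi
    want=$(expected_digest "$sumfile") || {
        echo "no single SHA-256 digest in $sumfile" >&2; return 2; }
    got=$(sha256_of "$artifact")
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "OK: $artifact"
    else
        echo "MISMATCH: $artifact" >&2; return 1
    fi
}

if [ "$#" -gt 0 ]; then verify_sha256 "$@"; fi
```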

To validate the release signature, download both the .asc signature file for the release and the KEYS file, which contains the public keys of key individuals in the Apache Brooklyn project.

Verify the signatures using one of the following commands:

pgpk -a KEYS
pgpv apache-brooklyn-1.0.0-bin.tar.gz.asc

or

pgp -ka KEYS
pgp apache-brooklyn-1.0.0-bin.zip.asc

or

gpg --import KEYS
gpg --verify apache-brooklyn-1.0.0-bin.tar.gz.asc apache-brooklyn-1.0.0-bin.tar.gz
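
Added example, not part of the original page or project code: the gpg check run in a throwaway keyring, so that only keys imported from KEYS can validate the signature, with the result read from gpg's machine-readable status lines. The function names and the temporary-keyring approach are this example's own choices.

```shell
#!/bin/sh
# Added example, not Apache Brooklyn project code. Function names are illustrative.

# sig_status_ok: read `gpg --status-fd` output on stdin. Succeed, printing the
# signing key fingerprint, only if a VALIDSIG line is present and no line
# reports a bad, unverifiable, expired or revoked signature or key.
sig_status_ok() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { fpr = $3 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        END {
            if (fpr == "" || bad) exit 1
            print fpr
        }'
}

# verify_release_sig KEYS SIGNATURE ARTIFACT
verify_release_sig() {
    home=$(mktemp -d) || return 2
    # Temporary keyring: only keys from the KEYS file can satisfy the check.
    # Import errors are ignored here; a missing key fails the verify step below.
    GNUPGHOME=$home gpg --batch --quiet --import "$1" >/dev/null 2>&1 || true
    # Name the artifact explicitly so gpg checks that exact file.
    GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        sig_status_ok
    rc=$?
    rm -rf "$home"
    return "$rc"
}

if [ "$#" -eq 3 ]; then verify_release_sig "$@"; fi
```

The fingerprint printed on success can be compared with the release manager's fingerprint obtained through a separate channel.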