This content is for Brooklyn 0.6.0, and may differ across versions.
Verify the Integrity of Downloads
It is essential for security that you verify the integrity of the downloaded files using their PGP signatures or SHA-1 checksums.
Verifying PGP signatures using PGP or GPG
Download the brooklyn-gpg-public-key.asc file and the .asc PGP signature file for the relevant artefact.
(Make sure you get these files from the main Sonatype repository rather than from a mirror.)
Verify the signatures using one of the following commands:
pgpk -a brooklyn-gpg-public-key.asc
pgpv brooklyn-0.6.0-dist.tar.gz.asc
or
pgp -ka brooklyn-gpg-public-key.asc
pgp brooklyn-0.6.0-dist.zip.asc
or
gpg --import brooklyn-gpg-public-key.asc
gpg --verify brooklyn-0.6.0-dist.tar.gz.asc
You can also verify the SHA-1 checksum of the files.
A program called sha1 or sha1sum is included in most Linux distributions and OS X. For Windows users, fsum supports SHA-1.
Ensure the generated checksum string matches the contents of the .sha1 file for the relevant artefact (and again, download it from the Sonatype repository rather than from a mirror).
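The checksum comparison described above can be scripted; the following is an added example, not part of the Brooklyn documentation. It assumes the .sha1 file holds either the bare digest or the digest followed by a file name, and the function names sha1_of and verify_sha1 are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Brooklyn docs): check a download against its .sha1 file.
# Usage after sourcing this file: verify_sha1 brooklyn-0.6.0-dist.tar.gz

# Print the hex SHA-1 of a file, using whichever common tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 < "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 < "$1" | awk '{print $NF}'
    else
        echo "no SHA-1 tool found" >&2
        return 2
    fi
}

# verify_sha1 ARTEFACT [CHECKSUM_FILE]   (default: ARTEFACT.sha1)
# Returns 0 on match, 1 on mismatch, 2 if a file is missing or malformed.
verify_sha1() {
    artefact=$1
    sumfile=${2:-$1.sha1}
    if [ ! -f "$artefact" ] || [ ! -f "$sumfile" ]; then
        echo "missing artefact or checksum file" >&2
        return 2
    fi
    # Assumption: the file holds either the bare digest or "digest  filename".
    # Take the first field of the first line, drop any CR, and lower-case it.
    expected=$(tr -d '\r' < "$sumfile" | awk 'NR==1 {print tolower($1)}')
    # Anything other than 40 hex characters (for example a saved HTML error
    # page or an empty file) is not a SHA-1 checksum.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed checksum file: $sumfile" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "malformed checksum file: $sumfile" >&2
        return 2
    fi
    actual=$(sha1_of "$artefact") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $artefact"
        return 0
    fi
    echo "MISMATCH: $artefact (expected $expected, got $actual)" >&2
    return 1
}
```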