Download binaries with PGP key from ApacheLounge !
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

Posted: Sun 29 Dec '13 20:15    Post subject: Download binaries with PGP key from ApacheLounge !

The PGP signing key for our binaries is now 4096-bit (was 1024 since 2007):
Code:
pub 4096R/29C17558 12/29/2013 Steffen Land (Apache Lounge) <info@apachelounge.com>
    Primary key fingerprint:  3D49 885E ADE8 BC39 9F46 D5DD BEE8 8A78 29C1 7558


This PGP signature allows anyone to verify that a file is identical to the one created by Apache Lounge. Using a signature, users can make sure that what they received has not been modified in any way, either accidentally via a faulty transmission channel, or intentionally (with or without malicious intent).

PGP signatures confer the usual advantages of digital signatures: authentication, integrity and non-repudiation. MD5 and SHA checksums only provide the integrity part as they are not encrypted.

See also https://www.apache.org/info/verification.html

Steffen


Last edited by Steffen on Sun 05 Nov '17 14:15; edited 1 time in total
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

Posted: Sun 05 Nov '17 14:13

There are other sites that supply downloads from ApacheLounge, and that without PGP signature.

So be warned when downloading from another site!

With PGP it verifies that only Steffen from Apache Lounge with the matching private key could have generated the signature. And you can be sure that the download is intact and has not been tampered with.

With just a SHA hash check, anyone could have generated the hash, they could have replaced the hash on the download page with one that matches the binary they've just uploaded. The only thing a hash check alone allows is to verify that a mirror is providing the same file as the download page that sends you to the mirror says and that it didn't suffer accidental corruption during the transfer.
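Added example, not part of the original posts and not Apache Lounge's own tooling: `gpg --verify` succeeds for a good signature from any key in your keyring, so this sketch also pins the signer to the fingerprint published in the first post by reading gpg's machine-readable status lines. The function names and the sample status text are assumptions made for illustration; the key must already be imported.

```python
import subprocess

# Fingerprint exactly as published in the first post above.
PINNED_FPR = "3D49 885E ADE8 BC39 9F46 D5DD BEE8 8A78 29C1 7558"
# gpg status keywords that mean the result must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_matches(status_text, pinned=PINNED_FPR):
    """True only for a good signature whose primary key is `pinned`."""
    want = pinned.replace(" ", "").upper()
    good = fpr_ok = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return False
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG" and len(fields) > 2:
            # The last field is the primary key fingerprint when gpg reports
            # it (it differs from fields[2] if a subkey made the signature).
            primary = fields[11] if len(fields) > 11 else fields[2]
            if primary.upper() != want:
                return False  # signed by a key other than the pinned one
            fpr_ok = True
    return good and fpr_ok

def verify_download(file_path, sig_path):
    """Check a detached signature with the local gpg binary."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and signer_matches(proc.stdout)

# Constructed status output: timestamps and the second fingerprint are made up.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG BEE88A7829C17558 Steffen Land (Apache Lounge)\n"
    "[GNUPG:] VALIDSIG 3D49885EADE8BC399F46D5DDBEE88A7829C17558 2017-11-05 "
    "1509891300 0 4 0 1 8 00 3D49885EADE8BC399F46D5DDBEE88A7829C17558\n")
SAMPLE_OTHER_KEY = SAMPLE_GOOD.replace(
    "3D49885EADE8BC399F46D5DDBEE88A7829C17558",
    "0123456789ABCDEF0123456789ABCDEF01234567")
```

`signer_matches(SAMPLE_OTHER_KEY)` is the case a bare exit-code check would miss: the signature is cryptographically good, but it was made by a different key.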