We are currently voting on the upcoming Apache log4php 2.1.0 release. An Apache release usually contains the src package, an asc file and an md5 file. The asc file contains the signature of the release manager, which is accessible from the project's page. The md5 file contains the checksum for the release.
I wrote a small script which helps to check the md5 and the signature. It has been developed on OS X 10.6.7. I use the preinstalled md5 tool and installed gpg with port install gpg. The latter is pretty similar to pgp, just GPL licensed.
You might tweak this script so it fits your release. May it give you a good start:
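#!/bin/bash
# Usage: ./verify.sh <release-file>
# Expects <release-file>.md5 and <release-file>.asc next to the release file.

# Compute the MD5 of the release file (md5 -q is the OS X tool; it prints only the hash)
file1=$(md5 -q "$1")
# Read the published hash: everything before the '*' in the .md5 file, whitespace stripped
file2=$(cut -d'*' -f1 "$1.md5" | tr -d '[:space:]')

echo "Checking file: $1"
echo "Using MD5 file: $1.md5"
echo "$file1"
echo "$file2"

# Quoted so that an empty value (e.g. a missing file) is a mismatch, not a syntax error
if [ "$file1" != "$file2" ]
then
    echo "md5 sums mismatch"
else
    echo "checksums OK"
fi

# Check the detached signature against the release file
echo "GPG verification output"
gpg --verify "$1.asc" "$1"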
To call it, you need to pass the filename to check as a parameter:
$ ./verify.sh Apache_log4php-2.1.0-pear.tgz
That's it. The output should look like:
Checking file: Apache_log4php-2.1.0-pear.tgz
Using MD5 file: Apache_log4php-2.1.0-pear.tgz.md5
b39f7d2b216542cc7fb81c3a126b07e6
b39f7d2b216542cc7fb81c3a126b07e6
checksums OK
GPG verification output
gpg: Unterschrift vom Di 28 Jun 11:09:39 2011 CEST mittels RSA-Schlüssel ID xxx
gpg: Korrekte Unterschrift von "xxx"
Haupt-Fingerabdruck = xxxxxx
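The script above prints gpg's human-readable output, which is localized and has to be judged by eye. As an added example (not part of the original script), the variant below reads gpg's machine-readable `--status-fd` lines and passes only when the signature is valid and was made by a fingerprint you supply; the file name verify-pinned.sh, the function names and the sample key are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the original verify.sh. Constructed sample of what
# `gpg --status-fd 1 --verify` prints for a good signature (placeholder key):
SAMPLE_STATUS='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Manager
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-06-28 1309252179 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

# check_status EXPECTED_FPR   (gpg status lines on stdin)
# Succeeds only if a VALIDSIG line carries EXPECTED_FPR as signing-key or
# primary-key fingerprint and no line reports a bad, expired or revoked signature.
check_status() {
    local expected prefix tag fpr rest primary ok
    ok=1
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    while read -r prefix tag fpr rest || [ -n "$prefix" ]; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$tag" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                primary=${rest##* }   # last field is the primary key fingerprint
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    ok=0
                fi ;;
        esac
    done
    return "$ok"
}

# verify_release FILE EXPECTED_FPR
# Both gpg's exit code and the parsed status lines must pass.
verify_release() {
    local status
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | check_status "$2"
}

# Run only when called as: ./verify-pinned.sh FILE FINGERPRINT
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "signature OK and made by the expected key"
    else
        echo "signature verification FAILED"
        exit 1
    fi
fi
```

Pass the release manager's full fingerprint as the second argument; the check is only as good as the source you took that fingerprint from.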