We are currently voting on the upcoming Apache log4php 2.1.0 release. An Apache release usually contains the src package, an asc file and an md5 file. The asc file contains the signature of the release manager, whose key is accessible from the project's page. The md5 file contains the checksum for the release.
I wrote a small script which helps to check the md5 and the signature. It has been developed on OS X 10.6.7. I use the preinstalled md5 tool and installed gpg with:
port install gpg
The latter one is pretty similar to pgp, just GPL licensed.
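You might tweak this script so it fits your release. May it give you a good start ;-)
#!/bin/bash
# Usage: ./verify.sh <release-file>
# Expects <release-file>.md5 and <release-file>.asc next to the file.

# MD5 of the downloaded file (OS X md5 tool; -q prints only the digest)
file1=$(md5 -q "$1")
# Expected digest: everything before the "*" in the .md5 file, whitespace removed
file2=$(cut -d'*' -f1 "$1.md5" | tr -d '[:space:]')

echo "Checking file: $1"
echo "Using MD5 file: $1.md5"
echo "$file1"
echo "$file2"

if [ "$file1" != "$file2" ]
then
    echo "md5 sums mismatch"
else
    echo "checksums OK"
fi

echo "GPG verification output"
gpg --verify "$1.asc" "$1"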
To call it, you need to pass the filename to check as a parameter:
$ ./verify.sh Apache_log4php-2.1.0-pear.tgz
That's it. The output should look like:
Checking file: Apache_log4php-2.1.0-pear.tgz
Using MD5 file: Apache_log4php-2.1.0-pear.tgz.md5
b39f7d2b216542cc7fb81c3a126b07e6
b39f7d2b216542cc7fb81c3a126b07e6
checksums OK
GPG verification output
gpg: Unterschrift vom Di 28 Jun 11:09:39 2011 CEST mittels RSA-Schlüssel ID xxx
gpg: Korrekte Unterschrift von "xxx"
Haupt-Fingerabdruck = xxxxxx
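The human-readable gpg output is localized, and a "good signature" line on its own does not show that the signing key is the release manager's. As an added example (not part of the original post), the functions below decide pass or fail from gpg's machine-readable --status-fd lines and compare the VALIDSIG fingerprint with one you obtained from the project. The names check_status and verify_release, the sample fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post.

# Constructed placeholder fingerprint and constructed status lines.
SAMPLE_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager (constructed) <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-06-28 1309252179 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

# check_status EXPECTED_FPR
# Reads "gpg --status-fd 1 --verify" output on stdin. Returns 0 only if a
# VALIDSIG line names the expected fingerprint (signing key or primary key)
# and no bad, expired or revoked signature status is reported.
check_status() {
    local expected line rest fpr primary rc=1
    # Accept fingerprints pasted with spaces or in lower case
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*)
                return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *}       # first field: signing key fingerprint
                primary=${rest##* }   # last field: primary key fingerprint
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    rc=0
                fi ;;
        esac
    done
    return $rc
}

# verify_release FILE EXPECTED_FPR
# Runs gpg on FILE and FILE.asc and lets check_status decide.
verify_release() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status "$2"
}

# Demo on the constructed sample; no gpg or key needed for this line
printf '%s\n' "$SAMPLE_STATUS" | check_status "$SAMPLE_FPR" && echo "sample accepted"
```

In verify.sh the last line would become a call such as verify_release "$1" "<fingerprint from the project's page>", with the script exiting non-zero when it fails.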