We are currently voting on the upcoming Apache log4php 2.1.0 release. An Apache release usually contains the src package, an asc file a nd an md5 file. The asc contains the signature of the release manager, which is accessible from the projects page. The md5 file contains the checksum for the release.
I wrote a small script which helps to check the md5 and the signature. It has been developed on OS X 10.6.7. I use the preinstalled md5 tool and installed gpg with:
The latter one is pretty similar to pgp, just GPL licensed.
You might tweak this script so it fits to your release. May it give you a good start ;-)
To call it, you need to pass the filename to check as a parameter: