Verify the Integrity of Downloads

You can verify the integrity of the downloaded files using their PGP signatures or SHA-1 checksums.

Verifying Hashes

To verify the downloads, first get the MD5, SHA1 and/or SHA256 hashes using these links. Note that all links are for first-class Apache Software Foundation mirrors so there is already reduced opportunity for anyone maliciously tampering with these files.

Artifact	Hashes
apache-brooklyn-0.12.0-bin.tar.gz	md5	sha1	sha256
apache-brooklyn-0.12.0-bin.zip	md5	sha1	sha256
apache-brooklyn-0.12.0-classic.tar.gz	md5	sha1	sha256
apache-brooklyn-0.12.0-classic.zip	md5	sha1	sha256
apache-brooklyn-0.12.0-1.noarch.rpm	md5	sha1	sha256
apache-brooklyn-0.12.0-src.tar.gz	md5	sha1	sha256
apache-brooklyn-0.12.0-src.zip	md5	sha1	sha256
apache-brooklyn-0.12.0-client-cli-linux.tar.gz	md5	sha1	sha256
apache-brooklyn-0.12.0-client-cli-linux.zip	md5	sha1	sha256
apache-brooklyn-0.12.0-client-cli-macosx.tar.gz	md5	sha1	sha256
apache-brooklyn-0.12.0-client-cli-macosx.zip	md5	sha1	sha256
apache-brooklyn-0.12.0-client-cli-windows.tar.gz	md5	sha1	sha256
apache-brooklyn-0.12.0-client-cli-windows.zip	md5	sha1	sha256
apache-brooklyn-0.11.0-bin.tar.gz	md5	sha1	sha256
apache-brooklyn-0.11.0-bin.zip	md5	sha1	sha256
apache-brooklyn-0.11.0-karaf.tar.gz	md5	sha1	sha256
apache-brooklyn-0.11.0-karaf.zip	md5	sha1	sha256
apache-brooklyn-0.11.0-1.noarch.rpm	md5	sha1	sha256
apache-brooklyn-0.11.0-src.tar.gz	md5	sha1	sha256
apache-brooklyn-0.11.0-src.zip	md5	sha1	sha256
apache-brooklyn-0.11.0-client-cli-linux.tar.gz	md5	sha1	sha256
apache-brooklyn-0.11.0-client-cli-linux.zip	md5	sha1	sha256
apache-brooklyn-0.11.0-client-cli-macosx.tar.gz	md5	sha1	sha256
apache-brooklyn-0.11.0-client-cli-macosx.zip	md5	sha1	sha256
apache-brooklyn-0.11.0-client-cli-windows.tar.gz	md5	sha1	sha256
apache-brooklyn-0.11.0-client-cli-windows.zip	md5	sha1	sha256
apache-brooklyn-0.10.0-bin.tar.gz	md5	sha1	sha256
apache-brooklyn-0.10.0-bin.zip	md5	sha1	sha256
apache-brooklyn-0.10.0-karaf.tar.gz	md5	sha1	sha256
apache-brooklyn-0.10.0-karaf.zip	md5	sha1	sha256
apache-brooklyn-0.10.0-1.noarch.rpm	md5	sha1	sha256
apache-brooklyn-0.10.0-src.tar.gz	md5	sha1	sha256
apache-brooklyn-0.10.0-src.zip	md5	sha1	sha256
apache-brooklyn-0.10.0-client-cli-linux.tar.gz	md5	sha1	sha256
apache-brooklyn-0.10.0-client-cli-linux.zip	md5	sha1	sha256
apache-brooklyn-0.10.0-client-cli-macosx.tar.gz	md5	sha1	sha256
apache-brooklyn-0.10.0-client-cli-macosx.zip	md5	sha1	sha256
apache-brooklyn-0.10.0-client-cli-windows.tar.gz	md5	sha1	sha256
apache-brooklyn-0.10.0-client-cli-windows.zip	md5	sha1	sha256
apache-brooklyn-0.9.0-bin.tar.gz	md5	sha1	sha256
apache-brooklyn-0.9.0-bin.zip	md5	sha1	sha256
apache-brooklyn-0.9.0-1.noarch.rpm	md5	sha1	sha256
apache-brooklyn-0.9.0-src.tar.gz	md5	sha1	sha256
apache-brooklyn-0.9.0-src.zip	md5	sha1	sha256
apache-brooklyn-0.9.0-client-cli-linux.tar.gz	md5	sha1	sha256
apache-brooklyn-0.9.0-client-cli-linux.zip	md5	sha1	sha256
apache-brooklyn-0.9.0-client-cli-macosx.tar.gz	md5	sha1	sha256
apache-brooklyn-0.9.0-client-cli-macosx.zip	md5	sha1	sha256
apache-brooklyn-0.9.0-client-cli-windows.tar.gz	md5	sha1	sha256
apache-brooklyn-0.9.0-client-cli-windows.zip	md5	sha1	sha256
apache-brooklyn-0.8.0-incubating-bin.tar.gz	md5	sha1	sha256
apache-brooklyn-0.8.0-incubating-bin.zip	md5	sha1	sha256
apache-brooklyn-0.8.0-incubating-src.tar.gz	md5	sha1	sha256
apache-brooklyn-0.8.0-incubating-src.zip	md5	sha1	sha256
apache-brooklyn-0.7.0-incubating-bin.tar.gz	md5	sha1	sha256
apache-brooklyn-0.7.0-incubating-bin.zip	md5	sha1	sha256
apache-brooklyn-0.7.0-incubating-src.tar.gz	md5	sha1	sha256
apache-brooklyn-0.7.0-incubating-src.zip	md5	sha1	sha256
apache-brooklyn-0.7.0-M2-incubating	md5	sha1	sha256

You can verify the SHA1 or SHA256 hashes easily by placing the files in the same folder as the download artifact and then running shasum, which is included in most UNIX-like systems:

shasum -c apache-brooklyn-1.1.0.tar.gz.sha1
shasum -c apache-brooklyn-1.1.0.tar.gz.sha256

You can verify the MD5 hashes by running a command like this, and comparing the output to the contents of the .md5 file:

md5 apache-brooklyn-1.1.0.tar.gz

Verifying PGP Signatures using PGP or GPG

You can download PGP/GPG signatures using these links. Note that these links are for first-class Apache Software Foundation mirrors so there will be reduced opportunity for tampering with these files.

Artifact	Link
Release Manager's public keys	KEYS
apache-brooklyn-0.12.0-bin.tar.gz	asc
apache-brooklyn-0.12.0-bin.zip	asc
apache-brooklyn-0.12.0-classic.tar.gz	asc
apache-brooklyn-0.12.0-classic.zip	asc
apache-brooklyn-0.12.0-1.noarch.rpm	asc
apache-brooklyn-0.12.0-src.tar.gz	asc
apache-brooklyn-0.12.0-src.zip	asc
apache-brooklyn-0.12.0-client-cli-linux.tar.gz	asc
apache-brooklyn-0.12.0-client-cli-linux.zip	asc
apache-brooklyn-0.12.0-client-cli-macosx.tar.gz	asc
apache-brooklyn-0.12.0-client-cli-macosx.zip	asc
apache-brooklyn-0.12.0-client-cli-windows.tar.gz	asc
apache-brooklyn-0.12.0-client-cli-windows.zip	asc
apache-brooklyn-0.11.0-bin.tar.gz	asc
apache-brooklyn-0.11.0-bin.zip	asc
apache-brooklyn-0.11.0-karaf.tar.gz	asc
apache-brooklyn-0.11.0-karaf.zip	asc
apache-brooklyn-0.11.0-1.noarch.rpm	asc
apache-brooklyn-0.11.0-src.tar.gz	asc
apache-brooklyn-0.11.0-src.zip	asc
apache-brooklyn-0.11.0-client-cli-linux.tar.gz	asc
apache-brooklyn-0.11.0-client-cli-linux.zip	asc
apache-brooklyn-0.11.0-client-cli-macosx.tar.gz	asc
apache-brooklyn-0.11.0-client-cli-macosx.zip	asc
apache-brooklyn-0.11.0-client-cli-windows.tar.gz	asc
apache-brooklyn-0.11.0-client-cli-windows.zip	asc
apache-brooklyn-0.10.0-bin.tar.gz	asc
apache-brooklyn-0.10.0-bin.zip	asc
apache-brooklyn-0.10.0-karaf.tar.gz	asc
apache-brooklyn-0.10.0-karaf.zip	asc
apache-brooklyn-0.10.0-1.noarch.rpm	asc
apache-brooklyn-0.10.0-src.tar.gz	asc
apache-brooklyn-0.10.0-src.zip	asc
apache-brooklyn-0.10.0-client-cli-linux.tar.gz	asc
apache-brooklyn-0.10.0-client-cli-linux.zip	asc
apache-brooklyn-0.10.0-client-cli-macosx.tar.gz	asc
apache-brooklyn-0.10.0-client-cli-macosx.zip	asc
apache-brooklyn-0.10.0-client-cli-windows.tar.gz	asc
apache-brooklyn-0.10.0-client-cli-windows.zip	asc
apache-brooklyn-0.9.0-bin.tar.gz	asc
apache-brooklyn-0.9.0-bin.zip	asc
apache-brooklyn-0.9.0-1.noarch.rpm	asc
apache-brooklyn-0.9.0-src.tar.gz	asc
apache-brooklyn-0.9.0-src.zip	asc
apache-brooklyn-0.9.0-client-cli-linux.tar.gz	asc
apache-brooklyn-0.9.0-client-cli-linux.zip	asc
apache-brooklyn-0.9.0-client-cli-macosx.tar.gz	asc
apache-brooklyn-0.9.0-client-cli-macosx.zip	asc
apache-brooklyn-0.9.0-client-cli-windows.tar.gz	asc
apache-brooklyn-0.9.0-client-cli-windows.zip	asc
apache-brooklyn-0.8.0-incubating-bin.tar.gz	asc
apache-brooklyn-0.8.0-incubating-bin.zip	asc
apache-brooklyn-0.8.0-incubating-src.tar.gz	asc
apache-brooklyn-0.8.0-incubating-src.zip	asc
apache-brooklyn-0.7.0-incubating-bin.tar.gz	asc
apache-brooklyn-0.7.0-incubating-bin.zip	asc
apache-brooklyn-0.7.0-incubating-src.tar.gz	asc
apache-brooklyn-0.7.0-incubating-src.zip	asc
apache-brooklyn-0.7.0-M2-incubating.tar.gz	asc

In order to validate the release signature, download both the release .asc file for the release, and the KEYS file which contains the public keys of key individuals in the Apache Brooklyn project.

Verify the signatures using one of the following commands:

pgpk -a KEYS
pgpv brooklyn-1.1.0-dist.tar.gz.asc

pgp -ka KEYS
pgp brooklyn-1.1.0-dist.zip.asc

gpg --import KEYS
gpg --verify brooklyn-1.1.0-dist.tar.gz.asc