Apache PGP Signature and SHA512 Checksum Verification
Ed Espino edited this page Jul 7, 2025 · 2 revisions
To verify the integrity and authenticity of the release artifacts, use the Apache PGP process:

- Import the release manager’s public key (if not already trusted):

  ```
  curl https://dist.apache.org/repos/dist/release/incubator/cloudberry/KEYS | gpg --import
  ```

- Verify the signature of the source release artifact:

  ```
  gpg --verify apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz.asc apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz
  ```

  Expected output:

  ```
  gpg: Signature made Thu 05 Jun 2025 05:43:53 PM PDT
  gpg: using RSA key 21571B62BF59A2C896EEA49060C8D62C26775FC1
  gpg: issuer "[email protected]"
  gpg: Good signature from "Ed Espino <[email protected]>" [unknown]
  gpg: WARNING: The key's User ID is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 3B90 B563 4E45 06F0 5BA5 1F2F C960 4135 C07C D12A
  Subkey fingerprint: 2157 1B62 BF59 A2C8 96EE A490 60C8 D62C 2677 5FC1
  ```

- Verify the SHA512 checksum of the source release artifact:

  ```
  sha512sum -c apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz.sha512
  ```

  Expected output:

  ```
  apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz: OK
  ```
For more information, see the [Apache Release Signing Guide](https://www.apache.org/dev/release-signing.html).
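
The warning in the expected output means gpg found a valid signature but has no trust path to the key, so a scripted check should compare the signing key's fingerprint with a pinned value rather than rely on the "Good signature" line. The following is an added example, not part of the original wiki page or the project's tooling: it parses `gpg --status-fd` output and pins the primary key fingerprint shown in the expected output above. The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the project's own script. The pin is the primary key
# fingerprint from the expected output on this page; confirm it yourself.
EXPECTED_PRIMARY_FPR="3B90B5634E4506F05BA51F2FC9604135C07CD12A"

# Constructed sample of `gpg --status-fd 1 --verify` output (user ID and
# timestamps are made up; the two fingerprints are the ones shown on this page).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 60C8D62C26775FC1 Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 21571B62BF59A2C896EEA49060C8D62C26775FC1 2025-06-06 1749170633 0 4 0 1 10 00 3B90B5634E4506F05BA51F2FC9604135C07CD12A'

# Read status lines on stdin and print the primary key fingerprint.
# Requires GOODSIG as well as VALIDSIG: gpg reports EXPSIG, EXPKEYSIG or
# REVKEYSIG in place of GOODSIG when the signature or key is expired or revoked.
# The primary key fingerprint is the last field of the VALIDSIG line.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (!good || fpr == "") exit 1; print fpr }'
}

# Return 0 only if the status text on stdin reports a good signature made
# under the primary key whose fingerprint is given as $1.
status_matches_pinned_key() {
    fpr=$(primary_fpr_from_status) || return 1
    [ "$fpr" = "$1" ]
}

# verify_release <artifact> <detached-signature>: run gpg and apply the pin.
# gpg's human-readable messages on stderr are discarded; only status lines count.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_matches_pinned_key "$EXPECTED_PRIMARY_FPR"
}

# Usage: sh verify.sh <artifact> <artifact.asc>
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && echo "signature OK and key matches pin"
fi
```

Because the check reads machine-readable status lines, it does not depend on the locale or wording of gpg's messages, and it fails closed when the signature is bad, the key is expired or revoked, or the signer is a different key.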