GPG Key Setup

Ed Espino edited this page Jun 6, 2025 · 3 revisions

PGP Signature Verification Instructions

To verify the integrity and authenticity of the release artifacts, use the Apache PGP process:

  • Import the release manager’s public key (if not already trusted):

        curl https://dist.apache.org/repos/dist/dev/incubator/cloudberry/KEYS | gpg --import

  • Verify the signature of the source release artifact:

        gpg --verify apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz.asc apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz

Expected output (the warning appears when the imported key has not been certified in your local keyring):

gpg: Good signature from "Ed Espino <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Validate the SHA512 checksum:

sha512sum -c apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz.sha512

Expected output:

apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz: OK
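
"Good signature" with the untrusted-key warning only shows that some key in your keyring signed the file. The added script below (not part of the project's instructions) pins the signer by fingerprint using gpg's machine-readable status output, then runs the checksum step. `EXPECTED_FPR`, `SAMPLE_STATUS` and the function names are assumptions; the fingerprint is a constructed placeholder to be replaced with one obtained from a channel you trust.

```shell
#!/bin/sh
# Added example: scriptable form of the manual checks above.
# EXPECTED_FPR is a constructed placeholder, NOT the release manager's real key.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-06-06 1749168000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# sig_matches_fpr FPR: read gpg status lines on stdin. Succeeds only if every
# VALIDSIG names FPR as its primary key (last field) and no failure status
# (bad, unverifiable, expired or revoked) appears. Fails closed on empty input.
sig_matches_fpr() {
    [ -n "$1" ] || return 2
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release ARTIFACT [FPR]: signature pinned to FPR, then the SHA512 file.
# Run from the directory holding ARTIFACT, ARTIFACT.asc and ARTIFACT.sha512, e.g.
#   verify_release apache-cloudberry-2.0.0-incubating-rc1-src.tar.gz "$EXPECTED_FPR"
verify_release() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | sig_matches_fpr "${2:-$EXPECTED_FPR}" || return 1
    sha512sum -c "$1.sha512"
}
```
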

For more information, see the [Apache Release Signing Guide](https://www.apache.org/dev/release-signing.html).