Hey everyone,
I have a couple questions about verifying the tarballs I download for
Zookeeper.
I don't see any listing of an official release manager identity and their
pub key. Therefore, I don't know which key I should be getting to verify a
signature against. Is there a list somewhere of the release manager
identity. Ideally, I'd also be able to get the key from an Apache site
protected by TLS (maybe even HTTPS). Am I just missing this info? If so,
where is the info?
Also, I don't see corresponding .asc signature files that can be used to
verify the authenticity of the archives even if I did have a pub key. Are
these located in some special location other than in the directories along
side the released tarballs?
Alternatively, is there a better way to retrieve crypto-secured releases
than just downloading the release tarballs?
Thanks,
wt
I have a couple questions about verifying the tarballs I download for
Zookeeper.
I don't see any listing of an official release manager identity and their
pub key. Therefore, I don't know which key I should be getting to verify a
signature against. Is there a list somewhere of the release manager
identity. Ideally, I'd also be able to get the key from an Apache site
protected by TLS (maybe even HTTPS). Am I just missing this info? If so,
where is the info?
Also, I don't see corresponding .asc signature files that can be used to
verify the authenticity of the archives even if I did have a pub key. Are
these located in some special location other than in the directories along
side the released tarballs?
Alternatively, is there a better way to retrieve crypto-secured releases
than just downloading the release tarballs?
Thanks,
wt