...
- Verify signatures using the instructions at https://www.apache.org/info/verification.html#CheckingSignatures. You will need GPG installed. On macOS, you can install GPG with Homebrew using `brew install gpg`. Verify checksums for the source and binary artifacts against the corresponding .mds files. For example, a quick way to do so using gpg is:

  ```bash
  gpg --print-mds hadoop-3.1.1-src.tar.gz > mds.tmp
  diff hadoop-3.1.1-src.tar.gz.mds mds.tmp
  ```
- Verify that there are no MD5 signatures provided.
- Verify that jars have been correctly staged to repository.apache.org.
- For 3.x releases and later, verify that the shaded fat jars look correct.
- Sanity check the CHANGES.md and RELEASENOTES.md files.
- Verify that source and binary tarballs include LICENSE.txt and NOTICE.txt files.
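Several of the file-level items above (no MD5 files, a signature and .mds file beside each tarball, LICENSE.txt and NOTICE.txt inside each tarball) can be scripted. The following is an added example, not part of the Hadoop release tooling; the function names, the `.asc` suffix for detached signatures and the assumption that all artifacts sit in one directory are illustrative. It does not replace the GPG signature and digest verification described above.

```bash
#!/usr/bin/env bash
# Added example: offline checks on a downloaded release-candidate directory.
# Function names and the one-directory layout are assumptions.

# Fail if any MD5 file is published next to the artifacts.
check_no_md5() {
  local dir=$1 found
  found=$(find "$dir" -type f -iname '*.md5' -print)
  if [ -n "$found" ]; then
    printf 'MD5 files present:\n%s\n' "$found" >&2
    return 1
  fi
}

# Fail unless every tarball has a non-empty .asc signature and .mds digest file.
check_companions() {
  local dir=$1 rc=0 t ext
  for t in "$dir"/*.tar.gz; do
    if [ ! -e "$t" ]; then echo "no tarballs in $dir" >&2; return 1; fi
    for ext in asc mds; do
      [ -s "$t.$ext" ] || { echo "missing or empty: $t.$ext" >&2; rc=1; }
    done
  done
  return "$rc"
}

# Fail unless the tarball contains both LICENSE.txt and NOTICE.txt.
check_legal_files() {
  local tarball=$1 rc=0 f names
  # Reduce each archive member to its base name for an exact match.
  names=$(tar -tzf "$tarball" | sed 's|.*/||')
  for f in LICENSE.txt NOTICE.txt; do
    printf '%s\n' "$names" | grep -qxF "$f" || { echo "$tarball: no $f" >&2; rc=1; }
  done
  return "$rc"
}

# Run every check and report all failures instead of stopping at the first.
verify_rc_dir() {
  local dir=$1 rc=0 t
  check_no_md5 "$dir" || rc=1
  check_companions "$dir" || rc=1
  for t in "$dir"/*.tar.gz; do
    if [ -e "$t" ]; then check_legal_files "$t" || rc=1; fi
  done
  return "$rc"
}
```

Source the file and call `verify_rc_dir` with the directory holding the downloaded release candidate; a non-zero return means at least one item needs a closer look.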
...