All official releases of code distributed by the Apache Fineract Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.
You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than from mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors.
The following example details how signature interaction works. In this example, you are already assumed to have downloaded apache-fineract-0.6.0-incubating-src.tar.gz (the source release) and apache-fineract-0.6.0-incubating-src.tar.gz.asc (the detached signature).
This example uses The GNU Privacy Guard. Any OpenPGP -compliant program should work successfully.
First, we will check the detached signature ( fineract-0.6.0-incubating-src.tar.gz.asc ) against our release ( apache-fineract-0.6.0-incubating-src.tar.gz ).
% gpg --verify fineract-0.6.0-incubating-src.tar.gz.asc apache-fineract-0.6.0-incubating-src.tar.gz gpg: Signature made 12/07/16 16:33:37 India Standard Time using RSA key ID 0BB29444 gpg: Can't check signature: No public key
We don't have the release manager's public key ( 0BB29444 ) in our local system. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface ). The public key servers are linked together, so you should be able to connect to any key server.
% gpg --keyserver pgpkeys.mit.edu --recv-key 0BB29444 gpg: requesting key 0BB29444 from HKP keyserver pgpkeys.mit.edu gpg: trustdb created gpg: key 0BB29444: public key "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer1100126@apache.org>" imported gpg: Total number processed: 1 gpg: imported: 1
Another way to retrieve the public key is from KEYS file which is available as part Apache Fineract Project (https://dist.apache.org/repos/dist/dev/incubator/fineract)
% gpg --import KEYS gpg: key B983100D: public key "Adi Raju (CODE SIGNING KEY FOR APACHE FINERACT) <rajuan@apache.org>" imported gpg: key 0CB6C40C: "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer.shaik@confluxtechnologies.com>" not changed gpg: key 0BB29444: public key "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer1100126@apache.org>" imported gpg: Total number processed: 3 gpg: imported: 2 (RSA: 2) gpg: unchanged: 1
In this example, you have now received a public key for an entity known as 'Shaik Nazeer Hussain<nazeer1100126@apache.org>' However, you have no way of verifying this key was created by the person known as Shaik Nazeer Hussain. But, let's try to verify the release signature again.
% gpg --verify apache-fineract-0.5.0-incubating-src.tar.gz.asc apache-fineract-0.5.0-incubating-src.tar.gz gpg: Signature made 12/07/16 16:33:37 India Standard Time using RSA key ID 0BB29444 gpg: Good signature from "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer1100126@apache.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: AF4F D65D E78C A5B1 BF30 939F 80C4 D889 0BB2 9444
At this point, the signature is good, but we don't trust this key. A good signature means that the file has not been tampered. However, due to the nature of public key cryptography, you need to additionally verify that key 0BB29444 was created by the real Shaik Nazeer Hussain.
Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.