A Rule Engine for State and Event Monitoring

Checking File Integrity

If you follow the steps described here, you can be reasonably assured a file downloaded from a mirror has not been accidentally or deliberately compromised. However, this is not completely assured because this site could also be compromised, including the keys and signatures you obtain to verify release files. We periodically test for this by comparing the keys and signatures to reference copies on an undisclosed server.

File integrity may be checked using either an MD5 checksum (message digest) or a PGP signature, whichever you prefer. The digest and signature files have names that extend the release file name with ".md5" or ".asc".

  • package-release.format  (Released file)
  • package-release.format.md5  (MD5 checksum)
  • package-release.format.asc  (PGP signature)

You should only use digest and signature files downloaded from this site. Links to the digest and signature files are represented by the icons to the right of a release file name as illustrated here. (The icons in this example are not links.)


MD5 Checksum

A NodeBrain developer creates the *.md5 digest file as follows.

    $ md5sum nodebrain-0.8.15.tar.gz > nodebrain-0.8.15.tar.gz.md5

To verify the integrity of a release file using an MD5 checksum, place the digest file downloaded from this site in the same directory as the downloaded release file and issue the md5sum command. For the file illustrated above, it would look like this.

    $ md5sum -c nodebrain-0.8.15.tar.gz.md5

This method is appropriate when your intended use of a release file does not include critical applications or critical servers. We expect this to be the case for early versions of NodeBrain that have not been tested well enough for use in critical applications.

PGP Signature

A NodeBrain developer creates an *.asc signature for a release file with the following command.

    $ gpg -sba nodebrain-0.8.15.tar.gz

Before attempting to verify a NodeBrain release file using PGP, you must first download the public keys of our developers (nbdevkeys.txt) and add them to your keyring, using the pgp or gpg command depending on which tool you have.

    $ pgp -ka nbdevkeys.txt
    $ gpg --import nbdevkeys.txt

To verify the integrity and authenticity of a given release file, place the signature file downloaded from this site in the same directory as the downloaded release file and issue the corresponding command.

    $ pgp nodebrain-0.8.15.tar.gz.asc
    $ gpg nodebrain-0.8.15.tar.gz.asc

This will tell you if the release file, public key and signature match. If they do, and you trust the public key used to sign the release file, then you can trust the release file. However, if you have no reason to trust the public key, which will be the case for most people, you will at least know that someone had to go to a lot of trouble to trick you if the release file is bad. You must decide if that is sufficient reassurance for you. If not, you must take steps to verify that the public key actually belongs to a NodeBrain developer.
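The two checks described on this page (the MD5 digest check and the GnuPG signature check) combined into one fail-closed script, as an added example that is not part of the NodeBrain site. It assumes GNU coreutils (md5sum, awk) and gpg are installed; the `FINGERPRINT` argument, the `verify_*` function names and the all-zero fingerprint in the usage comment are assumptions of this example, and the real signing-key fingerprint has to come from a NodeBrain developer through some channel other than this site.

```shell
#!/bin/sh
# Added example (not NodeBrain's own code): verify a downloaded release
# against its .md5 digest file and its detached .asc signature.
# Assumes GNU coreutils (md5sum, awk) and GnuPG (gpg).

# verify_md5 RELEASE
# Compares RELEASE against RELEASE.md5, which holds one line of md5sum
# output: "<32 hex digits>  <file name>". Returns 0 on match, 1 otherwise.
verify_md5() {
    release=$1
    digest="$release.md5"
    [ -f "$release" ] && [ -f "$digest" ] || return 1
    read -r expected listed_name < "$digest" || [ -n "$expected" ] || return 1
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    # Refuse anything that is not exactly 32 hex digits: a truncated file or
    # an HTML error page saved as ".md5" must not pass as a digest.
    case $expected in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 1
    # Warn (but do not fail) if the download was saved under another name;
    # plain "md5sum -c" would report "No such file" in that situation.
    [ "${listed_name#\*}" = "$(basename "$release")" ] ||
        echo "note: digest file lists '$listed_name'" >&2
    actual=$(md5sum "$release" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# verify_sig RELEASE FINGERPRINT
# Runs "gpg --verify RELEASE.asc RELEASE" in machine-readable mode and
# requires a VALIDSIG line whose signing-key fingerprint equals the pinned
# FINGERPRINT (40 hex digits, spaces allowed). Returns 0 only when both hold:
# gpg itself exits 0 for a good signature from *any* key in the keyring.
verify_sig() {
    release=$1
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    sig="$release.asc"
    [ -f "$release" ] && [ -f "$sig" ] || return 1
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    # --status-fd 1 emits "[GNUPG:] VALIDSIG <fpr> <date> <epoch> ..." for a
    # cryptographically valid signature; BADSIG/ERRSIG give a non-zero exit.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$release" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_release RELEASE FINGERPRINT: both checks; fail closed on either.
verify_release() {
    verify_md5 "$1" || { echo "FAIL: MD5 digest mismatch: $1" >&2; return 1; }
    verify_sig "$1" "$2" || { echo "FAIL: signature not valid for pinned key: $1" >&2; return 1; }
    echo "OK: $1 verified against digest and pinned signing key"
}

# Usage (the fingerprint below is a placeholder, not a NodeBrain key):
#   verify_release nodebrain-0.8.15.tar.gz \
#       "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
```

Pinning the fingerprint is what turns the page's "someone had to go to a lot of trouble" into a hard check: gpg reports a good signature for any key you have imported, including a key planted in a tampered nbdevkeys.txt, so the script only accepts the one key you have confirmed out of band. The MD5 step catches corruption or substitution on a mirror, but since the .md5 file comes from this site it gives no protection if this site is the thing compromised, and MD5 is no longer collision-resistant, which is why the page reserves it for non-critical use.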

The Apache HTTP Server Project has a good description of release verification using PGP signature files. As they note, The GNU Privacy Handbook has an applicable section titled Validating other keys on your public keyring.

Copyright © 2015