|A Rule Engine for State and Event Monitoring|
If you follow the steps described here, you can be reasonably assured a file downloaded from a mirror has not been accidentally or deliberately compromised. However, this is not completely assured because this site could also be compromised, including the keys and signatures you obtain to verify release files. We periodically test for this by comparing the keys and signatures to reference copies on an undisclosed server.
File integrity may be checked using either an MD5 checksum (message digest) or a PGP signature, whichever you prefer. The digest and signature files have names that extend the release file name with ".md5" or ".asc".
You should only use digest and signature files downloaded from this site. Links to the digest and signature files are represented by the icons to the right of a release file name as illustrated here. (The icons in this example are not links.)
A NodeBrain developer creates the *.md5 digest file as follows.
To verify the integrity of a release file using an MD5 checksum, place the digest file downloaded from this site in the same directory as the downloaded release file and issue the md5sum command. For the file illustrated above, it would look like this.
A NodeBrain developer creates an *.asc signature for a release file with the following command.
Before attempting to verify a NodeBrain release file using pgp, you must first download the public keys of our developers
$ gpg --import nbdevkeys.txt
$ gpg nodebrain-0.8.15.tar.gz.asc
The Apache HTTP Server Project has a good description of release verification using PGP signature files. As they note, The GNU Privacy Handbook has an applicable section titled Validating other keys on your public keyring.
Copyright © 2015 NodeBrain.org