We are currently voting on the upcoming Apache log4php 2.1.0 release. An Apache release usually contains the src package, an asc file and an md5 file. The asc file contains the signature of the release manager, which is accessible from the project's page. The md5 file contains the checksum for the release.
I wrote a small script which helps to check the md5 and the signature. It has been developed on OS X 10.6.7. I use the preinstalled md5 tool and installed gpg with:
port install gpg
The latter is pretty similar to PGP, just GPL licensed.
You might tweak this script so it fits your release. May it give you a good start ;-)
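#!/bin/bash
# Usage: ./verify.sh <release-file>
# Expects <release-file>.md5 and <release-file>.asc next to the release file.
# Checksum of the downloaded file (md5 -q is the OS X md5 tool)
file1=$(md5 -q "$1")
# Expected checksum: the part before the '*' in the .md5 file, whitespace stripped
file2=$(cut -d'*' -f1 "$1.md5" | tr -d '[:space:]')
echo "Checking file: $1"
echo "Using MD5 file: $1.md5"
echo "$file1"
echo "$file2"
if [ "$file1" != "$file2" ]
then
  echo "md5 sums mismatch"
else
  echo "checksums OK"
fi
echo "GPG verification output"
# Verify the detached signature in the .asc file against the release file
gpg --verify "$1.asc" "$1"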
To call it, you need to pass the filename to check as a parameter:
$ ./verify.sh Apache_log4php-2.1.0-pear.tgz
That’s it. The output should look like:
Checking file: Apache_log4php-2.1.0-pear.tgz
Using MD5 file: Apache_log4php-2.1.0-pear.tgz.md5
b39f7d2b216542cc7fb81c3a126b07e6
b39f7d2b216542cc7fb81c3a126b07e6
checksums OK
GPG verification output
gpg: Unterschrift vom Di 28 Jun 11:09:39 2011 CEST mittels RSA-Schlüssel ID xxx
gpg: Korrekte Unterschrift von "xxx"
Haupt-Fingerabdruck = xxxxxx
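The script above leaves gpg's output for a human to read, and that text is localized (German here). As an added example, not part of the original script, the check below reads gpg's machine-readable status lines instead and passes only when the signature is good and was made by an expected key fingerprint. The function names, the sample status lines and the fingerprint are constructed for illustration; the real fingerprint has to come from the release manager's published key.

```shell
#!/bin/bash
# Added example (not the original verify.sh).
# signer_matches FINGERPRINT: reads `gpg --status-fd` output on stdin and
# succeeds only if the signature is good AND was made by FINGERPRINT.
signer_matches() {
    # Accept the fingerprint with or without spaces, in any letter case.
    want=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    # Refuse short key IDs: they are not unique enough to pin a signer.
    [ "${#want}" -ge 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # GOODSIG is only emitted when the key is not expired or revoked;
        # VALIDSIG alone also appears next to EXPKEYSIG / REVKEYSIG.
        $2 == "GOODSIG" { good = 1 }
        # Field 3 is the signing (sub)key, the last field the primary key.
        # Appending "" forces a string comparison even for all-digit values.
        $2 == "VALIDSIG" && (($3 "") == want || ($NF "") == want) { valid = 1 }
        END { exit !(good && valid) }'
}

# verify_release FILE FINGERPRINT: checks FILE against FILE.asc.
verify_release() {
    # Status lines go to stdout (fd 1); the localized messages stay on stderr.
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | signer_matches "$2"
}

# Constructed sample status output; the fingerprint is a made-up placeholder.
SAMPLE_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Manager
[GNUPG:] VALIDSIG $SAMPLE_FPR 2011-06-28 1309252179 0 4 0 1 2 00 $SAMPLE_FPR"

# When called with FILE and FINGERPRINT, verify a real release.
if [ $# -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "signature OK, signer matches"
    else
        echo "signature NOT verified"
        exit 1
    fi
fi
```

Unlike the plain `gpg --verify` call, this exits non-zero when the signature is bad or comes from a different key, so it can gate a vote or a build step.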