The other signature type, which is replacing MD5 in the Apache
distribution process, is a PGP signature. In order to check
it, you will need to have loaded the PGP keys of the Apache
developers (available on the Apache site at
http://www.apache.org/dist/KEYS>)
into your PGP tool. Verify the signature on the file using your
PGP tool; for instance, like this:
% pgpv apache_1.3.12.tar.gz.asc This signature applies to another message File to check signature against [apache_1.3.12.tar.gz]: [hit Enter] Good signature made 2000-02-23 23:14 GMT by key: 768 bits, Key ID A0BB71C1, Created 1997-06-03 "Jim Jagielski " WARNING: The signing key is not trusted to belong to: Jim Jagielski
(The last portion of the message simply means that you haven’t
marked Jim’s key on your keyring as definitely being Jim’s.)
PGP signatures provide more information about an Apache package.
They identify whom of the Apache developers approved it, when,
and that the package you downloaded is the same as the one the
developer approved.
If either of the signatures don’t match (that is, PGP reports an
error or the MD5 checksum you generated is different from the one
in the .md5
file), please report the problem to
apache@apache.org>.
The CHANGES file
Also in the main distribution directory are some files with names
starting with “CHANGES
“. These describe all the
modifications and bug-fixes that have been applied to the latest
version found in the main distribution directory. If you’re upgrading
from an earlier version of Apache, reading through this file
can be enlightening and informative.
Building the Software from Source
If you download an Apache package, you get the source code — even
if you downloaded a binary distribution. This means that you can
always rebuild the Apache binary if you need to (and have
the appropriate tools installed). The exact method of rebuilding
depends on your platform, but there are really only two different
platforms for this process: Windows and Unix (or Unix-like).
[Re]Building Apache on Unix
If you want or need to build Apache from source, you can use the
following commands as a quick-start.
You should download the latest released version of the Apache
tarball and unpack it into a working directory. The top-level
directory will then be ./apache-1.3
, which matches the
assumptions described earlier.