From: Richard Levitte <levitte@openssl.org>
Date: Thu, 14 Nov 2002 13:01:35 +0000 (+0000)
Subject: Add a FAQ on how to check the authenticity of the openSSL distribution.
X-Git-Tag: OpenSSL_0_9_7-beta4~38
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=64051a3a7126ffa308a38987e7f2095afe47cebe;p=oweals%2Fopenssl.git

Add a FAQ on how to check the authenticity of the openSSL distribution.
PR: 292
---

diff --git a/FAQ b/FAQ
index 9998821fde..24f4de7727 100644
--- a/FAQ
+++ b/FAQ
@@ -9,6 +9,7 @@ OpenSSL  -  Frequently Asked Questions
 * Where can I get a compiled version of OpenSSL?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
+* How do I check the authenticity of the OpenSSL distribution?
 
 [LEGAL] Legal questions
 
@@ -136,6 +137,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With
 version 0.9.7 (not yet released) the changes were merged into the main
 development line, so that the special release is no longer necessary.
 
+* How do I check the authenticity of the OpenSSL distribution?
+
+We provide MD5 digests and ASC signatures of each tarball.
+Use MD5 to check that a tarball from a mirror site is identical:
+
+   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
+
+You can check authenticity using pgp or gpg. You need the OpenSSL team
+member public key used to sign it (download it from a key server). Then
+just do:
+
+   pgp TARBALL.asc
+
 [LEGAL] =======================================================================
 
 * Do I need patent licenses to use OpenSSL?