From 64051a3a7126ffa308a38987e7f2095afe47cebe Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 14 Nov 2002 13:01:35 +0000 Subject: [PATCH] Add a FAQ on how to check the authenticity of the openSSL distribution. PR: 292 --- FAQ | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/FAQ b/FAQ index 9998821fde..24f4de7727 100644 --- a/FAQ +++ b/FAQ @@ -9,6 +9,7 @@ OpenSSL - Frequently Asked Questions * Where can I get a compiled version of OpenSSL? * Why aren't tools like 'autoconf' and 'libtool' used? * What is an 'engine' version? +* How do I check the authenticity of the OpenSSL distribution? [LEGAL] Legal questions @@ -136,6 +137,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With version 0.9.7 (not yet released) the changes were merged into the main development line, so that the special release is no longer necessary. +* How do I check the authenticity of the OpenSSL distribution? + +We provide MD5 digests and ASC signatures of each tarball. +Use MD5 to check that a tarball from a mirror site is identical: + + md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5 + +You can check authenticity using pgp or gpg. You need the OpenSSL team +member public key used to sign it (download it from a key server). Then +just do: + + pgp TARBALL.asc + [LEGAL] ======================================================================= * Do I need patent licenses to use OpenSSL? -- 2.25.1