Add a FAQ on how to check the authenticity of the openSSL distribution.

PR: 292
2024-11-21 01:15:20 +08:00 · 2002-11-14 13:00:59 +00:00 · 2002-11-14 13:00:59 +00:00 · d4e573f305
commit d4e573f305
parent e20afbb340
1 changed files with 14 additions and 0 deletions
--- a/14
+++ b/14
@ -9,6 +9,7 @@ OpenSSL  -  Frequently Asked Questions
 * Where can I get a compiled version of OpenSSL?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
+* How do I check the authenticity of the OpenSSL distribution?

 [LEGAL] Legal questions

@ -136,6 +137,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With
 version 0.9.7 (not yet released) the changes were merged into the main
 development line, so that the special release is no longer necessary.

+* How do I check the authenticity of the OpenSSL distribution?
+
+We provide MD5 digests and ASC signatures of each tarball.
+Use MD5 to check that a tarball from a mirror site is identical:
+
+   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
+
+You can check authenticity using pgp or gpg. You need the OpenSSL team
+member public key used to sign it (download it from a key server). Then
+just do:
+
+   pgp TARBALL.asc
+
 [LEGAL] =======================================================================

 * Do I need patent licenses to use OpenSSL?