Commit 463cc3ce authored by Joshua Slive's avatar Joshua Slive

Add some instructions on verifying PGP signatures. This could really
use a review from some people who understand these issues better than
I do.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89394 13f79535-47bb-0310-9956-ffa450edef68
parent 61b7bd16
+43 −7
@@ -147,18 +147,54 @@ href="http://www.apache.org/dyn/closer.cgi">nearby mirror</a>.</p>
<p>Version numbers that end in <code>alpha</code> indicate early
pre-test versions which may or may not work.  Version numbers ending
in <code>beta</code> indicate more reliable releases that still
require further testing or bug fixing.  If you wish to dowload the
require further testing or bug fixing.  If you wish to download the
best available production release of the Apache HTTP Server, you
should choose the latest version with neither <code>alpha</code> nor
<code>beta</code> in its filename.</p>

<p>After downloading, especially if a mirror site is used, it is
important to verify that you have a complete and unmodified version
of the Apache HTTP Server.  This can be accomplished by testing the
downloaded tarball against the PGP signature, which should always be
obtained from the <a href="http://www.apache.org/dist/httpd">main
Apache website</a>.  The signature file has a filename identical to
the source tarball with the addition of <code>.asc</code>.</p>
important to verify that you have a complete and unmodified version of
the Apache HTTP Server.  This can be accomplished by testing the
downloaded tarball against the PGP signature.  This, in turn, is a two
step procedure.  First, you must obtain the <code>KEYS</code> file
from the <a href="http://www.apache.org/dist/">Apache distribution
site</a>.  (To assure that the <code>KEYS</code> file itself has not
been modified, it may be a good idea to use a file from a previous
distribution of Apache or import the keys from a public key server.)
The keys are imported into your personal key ring using
one of the following commands (depending on your pgp version):</p>
<blockquote><code>
$ pgp < KEYS
</code></blockquote>
or
<blockquote><code>
$ gpg --import KEYS
</code></blockquote>

<p>The next step is to test the tarball against the PGP signature,
which should always be obtained from the <a
href="http://www.apache.org/dist/httpd">main Apache website</a>.  The
signature file has a filename identical to the source tarball with the
addition of <code>.asc</code>.  Then you can check the distribution
with one of the following commands (again, depending on your pgp
version):</p>
<blockquote><code>
$ pgp httpd-2_0_<em>NN</em>.tar.gz.asc
</code></blockquote>
or
<blockquote><code>
$ gpg --verify httpd-2_0_<em>NN</em>.tar.gz.asc
</code></blockquote

<p>You should receive a message like</p>
<blockquote><code>
Good signature from user "Martin Kraemer &lt;martin@apache.org&gt;".
</code></blockquote>
<p>Depending on the trust relationships contained
in your key ring, you may also receive a message saying that
the relationship between the key and the signer of the key
cannot be verified.  This is not a problem if you trust the
authenticity of the <code>KEYS</code> file.</p>

<h3><a name="extract">Extract</a></h3>
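Review bot: the closing tag after the second verify command is truncated (`</code></blockquote` is missing its `>`), which leaves an unclosed tag and will break the rendered page from that point on; it should read `</code></blockquote>`. The KEYS paragraph also overstates what a public key server gives you: importing from a key server only fetches whatever key is published under a name or ID and says nothing about whether it belongs to the release signer, so the text should tell the reader to compare the fingerprint of the imported key against a KEYS file they already trust (for example the copy shipped with a previous release), and the closing sentence "This is not a problem if you trust the authenticity of the KEYS file" should make clear that establishing that trust is exactly the step the reader has not yet done. Two smaller points: `$ pgp < KEYS` inside `<code>` should escape the `<` as `&lt;` so it cannot be parsed as the start of a tag, and "two step procedure" reads better hyphenated as "two-step procedure". It may also be worth noting that `gpg --verify httpd-2_0_NN.tar.gz.asc` only works when the tarball sits beside the `.asc` file with the same basename; naming the data file explicitly, as in `gpg --verify httpd-2_0_NN.tar.gz.asc httpd-2_0_NN.tar.gz`, avoids a confusing failure.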
