This page provides absic informaiton how to prepare, sign and verify source releases. The apache.openoffice-<version>-r<revision>-src.[zip|tar.gz|tar.bz2] files were created with a new ant script file (solven/bin/srcrelease.xml) that can be triggered in instsetoo_native/util as a new target "aoo_srcrelease".
You can use the OpenOffice committers keys file ooo.asc. Or alternatively the local key file aoo.KEYS that I have created intially. Ok, this files contains currently only my new created key that is not well known so far, but at least send to the default public key server of gpg.
Here a short example how you can veryfy the files and play around with it
The PGP signatures can be verified using PGP or GPG. You should first downlaod the key file ooo.asc and the ASC(PGP) signature file for the particular src release file (in this case the tar.gz). You can verify the signatures using
% pgpk -a ooo.asc % pgpv apache-openoffice-4.0.0-r1502185-src.tar.gz.asc or % pgp -ka ooo.asc % pgp apache-openoffice-4.0.0-r1502185-src.tar.gz.asc or % gpg --import ooo.asc % gpg --verify apache-openoffice-4.0.0-r1502185-src.tar.gz.asc
Alternatively, you can verify the checksums on the files. Unix programs called md5/sha256 or md5sum/sha256sum are included in many unix distributions. *sum is also available as part of GNU Textutils.