Thank you for downloading the Zowe binary

These commands are tested on both Mac OS X v10.13.6 and Ubuntu v17.11.

Step 1 - Verify Hash Code

You can download hash code file zowe-1.0.0.pax.sha512, then use this command to check:

If you see "matched" means the binary you have downloaded is the same one that was officially distributed by the Zowe project. You can delete temporary "zowe-1.0.0.pax.sha512.my" after that.

You can also use other commands, like "sha512", "sha512sum", or "openssl dgst -sha512" to generate SHA512 hash code. Just those hash code results are in a different format from what we provided but the values should be the same.

Step 2 - Verify With Signature File

In addition to the SHA512 hash we ensure that the hash is verifiable as well. This is done by digitally signing the hash text file with a KEY from one of the Zowe developers.

You can download the signature file zowe-1.0.0.pax.asc, and public key KEYS.

There are few steps:

1. Import the public key with command: gpg --import KEYS
2. If you never use gpg before, you may need to generate keys first: gpg --gen-key. Otherwise, please proceed to next step.
3. Sign the downloaded public key with command: gpg --sign-key KEY
4. Verify the file with command: gpg --verify zowe-1.0.0.pax.asc zowe-1.0.0.pax
5. You can remove the imported key with command: gpg --delete-key KEY

If you see output like this that matches the info in the public key you downloaded you can be assured that the binary file you have has come from the Zowe project.