<h2><a name="mirrors">Download from your
<a href="http://www.apache.org/dyn/closer.cgi/commons/">nearest mirror site!</a></a></h2>
<p>
Do not download from www.apache.org. Please use a mirror site
to help us save apache.org bandwidth.
<a href="http://www.apache.org/dyn/closer.cgi/jmeter/">Go here to find your nearest mirror.</a>
</p>
<h2><a name="sig">PGP/GPG Signatures</a></h2>
<p>
All of the release distribution packages have been digitally
signed (using PGP or GPG) by the ASF committers that constructed
them. There will be an accompanying
<tt><var>distribution</var>.asc</tt> file in the same directory
as the distribution. The PGP/GPG keys can be found at the MIT key
repository and within this project's KEYS file at
<a href="https://www.apache.org/dist/jmeter/KEYS"><samp>https://www.apache.org/dist/jmeter/KEYS</samp></a>.
</p>
<h4>Always download the KEYS file directly from the Apache site, never from a mirror.</h4>
<pre>Always check signatures to validate package authenticity, <i>e.g.</i>,
$ pgpk -a KEYS
$ pgpv apache-jmeter-5.6.3.tgz.asc
<i>or</i>,
$ pgp -ka KEYS
$ pgp apache-jmeter-5.6.3.tgz.asc
<i>or</i>
$ gpg --verify apache-jmeter-5.6.3.tgz.asc apache-jmeter-5.6.3.tgz
</pre>
<p>
We also offer SHA512 hashes to validate the
integrity of the downloaded files. See the
<tt><var>distribution</var>.sha512</tt> files.
<br>
Note that such hashes are only useful as a check that the file has been downloaded OK.
They do not provide any guarantee that the downloaded file is authentic.
</p>