README.md
<h2><a name="mirrors">Download from your
<a href="https://www.apache.org/dyn/closer.cgi/commons/">nearest mirror site!</a></a></h2>

<p>
Do not download from www.apache.org.
Please use a <a href="https://www.apache.org/dyn/closer.cgi/commons/">nearby mirror site</a>
to help us save apache.org bandwidth.
</p>


<h2><a name="sig">PGP/GPG Signatures</a></h2>

<p>
All of the release distribution packages have been digitally
signed (using PGP or GPG) by the ASF committers that constructed
them.
<br>
There will be an accompanying
<tt><var>distribution</var>.asc</tt> file in the same directory
as the distribution.
<br>
The PGP/GPG keys can be found at the MIT key
repository and within this project's KEYS file at
<a href="https://www.apache.org/dist/commons/KEYS"><samp>https://www.apache.org/dist/commons/KEYS</samp></a>
</p>

<pre>Always use the signature to validate package authenticity, <i>e.g.</i>,
$ pgpk -a KEYS
$ pgpv <var>commons-logging-1.2-bin.tar.gz</var>.asc
<i>or</i>,
$ pgp -ka KEYS
$ pgp <var>commons-logging-1.2-bin.tar.gz</var>.asc
<i>or</i>
$ gpg --import KEYS
$ gpg --verify <var>commons-logging-1.2-bin.tar.gz</var>.asc <var>commons-logging-1.2-bin.tar.gz</var>
</pre>

<p>
See also <a href="https://www.apache.org/info/verification.html">Verifying Apache Software Foundation Releases</a>
<p>
<p>
We also offer MD5/SHA hashes as an alternative to validate the
integrity of the downloaded files. See the
<tt><var>distribution</var>.md5/.sha1</tt> files.
<br>
Note that such hashes are only useful as a check that the file has been downloaded OK.
They do not provide any guarantee that the downloaded file is authentic.
</p>