You may be wondering what those .asc, .md5 and .sha1 files
on the download pages are good for. They are signature files that let you verify the integrity
and origin of the distribution artifacts (zip files, compressed archives) that you have downloaded.

The signatures come in two varieties. The .md5 and .sha1 files contain
MD5 and SHA1 checksums, respectively. The main purpose of those files is to let you verify the
integrity of your release artifact. You can use a tool to generate the same kind of checksum and
check that it's the same checksum as the one you downloaded. If the checksums agree, you can be sure
that your archive did not get corrupted during transmission.

The .asc files are so-called detached, ASCII-armored PGP signatures. They let you do
the same thing as the MD5 and SHA1 signatures, but they let you do something in addition: you can
use these signatures to verify that the release artifacts were signed by a certain, trusted source.
The .asc files contain checksums that were encrypted with the private PGP key of the
release manager responsible for the release. This is useful if you received the release files from
some arbitrary source, and you would like to be sure that what you have there is really a UIMA
release (and not something containing a virus, for example). You can then download the corresponding
public key from a trusted source, and use it to verify not only the integrity of the file, but that
it is actually the file the release manager signed in the first place. Anybody can tamper with
a released file and create a new checksum, but they can't fake the .asc file so it
will work with the public key of the release manager.

Whether you verify your UIMA distribution is up to you, but unless you do, you cannot
be sure that you have an uncorrupted copy. The next section will
tell you how you can use each type of signature file.
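
The difference between the two kinds of file, as an added example that is not part of the original UIMA documentation: a checksum check catches a changed file, but passes again once the checksum is regenerated alongside it, which is why the .asc check is the one that establishes origin. It assumes GNU coreutils (sha1sum, md5sum) and GnuPG, and that the digest is the first field of the checksum file; the function names and the file name are made up for the illustration.

```shell
#!/bin/sh
# Added example: check a download against its .sha1/.md5 file, then its .asc.
# Assumes GNU coreutils (sha1sum, md5sum) and GnuPG; file names are constructed.

# checksum_ok FILE ALGO -> exit 0 if FILE matches FILE.ALGO (ALGO: sha1|md5)
checksum_ok() {
    file=$1 algo=$2
    case $algo in
        sha1) len=40 ;;
        md5)  len=32 ;;
        *)    echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Assumed layout: the digest is the first whitespace-separated field,
    # either alone or followed by the file name.
    want=$(awk 'NR==1 {print tolower($1)}' "$file.$algo") || return 2
    # Reject anything that is not a digest (e.g. a saved HTML error page).
    printf '%s' "$want" | grep -Eq "^[0-9a-f]{$len}\$" || {
        echo "$file.$algo does not contain a $algo digest" >&2; return 2; }
    have=$("${algo}sum" "$file" | awk '{print $1}')
    [ "$want" = "$have" ]
}

# signature_ok FILE -> exit 0 if FILE.asc is a good detached signature made by
# a key already in your keyring (import the release manager's key first).
signature_ok() {
    gpg --verify "$1.asc" "$1"
}

# Constructed demonstration: a checksum catches a changed file, but a checksum
# regenerated by whoever changed the file matches again.
demo() {
    dir=$(mktemp -d) || return 1
    f=$dir/example-release.zip            # constructed stand-in artifact
    printf 'original release bytes\n' > "$f"
    sha1sum "$f" | awk '{print $1}' > "$f.sha1"
    checksum_ok "$f" sha1 && r1=match || r1=mismatch
    printf 'modified bytes\n' > "$f"      # file changed after publication
    checksum_ok "$f" sha1 && r2=match || r2=mismatch
    sha1sum "$f" > "$f.sha1"              # checksum regenerated alongside it
    checksum_ok "$f" sha1 && r3=match || r3=mismatch
    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}
```

Calling `demo` prints the three results in order; `signature_ok` is only meaningful once the release manager's public key has been obtained from a trusted source, as described above.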