Downloading ICU‎ > ‎

Verifying Downloads

Many ICU downloads may be verified as to their authenticity.

How to verify the downloads?


  • Download the MD5 hash file by clicking the [MD5] link on the download page, as well as another ICU file.
  • Run a command line program such as md5, md5sum, cfv, or fciv on Windows over your downloaded ICU file
  • Verify that the hashed result from the command line program matches the hash in the .md5 file.


  • SHA512 hashes may be created with gpg --print-md SHA512 somefile
  • These hashes may be verified with  shasum -c SHASUM512.txt
  • (Note that GPG signed files may begin with "Hash: SHA256", but this is GPG's hash, not the SHASUM hashes)


  • Download the file  and import it with:
         gpg --import KEYS
    (This is safe to run multiple times, it will update any new keys)
  • Download the original ICU file, as well as the .asc file by clicking the [PGP] link in the left column of the download page.
  • To verify the file, run this command line against the .asc file
             gpg --verify somefile.tgz.asc
  • If the signature is good, you should see "gpg Good signature from..."

For further reading, see the Apache Project release signing page