Many ICU downloads
may be verified as to their authenticity.
How to verify the downloads?
- Download the MD5 hash file by clicking the [MD5] link on the download page, as well as another ICU file.
- Run a command line program such as
cfv, or fciv on Windows over your downloaded ICU file
- Verify that the hashed result from the command line program matches the hash in the .md5 file.
GPG / PGP
- Download the file https://ssl.icu-project.org/KEYS and import it with:
gpg --import KEYS
(This is safe to run multiple times, it will update any new keys)
- Download the original ICU file, as well as the .asc file by clicking the [PGP] link in the left column of the download page.
- To verify the file, run this command line against the .asc file
- If the signature is good, you should see "gpg Good signature from..."
For further reading, see the Apache Project release signing page