The other signature type, which is replacing MD5 in the Apache distribution process, is a PGP signature. In order to check it, you will need to have loaded the PGP keys of the Apache developers (available on the Apache site at <URL:apache/dist/KEYS) into your PGP tool. Verify the signature on the file using your PGP tool; for instance, like this:

% pgpv apache_1.3.12.tar.gz.asc
This signature applies to another message
File to check signature against [apache_1.3.12.tar.gz]: [hit Enter]
Good signature made 2000-02-23 23:14 GMT by key:
768 bits, Key ID A0BB71C1, Created 1997-06-03
"Jim Jagielski "

WARNING: The signing key is not trusted to belong to:
Jim Jagielski

(The last portion of the message simply means that you haven't marked Jim's key on your keyring as definitely being Jim's.)

PGP signatures provide more information about an Apache package. They identify whom of the Apache developers approved it, when, and that the package you downloaded is the same as the one the developer approved.

If either of the signatures don't match (that is, PGP reports an error or the MD5 checksum you generated is different from the one in the .md5 file), please report the problem to <apacheapache.

The CHANGES file
Also in the main distribution directory are some files with names starting with "CHANGES. These describe all the modifications and bug-fixes that have been applied to the latest version found in the main distribution directory. If you're upgrading from an earlier version of Apache, reading through this file can be enlightening and informative.

Building the Software from Source
If you download an Apache package, you get the source code -- even if you downloaded a binary distribution. This means that you can always rebuild the Apache binary if you need to (and have the appropriate tools installed). The exact method of rebuilding depends on your platform, but there are really only two different platforms for this process: Windows and Unix (or Unix-like).

[Re]Building Apache on Unix
If you want or need to build Apache from source, you can use the following commands as a quick-start. You should download the latest released version of the Apache tarball and unpack it into a working directory. The top-level directory will then be ./apache-1.3, which matches the assumptions described earlier.