
2.2.2 Verifying Package Integrity Using MD5 Checksums or GnuPG

After you have downloaded the MySQL package that suits your needs and before you attempt to install it, you should make sure it is intact and has not been tampered with.

MySQL AB offers two means of integrity checking: MD5 checksums and cryptographic signatures using GnuPG, the GNU Privacy Guard.

2.2.3 Verifying the MD5 Checksum

After you have downloaded the package, you should check whether the MD5 checksum matches the one provided on the MySQL download pages. Each package has an individual checksum that you can verify with the following command:

shell> md5sum <package>

Note that not all operating systems support the md5sum command: on some it is simply called md5, and others do not ship it at all. On Linux, it is part of the GNU Text Utilities package, which is available for a wide range of platforms. You can download the source code from http://www.gnu.org/software/textutils/ as well. If you have OpenSSL installed, you can also use the command openssl md5 <package> instead. A DOS/Windows implementation of the md5 command is available from http://www.fourmilab.ch/md5/.

Example:

shell> md5sum mysql-standard-4.0.10-gamma-pc-linux-i686.tar.gz
155836a7ed8c93aee6728a827a6aa153  mysql-standard-4.0.10-gamma-pc-linux-i686.tar.gz

You should check whether the resulting checksum matches the one printed on the download page right below the respective package.

Most mirror sites also offer a file named `MD5SUMS', which lists the MD5 checksums of all files in the `Downloads' directory. Please note, however, that this file is very easy to modify, so it is not a very reliable method. If in doubt, you should consult different mirror sites and compare the results.
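The following is an added example, not code from the MySQL manual: a small POSIX shell script that computes a package's MD5 with whichever tool the platform provides (md5sum, BSD md5, or openssl md5, as described above), compares it with an expected digest, and can look a package up in a mirror's `MD5SUMS' listing. The function names, the return codes, and the sample file are all this example's own choices; the sample is a constructed three-byte file, not a MySQL package.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: a portable MD5 check that copes
# with the tool differences described above (md5sum, BSD md5, openssl md5)
# and that can look a package up in a mirror's MD5SUMS listing.

# md5_of FILE: print the lowercase hex MD5 of FILE using whichever tool exists.
# Returns 2 if no MD5 tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then          # BSD / macOS
        md5 -q "$1"
    elif command -v openssl >/dev/null 2>&1; then      # prints "MD5(file)= <hex>"
        openssl md5 "$1" | awk '{print $NF}'
    else
        return 2
    fi
}

# verify_md5 FILE EXPECTED_HEX
#   0 = match, 1 = mismatch, 2 = no MD5 tool, 4 = FILE not readable
verify_md5() {
    [ -r "$1" ] || return 4
    actual=$(md5_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_from_sums_file FILE MD5SUMS
# Looks FILE's basename up in an MD5SUMS listing ("<hex>  <name>" per line,
# as md5sum writes it) and verifies it; returns 3 if FILE is not listed.
# Remember the manual's caveat: an MD5SUMS file fetched from the same mirror
# as the package proves nothing if that mirror was tampered with.
verify_from_sums_file() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n {print $1; exit}' "$2")
    [ -n "$expected" ] || return 3
    verify_md5 "$1" "$expected"
}

# Demonstration on a constructed file (not a real MySQL package): the MD5 of
# the three bytes "abc" is 900150983cd24fb0d6963f7d28e17f72.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/sample.tar.gz"
printf '900150983cd24fb0d6963f7d28e17f72  sample.tar.gz\n' > "$demo_dir/MD5SUMS"
if verify_from_sums_file "$demo_dir/sample.tar.gz" "$demo_dir/MD5SUMS"; then
    echo "sample.tar.gz: MD5 OK"
else
    echo "sample.tar.gz: MD5 MISMATCH, re-download (try another mirror)" >&2
fi
rm -rf "$demo_dir"
```

For a real download, call verify_md5 with the digest copied from the download page, or verify_from_sums_file with an `MD5SUMS' file obtained from a different mirror than the package itself; a non-zero return code is the signal to re-download rather than install.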

2.2.4 Signature Checking Using GnuPG

A more reliable method of verifying the integrity of a package is using cryptographic signatures. MySQL AB uses the GNU Privacy Guard (GnuPG), an Open Source alternative to the very well-known Pretty Good Privacy (PGP) by Phil Zimmermann. See http://www.gnupg.org/ and http://www.openpgp.org/ for more information about OpenPGP/GnuPG and how to obtain and install GnuPG on your system. Most Linux distributions already ship with GnuPG installed by default.

Beginning with MySQL 4.0.10 (February 2003), MySQL AB has started signing their downloadable packages with GnuPG. Cryptographic signatures are a much more reliable method of verifying the integrity and authenticity of a file.

To verify the signature for a specific package, you first need to obtain a copy of MySQL AB's public GPG build key build@mysql.com. You can either cut and paste it directly from here, or obtain it from http://www.keyserver.net/.

Key ID:
pub  1024D/5072E1F5 2003-02-03
     MySQL Package signing key (www.mysql.com) <build@mysql.com>
Fingerprint: A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5

Public Key (ASCII-armored):

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
[key body not reproduced on this page]
=YJkx
-----END PGP PUBLIC KEY BLOCK-----

You can import this key into your public GPG keyring by using gpg --import. See the GPG documentation for more info on how to work with public keys.

After you have downloaded and imported the public build key, download your desired MySQL package and the corresponding signature, which is also available from the download page. The signature has the file name extension `.asc'. For example, the signature for `mysql-standard-4.0.10-gamma-pc-linux-i686.tar.gz' would be `mysql-standard-4.0.10-gamma-pc-linux-i686.tar.gz.asc'. Make sure that both files are stored in the same directory and then run the following command to verify the signature for this file:

shell> gpg --verify <package>.asc

Example:

shell> gpg --verify mysql-standard-4.0.10-gamma-pc-linux-i686.tar.gz.asc
gpg: Warning: using insecure memory!
gpg: Signature made Mon 03 Feb 2003 08:50:39 PM MET using DSA key ID 5072E1F5
gpg: Good signature from "MySQL Package signing key (www.mysql.com) <build@mysql.com>"

The "Good signature" message indicates that everything is all right.
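As an added example (not code from the MySQL manual), the script below performs the same verification from a shell script and adds the check a reviewer would want: "Good signature" only means the signature was made by some key in the local keyring, so the script also requires that the signing key's fingerprint equals the one printed for build@mysql.com above. It parses the machine-readable status lines gpg emits with --status-fd; the function names and return codes are this example's own, the sample status text is constructed (its timestamp and algorithm fields are placeholders, not a captured run), and the verify_package function needs gpg installed.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: verify a detached .asc signature
# and insist that it was made by the expected key, identified by fingerprint,
# rather than by any key that happens to be in the local keyring. The
# fingerprint is the build@mysql.com key as printed in the manual, spaces removed.
MYSQL_BUILD_KEY_FPR="A4A9406876FCBD3C456770C88C718D3B5072E1F5"

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the machine-readable output gpg writes with --status-fd.
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR, 1 if there is no valid
# signature at all (BADSIG, NO_PUBKEY, ...), 2 if the signature is valid but
# was made by a different key.
check_gpg_status() {
    fpr=$(printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {print $3; exit}')
    [ -n "$fpr" ] || return 1
    [ "$fpr" = "$2" ] || return 2
}

# verify_package FILE EXPECTED_FPR: verifies FILE against FILE.asc (the
# detached signature named as in the manual) and applies the fingerprint check.
# Returns 3 if either file is missing; requires gpg to be installed.
verify_package() {
    [ -r "$1" ] && [ -r "$1.asc" ] || return 3
    status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || true
    check_gpg_status "$status" "$2"
}

# Demonstration on constructed status lines shaped like gpg's output for a
# good signature from the MySQL build key (not a captured run; the date,
# timestamp and algorithm fields are placeholders):
sample_status='[GNUPG:] GOODSIG 8C718D3B5072E1F5 MySQL Package signing key (www.mysql.com) <build@mysql.com>
[GNUPG:] VALIDSIG A4A9406876FCBD3C456770C88C718D3B5072E1F5 2003-02-03 0 0 4 0 17 2 00 A4A9406876FCBD3C456770C88C718D3B5072E1F5'
if check_gpg_status "$sample_status" "$MYSQL_BUILD_KEY_FPR"; then
    echo "signature valid and made by the expected MySQL build key"
else
    echo "signature rejected (rc=$?)" >&2
fi
```

Before relying on the imported key at all, compare what gpg --fingerprint build@mysql.com prints against the fingerprint published above; a key fetched from a keyserver is only as trustworthy as that comparison.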

For RPM packages, there is no separate signature - RPM packages actually have a built-in GPG signature and MD5 checksum. You can verify them by running the following command:

shell> rpm --checksig <package>.rpm

Example:

shell> rpm --checksig MySQL-server-4.0.10-0.i386.rpm
MySQL-server-4.0.10-0.i386.rpm: md5 gpg OK

Note: If you are using RPM 4.1 and it complains about (GPG) NOT OK (MISSING KEYS: GPG#5072e1f5) (even though you have imported the key into your GPG public keyring), you need to import the key into the RPM keyring first. RPM 4.1 no longer uses your GPG keyring (or GPG itself) but maintains its own keyring, because it is a system-wide application and the GPG public keyring is a user-specific file. To import the MySQL public key into the RPM keyring, please use the following command:

shell> rpm --import <pubkey>

Example:

shell> rpm --import mysql_pubkey.asc
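As an added example (not code from the MySQL manual), the following shell functions interpret the single line rpm --checksig prints, so that a package reporting only "md5 OK" is not mistaken for one whose GPG signature was actually verified, and so that the MISSING KEYS case is recognised as "import the key into the RPM keyring" rather than as a corrupt download. The function names and return codes are this example's own; the demonstration lines are constructed from the two outputs quoted in the manual, not produced by running rpm, and verify_rpm needs rpm installed.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: interpret what `rpm --checksig`
# reports, so that "md5 OK" alone is not mistaken for a verified signature.

# classify_checksig LINE: one output line of `rpm --checksig`. Returns
#   0  checksum and GPG signature both verified
#   1  checksum OK but no signature verdict (unsigned package, or not checked)
#   2  signature present but the signing key is not in the RPM keyring
#   3  anything else (NOT OK, corrupt file, output not understood)
classify_checksig() {
    case "$1" in
        *"MISSING KEYS"*) echo "signing key missing from RPM keyring: rpm --import it first"; return 2 ;;
        *"NOT OK"*)       echo "verification FAILED: do not install"; return 3 ;;
        *gpg*OK|*pgp*OK)  echo "checksum and signature OK"; return 0 ;;
        *OK)              echo "checksum OK but no signature was verified"; return 1 ;;
        *)                echo "output not understood"; return 3 ;;
    esac
}

# verify_rpm FILE: run the real check and classify its result. Requires rpm.
# Returns 3 if FILE is not readable.
verify_rpm() {
    [ -r "$1" ] || return 3
    line=$(rpm --checksig "$1" 2>&1) || true
    classify_checksig "$line"
}

# Demonstration on lines constructed from the two outputs quoted in the manual
# (strings only; rpm is not run here):
classify_checksig "MySQL-server-4.0.10-0.i386.rpm: md5 gpg OK"
classify_checksig "MySQL-server-4.0.10-0.i386.rpm: (GPG) NOT OK (MISSING KEYS: GPG#5072e1f5)"
```

After rpm --import, the imported keys can be listed with rpm -q gpg-pubkey, which is the quickest way to confirm the MySQL key landed in the RPM keyring before re-running rpm --checksig.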

If you notice that the MD5 checksum or GPG signature does not match, first try to download the respective package one more time, possibly from another mirror site. If you repeatedly cannot verify the integrity of the package, please notify us about such incidents, including the full package name and the download site you have been using, at webmaster@mysql.com or build@mysql.com.
