Below are the tranSMART Foundation release artifacts. In the case of the war files, please note: the war files are intended to be replacements for those in an already installed system. A given war file will NOT constitute a complete system on its own; configuration files, data loading, and a raft of supporting software is needed. For details, see the instructions on the wiki at installing tranSMART
Each artifact (for example transmart.war) is accompanied by a Detached Signature, with the extension *.sig (transmart.war.sig) and two checksums, MD5 and SHA1 (transmart.war.md5 and transmart.war.sha). These can be used to verify the authenticity and integrity of downloaded artifacts.
The MD5 and SHA1 checksums of the downloaded artifact should match those give here. This description in the Apache release signing documentation will be helpful.
To verify the Detached Signature, follow the instructions
These are the
release notes for Release 16.3.
Signed Artifacts for Release 16.3
Instructions to verify signature
While, in most cases, checking the md5 or sha (SHA1) hash-sum check-codes should suffice to verify that the downloaded file is intact, you may wish to verify that the signed 'detached signature' (that is the 'signature' above) is valid for the file that you downloaded. This is a little involved, but is described in full as part of the official install process. See the section "Set up environment for verifying downloads...". Those notes will get you going.
The signatures were generated using the GNU Privacy Guard: https://www.gnupg.org/.