To ensure the integrity of the release artifacts they are digitally signed. You can find more information about the way that we sign releases here. To verify the integrity of the downloaded files you must use signatures downloaded from our main distribution directory not from the distribution mirrors.
MD5 checksums can be verified simply by regenerating the checksum and comparing it against the checksum (the md5 file) supplied with the release. There are various utilities that can be used to generate the checksum, for example
openssl md5 apache-tuscany-scatours-1.0.tar.gz
PGP signatures can be verified using PGP or GPG. First download the KEYS as well as the asc signature file for the relevant distribution. Make sure you get these files from our main distribution directory, rather than from a mirror. Then verify the signatures using, for example
pgpk -a KEYS