# Download Most users use DataFusion as a library in their Rust projects by adding it as a dependency in their `Cargo.toml` file and downloading it from the Rust [crates.io] package registry. For example: ```toml [dependencies] datafusion = "41.0.0" ``` While DataFusion is distributed via [crates.io] as a convenience, the official Apache DataFusion releases are provided as source artifacts. [crates.io]: https://crates.io/crates/datafusion ## Releases You can find the latest releases, signatures and checksums on the [ASF Release Page](https://dist.apache.org/repos/dist/release/datafusion) For previous releases, please check the [archive](https://archive.apache.org/dist/datafusion/). For releases earlier than 37.0.0, please check [Arrow's archive](https://archive.apache.org/dist/arrow/). ## Notes - When downloading a release, please verify the OpenPGP compatible signature (or failing that, check the SHA-512); these should be fetched from the main Apache site. - The [KEYS] file contains the public keys used for signing release. It is recommended that (when possible) a web of trust is used to confirm the identity of these keys. - Please download the [KEYS] file as well as the .asc signature files. [keys]: https://downloads.apache.org/datafusion/KEYS ### To verify the signature of the release artifact You will need to download both the release artifact and the .asc signature file for that artifact. Then verify the signature by: - Download the KEYS file and the .asc signature files for the relevant release artifacts. - Import the KEYS file to your GPG keyring: ```shell gpg --import KEYS ``` - Verify the signature of the release artifact using the following command: ```shell gpg --verify .asc ``` ### To verify the checksum of the release artifact You will need to download both the release artifact and the .sha512 checksum file for that artifact. Then verify the checksum by: ```shell shasum -a 512 -c .sha512 ```