Please make sure you're downloading from a nearby mirror site, not directly from www.apache.org.
The official Solr Reference Guide can be downloaded from the ref-guide folder.
The changes in each release are detailed in the release notes, to be found in the
changes folder for the release.
Thank you for using Apache Solr.
All official source and binary releases are digitally signed using GnuPG. You are encouraged to verify that your download is the official one by verifying the digital signature. To do this you need, in addition to the downloaded file:
Always download the KEYS and .asc files directly from the Apache site at <https://www.apache.org/dist/lucene/solr/>, and always over HTTPS. Never trust KEYS from a mirror site. Read more
Always test available signatures, e.g., $ pgpk -a KEYS $ pgpk solr-x.y.z.tar.gz.asc or, $ pgp -ka KEYS $ pgp solr-x.y.z.tar.gz.asc or, $ gpg --import KEYS $ gpg --verify solr-x.y.z.tar.gz.asc
Alongside the release artifacts in the official Apache dist site you will also find other files providing checksum hashes for each file, with suffix .sha1, .sha512 or .md5. E.g. for solr-x.y.z.tgz the solr-x.y.z.tgz.sha1 file provides the SHA-1 checksum. These are useful to verify that your download was complete and valid, but will not prove that your download was digitally signed by an actual Apache committer. For that you must check the .asc signature.
Calculate the checksum of your download and compare to the contents of the checksum files $ shasum [-a 512] solr-x.y.z.tgz $ md5 solr-x.y.z.tgz
Older versions of Solr can be found on archive.apache.org.