Validating a Release
Download the GPG keys and import them:
wget https://people.apache.org/keys/group/crunch.asc
gpg --import crunch.asc
Download the release and verify the checksums and signatures. The checksums only guard against a corrupted download; the GPG signatures are the authenticity check, so every gpg --verify must report a good signature from a key that belongs to the release manager (compare the fingerprint it prints with the one in the imported KEYS file). If md5sum -c or sha1sum -c refuses a checksum file, that file is in the "file: HASH" layout written by gpg --print-md rather than the "HASH  file" layout the -c option expects; compare the digest by hand in that case.
RM=mafr
VERSION=0.6.0
RELEASE=apache-crunch-$VERSION
wget http://people.apache.org/~$RM/crunch-$VERSION-RC0/$RELEASE-{src,bin}.{tar.gz,zip}{,.asc,.md5,.sha1}
md5sum -c *.md5
sha1sum -c *.sha1
# gpg --verify on file.asc checks the detached signature against file; report any failure explicitly
for i in *.asc; do echo "verify: $i"; gpg --verify $i || echo "FAILED: $i"; done
Extract the distribution files and check whether the tarballs and the ZIP files have identical contents. If they do, the remaining checks only need to look at the two unpacked trees under tgz/.
mkdir tgz zip
tar -xzf $RELEASE-src.tar.gz -C tgz
tar -xzf $RELEASE-bin.tar.gz -C tgz
unzip -qd zip $RELEASE-src.zip
unzip -qd zip $RELEASE-bin.zip
diff -Naur {tgz,zip}/$RELEASE-src/
diff -Naur {tgz,zip}/$RELEASE-bin/
Check whether mandatory files are identical across all distribution artifacts:
for i in LICENSE NOTICE; do diff tgz/$RELEASE-{src,bin}/$i; done
Check out the tagged revision from the source repository and make sure it is identical to the source release (the revision checksum comes from the vote mail, not from the tag name alone, since a tag can be moved):
git clone https://git-wip-us.apache.org/repos/asf/crunch.git
cd crunch
git fetch --tags
git checkout REVISION-CHECKSUM-FROM-VOTING-MAIL
cd ..
diff -Naur -x .git -x .gitignore crunch/ tgz/$RELEASE-src/
If all of the above checks pass, proceed with validating the release artifacts against the Apache regulations.
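As an added example (not part of the Crunch project's own tooling), the following Python script automates the two checks in the download step that are easiest to get wrong by eye: it parses gpg's machine-readable --status-fd output so that a signature only counts when it is good, not expired or revoked, and made by a key whose fingerprint you have taken from the KEYS file, and it verifies a checksum file in either of the layouts found on Apache mirrors (the "HASH  file" form that md5sum -c reads, and the "file: AB12 CD34 ..." form written by gpg --print-md, which -c rejects and which wraps long digests onto indented continuation lines). The fingerprint, status lines and artifact contents below are constructed for the demo and are not real; verify_signature needs a local gpg binary.

```python
"""Release-artifact checks: a GPG signature pinned to known release-manager
fingerprints, and checksum files in either layout found on Apache mirrors.
Added example; not part of Apache Crunch. Sample data below is constructed."""
import hashlib
import os
import re
import subprocess
import tempfile

HEX = re.compile(r"[0-9A-Fa-f]+")

# Constructed fingerprint and gpg status output; not a real key or real gpg run.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager (constructed) <rm@example.invalid>",
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2013-05-01 1367366400 0 4 0 1 2 00 {SAMPLE_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])


def parse_gpg_status(status_text, expected_fprs):
    """Interpret 'gpg --status-fd 1 --verify' output.

    Returns (ok, reason). ok is True only for a good signature from a key whose
    fingerprint (signing subkey or its primary key) is in expected_fprs.
    A bare 'Good signature' is not enough: any key in the keyring would give one.
    """
    expected = {f.replace(" ", "").upper() for f in expected_fprs}
    good, fprs = False, set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, tag
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # field 2: fingerprint of the signing (sub)key; field 11, when present:
            # fingerprint of the primary key, which is what KEYS files usually list.
            fprs.add(fields[2].upper())
            if len(fields) >= 12:
                fprs.add(fields[11].upper())
    if not good or not fprs:
        return False, "NOSIG"
    if fprs & expected:
        return True, "VALIDSIG"
    return False, "UNEXPECTED_KEY " + ",".join(sorted(fprs))


def verify_signature(sig_path, expected_fprs, gpg="gpg"):
    """Verify a detached .asc (gpg infers the data file by dropping the suffix)."""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", sig_path],
                          capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, expected_fprs)


def expected_digest(checksum_path, artifact_name):
    """Return the lowercase hex digest recorded for artifact_name, or None."""
    with open(checksum_path) as fh:
        lines = fh.read().splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped:
            continue
        # gpg --print-md layout: "file: ABCD EF01 ...", possibly wrapped with indentation
        if ":" in stripped and stripped.split(":", 1)[0].strip() == artifact_name:
            hexpart = stripped.split(":", 1)[1]
            for cont in lines[i + 1:]:
                if not cont[:1].isspace():
                    break
                hexpart += cont
            return "".join(hexpart.split()).lower()
        # coreutils layout: "<hex>  file" (a leading '*' marks binary mode)
        parts = stripped.split()
        if len(parts) >= 2 and parts[-1].lstrip("*") == artifact_name and HEX.fullmatch(parts[0]):
            return parts[0].lower()
    return None


def checksum_ok(artifact_path, checksum_path, algo):
    """Hash the artifact with algo ('md5', 'sha1', ...) and compare to the file."""
    recorded = expected_digest(checksum_path, os.path.basename(artifact_path))
    if recorded is None:
        return False
    h = hashlib.new(algo)
    with open(artifact_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == recorded


def demo():
    """Constructed artifact plus its sha1 in coreutils, gpg, and wrapped-gpg layouts."""
    with tempfile.TemporaryDirectory() as d:
        art = os.path.join(d, "apache-crunch-0.6.0-src.tar.gz")
        with open(art, "wb") as fh:
            fh.write(b"not a real tarball; constructed for the example\n")
        sha1 = hashlib.sha1(open(art, "rb").read()).hexdigest()
        name = os.path.basename(art)
        grouped = " ".join(sha1[i:i + 4] for i in range(0, 40, 4)).upper()
        with open(art + ".sha1", "w") as fh:
            fh.write(f"{sha1}  {name}\n")
        with open(art + ".sha1.gpg", "w") as fh:
            fh.write(f"{name}: {grouped}\n")
        with open(art + ".sha1.wrapped", "w") as fh:
            fh.write(f"{name}: {grouped[:24]}\n      {grouped[25:]}\n")
        return tuple(checksum_ok(art, art + s, "sha1")
                     for s in (".sha1", ".sha1.gpg", ".sha1.wrapped"))


if __name__ == "__main__":
    print("status parse:", parse_gpg_status(SAMPLE_STATUS, [SAMPLE_FPR]))
    print("checksum layouts ok:", demo())
    # Real use: verify_signature("apache-crunch-0.6.0-src.tar.gz.asc", ["<fpr from KEYS>"])
```

Pin the fingerprint list to what the KEYS file says about the release manager, not to whatever gpg happens to find in the local keyring; the trust level gpg prints (TRUST_UNDEFINED in the sample) is irrelevant once the fingerprint is compared explicitly.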