Prerequisite for Mac
brew install wget
brew install gpg
Set environment variables for version & release candidate number.
VERSION=0.12.0
RC=0
Download the release candidate tarballs and open the directory for the corresponding release candidate (e.g., https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-0.12.0-rc0)
mkdir rc-test
cd rc-test
wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-src.tar.gz
wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-src.tar.gz.asc
wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-src.tar.gz.sha512
wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-bin.tar.gz
wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-bin.tar.gz.asc
wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-bin.tar.gz.sha512
- Verify bundle name, signature & SHA512 hash
Import public keys from Pinot release managers (needed if gpg complains that there is no public key)
wget https://dist.apache.org/repos/dist/release/pinot/KEYS
gpg --import KEYS
Verify the signature. Note: You may see a WARNING that the key is not certified with a trusted signature. That is fine. See https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key. Also, see https://gpgtools.tenderapp.com/kb/how-to/trusting-keys-and-why-this-signature-is-not-to-be-trusted#this-signature-is-not-to-be-trusted. To avoid the warning message, you can edit the key in your local environment (see https://www.gnupg.org/gph/en/manual/x334.html).
gpg --verify apache-pinot-${VERSION}-bin.tar.gz.asc
gpg --verify apache-pinot-${VERSION}-src.tar.gz.asc

gpg: assuming signed data in 'apache-pinot-x.x.x-bin.tar.gz'
gpg: Signature made Tue Aug 10 13:47:08 2021 PDT
gpg: using RSA key 6117BAEB7199AF89
gpg: Good signature from "Seunghyun Lee <snlee@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DDB6 EBD1 C9E6 ACB0 3DAF 3B44 6117 BAEB 7199 AF89

### Please note that sometimes "KEYS" file shows the short key. The example is the following:
-----END PGP PUBLIC KEY BLOCK-----
pub 4096R/7199AF89 2021-05-10
uid Seunghyun Lee <snlee@apache.org>
sig 3 7199AF89 2021-05-10 Seunghyun Lee <snlee@apache.org>
sub 4096R/F306596D 2021-05-10
sig 7199AF89 2021-05-10 Seunghyun Lee <snlee@apache.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
# KEYS file indicates "7199AF89" as the key while the pgp verify command shows the full key "6117BAEB7199AF89"
# In this case, please do check the last 8 digits and see if they do match.
Verify hashes
# Compare the output with *.tar.gz.sha512 file
shasum -a 512 apache-pinot-${VERSION}-bin.tar.gz
cat apache-pinot-${VERSION}-bin.tar.gz.sha512
shasum -a 512 apache-pinot-${VERSION}-src.tar.gz
cat apache-pinot-${VERSION}-src.tar.gz.sha512
Open a directory for the corresponding release candidate and untar the tarball.
tar -xzvf apache-pinot-${VERSION}-src.tar.gz
tar -xzvf apache-pinot-${VERSION}-bin.tar.gz
- Verify git commit hash & tag
Check that the git commit hash provided in the voting mail matches the commit hash of the actual tag, and that the source release matches the git tag.
git clone -b release-${VERSION}-rc${RC} --single-branch --depth 1 https://github.com/apache/pinot.git pinot-git-src
cd pinot-git-src
# Check git commit hash given here against the one given in the voting mail
git log
cd ..
diff -r apache-pinot-${VERSION}-src pinot-git-src
# Expected output is to only include lines starting with "Only in pinot-git-src..."
# Only in pinot-git-src: .codecov_bash
# Only in pinot-git-src: .codecov.yml
# ...
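The "only lines starting with Only in pinot-git-src" rule is easy to misread in a long diff, so it can be enforced mechanically. This is an added example, not part of the Pinot release tooling; the function names are hypothetical, it uses diff -rq (brief output) instead of diff -r, and directory arguments must be given without a trailing slash.

```shell
# Added example (not Pinot tooling); function names are hypothetical.

# Succeeds only if every difference between the extracted source release ($1)
# and the git checkout ($2) is a file or directory that exists solely in the
# git checkout. Changed files, or files only in the tarball, are reported.
source_matches_tag() {
  [ -d "$1" ] && [ -d "$2" ] || return 2
  unexpected=$(LC_ALL=C diff -rq "$1" "$2" | while IFS= read -r line; do
    case "$line" in
      ("Only in $2:"*|"Only in $2/"*) ;;   # expected: extra files in git checkout
      (*) printf '%s\n' "$line" ;;          # anything else is a real mismatch
    esac
  done)
  if [ -n "$unexpected" ]; then
    printf 'Unexpected differences:\n%s\n' "$unexpected" >&2
    return 1
  fi
}

# Succeeds if HEAD of the cloned tag ($1) is the full commit hash quoted in
# the voting mail ($2).
tag_commit_matches() {
  [ "$(git -C "$1" rev-parse HEAD)" = "$2" ]
}

# Usage from the rc-test directory:
#   source_matches_tag "apache-pinot-${VERSION}-src" pinot-git-src
#   tag_commit_matches pinot-git-src "<hash from the voting mail>"
```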
- Verify LICENSE, and NOTICE files are present in the extracted bundle.
Verify if the source distribution can compile
You must build and run with JDK 11+
cd apache-pinot-${VERSION}-src
# Build Pinot (This will run license check, compilation, but not tests. Running tests will take a few hours, you can enable it by removing -DskipTests option)
mvn clean install -Pbin-dist -DskipTests -T1C
# Run Quick Demo
cd pinot-distribution/target/apache-pinot-${VERSION}-bin/apache-pinot-${VERSION}-bin
bin/quick-start-batch.sh
# At this point, open a web browser and go to http://localhost:9000/query and try to run some queries
Verify if the binary distribution is working well with the Quick Demo
# Run Quick Demo
cd apache-pinot-${VERSION}-bin
bin/quick-start-batch.sh
# At this point, open a web browser and go to http://localhost:9000/query and try to run some queries
Checklist
- Verify signature, hash
- Verify if the released source matches with the provided git tag & hash
- Verify if LICENSE, NOTICE files are present
- Check if the source distribution can compile (Do not skip the tests)
- Run quick demo from both source and binary distributions