1. Prerequisite for Mac

    brew install wget
    brew install gpg
  2. Set environment variables for version & release candidate number.

  3. Download the release candidate tarballs and open the directory for the corresponding release candidate (e.g., https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-0.12.0-rc0)

    mkdir rc-test
    cd rc-test
    wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-src.tar.gz
    wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-src.tar.gz.asc
    wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-src.tar.gz.sha512
    wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-bin.tar.gz
    wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-bin.tar.gz.asc
    wget https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-$VERSION-rc$RC/apache-pinot-$VERSION-bin.tar.gz.sha512
  4. Verify bundle name, signature & SHA512 hash
    1. Import public keys from Pinot release managers (need to do if gpg complains that there is no public key)

      wget https://dist.apache.org/repos/dist/release/pinot/KEYS
      gpg --import KEYS
    2. Verify the signature (Note: You may see a WARNING that the key is not certified with a trusted signature. That is fine. See https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key. Also, see https://gpgtools.tenderapp.com/kb/how-to/trusting-keys-and-why-this-signature-is-not-to-be-trusted#this-signature-is-not-to-be-trusted.  In order not to see the warning message, you can edit the key in your local environment (see https://www.gnupg.org/gph/en/manual/x334.html)

      gpg --verify apache-pinot-${VERSION}-bin.tar.gz.asc
      gpg --verify apache-pinot-${VERSION}-src.tar.gz.asc
      gpg: assuming signed data in 'apache-pinot-x.x.x-bin.tar.gz'
      gpg: Signature made Tue Aug 10 13:47:08 2021 PDT
      gpg:                using RSA key 6117BAEB7199AF89
      gpg: Good signature from "Seunghyun Lee <snlee@apache.org>" [unknown]
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg:          There is no indication that the signature belongs to the owner.
      Primary key fingerprint: DDB6 EBD1 C9E6 ACB0 3DAF  3B44 6117 BAEB 7199 AF89
      ### Please note that sometimes "KEYS" file shows the short key. The example is the following:
      -----END PGP PUBLIC KEY BLOCK-----
      pub   4096R/7199AF89 2021-05-10
      uid                  Seunghyun Lee <snlee@apache.org>
      sig 3        7199AF89 2021-05-10  Seunghyun Lee <snlee@apache.org>
      sub   4096R/F306596D 2021-05-10
      sig          7199AF89 2021-05-10  Seunghyun Lee <snlee@apache.org>
      # KEYS file indicates "7199AF89" as the key while the pgp verify command shows the full key "6117BAEB7199AF89"
      # In this case, please do check the last 8 digits and see if they do match.

    3. Verify hashes

      # Compare the output with *.tar.gz.sha512 file
      shasum -a 512 apache-pinot-${VERSION}-bin.tar.gz
      cat apache-pinot-${VERSION}-bin.tar.gz.sha512
      shasum -a 512 apache-pinot-${VERSION}-src.tar.gz
      cat apache-pinot-${VERSION}-src.tar.gz.sha512

  5. Open a directory for the corresponding release candidate and untar the tarball.

    tar -xzvf apache-pinot-${VERSION}-src.tar.gz
    tar -xzvf apache-pinot-${VERSION}-bin.tar.gz

  6. Verify git commit hash & tag 
    1. Checking if the git commit hash provided in voting mail matches with the commit hash from the actual tag & checking if the source release matches with the git tag

      git clone -b release-${VERSION}-rc${RC} --single-branch --depth 1 https://github.com/apache/pinot.git pinot-git-src  
      cd pinot-git-src
      # Check git commit hash given here against the one given in the voting mail
      git log
      cd ..
      diff -r apache-pinot-${VERSION}-src pinot-git-src
      # Expected output is to only include lines starting with "Only in pinot-git-src..."
      # Only in pinot-git-src: .codecov_bash
      # Only in pinot-git-src: .codecov.yml
      # ...

  7. Verify LICENSE, and NOTICE files are present in the extracted bundle.

  8. Verify if the source distribution can compile

    You must build and run with JDK 11+

    cd apache-pinot-${VERSION}-src
    # Build Pinot (This will run license check, compilation, but not tests. Running tests will take a few hours, you can enable it by removing -DskipTests option)
    mvn clean install -Pbin-dist -DskipTests -T1C
    # Run Quick Demo
    cd pinot-distribution/target/apache-pinot-${VERSION}-bin/apache-pinot-${VERSION}-bin
    # At this point, open a web browser and go to http://localhost:9000/query and try to run some queries

  9. Verify if the binary distribution is working well with the Quick Demo

    # Run Quick Demo
    cd apache-pinot-${VERSION}-bin
    # At this point, open a web browser and go to http://localhost:9000/query and try to run some queries


  1. Verify signature, hash
  2. Verify if the released source matches with the provided git tag & hash
  3. Verify if LICENSE, NOTICE files are present
  4. Check if the source distribution can compile (Do not skip the tests)
  5. Run quick demo from both source and binary distributions

  • No labels

1 Comment

  1. Run Quick Demo
    In step 9, it will be clearer if we ask the user to start from rc-test root directory since it follows step 8. It would be better if we use absolute path by defining project root.