...
The full checklist can be found here: Incubator Release Checklist.
Prerequisites
For mac:
| Code Block |
|---|
brew install gpg |
For ubuntu:
...
| Code Block |
|---|
sudo apt install gpg |
Downloading the release files
...
In order to check the signature (ASC) of the release:
| No Format |
|---|
gpg --verify apache- |
...
pegasus- |
...
2. |
...
1.0-source-release.zip.asc apache- |
...
pegasus- |
...
2. |
...
1.0-source-release.zip |
This should produce something like this:
...
gpg: Signatur vom Fr 2 Aug 14:30:42 2019 CESTgpg: mittels RSA-Schlüssel ADBD428CB5BF6C9FFC77B907C336E0143A553B89gpg: Korrekte Signatur von "Julian Feinauer <jfeinauer@apache.org>" [ultimativ]
...
| No Format |
|---|
gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate] |
If you get the following error, it means you don't have the public key of the person who signed the message.
...
|
Verifying the
...
checksum (SHA512)
Unfortunately checking the hashes isn't as automatic as checking the signatures.
...
| No Format |
|---|
sha512sum --check apache-pegasus-2.1.0-source-release.zip |
...
.sha512 |
If it produces "apache-pegasus-2.1.0-source-release.zip: OK", it means the package is good
This will print out the hash ... unfortunately I haven't found a tool that you could pass along the SHA512 file and it just says: OK or NOT OK, so you have to manually compare the output with the output in the SHA512 file.
You however don't have to check everything. I usually check the first 8 chars and the last 8 ... the probability of the rest in the middle being different is minimal..
Running RAT
Before building it might be a good idea to run RAT on the unpacked sources. This will find all binaries and files without headers completely ignoring any "exclusions" in the pom.
...