Comment: Update the version used as example and update the location of the KEYS file

...

Info

This has been copied over from IoTDB and was adapted for NuttX (Validating a staged Release).

...

Team members must do the following.  

NOTE: The 12.3.0-RC0 release is used here as an example.

Only the Release Manager needs to perform the items tagged with '[RM]', though all are encouraged to.

  1. download staged artifacts. Check their signature and hashes.
    1. mkdir checkrelease
    2. cd checkrelease
    3. wget -r -nH --cut-dirs=100 --no-parent https://dist.apache.org/repos/dist/dev/incubator/nuttx/12.3.0-RC0/
    4. [RM] verify the reported signature ("gpg: Good signature from ...")
      1. gpg --verify apache-nuttx-12.3.0-incubating.tar.gz.asc apache-nuttx-12.3.0-incubating.tar.gz

      2. gpg --verify apache-nuttx-apps-12.3.0-incubating.tar.gz.asc apache-nuttx-apps-12.3.0-incubating.tar.gz

    5. [RM] verify the reported hashes:
      1. sha512sum -c apache-nuttx-12.3.0-incubating.tar.gz.sha512

      2. sha512sum -c apache-nuttx-apps-12.3.0-incubating.tar.gz.sha512
  2. extract src bundle
    1. tar -xf apache-nuttx-12.3.0-incubating.tar.gz
    2. tar -xf apache-nuttx-apps-12.3.0-incubating.tar.gz
    3. verify the existence of LICENSE, NOTICE, README.md, and DISCLAIMER-WIP files in the extracted source bundle in BOTH apps and nuttx
    4. [RM] verify the staged source Documentation/ReleaseNotes/NuttX-12.3.0 file in nuttx corresponds to the current release
    5. [RM] verify the staged source .version file in nuttx corresponds to the current release
    6. WIP for future releases! Run RAT on the extracted source
  3. Build Targets
    1. cd nuttx
    2. build from directions in README.txt for a target that you have
      1. sim target is OK if you do not have hardware, but please try multiple OS if possible (especially Windows and MacOS)
      2. Some targets are built as part of CI, but do not have functional testing, so these are valuable as well
  4. [RM] WIP for future releases! review target/rat.txt (though the build should fail if RAT constraints aren't met)

...

Code Block
gpg --verify apache-nuttx-12.3.0-incubating.tar.gz.asc apache-nuttx-12.3.0-incubating.tar.gz
gpg --verify apache-nuttx-apps-12.3.0-incubating.tar.gz.asc apache-nuttx-apps-12.3.0-incubating.tar.gz

This should produce something like this:

Code Block
❯ gpg --verify apache-nuttx-9.0.0-incubating.tar.gz.asc apache-nuttx-9.0.0-incubating.tar.gz
gpg: Signature made seg 09 out 2023 03:56:36 -03
gpg:                using RSA key 9208D2E4B800D66F749AD4E94137A71698C5E4DB
gpg: Good signature from "Alin Jerpelea <jerpelea@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9208 D2E4 B800 D66F 749A  D4E9 4137 A716 98C5 E4DB

The important part is that it's a "Good signature". The "ultimate/unknown" at the end depends on your PGP trust environment. If you are not yet trusting any Apache people, this might be different.

...

Code Block
gpg2 --receive-keys 66C4832A165ECC9354895A209750ED7E692B99E2


If you get an error message when running `gpg2 --receive-keys ....`, like "gpg: keyserver receive failed: No data" or others, it may be caused by a network problem.

In that case, you can load the public key another way: download the KEYS file from https://distdlcdn.apache.org/repos/dist/dev/incubator/nuttx/KEYS and then

Code Block
❯ gpg2 --import KEYS
gpg: key E1B6E30DB05D6280: "Brennan Ashton <btashton@apache.org>" not changed
gpg: key 2B8C7F0EAB22000E: public key "Abdelatif Guettouche (CODE SIGNING KEY) <aguettouche@apache.org>" imported
gpg: key 4137A71698C5E4DB: public key "Alin Jerpelea <jerpelea@apache.org>" imported
gpg: key 9E711BAD3264C061: public key "Alin Jerpelea <alin.jerpelea@sony.com>" imported
gpg: key A57CE1279F1E7328: public key "Alin Jerpelea (CODE SIGNING KEY) <jerpelea@apache.org>" imported
gpg: key 6E72660F995FBC42: public key "Brennan Ashton <bashton@brennanashton.com>" imported
gpg: Total number processed: 6
gpg:               imported: 5
gpg:              unchanged: 1

Verifying the hashes (SHA512)

Code Block
sha512sum -c apache-nuttx-12.3.0-incubating.tar.gz.sha512
sha512sum -c apache-nuttx-apps-12.3.0-incubating.tar.gz.sha512
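
The signature and hash checks above combined into one script, as an added example that is not part of the original page or the NuttX project: it accepts an artifact only if its SHA-512 matches and gpg's machine-readable status reports a good signature whose primary key fingerprint equals the one you expect. The function names and the two script arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Usage: sh verify.sh <artifact> "<expected primary key fingerprint>"
# Expects <artifact>.asc and <artifact>.sha512 next to the artifact.

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin. Print the primary key fingerprint
# (last field of VALIDSIG) only when GOODSIG was also reported, so signatures
# from expired or revoked keys and BADSIG results print nothing.
validsig_primary() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# $1 = expected fingerprint; gpg status text on stdin.
status_matches() {
    got=$(validsig_primary)
    [ -n "$got" ] && [ "$got" = "$(norm_fpr "$1")" ]
}

# Compare the SHA-512 of $1 with the digest stored in $1.sha512.
hash_matches() {
    want=$(awk '{ print tolower($1); exit }' "$1.sha512")
    have=$(sha512sum "$1" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# $1 = artifact, $2 = expected primary key fingerprint.
verify_artifact() {
    hash_matches "$1" || { echo "FAIL hash: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | status_matches "$2" \
        || { echo "FAIL signature: $1" >&2; return 1; }
    echo "OK: $1"
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then verify_artifact "$1" "$2"; fi
```

Take the expected fingerprint from the KEYS file, not from the output of the `gpg --verify` run you are checking.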

Running RAT  (WIP for Future Releases)

...