...
Info |
---|
This has been copied over from IoTDB and was adapted for NuttX (Validating a staged Release). |
...
Team members must do the following.
NOTE: The 12.3.0-RC0 release is used here as an example.
Only the Release Manager needs to perform the items tagged with '[RM]', though all are encouraged to.
- download staged artifacts. Check their signature and hashes.
  ```
  mkdir checkrelease
  cd checkrelease
  wget -r -nH --cut-dirs=100 --no-parent https://dist.apache.org/repos/dist/dev/incubator/nuttx/12.3.0-RC0/
  ```
- [RM] verify the reported signature ("gpg: Good signature from ...")
  ```
  gpg --verify apache-nuttx-12.3.0-incubating.tar.gz.asc apache-nuttx-12.3.0-incubating.tar.gz
  gpg --verify apache-nuttx-apps-12.3.0-incubating.tar.gz.asc apache-nuttx-apps-12.3.0-incubating.tar.gz
  ```
- [RM] verify the reported hashes:
  ```
  sha512sum -c apache-nuttx-12.3.0-incubating.tar.gz.sha512
  sha512sum -c apache-nuttx-apps-12.3.0-incubating.tar.gz.sha512
  ```
- extract src bundle
  ```
  tar -xf apache-nuttx-12.3.0-incubating.tar.gz
  tar -xf apache-nuttx-apps-12.3.0-incubating.tar.gz
  ```
- verify the existence of LICENSE, NOTICE, README.md and DISCLAIMER-WIP files in the extracted source bundle in BOTH apps and nuttx
- [RM] verify the staged source Documentation/ReleaseNotes/NuttX-12.3.0 file in nuttx corresponds to the current release
- [RM] verify the staged source .version file in nuttx corresponds to the current release
- WIP for future releases! Run RAT on the extracted source
- Build targets
  ```
  cd nuttx
  ```
- build from directions in README.txt for a target that you have
- sim target is OK if you do not have hardware, but please try multiple OSes if possible (especially Windows and macOS)
- Some targets are built as part of CI, but do not have functional testing, so these are valuable as well
- [RM] WIP for future releases! review target/rat.txt (though the build should fail if RAT constraints aren't met)
...
```
gpg --verify apache-nuttx-12.3.0-incubating.tar.gz.asc apache-nuttx-12.3.0-incubating.tar.gz
gpg --verify apache-nuttx-apps-12.3.0-incubating.tar.gz.asc apache-nuttx-apps-12.3.0-incubating.tar.gz
```
This should produce something like this:
```
❯ gpg --verify apache-nuttx-9.0.0-incubating.tar.gz.asc apache-nuttx-9.0.0-incubating.tar.gz
gpg: Signature made seg 09 out 2023 03:56:36 -03
gpg:                using RSA key 9208D2E4B800D66F749AD4E94137A71698C5E4DB
gpg: Good signature from "Alin Jerpelea <jerpelea@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9208 D2E4 B800 D66F 749A D4E9 4137 A716 98C5 E4DB
```
The important part is that it's a "Good signature". The "ultimate/unknown" at the end depends on your PGP trust environment. If you are not yet trusting any Apache people, this might be different.
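When the trust level is "[unknown]", what ties a "Good signature" to a release manager is the primary key fingerprint. The script below is an added example, not part of the original page or of NuttX tooling: it reads gpg's machine-readable status output and accepts the artifact only if the signer matches a pinned fingerprint. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the signer of a staged artifact to a known fingerprint.
# Function names are hypothetical; they are not part of gpg or NuttX.

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd 1 --verify ...` output on stdin. Succeed only if gpg
# reported GOODSIG and the VALIDSIG line names the expected primary key.
# VALIDSIG carries the primary key fingerprint as its 10th argument ($12);
# older gpg versions omit it, in which case the signing key ($3) is used.
signer_matches() (
  want=$(norm_fpr "$1")
  got=$(awk '
    $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = ($12 != "" ? $12 : $3) }
    END { if (good) print fpr }')
  [ -n "$got" ] && [ "$got" = "$want" ]
)

# Full check of one staged artifact: SHA512 first, then the pinned signature.
# Usage: verify_artifact apache-nuttx-12.3.0-incubating.tar.gz "<fingerprint>"
verify_artifact() (
  tarball=$1
  sha512sum -c "$tarball.sha512" || exit 1
  gpg --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null |
    signer_matches "$2"
)

# Constructed sample of gpg status output (timestamps are made up; the key
# id and fingerprint are the ones shown in the output above).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4137A71698C5E4DB Alin Jerpelea <jerpelea@apache.org>
[GNUPG:] VALIDSIG 9208D2E4B800D66F749AD4E94137A71698C5E4DB 2023-10-09 1696834596 0 4 0 1 10 00 9208D2E4B800D66F749AD4E94137A71698C5E4DB'

# Constructed sample where the key has expired: VALIDSIG without GOODSIG.
SAMPLE_EXPIRED='[GNUPG:] EXPKEYSIG 4137A71698C5E4DB Alin Jerpelea <jerpelea@apache.org>
[GNUPG:] VALIDSIG 9208D2E4B800D66F749AD4E94137A71698C5E4DB 2023-10-09 1696834596 0 4 0 1 10 00 9208D2E4B800D66F749AD4E94137A71698C5E4DB'
```

Take the fingerprint to pin from the project's KEYS file, not from the output of the same `gpg --verify` run you are checking.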
...
```
gpg2 --receive-keys 66C4832A165ECC9354895A209750ED7E692B99E2
```
If you get an error message when running `gpg2 --receive-keys ....`, like "gpg: keyserver receive failed: No data" or others, it may be caused by a network problem.
In that case, you can load the public key this way: download the KEYS file from https://dlcdn.apache.org/repos/dist/dev/incubator/nuttx/KEYS, and then
```
❯ gpg2 --import KEYS
gpg: key E1B6E30DB05D6280: "Brennan Ashton <btashton@apache.org>" not changed
gpg: key 2B8C7F0EAB22000E: public key "Abdelatif Guettouche (CODE SIGNING KEY) <aguettouche@apache.org>" imported
gpg: key 4137A71698C5E4DB: public key "Alin Jerpelea <jerpelea@apache.org>" imported
gpg: key 9E711BAD3264C061: public key "Alin Jerpelea <alin.jerpelea@sony.com>" imported
gpg: key A57CE1279F1E7328: public key "Alin Jerpelea (CODE SIGNING KEY) <jerpelea@apache.org>" imported
gpg: key 6E72660F995FBC42: public key "Brennan Ashton <bashton@brennanashton.com>" imported
gpg: Total number processed: 6
gpg:               imported: 5
gpg:              unchanged: 1
```
Verifying the hashes (SHA512)
```
sha512sum -c apache-nuttx-12.3.0-incubating.tar.gz.sha512
sha512sum -c apache-nuttx-apps-12.3.0-incubating.tar.gz.sha512
```
Running RAT (WIP for Future Releases)
...