You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/pegasus it must be validated and voted on in order to proceed.

The full checklist can be found here: Incubator Release Checklist.

Prerequisites

For mac:

brew install gpg

For ubuntu:

sudo apt install gpg

Downloading the release files

A release consists of a source zip, a signature file, a sha512 checksum file.

  • Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip
  • Signature (asc)https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip.asc
  • Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip.sha512

Verifying the signature (ASC)

Before checking the signature, you should import the public keys from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS

gpg --import KEYS

In order to check the signature (ASC) of the release:

gpg --verify apache-pegasus-2.1.0-source-release.zip.asc apache-pegasus-2.1.0-source-release.zip

This should produce something like this:

gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate]

If you get the following error,  it means you don't have the public key of the person who signed the message.

gpg: Signature made 一 10/14 13:04:42 2019 CST
gpg:                using RSA key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
gpg: Can't check signature: No public key

Verifying the checksum (SHA512)

sha512sum --check apache-pegasus-2.1.0-source-release.zip.sha512

If it produces "apache-pegasus-2.1.0-source-release.zip: OK", it means the package is good.

Running RAT

Before building it might be a good idea to run RAT on the unpacked sources. This will find all binaries and files without headers completely ignoring any "exclusions" in the pom.

Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi

Unpack it somewhere and change into the unpacked source-directory and run the following command:

java -Xms1024m -Xmx1024m -jar {path-to-apache-rat-0.13.jar} .

  • No labels