This has been copied over from the IoTDB and was adapted for NuttX (Validating a staged Release).


Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/nuttx it must be validated and voted on before it can proceed.

Team members must do the following.  

NOTE:  The 12.3.0-RC0 release is used here as an example

Only the Release Manager needs to perform the items tagged with '[RM]' though all are encouraged to.

  1. download the staged artifacts and check their signatures and hashes.
    1. mkdir checkrelease
    2. cd checkrelease
    3. wget -r -nH --cut-dirs=100 --no-parent https://dist.apache.org/repos/dist/dev/nuttx/12.3.0-RC0/
    4. [RM] verify the signature of each tarball ("gpg: Good signature from ...") and confirm that the key fingerprint gpg reports is listed in the project's KEYS file; a good signature from a key that is not a published release key proves nothing
      1. gpg --verify apache-nuttx-12.3.0.tar.gz.asc apache-nuttx-12.3.0.tar.gz
      2. gpg --verify apache-nuttx-apps-12.3.0.tar.gz.asc apache-nuttx-apps-12.3.0.tar.gz
    5. [RM] verify the hashes (the .sha512 files must sit in the same directory as the tarballs):
      1. sha512sum -c apache-nuttx-12.3.0.tar.gz.sha512
      2. sha512sum -c apache-nuttx-apps-12.3.0.tar.gz.sha512
  2. extract src bundle
    1. tar -xf apache-nuttx-12.3.0.tar.gz
    2. tar -xf apache-nuttx-apps-12.3.0.tar.gz
    3. verify the existence of LICENSE, NOTICE and README.md files in the extracted source bundle in BOTH apps and nuttx
    4. [RM] verify the staged source Documentation/ReleaseNotes/NuttX-12.3.0 file in nuttx corresponds to the current release
    5. [RM] verify the staged source .version file in nuttx corresponds to the current release
    6. WIP for future releases! Run RAT on the extracted source
  3. Build targets
    1. cd nuttx
    2. build a target you have hardware for, following the directions in the README
      1. the sim target is OK if you do not have hardware, but please try multiple host OSes if possible (especially Windows and macOS)
      2. some targets are built as part of CI but get no functional testing, so building and running those is valuable as well
  4. [RM] WIP for future releases! review target/rat.txt (though the build should fail if RAT constraints aren't met)
    1. Find any rat.txt files that report binary content:
      1. find . -type f -name 'rat.txt' -exec grep -l " B " {} \;
    2. Then review the B (binary) entries in those files:
      1. grep " B " target/rat.txt

Verifying the signature (ASC)

In order to check the signature (ASC) of the release:

gpg --verify apache-nuttx-12.3.0.tar.gz.asc apache-nuttx-12.3.0.tar.gz
gpg --verify apache-nuttx-apps-12.3.0.tar.gz.asc apache-nuttx-apps-12.3.0.tar.gz

This should produce something like this:

gpg: Signature made seg 09 out 2023 03:56:36 -03
gpg:                using RSA key 9208D2E4B800D66F749AD4E94137A71698C5E4DB
gpg: Good signature from "Alin Jerpelea <jerpelea@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9208 D2E4 B800 D66F 749A  D4E9 4137 A716 98C5 E4DB

The important part is that it is a "Good signature". The trust level in brackets ("[unknown]", "[ultimate]", ...) and the WARNING only reflect your own PGP trust settings: if you have not yet certified any Apache committer's key, the output will look like this. A good signature proves only that the file was signed with the key shown; to know that this key is the release manager's, compare the primary key fingerprint on the last line with that person's entry in the project's KEYS file (https://dlcdn.apache.org/nuttx/KEYS).

If you get the following error, it means you don't have the public key of the person who signed the release:

gpg: Signature made Thu 23 Apr 2020 07:59:22 PM PDT
gpg:                using RSA key 66C4832A165ECC9354895A209750ED7E692B99E2
gpg: Can't check signature: No public key

Use the key fingerprint gpg reported to fetch the public key from a keyserver, then run the verification again:

gpg2 --receive-keys 66C4832A165ECC9354895A209750ED7E692B99E2


If `gpg2 --receive-keys ....` fails with an error such as "gpg: keyserver receive failed: No data", the cause is usually a network or keyserver problem.

In that case load the public keys from the project's KEYS file instead: download https://dlcdn.apache.org/nuttx/KEYS and import it:

gpg2 --import KEYS

gpg: key E1B6E30DB05D6280: "Brennan Ashton <btashton@apache.org>" not changed
gpg: key 2B8C7F0EAB22000E: public key "Abdelatif Guettouche (CODE SIGNING KEY) <aguettouche@apache.org>" imported
gpg: key 4137A71698C5E4DB: public key "Alin Jerpelea <jerpelea@apache.org>" imported
gpg: key 9E711BAD3264C061: public key "Alin Jerpelea <alin.jerpelea@sony.com>" imported
gpg: key A57CE1279F1E7328: public key "Alin Jerpelea (CODE SIGNING KEY) <jerpelea@apache.org>" imported
gpg: key 6E72660F995FBC42: public key "Brennan Ashton <bashton@brennanashton.com>" imported
gpg: Total number processed: 6
gpg:               imported: 5
gpg:              unchanged: 1

Verifying the hashes (SHA512)

sha512sum -c apache-nuttx-12.3.0.tar.gz.sha512
sha512sum -c apache-nuttx-apps-12.3.0.tar.gz.sha512
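Step 1 of the checklist and the two sections above can be scripted. The following is an added example, not part of the NuttX release process or its tooling. It assumes wget, gpg and sha512sum are installed and that the staging and KEYS URLs are the ones quoted on this page, and it adds the check those sections leave to the reader: the key behind the "Good signature" must be listed in the project's KEYS file, which is fetched from the download site rather than from the staging directory, so a tampered staging area cannot also supply the key that vouches for it. The sample gpg status output and KEYS file at the bottom are constructed for offline exercise (the first fingerprint and uid are the ones shown above; the second key is invented).

```shell
#!/bin/sh
# Added example, not NuttX release tooling.  verify_release needs wget, gpg
# and sha512sum on PATH; the helpers need only POSIX sh, grep, tr, sort and
# awk, and are exercised below on constructed data.

# List every 40-hex-digit fingerprint in an Apache-style KEYS file.  KEYS
# files show fingerprints either as "Key fingerprint = 9208 D2E4 ..." or as
# a bare indented hex line, so spaces are stripped before matching.
keys_fingerprints() {
    tr -d ' ' < "$1" | grep -oE '[0-9A-F]{40}' | sort -u
}

# Read `gpg --status-fd 1 --verify` output from stdin.  Print the signing
# key fingerprint (plus the primary key fingerprint when a subkey signed)
# only if gpg reported GOODSIG and VALIDSIG and no failure line.  Returns 1
# on BADSIG, ERRSIG, NO_PUBKEY, expired/revoked keys or missing data.
signature_fingerprint() {
    status=$(cat)
    if printf '%s\n' "$status" | grep -qE '^\[GNUPG:] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    printf '%s\n' "$status" | grep -q '^\[GNUPG:] GOODSIG ' || return 1
    fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:] VALIDSIG / {
        print $3
        if (length($NF) == 40 && $NF != $3) print $NF
        exit }')
    [ -n "$fprs" ] || return 1
    printf '%s\n' "$fprs"
}

# Status text on stdin, KEYS path in $1.  Succeeds (printing the matching
# fingerprint) only when the signature is good AND the signer is listed in
# KEYS.  A "Good signature" from an unlisted key is exactly what it rejects.
signer_is_release_key() {
    for fpr in $(signature_fingerprint); do
        if keys_fingerprints "$1" | grep -qx "$fpr"; then
            printf '%s\n' "$fpr"
            return 0
        fi
    done
    return 1
}

# End-to-end driver, e.g. `verify_release 12.3.0 RC0`.  Runs in a subshell
# so the cd does not leak.  KEYS comes from the download site, never from
# the staging directory being verified.
verify_release() (
    stage="https://dist.apache.org/repos/dist/dev/nuttx/$1-$2"
    mkdir -p checkrelease && cd checkrelease || exit 1
    wget -q -r -nH --cut-dirs=100 --no-parent "$stage/"
    wget -q -O KEYS https://dlcdn.apache.org/nuttx/KEYS
    gpg --import KEYS
    for base in "apache-nuttx-$1" "apache-nuttx-apps-$1"; do
        sha512sum -c "$base.tar.gz.sha512" || exit 1
        gpg --status-fd 1 --verify "$base.tar.gz.asc" "$base.tar.gz" 2>/dev/null \
            | signer_is_release_key KEYS || { echo "$base: signer not in KEYS" >&2; exit 1; }
    done
    echo "all artifacts verified"
)

# Constructed sample data (not captured from a real run): the first
# fingerprint and uid are those quoted on this page, the second key is made up.
sample_good_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4137A71698C5E4DB Alin Jerpelea <jerpelea@apache.org>
[GNUPG:] VALIDSIG 9208D2E4B800D66F749AD4E94137A71698C5E4DB 2023-10-09 1696834596 0 4 0 1 10 00 9208D2E4B800D66F749AD4E94137A71698C5E4DB
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
sample_keys_file() {
    cat > "$1" <<'EOF'
pub   rsa4096 2023-01-01 [SC]
      Key fingerprint = 9208 D2E4 B800 D66F 749A  D4E9 4137 A716 98C5 E4DB
uid           Alin Jerpelea <jerpelea@apache.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
pub   rsa4096 2023-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           Example Committer <example@apache.org>
EOF
}

if [ $# -ge 2 ]; then
    verify_release "$1" "$2"
fi
```

Saved as a script and run as `sh verify-nuttx-rc.sh 12.3.0 RC0`, it fails on the first bad hash, bad signature, or signature from a key that is not in KEYS; sourcing it instead gives you the helpers for use against any `gpg --status-fd 1` output.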

Running RAT  (WIP for Future Releases)

Before building it might be a good idea to run RAT on the unpacked sources. Run this way, directly on the directory and outside any build, RAT reports every binary file and every file without a license header, ignoring any exclusions a build configuration (such as a Maven pom) would normally apply.

Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi

Unpack it somewhere and change into the unpacked source-directory and run the following command:

java -Xms1024m -Xmx1024m -jar {path-to-apache-rat-0.13.jar} .