
Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/pegasus it must be validated and voted on in order to proceed.


The full checklist can be found here: Incubator Release Checklist.

Prerequisites

For mac:

brew install gpg


Downloading the release files

A release candidate consists of three files: the source zip, a detached PGP signature (.asc) and a SHA512 checksum file (.sha512).

  • Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip
  • Signature (asc): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip.asc
  • Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip.sha512

Verifying the signature (ASC)

Before checking the signature, download the project's KEYS file from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS and import the public keys it contains into your keyring:

gpg --import KEYS

In order to check the signature (ASC) of the release, pass the signature file first and the archive second:

gpg --verify apache-pegasus-a.b.c-source-release.zip.asc apache-pegasus-a.b.c-source-release.zip

This should produce something like this (the output below was captured on a German-localized Mac and is translated here):

gpg: Signature made Fri  2 Aug 14:30:42 2019 CEST
gpg:                using RSA key ADBD428CB5BF6C9FFC77B907C336E0143A553B89
gpg: Good signature from "Julian Feinauer <jfeinauer@apache.org>" [ultimate]

The important parts are that gpg reports a "Good signature" ("Korrekte Signatur" in the German locale) and that the email in the signing user ID is an Apache email. The trust level in brackets ("[ultimate]" above) depends on your own PGP trust environment: if you have not yet certified or trusted any Apache committers' keys you will see "[unknown]" instead, together with a warning that the key is not certified with a trusted signature. That warning is expected and is not a failure; it only means gpg cannot tie the key to someone you trust. A "BAD signature" line, on the other hand, means the archive or the .asc file was modified, and the candidate must be rejected.

If you get the following error, it means you don't have the public key of the person who signed the release:

gpg: Signature made Mon 10/14 13:04:42 2019 CST
gpg:                using RSA key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
gpg: Can't check signature: No public key

Download and import the current KEYS file again; the key shown in the "using RSA key" line must be listed in the project's KEYS file. If it is not, the signing key has not been published and the candidate cannot be validated until it is.

Verifying the hashes (SHA512)

Checking the hash can be just as automatic as checking the signature, provided the .sha512 file uses the "<digest>  <filename>" layout that shasum and sha512sum write. In that case let the tool do the comparison; it prints "OK" or "FAILED" for the file:

shasum -a 512 -c apache-pegasus-a.b.c-source-release.zip.sha512

On Linux, sha512sum -c does the same. If the .sha512 file holds only the bare digest (or the spaced, upper-case layout written by gpg --print-md), compute the hash yourself

shasum -a 512 apache-pegasus-a.b.c-source-release.zip

and compare it with the contents of the .sha512 file in full, with diff or a string comparison rather than by eye. Comparing only the first and last few characters is a habit worth dropping: the tools compare the whole 128-character digest for free, and your vote is a statement that the archive is byte-for-byte the one the release manager hashed and signed.
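
The download, KEYS import, signature check and SHA512 check from this section and the previous one, as one script. This is an added example and not the Pegasus project's own tooling: the function names, the throw-away GNUPGHOME keyring, the gpg --status-fd parsing and the handling of the different .sha512 layouts are this example's own choices, and a.b.c / d are the page's placeholders. It assumes gpg, curl and either sha512sum (Linux) or shasum (macOS) on the PATH.

```shell
#!/bin/sh
# Added example, not part of the Pegasus project's own tooling: verify a staged
# release candidate end-to-end (download, KEYS import, signature, SHA512).
# Assumptions: the file layout shown on this page (zip, .asc, .sha512 and KEYS
# under the same dist.apache.org tree), gpg and curl installed, and sha512sum
# (Linux) or shasum (macOS) on the PATH. Function names are this example's own.
set -eu

# Hex SHA-512 digest of a file, using whichever tool the platform provides.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{print $1}'
    else
        echo "no sha512sum or shasum on PATH" >&2
        return 1
    fi
}

# check_sha512 <file> <file.sha512>
# Accepts the three layouts seen in Apache .sha512 files: a bare digest,
# "<digest>  <filename>" (shasum/sha512sum), and "<filename>: AB CD ..."
# (gpg --print-md: upper case, space-grouped, possibly wrapped over lines).
# Compares the whole 128-character digest, never just a prefix or suffix.
check_sha512() {
    expected=$(sed 's/^[^: ]*: *//' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f' | cut -c1-128)
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed digest file: $2" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 128 ] || { echo "malformed digest file: $2" >&2; return 1; }
    actual=$(sha512_of "$1")
    if [ "$expected" = "$actual" ]; then
        echo "sha512 OK: $1"
        return 0
    fi
    echo "sha512 MISMATCH for $1" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# check_gpg_status <gpg --status-fd output>
# Applies this page's acceptance rules to gpg's machine-readable status records:
# the signature must verify (GOODSIG) and the signer's user ID on that record
# must be an @apache.org address. The trust level is deliberately not required,
# since "[unknown]" only reflects your own web of trust. NO_PUBKEY is the
# "Can't check signature: No public key" case from the page: import KEYS, retry.
check_gpg_status() {
    if printf '%s\n' "$1" | grep -q '^\[GNUPG:] NO_PUBKEY '; then
        echo "signer's public key not in keyring: import KEYS and retry" >&2
        return 1
    fi
    if printf '%s\n' "$1" | grep -q '^\[GNUPG:] BADSIG '; then
        echo "BAD signature: archive or .asc was modified, reject the candidate" >&2
        return 1
    fi
    uid=$(printf '%s\n' "$1" | sed -n 's/^\[GNUPG:] GOODSIG [0-9A-Fa-f]* //p' | head -n 1)
    if [ -z "$uid" ]; then
        echo "no GOODSIG record: signature did not verify" >&2
        return 1
    fi
    case "$uid" in
        *@apache.org\>*) echo "good signature from $uid"; return 0 ;;
        *) echo "good signature, but signer is not an apache.org address: $uid" >&2; return 1 ;;
    esac
}

# verify_sig <file> <file.asc> <KEYS>
# Imports KEYS into a throw-away keyring, so a good signature proves the signing
# key is really listed in the project's KEYS file, not merely present somewhere
# in your personal keyring.
verify_sig() {
    keyring=$(mktemp -d)
    GNUPGHOME="$keyring" gpg --batch --quiet --import "$3"
    status=$(GNUPGHOME="$keyring" gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    rm -rf "$keyring"
    check_gpg_status "$status"
}

# rc_verify <base-url> <version> <rc-number>, e.g. with this page's placeholders:
#   rc_verify https://dist.apache.org/repos/dist/dev/incubator/pegasus a.b.c d
rc_verify() {
    zip="apache-pegasus-$2-source-release.zip"
    for f in "$zip" "$zip.asc" "$zip.sha512"; do
        curl -fsSLO "$1/$2-RC$3/$f"
    done
    curl -fsSLO "$1/KEYS"
    check_sha512 "$zip" "$zip.sha512"
    verify_sig "$zip" "$zip.asc" KEYS
}

if [ $# -eq 3 ]; then
    rc_verify "$@"
fi
```

Only rc_verify touches the network; the two check functions work on local files and strings, so they can be exercised against files you already have. The throw-away GNUPGHOME is the part worth copying: with your personal keyring, "Good signature" only proves the key is somewhere on your machine, whereas with an empty keyring that holds nothing but KEYS it proves the key is the one the project published.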

Running RAT

Before building, it is a good idea to run RAT (the Apache Release Audit Tool) on the unpacked sources. Run from the command line it reports every binary and every file without a license header, completely ignoring any "exclusions" configured in the pom, so you see what is really in the archive rather than what the build was told to skip.

Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi

Unpack it somewhere, change into the unpacked source directory and run the following command:

java -Xms1024m -Xmx1024m -jar {path-to-apache-rat-0.13.jar} .

Read the summary at the end of the report: the "Unknown Licenses" count should be zero, and every file RAT lists as unapproved needs either a header or a documented reason (a generated file, a test fixture) why it cannot carry one.
