[Release] Add support for verifying .{asc,sha256,512} for .jar related files in dev/release/verify_rc.sh #593

Open
kou opened this issue Feb 7, 2025 · 3 comments
Labels
Type: enhancement New feature or request

Comments

@kou
Member

kou commented Feb 7, 2025

Describe the enhancement requested

We should:

  • Download binary artifacts from GitHub Release
  • Verify signature by gpg --verify XXX.asc XXX
  • Verify checksum by sha256 -c XXX.sha256 and sha512 -c XXX.sha512
@kou kou added the Type: enhancement New feature or request label Feb 7, 2025
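
The three checks listed in the issue above, sketched as an added example; this is not code from dev/release/verify_rc.sh or from the project. The function names, the `<file>.sha256` / `<file>.sha512` sidecar layout and the use of `sha256sum`/`shasum` for hashing are assumptions.

```shell
#!/usr/bin/env bash
# Added example: checksum and signature checks for downloaded .jar artifacts.
# Assumes the release KEYS file was already imported with `gpg --import`.

# Hex digest via coreutils sha256sum/sha512sum, or shasum where those are absent.
digest() {  # digest <256|512> <file>
  if command -v "sha${1}sum" >/dev/null 2>&1; then
    "sha${1}sum" "$2" | cut -d' ' -f1
  else
    shasum -a "$1" "$2" | cut -d' ' -f1
  fi
}

# Compare a file with its .sha256/.sha512 sidecar. A missing or empty
# sidecar is a failure, never a skip.
verify_checksum() {  # verify_checksum <256|512> <file>
  local sidecar="$2.sha$1" expected actual
  [ -f "$sidecar" ] || { echo "missing: $sidecar" >&2; return 1; }
  # Assumed sidecar format: "<hex>  <name>" or bare "<hex>"; take field 1.
  expected="$(awk 'NR==1 {print tolower($1)}' "$sidecar")"
  actual="$(digest "$1" "$2")"
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "sha$1 mismatch: $2" >&2; return 1
  fi
}

# A missing .asc file fails before gpg is ever invoked.
verify_signature() {  # verify_signature <file>
  [ -f "$1.asc" ] || { echo "missing: $1.asc" >&2; return 1; }
  gpg --verify "$1.asc" "$1"
}

# Run all three checks on every .jar in a directory; report every failure.
verify_jar_artifacts() {  # verify_jar_artifacts <dir>
  local f failed=0 count=0
  for f in "$1"/*.jar; do
    [ -e "$f" ] || continue
    count=$((count + 1))
    verify_signature "$f" || failed=1
    verify_checksum 256 "$f" || failed=1
    verify_checksum 512 "$f" || failed=1
  done
  [ "$count" -gt 0 ] || { echo "no .jar files in $1" >&2; return 1; }
  return "$failed"
}
```

`gpg --verify` exits 0 for a good signature from any key in the keyring, so the keyring used here should contain only the project's release keys.
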
@jbonofre
Member

From an ASF standpoint, the most important thing is to verify the source distribution from dist.apache.org.
So, maybe we can verify artifacts from GitHub Release, but also from dist.apache.org.

Do you want me to give it a shot?

@kou
Member Author

kou commented Feb 13, 2025

Oh, really!?
https://www.apache.org/legal/release-policy.html#host-rc uses "SHOULD":

Projects should use the /dev tree of the dist repository or the staging features of repository.apache.org to host release candidates posted for developer testing/voting (prior to being, potentially, formally blessed as a GA release).

So, I thought that we can use other ASF approved locations such as Artifactory https://apache.jfrog.io/ and GitHub Release.

@jbonofre
Member

@kou for staging, it's fine, we can use GitHub Release location. As we also push to dist.apache.org (release location, not dev after release), it's OK.

@kou so you are right, GitHub Release is good enough for verification.
