(arrow-rs) branch main updated: fix: Stop using https://dist.apache.org/repos/dist/dev/arrow/KEYS for verification (#9604)

[alamb]

This is an automated email from the ASF dual-hosted git repository.

alamb pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-rs.git


The following commit(s) were added to refs/heads/main by this push:
     new 7f307c031f fix: Stop using 
https://dist.apache.org/repos/dist/dev/arrow/KEYS for verification (#9604)
7f307c031f is described below

commit 7f307c031f31a691be566f5e20171455c41dd661
Author: Raúl Cumplido <raulcumpl...@gmail.com>
AuthorDate: Thu Mar 26 23:17:50 2026 +0100

    fix: Stop using https://dist.apache.org/repos/dist/dev/arrow/KEYS for 
verification (#9604)
    
    # Which issue does this PR close?
    
    - Closes #9603
    
    # Rationale for this change
    
    The release and dev KEYS files could get out of synch.
    We should use the release/ version:
    - Users use the release/ version not dev/ version when they verify our
    artifacts' signature
    - https://dist.apache.org/ may reject our request when we request many
    times by CI
    
    # What changes are included in this PR?
    
    Use
    `https://www.apache.org/dyn/closer.lua?action=download&filename=arrow/KEYS`
    to download the KEYS file and the expected
    `https://dist.apache.org/repos/dist/dev/arrow` for the RC artifacts.
    
    # Are these changes tested?
    
    Yes, I've verified 58.1.0 1 both previous to the change and after the
    change.
    
    # Are there any user-facing changes?
    
    No
---
 dev/release/verify-release-candidate.sh | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/dev/release/verify-release-candidate.sh 
b/dev/release/verify-release-candidate.sh
index 2629d362aa..d8b888effe 100755
--- a/dev/release/verify-release-candidate.sh
+++ b/dev/release/verify-release-candidate.sh
@@ -33,23 +33,27 @@ set -o pipefail
 
 SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd)"
 ARROW_DIR="$(dirname $(dirname ${SOURCE_DIR}))"
-ARROW_DIST_URL='https://dist.apache.org/repos/dist/dev/arrow'
+ARROW_RC_URL="https://dist.apache.org/repos/dist/dev/arrow";
+ARROW_KEYS_URL="https://www.apache.org/dyn/closer.lua?action=download&filename=arrow/KEYS";
 
-download_dist_file() {
+download_file() {
   curl \
     --silent \
     --show-error \
     --fail \
     --location \
-    --remote-name $ARROW_DIST_URL/$1
+    --output "$2" \
+    "$1"
 }
 
 download_rc_file() {
-  download_dist_file apache-arrow-rs-${VERSION}-rc${RC_NUMBER}/$1
+  download_file \
+  "${ARROW_RC_URL}/apache-arrow-rs-${VERSION}-rc${RC_NUMBER}/$1" \
+  "$1"
 }
 
 import_gpg_keys() {
-  download_dist_file KEYS
+  download_file "${ARROW_KEYS_URL}" KEYS
   gpg --import KEYS
 }