[jira] [Commented] (HADOOP-15112) create-release didn't sign artifacts

Thu, 08 Feb 2018 15:15:25 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-15112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16357694#comment-16357694
 ] 

Lei (Eddy) Xu commented on HADOOP-15112:
----------------------------------------

Run on a ubuntu 16.04 machine with {{gnupg-agent  2.1.11-6ubuntu2}}.

{{GPG_AGENT_INFO}} is not set after running the following code :

{code:sh|title=dev-support/bin/create-release}
eval $("${GPGAGENT}" --daemon \
        --options "${LOGDIR}/gpgagent.conf" \
        --log-file="${LOGDIR}/create-release-gpgagent.log")
{code}

because {{gnupg-agent}} > 2.1 does not set this variable: 
https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart.

{{create-release}} checks the existence of this {{GPG_AGENT_INFO}} before 
signing artifacts, so it will ignore signing process: 

{code:sh|title=dev-support/bin/create-release}
 if [[ -n "${GPG_AGENT_INFO}" ]]; then
      echo "Warming the gpg-agent cache prior to calling maven"
      # warm the agent's cache:
      touch "${LOGDIR}/warm"
      ${GPG} --use-agent --armor --output "${LOGDIR}/warm.asc" --detach-sig 
"${LOGDIR}/warm"
      rm "${LOGDIR}/warm.asc" "${LOGDIR}/warm"
    else
      SIGN=false
      hadoop_error "ERROR: Unable to launch or acquire gpg-agent. Disable 
signing."
    fi
{code}

[~mackrorysd] [~andrew.wang] [~aw] would like you hear your inputs here. Should 
we check gpg agent version before it?  Or just change how to use {{gpg > 2.1}}. 
 gpg 2.1 was released Nov 2014. 



> create-release didn't sign artifacts
> ------------------------------------
>
>                 Key: HADOOP-15112
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15112
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Andrew Wang
>            Assignee: Lei (Eddy) Xu
>            Priority: Major
>
> While building the 3.0.0 RC1, I had to re-invoke Maven because the 
> create-release script didn't deploy signatures to Nexus. Looking at the repo 
> (and my artifacts), it seems like "sign" didn't run properly.
> I lost my create-release output, but I noticed that it will log and continue 
> rather than abort in some error conditions. This might have caused my lack of 
> signatures. IMO it'd be better to explicitly fail in these situations.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to