Hi,

On 28.06.2012 at 16:09, Jeremy Hughes wrote:

> On 28 June 2012 14:09, Felix Meschberger <[email protected]> wrote:
>> Thanks a lot!
>> 
>> Works perfectly on my Mac box, too.
>> 
>> One minor nitpick, though: I think the script should not wget and import the 
>> keys from dist/aries/KEYS. I prefer to import them manually myself from a 
>> different source ...
> 
> What's the safest source: http://svn.apache.org/repos/asf/aries/KEYS
> or dist/aries/KEYS ? Or do you mean a non-apache source?

dist/aries/KEYS is certainly one source. I generally get the keys from a key 
server.

> 
> Would gpg --import --interactive and perhaps --verbose help you?

No, I prefer the script to not import any keys at all but just depend on the 
gpg infra on the platform. If the key is missing on the platform, the platform 
gpg infrastructure should either get it itself from a key server or fail the 
check for me to care to get the key.

Having the script import the keys from the same source (basically) from where 
the thing to check comes, is a bit, hmm, sounds strange ;-)

Regards
Felix

> 
>> 
>> Regards
>> Felix
>> 
>> On 28.06.2012 at 15:00, Jeremy Hughes wrote:
>> 
>>> On 26 June 2012 21:39, Holly Cummins <[email protected]> wrote:
>>>> With some liberal borrowing from the Felix script Guillaume pointed us
>>>> to, I've converted Jeremy's release verification instructions
>>>> (http://aries.apache.org/development/verifyingrelease.html) into a
>>>> shell script. This should make it *much* easier for PMC members to
>>>> validate our releases - just point and go. The script is at
>>>> https://svn.apache.org/repos/asf/aries/scripts/verify_staged_release.sh.
>>>> I've tested on mac, and I believe it will also work on cygwin and
>>>> linux, although I'd love to know if it doesn't.
>>> 
>>> Great, works for me on cygwin. Needed to use openssl to get md5sum and
>>> sha1sum checking as per the comments in the script. (I was using
>>> md5sum command line).
>>> 
>>>> 
>>>> It imports the Apache keys, downloads the staged artefacts, runs MD5
>>>> and SHA1 checks, verifies the signature, builds the source, and runs
>>>> rat checks. A failure in any of those stages will give a FAIL message
>>>> in the log which can be grepped for. Doing these steps should be
>>>> sufficient to meet the Apache process and allow a PMC member to +1 a
>>>> release in clear conscience.
>>>> 
>>>> For example, to verify the current test support release candidate,
>>>> just cut and paste:
>>>> 
>>>> wget --no-check-certificate https://svn.apache.org/repos/asf/aries/scripts/verify_staged_release.sh
>>>> chmod a+x verify_staged_release.sh
>>>> ./verify_staged_release.sh 256 mytempdirectory &> verifyresults.txt
>>>> grep FAIL verifyresults.txt
>>>> 
>>>> To verify the small set of API bundles release candidate, cut and paste:
>>>> 
>>>> wget --no-check-certificate https://svn.apache.org/repos/asf/aries/scripts/verify_staged_release.sh
>>>> chmod a+x verify_staged_release.sh
>>>> ./verify_staged_release.sh 269 mytempdirectory &> verifyresults.txt
>>>> grep FAIL verifyresults.txt
>>>> 
>>>> Feedback very welcome - hopefully this will make things easier for all of 
>>>> us.
>>>> 
>>>> Holly
>> 
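
Added example, not part of the thread and not taken from verify_staged_release.sh: a signature check along the lines Felix describes, using only keys already in the local gpg keyring and reporting FAIL when the signing key is missing. The function names and the pinned fingerprint (a constructed placeholder) are assumptions, and pinning the expected signer goes one step beyond what the thread discusses.

```shell
#!/bin/sh
# Added example: verify a release signature without importing any keys.
# PINNED_FPR is a constructed placeholder. Replace it with the release
# manager's fingerprint, obtained from a source other than the download site.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read "gpg --status-fd" output on stdin and print one PASS/FAIL line.
# $1 = expected fingerprint (40 hex digits). Returns 0 only on PASS.
check_status() {
    want=$1
    verdict="FAIL: no valid signature found"
    failed=0
    while read -r tag kw f1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            NO_PUBKEY)
                # Key absent from the platform keyring: fail, do not fetch KEYS.
                verdict="FAIL: key $f1 is not in the local keyring"; failed=1 ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                verdict="FAIL: $kw for key $f1"; failed=1 ;;
            VALIDSIG)
                # An earlier failure is sticky; VALIDSIG must not override it.
                [ "$failed" -eq 0 ] || continue
                # f1 is the signing key fingerprint, the last field the primary key.
                primary=${rest##* }
                if [ "$f1" = "$want" ] || [ "$primary" = "$want" ]; then
                    verdict="PASS: signed by $want"
                else
                    verdict="FAIL: signed by unexpected key $f1"; failed=1
                fi ;;
        esac
    done
    echo "$verdict"
    case $verdict in PASS*) return 0 ;; *) return 1 ;; esac
}

# $1 = artifact, $2 = detached signature (.asc). No wget of KEYS, no --import:
# gpg consults only the keyring the platform already has.
verify_artifact() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}
```

The output keeps the FAIL prefix, so the `grep FAIL verifyresults.txt` step quoted above still catches a missing or unexpected key.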
