-1 (non-binding) The signing key F4439BD9D8BB60A5F0693E7D307F9414B754EFE5 isn't in https://dist.apache.org/repos/dist/release/bookkeeper/KEYS .
Ran commands: svn co https://dist.apache.org/repos/dist/dev/bookkeeper/bookkeeper-4.16.5-rc0/ cd bookkeeper-4.16.5-rc0 gpg --import <(curl https://dist.apache.org/repos/dist/release/bookkeeper/KEYS) for i in *.asc; do gpg --verify $i; done Error message: gpg: assuming signed data in 'bookkeeper-4.16.5-src.tar.gz' gpg: Signature made Wed Mar 27 12:26:02 2024 EET gpg: using RSA key F4439BD9D8BB60A5F0693E7D307F9414B754EFE5 - sha512 checksums are ok, verified with "sha512sum -c *.sha512" - All Pulsar master branch CI tests pass with staged BK 4.16.5 artifacts in the staging repository - verified with PR builds in https://github.com/lhotari/pulsar/pull/176 One possible solution to the signing problem is to ensure that the Apache key is the default GPG key. In Pulsar's release guides there's instructions for this [1]. -Lari 1 - https://pulsar.apache.org/contribute/create-gpg-keys/#make-your-the-apache-key-the-default-key-for-gpg On 2024/03/27 10:50:02 Nicolò Boschi wrote: > Hi everyone, > Please review and vote on the release candidate #0 for the version 4.16.5, > as follows: > [ ] +1, Approve the release > [ ] -1, Do not approve the release (please provide specific comments) > > The complete staging area is available for your review, which includes: > * Release notes [1] > * The official Apache source and binary distributions to be deployed to > dist.apache.org [2] > * All artifacts to be deployed to the Maven Central Repository [3] > * Source code tag "v4.16.5-rc0" [4] with git sha > 3160f9628c625310fef322d4d84060248763cb3f > > BookKeeper's KEYS file contains PGP keys we used to sign this release: > https://dist.apache.org/repos/dist/release/bookkeeper/KEYS > > Please download these packages and review this release candidate: > > - Review release notes > - Download the source package (verify shasum, and asc) and follow the > instructions to build and run the bookkeeper service. > - Download the binary package (verify shasum, and asc) and follow the > instructions to run the bookkeeper service. > - Review maven repo, release tag, licenses, and any other things you think > it is important for a release. > > The vote will be open for at least 72 hours. It is adopted by majority > approval, with at least 3 PMC affirmative votes. > > Thanks, > Release Manager > > [1] https://github.com/apache/bookkeeper/pull/4249 > [2] https://dist.apache.org/repos/dist/dev/bookkeeper/bookkeeper-4.16.5-rc0/ > [3] > https://repository.apache.org/content/repositories/orgapachebookkeeper-1093/ > > [4] https://github.com/apache/bookkeeper/tree/v4.16.5-rc0 >
