+1 Run the verification script attached to check the rc1:
[x] Download links work. [x] Binaries work [x] Checksums and PGP signatures are valid. [x] Expanded source archive matches contents of RC tag. [x] Expanded source archive builds and passes tests. [x] LICENSE is present and correct. [x] NOTICE is present and correct, including copyright date. [x] All files have license headers where appropriate. [-] All dependencies have compatible licenses. (not tested myself, but in good hands ;) ) [x] No compiled archives bundled in source archive. In particular, apache-brooklyn-0.10.0-bin works for me using Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T17:41:47+01:00) Maven home: /usr/local/Cellar/maven/3.3.9/libexec Java version: 1.7.0_71, vendor: Oracle Corporation Java home: /Library/Java/JavaVirtualMachines/jdk1.7.0_ 71.jdk/Contents/Home/jre Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "10.12.1", arch: "x86_64", family: "mac" to deploy: * "Template 1: Server" to localhost * "Template 2: Bash Web Server" to localhost * "Template 3: Bash Web Server and Scaling Riak Cluster" to ibm softlayer * "Template 4: Resilient load-balanced bash web cluster with sensors" to ibm softlayer-amsterdam Andrea On 6 December 2016 at 12:30, Richard Downer <[email protected]> wrote: > Aled, > > On 6 December 2016 at 11:20, Aled Sage <[email protected]> wrote: > > > > > *gpg: WARNING: This key is not certified with a trusted signature* Do we > > need to worry about that? Do I need to import more keys into my chain of > > trust? > > (Note that the script had previously executed `curl > > https://dist.apache.org/repos/dist/release/brooklyn/KEYS | gpg > --import`). > > > > GPG is simply telling you that the "trusted" bit is not set on the copy of > Svet's key *that is in your keyring*. The key has been imported (so you > don't need to import anything else) but by default GPG won't trust the key. > You can tell GPG that you do trust that key really does belong to Svet and > then the warning would go away. (Ideally you would use some "real world" > verification before telling GPG to trust the key.) > > Of course, my description is a gross oversimplification of the "web of > trust" system. > > So this is not a problem with the release process, artifacts or Svet's key > - merely the way your own GPG is configured. > > Richard. >
verify_brooklyn_rc.sh
Description: Bourne shell script
