Hello,

Before doing the signature verification I am trying to import this KEYS file https://downloads.apache.org/fineract/KEYS

The attached file contains the commands executed and shows checksum error verification for the KEYS file.

On Sun, 2 Mar 2025 at 1:01, VICTOR MANUEL ROMERO RODRIGUEZ (<victor.rom...@fintecheando.mx>) wrote:

> Hello,
>
> I have tested the branch, the checksum and the signatures.
>
> Using https://github.com/apache/fineract/tree/maintenance/1.11 and
> https://dist.apache.org/repos/dist/dev/fineract/1.11.0
>
> The output of the commands for the branch:
>
> ./gradlew srcDistTar - OK
> ./gradlew binaryDistTar - FAILURE: Executed 714 tests in 3m 13s (15
> failed) - testing02032025.txt
>
> - Checksum is OK for tar and binary files.
>
> - I cannot verify the signature and it seems that there are some issues
> with the KEYS files available for Apache Fineract - signatures.txt
>
> Regards
>
> Victor Romero
>
>
> On Fri, 28 Feb 2025 at 15:45, James Dailey (<jdai...@apache.org>) wrote:
>
>> Devs - Please see this request from Adam and do the verification step he
>> mentions.
>> https://dist.apache.org/repos/dist/dev/fineract/1.11.0 Which now
>> includes the binary files he built and signed.
>>
>> There's a lot involved in doing a release of an ASF project. To learn
>> more, see also:
>> https://infra.apache.org/release-distribution.html
>> https://infra.apache.org/release-publishing.html
>>
>> I will also note that we're going to revise some of the release documents
>> as we go along. All release practices will comply with the ASF
>> expectations and requirements.
>>
>> As a note, formally, the ASF does not *require* built artifacts as part
>> of the release, those are provided as a convenience. But, we treat the
>> process at Fineract as important because if someone cannot verify that the
>> build works and matches what we have in the release code, then we have
>> something broken.... and we should not release that.
>>
>> Thanks Adam for assisting the "Release manager". Hopefully these notes
>> and the documentation will help the next Release Manager.
>>
>> James
>>
>>
>> On Fri, Feb 28, 2025 at 12:22 PM Adam Monsen <amon...@mifos.org> wrote:
>>
>>> We've got a 1.11.0 release candidate ready and we'd like help making
>>> sure it's good to go.
>>>
>>> The maintenance/1.11 branch was created off commit 843b279 and tagged
>>> 1.11.0. James ran ./gradlew srcDistTar to create the source tarball
>>> from that commit. He then manually created checksum and signature files and
>>> used svn to upload all that to
>>> https://dist.apache.org/repos/dist/dev/fineract/1.11.0 . The srcDistTar
>>> task took a few seconds to run.
>>>
>>> We couldn't get the binaryDistTar task to succeed on his computer, so I
>>> ran that on mine. gradle binaryDistTar took 7min 5sec to run and
>>> succeeded, but confusingly threw one NoClassDefFoundError exception. I'm
>>> not sure if seeing this exception should block the release--please review
>>> the attached log snippet and let me know what you think. Note that this
>>> task was initially breaking for me--I also only got it to work from a very
>>> clean clone. I think git clean -fdx helped with that, and perhaps also
>>> that I manually cleaned out some gradle/maven/cargo caches I was able to
>>> find. I could also have just done this in a fresh container or VM but it
>>> seemed like overkill and if something is polluting a build I want to
>>> understand what and why. Anyway, James will upload the binary, its
>>> checksum, and signatures for same. Temporary home for these is:
>>>
>>> https://adammonsen.com/tmp/apache-fineract-1.11.0-binary.tar.gz
>>> https://adammonsen.com/tmp/apache-fineract-1.11.0-binary.tar.gz.sha512
>>>
>>> And here's the actual SHA-512 checksum, just in case:
>>> 0ebe4e13d778e5d6d56f6b472e6304c17a34ebaea67742ac968ffcde2c787559442981de453b1360eb0b7adcc78a0a1fd1c6d4a3f51ed0ee18e759bfa2546992
>>> . That should be one 128-character hex string (in case it got broken into
>>> separate lines somewhere along the way to your eyeballs).
>>>
>>> *The help I'm seeking is for PMC members to fetch and verify these
>>> artifacts are valid*, following "Step 9: Verify Distribution Staging"
>>> from the official docs (current-enough copy at
>>> https://fineract.apache.org/docs/current/ ) and
>>> https://www.apache.org/legal/release-policy.html . Additionally, my
>>> unofficial suggestions are currently living at
>>> https://github.com/meonkeys/fineract-asf-release-checklist/ (there's
>>> some overlap and it's a work in progress, but I've got some good ideas
>>> there).
>>>
>>> I'm working on updates to the docs to reflect what worked and didn't for
>>> us today.
>>>
>>> Thanks!
>>> -Adam
>>>
>>
(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-binary.tar.gz
--2025-03-02 00:21:05-- https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-binary.tar.gz
Resolviendo dist.apache.org (dist.apache.org)... 13.90.137.153
Conectando con dist.apache.org (dist.apache.org)[13.90.137.153]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 405444986 (387M) [application/octet-stream]
Guardando como: ‘apache-fineract-1.11.0-binary.tar.gz’

apache-fineract-1.11.0-binary.tar.gz 100%[=====================================================================================================================>] 386.66M 14.4MB/s en 27s

2025-03-02 00:21:33 (14.2 MB/s) - ‘apache-fineract-1.11.0-binary.tar.gz’ guardado [405444986/405444986]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-binary.tar.gz.asc
--2025-03-02 00:21:44-- https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-binary.tar.gz.asc
Resolviendo dist.apache.org (dist.apache.org)... 13.90.137.153
Conectando con dist.apache.org (dist.apache.org)[13.90.137.153]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 228 [text/plain]
Guardando como: ‘apache-fineract-1.11.0-binary.tar.gz.asc’

apache-fineract-1.11.0-binary.tar.gz.asc 100%[=====================================================================================================================>] 228 --.-KB/s en 0s

2025-03-02 00:21:44 (75.0 MB/s) - ‘apache-fineract-1.11.0-binary.tar.gz.asc’ guardado [228/228]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-binary.tar.gz.sha512
--2025-03-02 00:21:53-- https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-binary.tar.gz.sha512
Resolviendo dist.apache.org (dist.apache.org)... 13.90.137.153
Conectando con dist.apache.org (dist.apache.org)[13.90.137.153]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 167 [text/plain]
Guardando como: ‘apache-fineract-1.11.0-binary.tar.gz.sha512’

apache-fineract-1.11.0-binary.tar.gz.sha512 100%[=====================================================================================================================>] 167 --.-KB/s en 0s

2025-03-02 00:21:53 (90.2 MB/s) - ‘apache-fineract-1.11.0-binary.tar.gz.sha512’ guardado [167/167]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-binary.tar.gz.sha512.asc
--2025-03-02 00:22:11-- https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-binary.tar.gz.sha512.asc
Resolviendo dist.apache.org (dist.apache.org)... 13.90.137.153
Conectando con dist.apache.org (dist.apache.org)[13.90.137.153]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 228 [text/plain]
Guardando como: ‘apache-fineract-1.11.0-binary.tar.gz.sha512.asc’

apache-fineract-1.11.0-binary.tar.gz.sha512.asc 100%[=====================================================================================================================>] 228 --.-KB/s en 0s

2025-03-02 00:22:12 (115 MB/s) - ‘apache-fineract-1.11.0-binary.tar.gz.sha512.asc’ guardado [228/228]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-src.tar.gz
--2025-03-02 00:22:19-- https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-src.tar.gz
Resolviendo dist.apache.org (dist.apache.org)... 13.90.137.153
Conectando con dist.apache.org (dist.apache.org)[13.90.137.153]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 10123770 (9.7M) [application/octet-stream]
Guardando como: ‘apache-fineract-1.11.0-src.tar.gz’

apache-fineract-1.11.0-src.tar.gz 100%[=====================================================================================================================>] 9.65M 12.3MB/s en 0.8s

2025-03-02 00:22:20 (12.3 MB/s) - ‘apache-fineract-1.11.0-src.tar.gz’ guardado [10123770/10123770]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-src.tar.gz.asc
--2025-03-02 00:22:27-- https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-src.tar.gz.asc
Resolviendo dist.apache.org (dist.apache.org)... 13.90.137.153
Conectando con dist.apache.org (dist.apache.org)[13.90.137.153]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 228 [text/plain]
Guardando como: ‘apache-fineract-1.11.0-src.tar.gz.asc’

apache-fineract-1.11.0-src.tar.gz.asc 100%[=====================================================================================================================>] 228 --.-KB/s en 0s

2025-03-02 00:22:28 (122 MB/s) - ‘apache-fineract-1.11.0-src.tar.gz.asc’ guardado [228/228]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-src.tar.gz.sha512
--2025-03-02 00:22:45-- https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-src.tar.gz.sha512
Resolviendo dist.apache.org (dist.apache.org)... 13.90.137.153
Conectando con dist.apache.org (dist.apache.org)[13.90.137.153]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 164 [text/plain]
Guardando como: ‘apache-fineract-1.11.0-src.tar.gz.sha512’

apache-fineract-1.11.0-src.tar.gz.sha512 100%[=====================================================================================================================>] 164 --.-KB/s en 0s

2025-03-02 00:22:45 (68.6 MB/s) - ‘apache-fineract-1.11.0-src.tar.gz.sha512’ guardado [164/164]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-src.tar.gz.sha512.asc
--2025-03-02 00:22:53-- https://dist.apache.org/repos/dist/dev/fineract/1.11.0/apache-fineract-1.11.0-src.tar.gz.sha512.asc
Resolviendo dist.apache.org (dist.apache.org)... 13.90.137.153
Conectando con dist.apache.org (dist.apache.org)[13.90.137.153]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 228 [text/plain]
Guardando como: ‘apache-fineract-1.11.0-src.tar.gz.sha512.asc’

apache-fineract-1.11.0-src.tar.gz.sha512.asc 100%[=====================================================================================================================>] 228 --.-KB/s en 0s

2025-03-02 00:22:53 (130 MB/s) - ‘apache-fineract-1.11.0-src.tar.gz.sha512.asc’ guardado [228/228]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ sha512sum apache-fineract-1.11.0-src.tar.gz
4de721f4eb4d7752c2ecc42558b18c38d6165febfb654b799d9a33b2fdef74606339a023a7fef86f1e9fed36255d5e8d52f65a9b7f0a29221b294f8a9909c24b apache-fineract-1.11.0-src.tar.gz
(base) fintecheando@thales:~/dev/apache/v11/binaries$ sha512sum apache-fineract-1.11.0-binary.tar.gz
0ebe4e13d778e5d6d56f6b472e6304c17a34ebaea67742ac968ffcde2c787559442981de453b1360eb0b7adcc78a0a1fd1c6d4a3f51ed0ee18e759bfa2546992 apache-fineract-1.11.0-binary.tar.gz

(base) fintecheando@thales:~/dev/apache/v11/binaries$ wget https://downloads.apache.org/fineract/KEYS
--2025-03-02 00:33:32-- https://downloads.apache.org/fineract/KEYS
Resolviendo downloads.apache.org (downloads.apache.org)... 135.181.214.104, 88.99.208.237, 2a01:4f8:10a:39da::2, ...
Conectando con downloads.apache.org (downloads.apache.org)[135.181.214.104]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 22524 (22K)
Guardando como: ‘KEYS’

KEYS 100%[=====================================================================================================================>] 22.00K 62.9KB/s en 0.3s

2025-03-02 00:33:33 (62.9 KB/s) - ‘KEYS’ guardado [22524/22524]

(base) fintecheando@thales:~/dev/apache/v11/binaries$ gpg --import KEYS
gpg: clave 8CB2BDA8B983100D: "Adi Raju (CODE SIGNING KEY FOR APACHE FINERACT) <raj...@apache.org>" sin cambios
gpg: clave DAB52C0F0CB6C40C: "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer.sh...@confluxtechnologies.com>" sin cambios
gpg: clave 80C4D8890BB29444: "Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer1100...@apache.org>" sin cambios
gpg: clave 7EACD80938F84C72: "Avik Ganguly <av...@apache.org>" sin cambios
gpg: clave 06C8222D2397CEA8: "Shruthi Rajaram (CODE SIGNING KEY) <shruthiraja...@apache.org>" sin cambios
gpg: clave 487B2C687CEDFA72: "Aleksandar Vidakovic (Apache Fineract Release Manager) <al...@apache.org>" sin cambios
gpg: cabecera de armadura inválida: mDMEZjQMBRYJKwYBBAHaRw8BAQdAdp1SHI8Vwu0dXB1iDzD4qPXD2nu9XDiDv895\n
gpg: Error en suma de comprobación: E6C61E - 3A0EE2
gpg: [don't know]: invalid packet (ctb=40)
gpg: read_block: read error: Paquete incorrecto
gpg: import from 'KEYS' failed: Anillo de claves incorrecto
gpg: Cantidad total procesada: 6
gpg: sin cambios: 6

(base) fintecheando@thales:~/dev/apache/v11/binaries$ gpg --verify apache-fineract-1.11.0-src.tar.gz.sha512.asc apache-fineract-1.11.0-src.tar.gz
gpg: Firmado el vie 28 feb 2025 12:41:08 CST
gpg: usando EDDSA clave BD58EA9F85201ADB52CFC0444F169FF263F5F98E
gpg: Imposible comprobar la firma: No hay clave pública

(base) fintecheando@thales:~/dev/apache/v11/binaries$ gpg --verify apache-fineract-1.11.0-binary.tar.gz.sha512.asc apache-fineract-1.11.0-binary.tar.gz
gpg: Firmado el vie 28 feb 2025 20:06:37 CST
gpg: usando EDDSA clave BD58EA9F85201ADB52CFC0444F169FF263F5F98E
gpg: Imposible comprobar la firma: No hay clave pública

(base) fintecheando@thales:~/dev/apache/v11/binaries$
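
The import log above stops at one damaged armor block: gpg reports an invalid armor header on a line ending in a literal `\n`, followed by a checksum error. As an added example (not part of the original message or of the Fineract release tooling), this Python code checks the armor framing and CRC-24 (RFC 4880, section 6.1) of every public-key block in a KEYS file so the broken block can be located by line number; `lint_keys`, `check_block` and `armor` are names chosen here, and `armor` only builds constructed test input.

```python
import base64
import re

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data):
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload):
    """Wrap constructed bytes in a well-formed armor block (sample input only)."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *rows, "=" + crc, END])

def check_block(body):
    """Return the first armor-level problem in one block's lines, or None."""
    if any("\\n" in line for line in body):
        return "literal \\n escape in armor text"
    # Armor headers ("Key: value") run up to the first blank line.
    blank = body.index("") if "" in body else len(body)
    for line in body[:blank]:
        if not re.match(r"^[A-Za-z]+: ", line):
            return "invalid armor header: " + line[:20]
    data = [l for l in body[blank + 1:] if not l.startswith("=")]
    crc = [l[1:] for l in body[blank + 1:] if l.startswith("=")]
    try:
        raw = base64.b64decode("".join(data), validate=True)
    except ValueError:
        return "invalid base64 data"
    if crc and int.from_bytes(base64.b64decode(crc[-1]), "big") != crc24(raw):
        return "CRC-24 mismatch"
    return None

def lint_keys(text):
    """Return (line number of BEGIN, problem or None) for every key block."""
    lines = [l.strip() for l in text.splitlines()]
    closed = lines + [END]  # sentinel so an unterminated block still ends
    starts = [i for i, l in enumerate(lines) if l == BEGIN]
    return [(i + 1, check_block(lines[i + 1:closed.index(END, i)])) for i in starts]
```

Calling `lint_keys(open("KEYS").read())` on the downloaded file lists each block with its starting line; it inspects only the armor layer and does not parse OpenPGP packets or replace `gpg --import`.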