Hi Victor, thank you for helping me with this! Others: *we need help* *from at least two more people* to get this release out the door. Please:
1. download the release candidate artifacts and verify their integrity 2. run a build using only the source tarball and the recommended JDK 3. start up a Fineract server using the war in the binary tarball These are just suggestions and I apologize for being brief/vague, I'm looking forward to helping out with documenting and detailing this process. If you have feedback on the best way to perform these steps, please share. Victor wrote: > The attached file contains the commands executed and shows checksum error > verification for the KEYS file. Good catch! I was able to reproduce this. The "invalid armor header" / "cabecera de armadura inválida", "CRC error" / "Error en suma de comprobación", and "[don't know]: invalid packet (ctb=40)" messages are all due to *one missing newline in the last key*. I hadn't run into this error previously because I think James gave me that key directly when we were able to do a mini keysigning party in person and it was properly formatted. But yeah, that's an invalid key there. Probably a copy/paste error or something. I'd like to improve this KEYS file to fix the broken key, add some documentation at the top, and use consistent formatting. James or Aleks, will you please review, apply and commit the attached patch against https://dist.apache.org/repos/dist/dev/fineract/KEYS at r71016? Regarding verifying the release candidate, I don't think there's much value in running the srcDistTar task, but I suppose it doesn't hurt. The binaryDistTar task is a bit more useful since it does build the code and run some basic tests. I'm not sure exactly what failed there but I'd say start with the recommended JDK version and try running the build from a *very* clean environment. For example, I've found I need to sometimes run `git clean -fdx` remove all of ~/.gradle to get a successful Fineract build and/or test run. I think this helps get rid of cached artifacts or old/bad dependencies or something. I wrote: > The help I'm seeking is for PMC members to fetch and verify these > artifacts are valid, following "Step 9: Verify Distribution Staging" from > the official docs (current-enough copy at > https://fineract.apache.org/docs/current/ ) and > https://www.apache.org/legal/release-policy.html . Additionally, my > unofficial suggestions are currently living at > https://github.com/meonkeys/fineract-asf-release-checklist/ (there's some > overlap and it's a work in progress, but I've got some good ideas there). > > I'm working on updates to the docs to reflect what worked and didn't for > us today.
Index: KEYS =================================================================== --- KEYS (revision 75237) +++ KEYS (working copy) @@ -1,3 +1,48 @@ +This is the collection of public developer keys for Apache Fineract. +The canonical name for this file is "KEYS". + + +The format of this file is: + + KEY DESCRIPTION + + PUBLIC KEY DATA + + + KEY DESCRIPTION + + PUBLIC KEY DATA + + + KEY DESCRIPTION + + PUBLIC KEY DATA + +...and so on. + + +This file may be fed directly into PGP verification software such as GnuPG. +GnuPG will ignore everything besides public key data. +Examples: + + # parse this file + gpg < KEYS + + # import all keys + gpg --import KEYS + +See also: + +* https://fineract.apache.org +* https://infra.apache.org/openpgp.html +* https://infra.apache.org/release-signing.html + + +pub rsa4096/0x8CB2BDA8B983100D 2016-04-06 [SC] + Key fingerprint = BDD1 5D65 9567 9C02 B523 1CE2 8CB2 BDA8 B983 100D +uid Adi Raju (CODE SIGNING KEY FOR APACHE FINERACT) <raj...@apache.org> +sub rsa4096/0x2B9FE5719249AC7F 2016-04-06 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 @@ -51,12 +96,12 @@ =6fEZ -----END PGP PUBLIC KEY BLOCK----- -pub 4096R/0CB6C40C 2016-05-03 -uid [ultimate] Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer.sh...@confluxtechnologies.com> -sig 3 0CB6C40C 2016-05-03 Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer.sh...@confluxtechnologies.com> -sub 4096R/677BDBB7 2016-05-03 -sig 0CB6C40C 2016-05-03 Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer.sh...@confluxtechnologies.com> +pub rsa4096/0xDAB52C0F0CB6C40C 2016-05-03 [SC] + Key fingerprint = A2EC 4806 503A 5DE1 342E A889 DAB5 2C0F 0CB6 C40C +uid Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer.sh...@confluxtechnologies.com> +sub rsa4096/0x0BBFB4D9677BDBB7 2016-05-03 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 @@ -110,6 +155,12 @@ =58aJ -----END PGP PUBLIC KEY BLOCK----- + +pub rsa4096/0x80C4D8890BB29444 2016-06-29 [SC] + Key fingerprint = AF4F D65D E78C A5B1 BF30 939F 80C4 D889 0BB2 9444 +uid Shaik Nazeer Hussain (CODE SIGNING KEY) <nazeer1100...@apache.org> +sub rsa4096/0x8F8F1CC9F11A0D70 2016-06-29 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 @@ -162,13 +213,13 @@ LL2vnTLdck1AuKud7WX9r3mLnkT9LdB3ZTvd8oZt0cE= =T96K -----END PGP PUBLIC KEY BLOCK----- -pub rsa2048 2018-01-18 [SC] [expires: 2020-01-18] - 68053152E5B482B9191394C37EACD80938F84C72 -uid [ultimate] Avik Ganguly <av...@apache.org> -sig 3 7EACD80938F84C72 2018-01-18 Avik Ganguly <av...@apache.org> -sub rsa2048 2018-01-18 [E] [expires: 2020-01-18] -sig 7EACD80938F84C72 2018-01-18 Avik Ganguly <av...@apache.org> + +pub rsa2048/0x7EACD80938F84C72 2018-01-18 [SC] [expired: 2020-01-18] + Key fingerprint = 6805 3152 E5B4 82B9 1913 94C3 7EAC D809 38F8 4C72 +uid Avik Ganguly <av...@apache.org> +sub rsa2048/0xE6F9186011BC67F9 2018-01-18 [E] [expired: 2020-01-18] + -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFpgpxsBCACu1ucz7MbUpLxRWLs+Fr44DufQ7HTv9hJ7m2sTjqQt8a1/H04T @@ -199,13 +250,13 @@ ZLoDsREpadZH1qxU4uSQdYFhMsC83J6XrOMF4Ze3mwBDwcbwHnQ5 =Qls/ -----END PGP PUBLIC KEY BLOCK----- -pub rsa4096 2018-11-28 [SC] - 7B6CD112E36EA69C94583F1906C8222D2397CEA8 -uid [ultimate] Shruthi Rajaram (CODE SIGNING KEY) <shruthiraja...@apache.org> -sig 3 06C8222D2397CEA8 2018-11-28 Shruthi Rajaram (CODE SIGNING KEY) <shruthiraja...@apache.org> -sub rsa4096 2018-11-28 [E] -sig 06C8222D2397CEA8 2018-11-28 Shruthi Rajaram (CODE SIGNING KEY) <shruthiraja...@apache.org> + +pub rsa4096/0x06C8222D2397CEA8 2018-11-28 [SC] + Key fingerprint = 7B6C D112 E36E A69C 9458 3F19 06C8 222D 2397 CEA8 +uid Shruthi Rajaram (CODE SIGNING KEY) <shruthiraja...@apache.org> +sub rsa4096/0x249A18CB2A6D1F82 2018-11-28 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFv+cpMBEADBAdEJi+iEFmbTyezh7tcZvwgfmzgfSgam2lMG6L4wHbcVVjKp @@ -259,6 +310,12 @@ =/lw/ -----END PGP PUBLIC KEY BLOCK----- + +pub rsa4096/0x487B2C687CEDFA72 2020-07-30 [SC] + Key fingerprint = 4A62 4DE1 09F7 7CD8 A574 6793 487B 2C68 7CED FA72 +uid Aleksandar Vidakovic (Apache Fineract Release Manager) <al...@apache.org> +sub rsa4096/0xE0842E0003715551 2020-07-30 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF8iGq0BEADGRqeSsOoNDc1sV9L7sQ34KhmoQrACnMYGztx33TD98aWplul+ @@ -312,6 +369,12 @@ =95/E -----END PGP PUBLIC KEY BLOCK----- + +pub rsa4096/0xDE6FCF80F8144D71 2021-05-21 [SC] + Key fingerprint = E6DA 4774 AAB0 0501 6380 2D57 DE6F CF80 F814 4D71 +uid Petri Tuomola (CODE SIGNING KEY) <ptuom...@apache.org> +sub rsa4096/0x7AB3848093F533DF 2021-05-21 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGCntgMBEADBlTN0ybMZd5Z0a6V1SFGVOd7O+bW8881z/DQkSa/ul0Hx+gWC @@ -364,53 +427,15 @@ K0u+MOwvlnzWgIQER3+910S9ieeRrw== =GXI6 -----END PGP PUBLIC KEY BLOCK----- -pub rsa3072/B87CFCD0AE2E7E6F 2022-10-11 [SC] [expires: 2024-10-10] - 651B5B65583B9848E8AF18F2B87CFCD0AE2E7E6F -uid [ultimate] Manoj Mohanan <mano...@apache.org> -sub rsa3072/A6C149C4D490D1D5 2022-10-11 [E] [expires: 2024-10-10] ------BEGIN PGP PUBLIC KEY BLOCK----- -mQGNBGNFaTIBDADAq3nLQT7AAw+QK1bM3zg540v69J8tgcqhw82CXi2Xzy/b03FL -mV3YyZDE95hpaYWpK1x77l/rnX6gbddaypVTNpsC9S6YjdE9z/YbbbPyqH8565Fg -W7J1Sp8GXdBBCoWqF8qcz9VOBIj3o3gWd/a3TRuYlDXz1sZYTZBtRqGpjRQp55Er -w9Yd5ed1KDeAKLiac2bT2VI6VME+OuNpRu6J46JRGZ+hSZ2cZv7+7EfZkniNsX60 -ly/5H8kNhyiuvHbaslo0Unt4OTmXOOjzX0e+LB4/PlWuGk0V60fNNvw4VpumLk5u -LV8L7sqIpYXlg4hUR7wTmECCTWQ2DxcEUcyUvjiqx0UW/lcRoUdyD+vEyHq+s5lt -cc7t6coluCizV+9s1YB53E43eSVFb000MisaKgpsgEHCZqvafwrseHO7DAameci0 -oTzLlVRg7juj72u8vNhy2/DugKCBqr6MYsWDm/aEWphonteQX/fq7gIPhEEkn0+p -v6kWdiU+qPujuLkAEQEAAbQiTWFub2ogTW9oYW5hbiA8bWFub2p2bUBhcGFjaGUu -b3JnPokB1AQTAQgAPhYhBGUbW2VYO5hI6K8Y8rh8/NCuLn5vBQJjRWkyAhsDBQkD -wmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJELh8/NCuLn5vxscL/iMYi915 -w2uHORLvXtIDplO7ZJH6bHSp+SlUR/0B2zM4CtiIRNjB/fXWg3dhNF/k5xvvN4HQ -Ztq9VTuYDT8PG/xAqlSthoIy5l6M0LLpErdSpR5tRXpuFFBsa6RU80RQCPjAXEgO -Yvuaw+2WaTZyvDldKDOGP6Tp8RA32YcNG6PS+1tkCGBto59oOT9tQFXniK14IkuR -phoq8twsvOq8VED6hyBK2uth0RYUXSOOugnWFgtdsGmS7Y32ahdv/dIQ2+KTCafP -o0pZb9cjKlI6MB0LbJQOvY/V0yfhLE2RSRDT8tMedM1MtOfGuvNcHFDgioOIAKAr -hPzRk2oeCO1lqL+fOj913BDjSxtHjKdMDlhL8go/E6zbm1AytFw1R5Tx74piWPKL -j0wVSheR3ec0cwb+q9izCCNDy/L6+ATcIvZnNwXJYm6FBU2XM7ABaMkQojqjDQMj -Nx/zDzGEwJG5moM6tDPaj1I6Q2Scj98WBWfOB3VuTEEGyRv7GUF7o2mbg7kBjQRj -RWkyAQwAxN1eU9qwoYxMjFdiBlsdwYvC15A+Yiye0OhBhI7QwQPYeEWKNi9ku/hQ -FX+QBNXfKGXw4fXZwQ07XCtEpB//zA3y/2hsQItMjWvEaXElRaqsQHyZGxuIBYdn -/YaUIq42h+TiHHwf0AdhfufqRaWcwwDSXg/qAJoWitE3CAkuOX/d2X09OFqhE8UT -JDNeOwpcjqX0Rg6JD0oKHAHS8vOHxVcJD9gV20bhpZx5O95aM29/TGxNQzKxbTax -MC8DC2GwcqSfZKIQl1un9qwJO1fLHwQgZrHXc1g/8HoZAg1Y8DDhSKKOxzNKbZ/0 -phmkmHbz2VZD6s5T45IhaU/Zi9W8x0DPEo03V91s7x0TCrzitzSo/egBYPwvoySi -arXvMzuMQOzk1GlRnPrm2mOHI5MzT0uShA5Ayp/ZJF3pBxzzaPmouMou4nNb8PaP -XKUDMk8g19dNPK64AFJIjnpaHabr1Ct5D5aWla91u+8sIEqL6wXzfE+yLKaHbnUK -fPGO6hg5ABEBAAGJAbwEGAEIACYWIQRlG1tlWDuYSOivGPK4fPzQri5+bwUCY0Vp -MgIbDAUJA8JnAAAKCRC4fPzQri5+b0nNC/9TQSlTGH8exU9Lwv5Q5uuKVm2MoEgu -pg2hVMQe+mdQQVLL3W744Fiqo3mbdz3X84ms9qchYaY1AMPfrE+9MBtPknxHNVKv -geLC6azbv8QA7132mHJchTJJfpDi2sdxLykZOHuszMEX49NX+pzbkTLDsXJd2br/ -0Hl1iT5BGzWh0qV4ExldFuvZNXdnElgo0pzGe0OMY8XhOvsMIAp5Bm2hBN5CMBcl -pyv3X3+JwGWq3aF52u7s8hHWlHUgAnSzkFYSeoWzO7WARWDNGelBEMJKKb8WH42b -w2Imuj6wY5nl2ej1nPnL4Bfe8CsffiOd32xORPXx4jozBG6/hbs7Bp9I9Bftd2TK -eCH3Oe6mEXE++m+iV+oY+8pP5p+DvjZVESsUbbqWtWjPOkV7lAgPWf1S7hhar/rN -D2IarzxNQlNuhTvNVbYoehU9pcj1VMWqZ7IaQWmpjNO5935EL3Ac14FBUSv2PlkR -i4IyYeqOnRY2HD0W69+v3viSR0sdukV58kg= -=QbVb ------END PGP PUBLIC KEY BLOCK----- +pub ed25519/0x4F169FF263F5F98E 2024-05-02 [SC] [expires: 2027-05-02] + Key fingerprint = BD58 EA9F 8520 1ADB 52CF C044 4F16 9FF2 63F5 F98E +uid James Patrick Dailey <jdai...@apache.org> +sub cv25519/0xF794D8D50C02A895 2024-05-02 [E] [expires: 2027-05-02] + -----BEGIN PGP PUBLIC KEY BLOCK----- + mDMEZjQMBRYJKwYBBAHaRw8BAQdAdp1SHI8Vwu0dXB1iDzD4qPXD2nu9XDiDv895 AyYopJK0KUphbWVzIFBhdHJpY2sgRGFpbGV5IDxqZGFpbGV5QGFwYWNoZS5vcmc+ iJkEExYKAEEWIQS9WOqfhSAa21LPwERPFp/yY/X5jgUCZjQMBQIbAwUJBaOagAUL @@ -423,4 +448,3 @@ M8zo0go= =Og7i -----END PGP PUBLIC KEY BLOCK----- -
