Hi

With the new KEYS, I got the following:
➜  Downloads gpg --verify apache-fineract-1.11.0-binary.tar.gz.asc apache-fineract-1.11.0-binary.tar.gz
gpg: Signature made Sat  1 Mar 02:06:12 2025 GMT
gpg:                using EDDSA key BD58EA9F85201ADB52CFC0444F169FF263F5F98E
gpg: Good signature from "James Patrick Dailey <jdai...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BD58 EA9F 8520 1ADB 52CF  C044 4F16 9FF2 63F5 F98E

➜  Downloads gpg --verify apache-fineract-1.11.0-src.tar.gz.asc.txt apache-fineract-1.11.0-src.tar.gz
gpg: Signature made Fri 28 Feb 18:38:25 2025 GMT
gpg:                using EDDSA key BD58EA9F85201ADB52CFC0444F169FF263F5F98E
gpg: Good signature from "James Patrick Dailey <jdai...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BD58 EA9F 8520 1ADB 52CF  C044 4F16 9FF2 63F5 F98E

Seems the keys are matching with the shared keys!

Extracted the apache-fineract-1.11.0-binary.tar.gz:
- Run fineract locally: `java -jar fineract-provider-1.11.0.jar` -> Successful 
(required database was running in docker)
- Run fineract locally: `docker run --rm -it -v "$(pwd):/usr/local/tomcat/webapps" --net=host tomcat:jre17`, WAR got deployed 
and started successfully (required database was running in docker also)

- Building fineract from source:
- Run: `./gradlew binaryDistTar` -> Partially successful, tests are green, but 
`:fineract-doc:asciidoctorPdf` task failed. But I guess it is fine since it 
requires Ghostscript dependencies…
- Run `./gradlew srcDistTar` -> Successful
- Run `./gradlew bootRun` -> Fineract backend started successfully (required 
database was running in docker)
- Run `./gradlew bootJar` -> Executable JAR got created successfully
- Run `java -jar fineract-provider/build/libs/fineract-provider.jar` -> 
Fineract backend started successfully (required database was running in 
docker)


I think I am confident to say the released files are correct and Fineract can 
be compiled and executed!

Regards,
Adam


> On 2025. Mar 4., at 6:52, Adam Monsen <amon...@mifos.org> wrote:
> 
> Thank you again Ádám and Victor! Bummer about the PGP keys hiccups -- I'm 
> confident we can sort this all out. I'm more worried about making sure the 
> build contents are valid so hopefully we can move on to that step soon.
> 
> James and I fixed the KEYS file together earlier today (US/Pacific time)--the 
> problem was the missing newline in James's armored public key data 
> block--this is what I identified/mentioned in my previous email 
> <https://lists.apache.org/thread/wbzyo7o4qlfl8yyh3l4gkjgfoj1fpd96>. My 
> improve-keys.patch fixes it, but please ignore that patch, I need to take 
> another look at it tomorrow (I may have made a mistake, my eyes and hands are 
> too tired right now to be trusted). The minimal fix in r75241 will do for the 
> time being -- James's key in the KEYS file is valid now. But only in the 
> "dev" area!
> 
> https://dist.apache.org/repos/dist/dev/fineract/KEYS is fixed
> 
> https://dist.apache.org/repos/dist/release/fineract/KEYS is still broken
> 
> This difference in these two files is a nuance of the Apache release process 
> we're using (their subversion setup for test/dev/release distribution). After 
> reviewing their keys policy 
> <https://infra.apache.org/release-signing.html#keys-policy> I suggest 
> deleting the "dev" KEYS file and fixing the "release" KEYS file. I can think 
> of one good reason to delete the dev one (hooray single source of truth!), 
> and no good reasons to maintain both. James, I'm happy to pair with you to 
> fix this.
> 
> Ádám Sághy: 4F16 9FF2 63F5 F98E is James's key ID and BD58 EA9F 8520 1ADB 
> 52CF C044 4F16 9FF2 63F5 F98E is the full fingerprint. Notice how those two 
> strings overlap. I believe the missing uid is an annoying "feature" of 
> openpgp's keyserver. They require you to answer an email challenge to include 
> a uid, so James will have to do that if he wants to get his keys in sync. 
> Since the KEYS file is now valid, that's the best place to get his key. 
> Please grab the latest copy. For example:
> 
> curl https://dist.apache.org/repos/dist/dev/fineract/KEYS | gpg --import
> 
> Per PGP best practices, James must be the one to verify the fingerprint for 
> his key, over a communications channel you both trust. Then he gets your 
> public key and verifies your fingerprint, then you both trust and sign each 
> other's keys (hooray web of trust!). The typical / ideal way to do this is a 
> keysigning party in person. Since we basically span the globe, just checking 
> fingerprints and release candidate signature validity is probably the best we 
> can do until we're all able to get together and share some fun times. I do 
> suggest everyone brush up on PGP skills. I'd be honored to do a little 
> tutorial on that if folks are interested. This is useful even/also for 
> non-Apache projects.
> 
> Anyway, hopefully now we can get to running the build and war. Anyone else 
> get as far as running the build and running the war?
> 
> Victor wrote:
>> I found that the testing on binaryDistTar task is taking my JVM locale 
>> (which is es-MX), so then changing the locale to en-US fixes it.
> 
> Huh! Ok, I'm not really familiar with the nuance there. I'd hope it would 
> work in both, but I know the build env settings are super fickle so I'm not 
> surprised. Did the build succeed?
> 
> Victor: should your PRs hold up the release?
> 
> James: I just noticed you have another key up on the keys.openpgp.org 
> <http://keys.openpgp.org/> keyserver, and that one does include a uid. 
> Fingerprint is 849F 00D7 F9ED B744 CCE3 9EF8 B394 C742 765F 8757. I think we 
> made it before the new year? I suggest revoking that one.
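
Added example, not part of either email and not Fineract or Apache project code: a fingerprint-pinned check of the machine-readable output of `gpg --status-fd 1 --verify <sig> <file>`, so a release is accepted on the full fingerprint quoted in the thread rather than on the "Good signature" text alone. The function names are hypothetical and the status lines are a constructed sample.

```python
import re

# Fingerprint quoted in the thread for the release signing key.
EXPECTED_FPR = "BD58 EA9F 8520 1ADB 52CF C044 4F16 9FF2 63F5 F98E"
# GnuPG status keywords that mean the signature must not be accepted.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of `gpg --status-fd 1 --verify` output: the timestamp,
# algorithm fields and e-mail placeholder are illustrative, not captured.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4F169FF263F5F98E James Patrick Dailey <elided@example.invalid>
[GNUPG:] VALIDSIG BD58EA9F85201ADB52CFC0444F169FF263F5F98E 2025-03-01 1740794772 0 4 0 22 10 00 BD58EA9F85201ADB52CFC0444F169FF263F5F98E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def normalize(fpr):
    """Strip spaces and upper-case; accept only a full 40-hex v4 fingerprint."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a full 40-hex-digit fingerprint")
    return fpr

def key_id(fpr):
    """Long key ID of a v4 key: the last 16 hex digits of its fingerprint."""
    return normalize(fpr)[-16:]

def check_status(status_text, expected_fpr):
    """Return (ok, reason) for the status output of one signature check."""
    want = normalize(expected_fpr)
    primary = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw in BAD:
            return False, kw
        if kw == "VALIDSIG":
            # Last field is the primary key fingerprint (same as the first
            # field unless a subkey signed). Short lines fail the comparison.
            primary = fields[-1].upper()
    if primary is None:
        return False, "no VALIDSIG line"
    if primary != want:
        return False, "signed by unexpected key " + primary
    # TRUST_UNDEFINED (the "[unknown]" warning) is ignored: the pin decides.
    return True, "valid signature from pinned key " + key_id(want)

if __name__ == "__main__":
    print(check_status(SAMPLE_STATUS, EXPECTED_FPR))
```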
