I wrote:

> *we need help from at least two more people to get this release out the
> door*. Please:
> 1. download the release candidate artifacts and verify their integrity
> 2. run a build using only the source tarball and the recommended JDK
> 3. start up a Fineract server using the war in the binary tarball

To expand on step 1: first verify checksums, then verify signatures. Here's an example of acceptable output:

$ sha512sum -c apache-fineract-1.11.0-binary.tar.gz.sha512
apache-fineract-1.11.0-binary.tar.gz: OK
$ gpg --verify apache-fineract-1.11.0-binary.tar.gz.asc
gpg: assuming signed data in 'apache-fineract-1.11.0-binary.tar.gz'
gpg: Signature made Fri 28 Feb 2025 06:06:12 PM PST
gpg:                using EDDSA key BD58EA9F85201ADB52CFC0444F169FF263F5F98E
gpg: Good signature from "James Patrick Dailey <jdai...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BD58 EA9F 8520 1ADB 52CF  C044 4F16 9FF2 63F5 F98E
$ sha512sum -c apache-fineract-1.11.0-src.tar.gz.sha512
apache-fineract-1.11.0-src.tar.gz: OK
$ gpg --verify apache-fineract-1.11.0-src.tar.gz.asc
gpg: assuming signed data in 'apache-fineract-1.11.0-src.tar.gz'
gpg: Signature made Fri 28 Feb 2025 10:38:25 AM PST
gpg:                using EDDSA key BD58EA9F85201ADB52CFC0444F169FF263F5F98E
gpg: Good signature from "James Patrick Dailey <jdai...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BD58 EA9F 8520 1ADB 52CF  C044 4F16 9FF2 63F5 F98E

Note the scary warnings from gpg. You can ignore these, for now. They are because I have James's key, but nobody I know has signed it. If we ever do a keysigning party, we can get rid of those warnings. Read all about keysigning and the web of trust online or ask your favorite ai. 🙂
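
An added example, not part of the original message or the project's release tooling: a shell sketch of step 1 that checks the checksum, then the signature, and pins the signer to an expected primary key fingerprint using gpg's machine-readable `--status-fd` output. `EXPECTED_FPR` is the fingerprint shown in the output above and is assumed to match the project's published KEYS file; the function names and `SAMPLE_STATUS` are hypothetical.

```shell
#!/bin/sh
# Added example: checksum + signature + fingerprint pin for a release artifact.
# Assumption: EXPECTED_FPR has been confirmed against the project's KEYS file.
EXPECTED_FPR="BD58EA9F85201ADB52CFC0444F169FF263F5F98E"

# Constructed sample of a `gpg --status-fd 1 --verify` VALIDSIG line
# (timestamps and algorithm fields are illustrative, not captured output).
SAMPLE_STATUS="[GNUPG:] VALIDSIG $EXPECTED_FPR 2025-03-01 1740794772 0 4 0 22 10 00 $EXPECTED_FPR"

# Read gpg status lines on stdin. Succeed only if a VALIDSIG line names the
# expected primary key (its last field) and no BADSIG/ERRSIG line appears.
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want    { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release FILE: expects FILE.sha512 and FILE.asc in the current
# directory, and the signer's public key already imported into the keyring.
verify_release() {
    f=$1
    sha512sum -c "$f.sha512" || return 1
    gpg --status-fd 1 --verify "$f.asc" "$f" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Usage (run next to the downloaded artifacts):
#   verify_release apache-fineract-1.11.0-src.tar.gz && echo verified
```

With the fingerprint pinned this way, the result does not depend on the web-of-trust warning: a good signature from any other key fails the check.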