*TL;DR The released files are correct.*

Sharing my detailed results:

(base) fintecheando@thales:~/dev/apache/v11/binaries$ gpg --verify
apache-fineract-1.11.0-src.tar.gz.sha512.asc
apache-fineract-1.11.0-src.tar.gz
gpg: Firmado el vie 28 feb 2025 12:41:08 CST
gpg:                usando EDDSA clave
BD58EA9F85201ADB52CFC0444F169FF263F5F98E
gpg: Firma INCORRECTA de "James Patrick Dailey <jdai...@apache.org>"
[desconocido]
(base) fintecheando@thales:~/dev/apache/v11/binaries$ gpg --verify
apache-fineract-1.11.0-binary.tar.gz.sha512.asc
apache-fineract-1.11.0-binary.tar.gz
gpg: Firmado el vie 28 feb 2025 20:06:37 CST
gpg:                usando EDDSA clave
BD58EA9F85201ADB52CFC0444F169FF263F5F98E
gpg: Firma INCORRECTA de "James Patrick Dailey <jdai...@apache.org>"
[desconocido]


Keys are matching with the shared keys, just the warning.

Same results as Ádám Sághy

Extracted the apache-fineract-1.11.0-binary.tar.gz:
- Run fineract locally: Successful
- Run fineract locally (Tomcat): Successful

- Building fineract from source:
- Run: `./gradlew binaryDistTar` -> Partially successful
- Run `./gradlew srcDistTar` -> Successful
- Run `./gradlew bootRun` -> Successful
- Run `./gradlew bootJar` -> Successful
- Run `./gradlew :fineract-war:clean :fineract-war:war` -> Successful
- Run (Jar file) -> Successful
- Run (WAR file) -> Successful


(base) fintecheando@thales:~/dev/apache/v11/binaries$ java --version
openjdk 17.0.14 2025-01-21 LTS
OpenJDK Runtime Environment Zulu17.56+15-CA (build 17.0.14+7-LTS)
OpenJDK 64-Bit Server VM Zulu17.56+15-CA (build 17.0.14+7-LTS, mixed mode,
sharing)
(base) fintecheando@thales:~/dev/apache/v11/binaries$ javac --version
javac 17.0.14
(base) fintecheando@thales:~/dev/apache/v11/binaries$ uname -a
Linux thales 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed
Jan 15 19:18:46 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
(base) fintecheando@thales:~/dev/apache/v11/binaries$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.5 LTS
Release: 22.04
Codename: jammy

MariaDB 11.4 (Docker version)
https://github.com/apache/fineract/blob/develop/config/docker/compose/mariadb.yml
Postgresql 16.1 (Docker version)
https://github.com/apache/fineract/blob/develop/config/docker/compose/postgresql.yml
Tomcat 10.1.36 (Native version) https://tomcat.apache.org/download-10.cgi


The released files are correct.

*Thank you James, Adam Monsen & Ádám Sághy, great work!*


On Tue, Mar 4, 2025 at 11:10, Ádám Sághy (<adamsa...@gmail.com>) wrote:

> Hi
>
> With the new KEYS, I got the following:
> ➜  Downloads gpg --verify apache-fineract-1.11.0-binary.tar.gz.asc
> apache-fineract-1.11.0-binary.tar.gz
> gpg: Signature made Sat  1 Mar 02:06:12 2025 GMT
> gpg:                using EDDSA key
> BD58EA9F85201ADB52CFC0444F169FF263F5F98E
> *gpg: Good signature from "James Patrick Dailey <jdai...@apache.org
> <jdai...@apache.org>>" [unknown]*
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: BD58 EA9F 8520 1ADB 52CF  C044 4F16 9FF2 63F5 F98E
>
> ➜  Downloads gpg --verify apache-fineract-1.11.0-src.tar.gz.asc.txt
> apache-fineract-1.11.0-src.tar.gz
> gpg: Signature made Fri 28 Feb 18:38:25 2025 GMT
> gpg:                using EDDSA key
> BD58EA9F85201ADB52CFC0444F169FF263F5F98E
> *gpg: Good signature from "James Patrick Dailey <jdai...@apache.org
> <jdai...@apache.org>>" [unknown]*
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: BD58 EA9F 8520 1ADB 52CF  C044 4F16 9FF2 63F5 F98E
>
> *Seems the keys are matching with the shared keys!*
>
> *Extracted the apache-fineract-1.11.0-binary.tar.gz:*
> - Run fineract locally: `java -jar fineract-provider-1.11.0.jar` ->
> Successful (required database were running in docker)
> - Run fineract locally: `docker run --rm -it -v
> "$(pwd):/usr/local/tomcat/webapps" --net=host tomcat:jre17`, WAR got
> deployed and started successfully (required database were running in docker
> also)
>
> *- Building fineract from source:*
> - Run: `./gradlew binaryDistTar` -> Partially successful, tests are
> green, but `:fineract-doc:asciidoctorPdf` task failed, but I guess it is
> fine since it requires Ghost Script dependencies….
> - Run `./gradlew srcDistTar` -> Successful
> - Run `./gradlew bootRun` -> Fineract backend started successfully
> (required database were running in docker)
> - Run `./gradlew bootJar` -> Executable JAR got created successfully
> - Run `java -jar fineract-provider/build/libs/fineract-provider.jar` ->
> Fineract backend started successfully (required database were running in
> docker)
>
>
> I think I am confident to say the released files are correct and Fineract
> can be compiled and executed!
>
> Regards,
> Adam
>
>
> On 2025. Mar 4., at 6:52, Adam Monsen <amon...@mifos.org> wrote:
>
> Thank you again Ádám and Victor! Bummer about the PGP keys hiccups -- I'm
> confident we can sort this all out. I'm more worried about making sure the
> build contents are valid so hopefully we can move on to that step soon.
>
> James and I fixed the KEYS file together earlier today (US/Pacific
> time)--the problem was the missing newline in James's armored public key
> data block--this is what I identified/mentioned in my previous email
> <https://lists.apache.org/thread/wbzyo7o4qlfl8yyh3l4gkjgfoj1fpd96>. My
> improve-keys.patch fixes it, but please ignore that patch, I need to take
> another look at it tomorrow (I may have made a mistake, my eyes and hands
> are too tired right now to be trusted). The minimal fix in r75241 will do
> for the time being -- James's key in the KEYS file is valid now. But only
> in the "dev" area!
>
> https://dist.apache.org/repos/dist/dev/fineract/KEYS is fixed
>
> https://dist.apache.org/repos/dist/release/fineract/KEYS is still broken
>
> This difference in these two files is a nuance of the Apache release
> process we're using (their subversion setup for test/dev/release
> distribution). After reviewing their keys policy
> <https://infra.apache.org/release-signing.html#keys-policy> I suggest
> deleting the "dev" KEYS file and fixing the "release" KEYS file. I can
> think of one good reason to delete the dev one (hooray single source of
> truth!), and no good reasons to maintain both. James, I'm happy to pair
> with you to fix this.
>
> Ádám Sághy: 4F16 9FF2 63F5 F98E is James's key ID and BD58 EA9F 8520 1ADB
> 52CF C044 4F16 9FF2 63F5 F98E is the full fingerprint. Notice how those
> two strings overlap. I believe the missing uid is an annoying "feature" of
> openpgp's keyserver. They require you to answer an email challenge to
> include a uid, so James will have to do that if he wants to get his keys in
> sync. Since the KEYS file is now valid, that's the best place to get his
> key. Please grab the latest copy. For example:
>
> curl https://dist.apache.org/repos/dist/dev/fineract/KEYS | gpg --import
>
> Per PGP best practices, James must be the one to verify the fingerprint
> for his key, over a communications channel you both trust. Then he gets
> your public key and verifies your fingerprint, then you both trust and sign
> each others' keys (hooray web of trust!). The typical / ideal way to do
> this is a keysigning party in person. Since we basically span the globe,
> just checking fingerprints and release candidate signature validity is
> probably the best we can do until we're all able to get together and share
> some fun times. I do suggest everyone brush up on PGP skills. I'd be
> honored to do a little tutorial on that if folks are interested. This is
> useful even/also for non-Apache projects.
>
> Anyway, hopefully now we can get to running the build and war. Anyone else
> get as far as running the build and running the war?
>
> Victor wrote:
>
>> I found that the testing on binaryDistTar task is taking my JVM locale
>> (which is es-MX), so then changing the locale to en-US fixes it.
>
>
> Huh! Ok, I'm not really familiar with the nuance there. I'd hope it would
> work in both, but I know the build env settings are super fickle so I'm not
> surprised. Did the build succeed?
>
> Victor: should your PRs hold up the release?
>
> James: I just noticed you have another key up on the keys.openpgp.org
> keyserver, and that one *does* include a uid. Fingerprint is 849F 00D7
> F9ED B744 CCE3 9EF8 B394 C742 765F 8757. I think we made it before the
> new year? I suggest revoking that one.
>
>
>
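
Added example (not part of the original e-mails and not Apache Fineract project code): gpg's human-readable messages are localized, as the Spanish and English outputs in this thread show, so a scripted release check is better written against the machine-readable lines from `--status-fd`, with the signer pinned to the fingerprint quoted above. The function names, verdict words and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge a signature check from gpg's locale-independent status
# lines instead of its translated messages. Real use:
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | check_gpg_status "$PINNED_FPR"

# Fingerprint quoted in the thread; check_gpg_status strips the spaces.
PINNED_FPR="BD58 EA9F 8520 1ADB 52CF C044 4F16 9FF2 63F5 F98E"

# The long key ID is the last 16 hex digits of the fingerprint.
long_keyid() { printf '%s' "$1" | tr -d ' ' | tail -c 16; }

# Reads status lines on stdin, prints one verdict word, and returns 0 only for
# a valid signature whose primary key fingerprint equals the pinned one.
# TRUST_* lines (the "[unknown]" validity) are ignored: the pin replaces them.
check_gpg_status() {
    awk -v want="$1" '
        BEGIN { gsub(/ /, "", want); want = toupper(want) }
        $1 != "[GNUPG:]"                    { next }
        $2 == "BADSIG"                      { bad = 1 }   # data does not match signature
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { err = 1 }   # could not be checked at all
        $2 == "VALIDSIG"                    { n++; fpr = toupper($NF) }  # last field: primary key
        END {
            if (bad)           { print "bad-signature"; exit 2 }
            if (err || n != 1) { print "not-verified";  exit 3 }
            if (fpr != want)   { print "wrong-signer";  exit 4 }
            print "ok"
        }'
}

# Constructed status output for offline runs (signer name is hypothetical).
sample_good() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4F169FF263F5F98E Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BD58EA9F85201ADB52CFC0444F169FF263F5F98E 2025-03-01 1740794772 0 4 0 22 10 00 BD58EA9F85201ADB52CFC0444F169FF263F5F98E
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
sample_bad() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 4F169FF263F5F98E Example Signer <signer@example.invalid>
EOF
}

sample_good | check_gpg_status "$PINNED_FPR"
```

A `bad-signature` verdict means the signature does not match the file it was checked against, which also happens when a detached signature is paired with a different file than the one that was signed.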
