Hi All, While working on the release votes this weekend it made me think about automating some of this like Apache Grails does. So I borrowed some of that and got something working for our releases.
In general it will: 1. Download KEYS file from release directory. 2. Download artifacts (source, binary, docs, and sdk) including hashes and sig files from /dist/dev or dist/release into sub-directories of the specified download location. 3. Verify each artifact for signature and checksum. 4. Unpack each artifact and check for a LICENSE and NOTICE file. Source is also checked for a README. 5. For the unpacked source it will bootstrap a gradle wrapper if needed and run the rat task. The scripts are in my project fork in the add-verify-scripts branch here [1]. Run from etc/bin with ./verify.sh ['dev' or 'release'] [semantic.version] <download location> 'dev' or 'release' is used for the server location underhttps://dist.apache.org/repos/dist/ Ex. ./verify.sh release 5.0.4 ~/temp/groovy-5.0.4-verify Download location will be created. Since the votes are over you can test on 'release'. There is more work that can be done in this area but it's a start. If you would like to include them I can create a PR. [1]https://github.com/cbmarcum/groovy/tree/add-verify-scripts/etc/bin Best regards, Carl
