I missed the trick on using these during the last release cycle, Carl, but I'd be open to the PR.
Best, Jonny On Tue, Jan 20, 2026 at 3:10 PM Carl Marcum <[email protected]> wrote: > Hi All, > > While working on the release votes this weekend it made me think about > automating some of this like Apache Grails does. > So I borrowed some of that and got something working for our releases. > > In general it will: > 1. Download KEYS file from release directory. > 2. Download artifacts (source, binary, docs, and sdk) including hashes and > sig files from /dist/dev or dist/release into sub-directories of the > specified download location. > 3. Verify each artifact for signature and checksum. > 4. Unpack each artifact and check for a LICENSE and NOTICE file. Source is > also checked for a README. > 5. For the unpacked source it will bootstrap a gradle wrapper if needed and > run the rat task. > > The scripts are in my project fork in the add-verify-scripts branch here [1]. > > Run from etc/bin with ./verify.sh ['dev' or 'release'] [semantic.version] > <download location> > > 'dev' or 'release' is used for the server location under > https://dist.apache.org/repos/dist/ > > Ex. ./verify.sh release 5.0.4 ~/temp/groovy-5.0.4-verify > > Download location will be created. > > Since the votes are over you can test on 'release'. > > There is more work that can be done in this area but it's a start. > > If you would like to include them I can create a PR. > > [1] https://github.com/cbmarcum/groovy/tree/add-verify-scripts/etc/bin > > Best regards, > Carl > >
