Hi Carl,
The scripts were great (with some trivial glitches)!
I was trying to use them without the "optional download location". In
this scenario, it was trying to load keys from downloads/SVN_KEYS
after already doing a cd to downloads/src etc.
I moved the following fragments to above the cd in each script:
############
...
export GROOVY_GPG_HOME=$(mktemp -d)
cleanup() {
rm -rf "${GROOVY_GPG_HOME}"
}
trap cleanup EXIT
echo "Importing GPG key to independent GPG home ..."
gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
echo "✅ GPG Key Imported"
cd "${DOWNLOAD_LOCATION}/src"
...
############
Also, I had to do a "cd -" at the end of the gradle bootstrap section
in verify.sh to avoid a similar incorrect pwd issue.
I think these are good for inclusion. I note that currently they don't
appear in the source or sdk distributions. Maybe we can include them
there too but that can be done separately.
Did you want to re-test the scripts with the above changes using other
scenarios? If that works, a PR would be greatly appreciated.
Cheers, Paul.
On Thu, Feb 5, 2026 at 10:07 AM Carl Marcum <[email protected]> wrote:
>
> For clarification this was for Groovy releases.
>
> I will look at Geb after I finish the testcontainers work to see what could
> be done there.
>
> Best regards,
> Carl
>
> On 1/30/26 3:58 PM, Jonny wrote:
>
> I missed the trick on using these during the last release cycle, Carl, but
> I'd be open to the PR.
>
> Best,
>
> Jonny
>
> On Tue, Jan 20, 2026 at 3:10 PM Carl Marcum <[email protected]> wrote:
>>
>> Hi All,
>>
>> While working on the release votes this weekend it made me think about
>> automating some of this like Apache Grails does.
>> So I borrowed some of that and got something working for our releases.
>>
>> In general it will:
>> 1. Download KEYS file from release directory.
>> 2. Download artifacts (source, binary, docs, and sdk) including hashes and
>> sig files from /dist/dev or dist/release into sub-directories of the
>> specified download location.
>> 3. Verify each artifact for signature and checksum.
>> 4. Unpack each artifact and check for a LICENSE and NOTICE file. Source is
>> also checked for a README.
>> 5. For the unpacked source it will bootstrap a gradle wrapper if needed and
>> run the rat task.
>>
>> The scripts are in my project fork in the add-verify-scripts branch here [1].
>>
>> Run from etc/bin with ./verify.sh ['dev' or 'release'] [semantic.version]
>> <download location>
>>
>> 'dev' or 'release' is used for the server location under
>> https://dist.apache.org/repos/dist/
>>
>> Ex. ./verify.sh release 5.0.4 ~/temp/groovy-5.0.4-verify
>>
>> Download location will be created.
>>
>> Since the votes are over you can test on 'release'.
>>
>> There is more work that can be done in this area but it's a start.
>>
>> If you would like to include them I can create a PR.
>>
>> [1] https://github.com/cbmarcum/groovy/tree/add-verify-scripts/etc/bin
>>
>> Best regards,
>> Carl
