For those interested, if you are on a *nix system and make the above tweaks, you can verify the current release candidates using the mentioned scripts:
$ ./verify.sh dev 4.0.31 $ ./verify.sh dev 5.0.5 Cheers, Paul. On Thu, Mar 26, 2026 at 6:59 PM Paul King <[email protected]> wrote: > > Hi Carl, > > The scripts were great (with some trivial glitches)! > > I was trying to use them without the "optional download location". In > this scenario, it was trying to load keys from downloads/SVN_KEYS > after already doing a cd to downloads/src etc. > > I moved the following fragments to above the cd in each script: > > ############ > ... > export GROOVY_GPG_HOME=$(mktemp -d) > cleanup() { > rm -rf "${GROOVY_GPG_HOME}" > } > trap cleanup EXIT > > echo "Importing GPG key to independent GPG home ..." > gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS" > echo "✅ GPG Key Imported" > > cd "${DOWNLOAD_LOCATION}/src" > ... > ############ > > Also, I had to do a "cd -" at the end of the gradle bootstrap section > in verify.sh to avoid a similar incorrect pwd issue. > > I think these are good for inclusion. I note that currently they don't > appear in the source or sdk distributions. Maybe we can include them > there too but that can be done separately. > Did you want to re-test the scripts with the above changes using other > scenarios? If that works, a PR would be greatly appreciated. > > Cheers, Paul. > > > On Thu, Feb 5, 2026 at 10:07 AM Carl Marcum <[email protected]> wrote: > > > > For clarification this was for Groovy releases. > > > > I will look at Geb after I finish the testcontainers work to see what could > > be done there. > > > > Best regards, > > Carl > > > > On 1/30/26 3:58 PM, Jonny wrote: > > > > I missed the trick on using these during the last release cycle, Carl, but > > I'd be open to the PR. > > > > Best, > > > > Jonny > > > > On Tue, Jan 20, 2026 at 3:10 PM Carl Marcum <[email protected]> wrote: > >> > >> Hi All, > >> > >> While working on the release votes this weekend it made me think about > >> automating some of this like Apache Grails does. > >> So I borrowed some of that and got something working for our releases. > >> > >> In general it will: > >> 1. Download KEYS file from release directory. > >> 2. Download artifacts (source, binary, docs, and sdk) including hashes > >> and sig files from /dist/dev or dist/release into sub-directories of the > >> specified download location. > >> 3. Verify each artifact for signature and checksum. > >> 4. Unpack each artifact and check for a LICENSE and NOTICE file. Source > >> is also checked for a README. > >> 5. For the unpacked source it will bootstrap a gradle wrapper if needed > >> and run the rat task. > >> > >> The scripts are in my project fork in the add-verify-scripts branch here > >> [1]. > >> > >> Run from etc/bin with ./verify.sh ['dev' or 'release'] [semantic.version] > >> <download location> > >> > >> 'dev' or 'release' is used for the server location under > >> https://dist.apache.org/repos/dist/ > >> > >> Ex. ./verify.sh release 5.0.4 ~/temp/groovy-5.0.4-verify > >> > >> Download location will be created. > >> > >> Since the votes are over you can test on 'release'. > >> > >> There is more work that can be done in this area but it's a start. > >> > >> If you would like to include them I can create a PR. > >> > >> [1] https://github.com/cbmarcum/groovy/tree/add-verify-scripts/etc/bin > >> > >> Best regards, > >> Carl
