- signatures and checksums match
- source builds
- apache rat passes (after I excluded module/DEPENDENCIES)
+1

Below are the linux commands I used to verify the release of the myfaces-core-assembly-2.1.9-src files:

=============================================
# check checksums
find . -name '*.md5' -exec cat {} \; -printf ' %f\n' | sed 's|\.md5$||' | md5sum -c
find . -name '*.sha1' -exec cat {} \; -printf ' %f\n' | sed 's|\.sha1$||' | sha1sum -c

# check signatures
wget http://www.apache.org/dist/myfaces/KEYS
gpg --import KEYS
find . -name '*.asc' -exec gpg --verify {} \;

# verify tar.gz and zip sources are identical
mkdir src
cd src
tar xvf ../myfaces-core-assembly-2.1.9-src.tar.gz
ls -l
mv myfaces-core-2.1.9-src/ myfaces-core-2.1.9-src-tar-gz
unzip ../myfaces-core-assembly-2.1.9-src.zip
# should be no output
diff -rq myfaces-core-2.1.9-src*
# should be "are identical" output
diff -srq myfaces-core-2.1.9-src*

# build source
cd myfaces-core-2.1.9-src/src
find \( -name '*.jar' -o -name '*.zip' \) -exec unzip -n {} \;
cd myfaces-core-module-2.1.9/
mvn install
mvn apache-rat:check
# To check for all errors, if more than one project is affected
# mvn -e -X apache-rat:check -Drat.numUnapprovedLicenses=9999
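
The checksum step above depends on each .md5/.sha1 file holding a bare digest with no trailing newline. The following is an added example, not part of the original message: a hypothetical helper, verify_sidecars, that performs the same check for one directory while accepting both a bare digest and the "digest  filename" layout, and that fails when an artifact or the sidecar files themselves are missing.

```shell
#!/bin/sh
# Added example (not from the original post). verify_sidecars is a
# hypothetical name. Assumes the sidecar's first token is the hex digest.
# usage: verify_sidecars . md5 && verify_sidecars . sha1
verify_sidecars() {
    dir=$1
    algo=$2                 # "md5" or "sha1"
    tool="${algo}sum"       # md5sum / sha1sum from coreutils
    status=0
    found=0
    for sidecar in "$dir"/*."$algo"; do
        # An unmatched glob stays literal; skip it.
        [ -e "$sidecar" ] || continue
        found=1
        artifact=${sidecar%."$algo"}
        if [ ! -f "$artifact" ]; then
            echo "MISSING  $artifact" >&2
            status=1
            continue
        fi
        # First whitespace-delimited token of the first non-empty line,
        # lower-cased, whether or not a filename or newline follows it.
        expected=$(awk 'NF { print tolower($1); exit }' "$sidecar")
        # Hash from stdin so the tool's own filename column is irrelevant.
        actual=$("$tool" < "$artifact" | awk '{ print $1 }')
        if [ "$expected" = "$actual" ]; then
            echo "OK       $artifact"
        else
            echo "MISMATCH $artifact" >&2
            status=1
        fi
    done
    # Finding no sidecar files at all counts as a failure, not a pass.
    [ "$found" -eq 1 ] || status=1
    return "$status"
}
```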