Joe, Thanks for preparing the release. Please send the “helper” email to accompany this (example from 1.0.0 here [1]) and include the SHA-256 hash of the release ZIP as well.
Similarly, when you perform the GPG signing activity, please use SHA-256 as the
hash algorithm. Currently you are configured to use SHA-1. You can find
instructions for changing that here [2].
hw12203:/Users/alopresto/Workspace/scratch/release_verification/nifi-0.7.1
(master) alopresto
🔓 17s @ 10:46:02 $ gpg --verify -vvv nifi-0.7.1-source-release.zip.asc
gpg: using character set `utf-8'
gpg: armor: BEGIN PGP SIGNATURE
Version: GnuPG v1
:signature packet: algo 1, keyid 941C14437D84EBD6
version 4, created 1476642289, md5len 0, sigclass 0x00
digest algo 2, begin of digest f1 9b
hashed subpkt 2 len 4 (sig created 2016-10-16)
subpkt 16 len 8 (issuer key ID 941C14437D84EBD6)
data: [4096 bits]
gpg: armor header:
gpg: assuming signed data in 'nifi-0.7.1-source-release.zip'
gpg: Signature made Sun Oct 16 11:24:49 2016 PDT using RSA key ID 7D84EBD6
gpg: using PGP trust model
gpg: key 00D026C4: accepted as trusted key
gpg: key 51BF2B79: accepted as trusted key
gpg: key 2F7DEF69: accepted as trusted key
gpg: Good signature from "Joseph Skora (CODE SIGNING KEY) <[email protected]>"
[unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6B4E F25B 89D2 D330 2D60 1BD3 941C 1443 7D84 EBD6
gpg: binary signature, digest algorithm SHA1
Thanks.
[1]
https://lists.apache.org/thread.html/bc20784d6f8df22277c196e15f33e85cee4a0f409761a42acee54999@%3Cdev.nifi.apache.org%3E
<https://lists.apache.org/thread.html/bc20784d6f8df22277c196e15f33e85cee4a0f409761a42acee54999@%3Cdev.nifi.apache.org%3E>
[2] https://www.apache.org/dev/openpgp.html#key-gen-avoid-sha1
<https://www.apache.org/dev/openpgp.html#key-gen-avoid-sha1>
Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> On Oct 16, 2016, at 8:32 PM, Joe Skora <[email protected]> wrote:
>
> Hello,
>
> I am pleased to be calling this vote for the source release of Apache NiFi
> nifi-0.7.1.
>
> The source zip, including signatures, digests, etc. can be found at:
> https://repository.apache.org/content/repositories/orgapachenifi-1091
>
> The Git tag is nifi-0.7.1-RC1
> The Git commit ID is 421d5e61553e5fa160af9e0cc9fdc237af46906d
> *
> https://git-wip-us.apache.org/repos/asf?p=nifi.git;a=commit;h=421d5e61553e5fa160af9e0cc9fdc237af46906d
> *
> https://github.com/apache/nifi/commit/421d5e61553e5fa160af9e0cc9fdc237af46906d
>
> Checksums of nifi-0.7.1-source-release.zip:
> MD5: a15fc40ec887d82440f2de05ef71f810
> SHA1: 1565f4e123478e91fd26022b939d9d2f6ea6a2cf
>
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/jskora.asc
>
> KEYS file available here:
> https://dist.apache.org/repos/dist/release/nifi/KEYS
>
> 41 issues were closed/resolved for this release:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12338025
>
> Release note highlights can be found here:
> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version0.7.1
>
> The vote will be open for 72 hours.
> Please download the release candidate and evaluate the necessary items
> including checking hashes, signatures, build from source, and test. The
> please vote:
>
> [ ] +1 Release this package as nifi-0.7.1
> [ ] +0 no opinion
> [ ] -1 Do not release this package because because...
signature.asc
Description: Message signed with OpenPGP using GPGMail
