Sorry I misunderstood before, I think I've got it now.

1. I've added the SHA256 hashes.
2. I've recreated the GPG signatures with the SHA512 algorithm.
3. I will send a revised helper email referencing the standalone files as
you listed them.

I see what happened with the signatures, I followed the steps in the shell
script on the Releasing NiFi
<https://cwiki.apache.org/confluence/display/NIFI/Releasing+NiFi> wiki page
which does not specify the algorithm.  The Release Guidelines
<http://nifi.apache.org/release-guide.html> page does specify the algorithm
but that page is harder to follow and I thought the wiki page was supposed
to be newer.

So we have two sets of instructions that may give enough detail for someone
experienced with the release process, but neither of is complete or up to
date.  There are at least a few references to old processes that I caught,
such as not specifying that the pushes should go to the ASF repository.
But it wasn't until I was gathering information for the vote email that I
realized they don't cover pushing the tag once it's created.

Like I mentioned earlier, I'll try to get the details together an submit
updates for the release instructions this week.

Thanks for the help and patience!  :-D

On Mon, Oct 17, 2016 at 4:09 PM, Andy LoPresto <alopre...@apache.org> wrote:

> Really sorry for the confusion here Joe.
>
> The standalone files provided should be:
>
> .zip - source file
> .asc - GPG signature
> .md5 - MD5 checksum
> .sha1 - SHA1 checksum
> .sha256 - SHA256 checksum
>
> Your GPG signature should internally use SHA512/SHA384/SHA256 as the
> hashing algorithm.
>
> Andy LoPresto
> alopre...@apache.org
> *alopresto.apa...@gmail.com <alopresto.apa...@gmail.com>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Oct 17, 2016, at 12:06 PM, Joe Skora <jsk...@apache.org> wrote:
>
> Hello Apache NiFi community,
>
> Please find the associated guidance to help those interested in
> validating/verifying the release so they can vote.
>
> # Download latest KEYS file:
> https://dist.apache.org/repos/dist/dev/nifi/KEYS
>
> # Import keys file:
> gpg --import KEYS
>
> # [optional] Clear out local maven artifact repository
>
> # Pull down nifi-0.7.1 source release artifacts for review:
>
> wget
> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
> 0.7.1-source-release.zip
> wget
> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
> 0.7.1-source-release.zip.asc
> wget
> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
> 0.7.1-source-release.zip.md5
> wget
> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
> 0.7.1-source-release.zip.sha384
> wget
> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
> 0.7.1-source-release.zip.sha512
>
> # Verify the signature
> gpg --verify nifi-0.7.1-source-release.zip.asc
>
> # Verify the hashes (md5, sha384, sha512) match the source and what was
> provided in the vote email thread
> md5sum nifi-0.7.1-source-release.zip
> sha384sum nifi-0.7.1-source-release.zip
> sha512sum nifi-0.7.1-source-release.zip
>
> # Unzip nifi-0.7.1-source-release.zip
>
> # Verify the build works including release audit tool (RAT) checks
> cd nifi-0.7.1
> mvn clean install -Pcontrib-check
>
> # Verify the contents contain a good README, NOTICE, and LICENSE.
>
> # Verify the git commit ID is correct
>
> # Verify the RC was branched off the correct git commit ID
>
> # Look at the resulting convenience binary as found in nifi-assembly/target
>
> # Make sure the README, NOTICE, and LICENSE are present and correct
>
> # Run the resulting convenience binary and make sure it works as expected
>
> # Send a response to the vote thread indicating a +1, 0, -1 based on your
> findings.
>
> Thank you for your time and effort to validate the release!
>
>
>

Reply via email to