Thanks Joe. Sharpening our tools is always valuable and often 
forgotten/underappreciated. Your updates will be silently thanked by many in 
the future.

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Oct 17, 2016, at 3:01 PM, Joe Skora <jsk...@gmail.com> wrote:
> 
> Sorry I misunderstood before, I think I've got it now.
> 
> 1. I've added the SHA256 hashes.
> 2. I've recreated the GPG signatures with the SHA512 algorithm.
> 3. I will send a revised helper email referencing the standalone files as
> you listed them.
> 
> I see what happened with the signatures, I followed the steps in the shell
> script on the Releasing NiFi
> <https://cwiki.apache.org/confluence/display/NIFI/Releasing+NiFi 
> <https://cwiki.apache.org/confluence/display/NIFI/Releasing+NiFi>> wiki page
> which does not specify the algorithm.  The Release Guidelines
> <http://nifi.apache.org/release-guide.html 
> <http://nifi.apache.org/release-guide.html>> page does specify the algorithm
> but that page is harder to follow and I thought the wiki page was supposed
> to be newer.
> 
> So we have two sets of instructions that may give enough detail for someone
> experienced with the release process, but neither of is complete or up to
> date.  There are at least a few references to old processes that I caught,
> such as not specifying that the pushes should go to the ASF repository.
> But it wasn't until I was gathering information for the vote email that I
> realized they don't cover pushing the tag once it's created.
> 
> Like I mentioned earlier, I'll try to get the details together an submit
> updates for the release instructions this week.
> 
> Thanks for the help and patience!  :-D
> 
> On Mon, Oct 17, 2016 at 4:09 PM, Andy LoPresto <alopre...@apache.org 
> <mailto:alopre...@apache.org>> wrote:
> 
>> Really sorry for the confusion here Joe.
>> 
>> The standalone files provided should be:
>> 
>> .zip - source file
>> .asc - GPG signature
>> .md5 - MD5 checksum
>> .sha1 - SHA1 checksum
>> .sha256 - SHA256 checksum
>> 
>> Your GPG signature should internally use SHA512/SHA384/SHA256 as the
>> hashing algorithm.
>> 
>> Andy LoPresto
>> alopre...@apache.org
>> *alopresto.apa...@gmail.com <mailto:alopresto.apa...@gmail.com> 
>> <alopresto.apa...@gmail.com <mailto:alopresto.apa...@gmail.com>>*
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>> 
>> On Oct 17, 2016, at 12:06 PM, Joe Skora <jsk...@apache.org> wrote:
>> 
>> Hello Apache NiFi community,
>> 
>> Please find the associated guidance to help those interested in
>> validating/verifying the release so they can vote.
>> 
>> # Download latest KEYS file:
>> https://dist.apache.org/repos/dist/dev/nifi/KEYS
>> 
>> # Import keys file:
>> gpg --import KEYS
>> 
>> # [optional] Clear out local maven artifact repository
>> 
>> # Pull down nifi-0.7.1 source release artifacts for review:
>> 
>> wget
>> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
>> 0.7.1-source-release.zip
>> wget
>> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
>> 0.7.1-source-release.zip.asc
>> wget
>> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
>> 0.7.1-source-release.zip.md5
>> wget
>> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
>> 0.7.1-source-release.zip.sha384
>> wget
>> https://dist.apache.org/repos/dist/dev/nifi/nifi-0.7.1/nifi-
>> 0.7.1-source-release.zip.sha512
>> 
>> # Verify the signature
>> gpg --verify nifi-0.7.1-source-release.zip.asc
>> 
>> # Verify the hashes (md5, sha384, sha512) match the source and what was
>> provided in the vote email thread
>> md5sum nifi-0.7.1-source-release.zip
>> sha384sum nifi-0.7.1-source-release.zip
>> sha512sum nifi-0.7.1-source-release.zip
>> 
>> # Unzip nifi-0.7.1-source-release.zip
>> 
>> # Verify the build works including release audit tool (RAT) checks
>> cd nifi-0.7.1
>> mvn clean install -Pcontrib-check
>> 
>> # Verify the contents contain a good README, NOTICE, and LICENSE.
>> 
>> # Verify the git commit ID is correct
>> 
>> # Verify the RC was branched off the correct git commit ID
>> 
>> # Look at the resulting convenience binary as found in nifi-assembly/target
>> 
>> # Make sure the README, NOTICE, and LICENSE are present and correct
>> 
>> # Run the resulting convenience binary and make sure it works as expected
>> 
>> # Send a response to the vote thread indicating a +1, 0, -1 based on your
>> findings.
>> 
>> Thank you for your time and effort to validate the release!

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Reply via email to