Sorry for the goof on the response thread. Andy, thanks for the key education, greatly appreciated.
On Tue, Jul 3, 2018 at 02:10 Andy LoPresto <[email protected]> wrote:

> Hi Andrew,
>
> A couple things:
>
> * You accidentally replied to the release helper guide; I think you meant to vote on the [VOTE] thread
> * the warning message you received during GPG verification simply means that you had not previously marked Jeremy’s key as “trusted” via your GPG application. The intended process is:
>
> * Jeremy posts his public key on a key server
> * You verify Jeremy’s key via a different channel (chat/in-person/voice verification) — this is where the key fingerprint is useful; he can read it over the phone and you, knowing his voice, can verify that he is using the key ostensibly published by him
> * If you do not know Jeremy or cannot contact him, you can delegate that trust verification to someone else. For example, I have verified the key fingerprint with Jeremy offline, so I trust that this key is his. I have signed that public key using my private key (key ID 0x2F7DEF69) and I can publish that signature to public key servers. Now, if you trust my key, you can accept that transitive trust as well. (The servers are under stress right now but this link should show that when the server is up: https://pgp.mit.edu/pks/lookup?search=0x6B295AD5&op=index).
> * Once you have verified or trust that the key represents Jeremy, you can assign it a level of “owner trust” in your GPG application, ranging from Never -> Marginal -> Full, representing how seriously you believe this is Jeremy’s key.
> * After a trust level has been assigned, you will not get the message you did. You will get a message like the one below:
>
> hw12203:/Users/alopresto/Workspace/scratch/release_verification/minifi-java-0.5.0 (master) alopresto
> 🔓 0s @ 11:09:55 $ gpg --verify -v minifi-0.5.0-source-release.zip.asc
> gpg: assuming signed data in 'minifi-0.5.0-source-release.zip'
> gpg: Signature made Thu Jun 28 09:31:10 2018 PDT
> gpg: using RSA key 50AA60AD5D58311187B0BEB5C6E550DA6B295AD5
> gpg: issuer "[email protected]"
> gpg: using pgp trust model
> gpg: Good signature from "Jeremy Dyer (CODE SIGNING KEY) <[email protected]>" [full]
> gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
>
>
> Andy LoPresto
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> On Jul 1, 2018, at 8:35 PM, Andrew Psaltis <[email protected]> wrote:
>
> +1 (non-binding)
>
> - verified keys
> - verified signatures
> - verified READMEs, NOTICE and LICENSE
> - tested c2 NiFiRestConfigurationProvider with NiFi 1.6.0 and minifi from this build, various changes to template -- bumping versions, etc.
>
> One thing I noticed when verifying the keys, which I am not sure is an issue, is the WARNING that the key is not certified with a trusted signature. The following is the output from the command:
>
> gpg: assuming signed data in 'minifi-0.5.0-source-release.zip'
> gpg: Signature made Fri Jun 29 00:31:10 2018 +08
> gpg: using RSA key 50AA60AD5D58311187B0BEB5C6E550DA6B295AD5
> gpg: issuer "[email protected]"
> gpg: Good signature from "Jeremy Dyer (CODE SIGNING KEY) <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 50AA 60AD 5D58 3111 87B0 BEB5 C6E5 50DA 6B29 5AD5
>
>
> On Fri, Jun 29, 2018 at 1:39 AM Jeremy Dyer <[email protected]> wrote:
>
> Hello Apache NiFi community,
>
> Please find the associated guidance to help those interested in validating/verifying the release so they can vote.
>
> # Download latest KEYS file:
> https://dist.apache.org/repos/dist/dev/nifi/KEYS
>
> # Import keys file:
> gpg --import KEYS
>
> # [optional] Clear out local maven artifact repository
>
> # Pull down minifi-0.5.0 source release artifacts for review:
>
> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip
> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.asc
> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.sha1
> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.sha256
>
> # Verify the signature
> gpg --verify minifi-0.5.0-source-release.zip.asc
>
> # Verify the hashes (sha1 and sha256) match the source and what was provided in the vote email thread
> sha1sum minifi-0.5.0-source-release.zip
> sha256sum minifi-0.5.0-source-release.zip
>
> # Unzip minifi-0.5.0-source-release.zip
>
> # Verify the build works including release audit tool (RAT) checks
> cd minifi-0.5.0
> mvn clean install -Pcontrib-check
>
> # Verify the contents contain a good README, NOTICE, and LICENSE.
>
> # Verify the git commit ID is correct
>
> # Verify the RC was branched off the correct git commit ID
>
>
> There are three convenience binaries generated as part of this process. The MiNiFi assembly, a MiNiFi Toolkit assembly, and a MiNiFi C2 Assembly.
>
> For the MiNiFi assembly:
>
> # Look at the resulting convenience binary as found in minifi-assembly/target
>
> # Make sure the README, NOTICE, and LICENSE are present and correct
>
> # Run the resulting convenience binary and make sure it works as expected
>
>
> For the MiNiFi Toolkit assembly:
>
> # Look at the resulting convenience binary as found in minifi-toolkit/minifi-toolkit-assembly/target
>
> # Make sure the README, NOTICE, and LICENSE are present and correct
>
> # Run the resulting convenience binary and make sure it works as expected
>
>
> For the MiNiFi C2 assembly:
>
> # Look at the resulting convenience binary as found in minifi-c2/minifi-c2-assembly/target
>
> # Make sure the README, NOTICE, and LICENSE are present and correct
>
> # Run the resulting convenience binary and make sure it works as expected
>
>
> # Send a response to the vote thread indicating a +1, 0, -1 based on your findings.
>
>
> Thank you for your time and effort to validate the release!
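The distinction Andy draws above (a "Good signature" shown as [unknown] versus [full]) is easy to miss when a reviewer only eyeballs gpg's text output. The following POSIX sh check is an added example, not part of the thread or of the NiFi project: it reads gpg's machine-readable `--status-fd` lines, pins the signer to the fingerprint quoted in the thread, and only passes when owner trust has actually been assigned. The function names, the `EXPECTED_FPR` variable and the sample status lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): judge a release signature from gpg's
# machine-readable status lines (--status-fd) instead of the human-oriented
# "Good signature ... [unknown]" text, and pin the signer to the fingerprint
# published in the KEYS file / vote thread.

# Jeremy's signing-key fingerprint as quoted in the thread.
EXPECTED_FPR="50AA60AD5D58311187B0BEB5C6E550DA6B295AD5"

# check_status STATUS_TEXT EXPECTED_FPR
# Returns 0 only if: a GOODSIG line is present, the VALIDSIG fingerprint equals
# EXPECTED_FPR, and owner trust is full or ultimate. Otherwise prints why, returns 1.
check_status() {
    status="$1"; want="$2"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' \
        || { echo "no good signature"; return 1; }
    # Field 3 of VALIDSIG is the fingerprint of the key that made the signature.
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$got" ] || { echo "no VALIDSIG line"; return 1; }
    [ "$got" = "$want" ] || { echo "signer $got is not the expected key"; return 1; }
    if printf '%s\n' "$status" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'; then
        return 0
    fi
    # TRUST_UNDEFINED / TRUST_NEVER / TRUST_MARGINAL is the state behind the WARNING
    # in the thread: the signature itself is fine, but the key has not been verified
    # out of band (fingerprint read over the phone, or signed by someone you trust).
    echo "key not trusted: verify the fingerprint out of band first"; return 1
}

# Real use against the downloaded artifacts (not exercised here):
#   verify_release minifi-0.5.0-source-release.zip
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null)
    check_status "$status" "$EXPECTED_FPR"
}

# Constructed sample status output for the two outcomes seen in the thread
# (timestamp is the "Thu Jun 28 09:31:10 2018 PDT" signature time as epoch seconds).
SIGNER_UID='Jeremy Dyer (CODE SIGNING KEY) <[email protected]>'
SIG="[GNUPG:] VALIDSIG $EXPECTED_FPR 2018-06-28 1530203470 0 4 0 1 10 00 $EXPECTED_FPR"
TRUSTED_STATUS="[GNUPG:] GOODSIG C6E550DA6B295AD5 $SIGNER_UID
$SIG
[GNUPG:] TRUST_FULLY 0 pgp"
UNTRUSTED_STATUS="[GNUPG:] GOODSIG C6E550DA6B295AD5 $SIGNER_UID
$SIG
[GNUPG:] TRUST_UNDEFINED 0 pgp"
```

Run `check_status "$TRUSTED_STATUS" "$EXPECTED_FPR"` to see the passing case and `check_status "$UNTRUSTED_STATUS" "$EXPECTED_FPR"` to see the same rejection Andrew's output would produce before owner trust is assigned.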
