Improve verify-ofbiz-release : was Re: [VOTE] [RELEASE] Apache OFBiz 18.12.19

Wed, 02 Apr 2025 00:50:02 -0700 

Thanks Jacopo, I think it's good improvement and work well from my side

Nicolas

Le 28/03/2025 à 16:58, Jacopo Cappellato a écrit :

As a side note,

the following changes to the verification script should do the trick:

diff --git a/verify-ofbiz-release.sh b/verify-ofbiz-release.sh

index 52e90d0..a2ba619 100755

--- a/verify-ofbiz-release.sh

+++ b/verify-ofbiz-release.sh

@@ -147,8 +147,8 @@ verifyFiles () {

  }



  checkSHA () {

-    file1=`gpg --print-md SHA512 $ZIP`

-    file2=`cut -d* -f1 $ZIP.sha512`

+    file1=`gpg --print-md SHA512 $ZIP | tr -d ' \r\n'`

+    file2=`cut -d* -f1 $ZIP.sha512 | tr -d ' \r\n'`



      echo "sha check of file: $ZIP"

      echo "Using sha file: $ZIP.sha512"


Jacopo

On Fri, Mar 28, 2025 at 10:04 AM Nicolas Malin <nicolas.ma...@nereide.fr>
wrote:


Oh damn !

Thanks for this return, I double check from my side

$ . ../ofbiz-tools/verify-ofbiz-release.sh apache-ofbiz-18.12.19.zip
sha check of file: apache-ofbiz-18.12.19.zip
Using sha file: apache-ofbiz-18.12.19.zip.sha512
apache-ofbiz-18.12.19.zip: C9E4BD94 93AA7D92 8BD685FA F9837E7C 70A3FC2F
A1A7FEE4 9A064E09 A246E6C6 1838AC01 474CD09E 7F109026 E83DDF93 17EEA1E8
5904867C D6A1E8EA 411F5D30
apache-ofbiz-18.12.19.zip: C9E4BD94 93AA7D92 8BD685FA F9837E7C 70A3FC2F
A1A7FEE4 9A064E09 A246E6C6 1838AC01 474CD09E 7F109026 E83DDF93 17EEA1E8
5904867C D6A1E8EA 411F5D30
sha checksum OK

GPG verification output
gpg: Signature made Thu Mar 27 11:12:49 2025 CET
gpg:                using RSA key BE920554FD75553B7D9C64AFA2593327114C45E5
gpg: Good signature from "Nicolas Malin (PMC Apache OFBiz)
<nma...@apache.org>" [ultimate]
gpg:                 aka "Nicolas Malin <nicolas.ma...@nereide.fr>"
[ultimate]

Your suggest of end of line depends to the system seems to be confirm.

I propose to improve the script verify-ofbiz-release.sh to analyze only
the alphanumeric string and not all the file because if I understand
well the sha512 print is good but not the generated file through all
platform.
Or I let you update the sha512 print ?

Nicolas

Le 28/03/2025 à 09:40, Jacopo Cappellato a écrit :

I guess it is related to some line ending differences between operating
systems.
In my dev box, the verification script works fine for previous release
files (see output for 17 and 18):

sha check of file: apache-ofbiz-18.12.17.zip

Using sha file: apache-ofbiz-18.12.17.zip.sha512

apache-ofbiz-18.12.17.zip: 0BE42CA7 CBFFBA93 49D282B4 ED715E8B 5C7C87F0
1B42E5ED 8CA64784 C56E27CB 90864CEA C980A6C4 2D2F851F 2A8815BB ED4AFA4C
02F61758 2E8CE61F C035B1ED

apache-ofbiz-18.12.17.zip: 0BE42CA7 CBFFBA93 49D282B4 ED715E8B 5C7C87F0
1B42E5ED 8CA64784 C56E27CB 90864CEA C980A6C4 2D2F851F 2A8815BB ED4AFA4C
02F61758 2E8CE61F C035B1ED

sha checksum OK


sha check of file: apache-ofbiz-18.12.18.zip

Using sha file: apache-ofbiz-18.12.18.zip.sha512

apache-ofbiz-18.12.18.zip: 758238DE 88BEA755 FA226E2B 4AF81946 0B8B7A1E
263007ED B2585B4E 4DF00188 DD3B7E52 B6643D40 DC0CCC92 85391E01 3DBF4482
444FE96D 64C8EE83 6FEABD88

apache-ofbiz-18.12.18.zip: 758238DE 88BEA755 FA226E2B 4AF81946 0B8B7A1E
263007ED B2585B4E 4DF00188 DD3B7E52 B6643D40 DC0CCC92 85391E01 3DBF4482
444FE96D 64C8EE83 6FEABD88

sha checksum OK


but it complains with the latest:

sha check of file: apache-ofbiz-18.12.19.zip

Using sha file: apache-ofbiz-18.12.19.zip.sha512

apache-ofbiz-18.12.19.zip: C9E4BD94 93AA7D92 8BD685FA F9837E7C 70A3FC2F
A1A7FEE4 9A064E09 A246E6C6 1838AC01 474CD09E 7F109026 E83DDF93 17EEA1E8
5904867C D6A1E8EA 411F5D30

apache-ofbiz-18.12.19.zip: C9E4BD94 93AA7D92 8BD685FA F9837E7C 70A3FC2F
A1A7FEE4 9A064E09 A246E6C6 1838AC01 474CD09E 7F109026 E83DDF93 17EEA1E8
5904867C D6A1E8EA 411F5D30

sha sums mismatch!




On Fri, Mar 28, 2025 at 9:30 AM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Jacopo,

I get the same for months if not years, I decided that my eyes (helped

by

glasses ;) are good.

I'm on a Oracle VirtualBox 7 on Win7. I got the same before when using

Git

Bash on Win7. It appeared at some point, was working before. I don't
remember when.

HTH

Jacques

Le 28/03/2025 à 08:48, Jacopo Cappellato a écrit :

Hi Nicolas,

I am getting a weird sha sums mismatch error when I verify the sha

digest:

% ./verify-ofbiz-release.sh apache-ofbiz-18.12.19.zip

sha check of file: apache-ofbiz-18.12.19.zip

Using sha file: apache-ofbiz-18.12.19.zip.sha512

apache-ofbiz-18.12.19.zip: C9E4BD94 93AA7D92 8BD685FA F9837E7C 70A3FC2F
A1A7FEE4 9A064E09 A246E6C6 1838AC01 474CD09E 7F109026 E83DDF93 17EEA1E8
5904867C D6A1E8EA 411F5D30

apache-ofbiz-18.12.19.zip: C9E4BD94 93AA7D92 8BD685FA F9837E7C 70A3FC2F
A1A7FEE4 9A064E09 A246E6C6 1838AC01 474CD09E 7F109026 E83DDF93 17EEA1E8
5904867C D6A1E8EA 411F5D30

sha sums mismatch!


As you can see, the digests look identical so I guess it is some sort

of

line ending error. Could you please double check, possibly also in

another

dev box?

Thanks,

Jacopo

On Thu, Mar 27, 2025 at 11:27 AM Nicolas Malin <

nicolas.ma...@nereide.fr

wrote:


This is the vote thread to publish "Apache OFBiz 18.12.19", the 19th
release from the release18.12 branch.

The release files can be downloaded from here:
https://dist.apache.org/repos/dist/dev/ofbiz/
and are:
* apache-ofbiz-18.12.19.zip
* KEYS: text file with keys
* apache-ofbiz-18.12.19.zip.asc: the detached signature file
* apache-ofbiz-18.12.19.zip.sha512: checksum file

Please download and test the zip file and its signatures (for
instructions on testing the signatures see
http://www.apache.org/info/verification.html).

Vote:
[ +1] release as Apache OFBiz 18.12.19
[ -1] do not release

This vote is open for at least 5 days.

For more details about this process please refer to
http://www.apache.org/foundation/voting.html

Reply via email to