Indeed, it looks like in the 2.3.4 gpg version:
# gpg --print-md SHA512 openwhisk-client-js-3.21.6-sources.tar.gz
will output:
4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E
342C9202 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54

whereas in the 2.3.3 gpg version, the same command will output:
4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E 342C9202
 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54

And ./rcverify.sh does indeed do a string comparison, which fails depending on the
local gpg version.

One solution for this would be to change the validate() function to remove the 
white spaces before comparing the two strings:
  if [[ "$(echo "$1" | tr -d '[:space:]')" == "$(echo "$2" | tr -d '[:space:]')" ]];
instead of:
  if [[ $1 == $2 ]];
as it is now.

If people agree, I could add a PR to change the ./rcverify.sh

Regards,
Cosmin
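
The comparison proposed above, sketched as a stand-alone helper (an added example, not code from rcverify.sh; the function names are hypothetical). It also rejects input that does not reduce to 128 hex characters, so two empty strings cannot compare equal once whitespace is stripped.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not taken from rcverify.sh.

# Reduce `gpg --print-md SHA512 <file>` output to bare lowercase hex:
# drop an optional leading "<filename>:" label, then all whitespace.
normalize_digest() {
  printf '%s' "$1" | sed '1s/^[^:]*:[[:space:]]*//' | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# True only for exactly 128 lowercase hex characters (a SHA-512 digest).
is_sha512_hex() {
  [ "${#1}" -eq 128 ] || return 1
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Returns 0 on match, 1 on mismatch, 2 if either side is not a digest.
# The shape check keeps two empty strings from comparing equal.
validate_digest() {
  expected=$(normalize_digest "$1")
  actual=$(normalize_digest "$2")
  is_sha512_hex "$expected" || return 2
  is_sha512_hex "$actual" || return 2
  [ "$expected" = "$actual" ]
}

# Sample input: the two layouts quoted in this thread.
PUBLISHED='openwhisk-client-js-3.21.6-sources.tar.gz:
4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E
342C9202 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54'
LOCAL_233='openwhisk-client-js-3.21.6-sources.tar.gz:
4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E 342C9202
 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54'

validate_digest "$PUBLISHED" "$LOCAL_233" && echo "sha512 matches"
validate_digest "" "" || echo "empty input rejected (status $?)"
```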

From: Rob Allen <r...@akrabat.com>
Date: Friday, December 31, 2021 at 1:22 AM
To: dev@openwhisk.apache.org <dev@openwhisk.apache.org>
Subject: rcverify.sh issue with sha512 check for Apache OpenWhisk Client Js 
(v3.21.6, rc1)
Hey all,

Putting this in a separate thread as it’s not directly related to the vote.

When I ran rcverify.sh, I got an sha512 validation failure:

validating sha512... failed (cd /var/folders/sg/7bdwwkc56kl74bgrw2gxhyf40000gn/T/tmp.4kf6mVM4 && gpg --print-md SHA512 'openwhisk-client-js-3.21.6-sources.tar.gz')

However running it manually, I get the right hash as the one in
https://dist.apache.org/repos/dist/dev/openwhisk/rc1/openwhisk-client-js-3.21.6-sources.tar.gz.sha512,
so I voted +1 to release.


The possible problem is that there’s a different whitespace formatting:

https://dist.apache.org/repos/dist/dev/openwhisk/rc1/openwhisk-client-js-3.21.6-sources.tar.gz.sha512
 is:

openwhisk-client-js-3.21.6-sources.tar.gz:
4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E
342C9202 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54


but gpg on my M1 Mac gives:

openwhisk-client-js-3.21.6-sources.tar.gz:
4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E 342C9202
 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54


So I guess that rcverify.sh does a direct string comparison?


The rcverify.sh’s script SHA1 that I used is: 7FC5 5DBE 1809 6D92 DEFF  0E31 
D138 059B 8F27 20F7
My gpg --version is: gpg (GnuPG) 2.3.3 with libgcrypt 1.9.4


Regards,

Rob


> On 31 Dec 2021, at 05:53, OpenWhisk Release <stan...@apache.org> wrote:
>
> Hi,
>
> This is a call to vote on releasing version 3.21.6 release candidate rc1 of 
> the following project module with artifacts built from the Git repositories 
> and commit IDs listed below.
>
> * OpenWhisk Client Js: 1aba396e8a59afd5a90acb8157f2009746d7a714
> https://github.com/apache/openwhisk-client-js/commit/1aba396e8a59afd5a90acb8157f2009746d7a714
> https://dist.apache.org/repos/dist/dev/openwhisk/rc1/openwhisk-client-js-3.21.6-sources.tar.gz
> https://dist.apache.org/repos/dist/dev/openwhisk/rc1/openwhisk-client-js-3.21.6-sources.tar.gz.asc
> https://dist.apache.org/repos/dist/dev/openwhisk/rc1/openwhisk-client-js-3.21.6-sources.tar.gz.sha512
>
> This release is comprised of source code distribution only.
>
> You can use this UNIX script to download the release and verify the checklist 
> below:
> https://gitbox.apache.org/repos/asf?p=openwhisk-release.git;a=blob_plain;f=tools/rcverify.sh;hb=ba8a21f
>
> Usage:
> curl -s "https://gitbox.apache.org/repos/asf?p=openwhisk-release.git;a=blob_plain;f=tools/rcverify.sh;hb=ba8a21f" -o rcverify.sh
> chmod +x rcverify.sh
> ./rcverify.sh openwhisk-client-js 3.21.6 rc1
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ]  0 Don't care
> [ ] -1 Don't release, because ...
>
> Release verification checklist for reference:
> [ ] Download links are valid.
> [ ] Checksums and PGP signatures are valid.
> [ ] Source code artifacts have correct names matching the current release.
> [ ] LICENSE and NOTICE files are correct for each OpenWhisk repository.
> [ ] All files have license headers as specified by OpenWhisk project policy 
> [1].
> [ ] No compiled archives bundled in source archive.
>
> This majority vote is open for at least 72 hours.
>
>
> [1] https://github.com/apache/openwhisk-release/blob/master/docs/license_compliance.md
