Indeed - I have the same experience with gpg --version gpg (GnuPG/MacGPG2) 2.2.32 (libgcrypt 1.8.8)
computing sha512 for openwhisk-client-js-3.21.6-sources.tar.gz... ok openwhisk-client-js-3.21.6-sources.tar.gz: 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E 342C9202 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 validating sha512... failed (cd /var/folders/tt/95md5wxj7k52p4p6ssx653lm0000gp/T/tmp.ij1ALZ2S && gpg --print-md SHA512 'openwhisk-client-js-3.21.6-sources.tar.gz') +1 to patching this. -r On Tue, Jan 4, 2022 at 5:50 PM Cosmin Stanciu <stan...@adobe.com.invalid> wrote: > Indeed, it looks like in the 2.3.4 gpg version: > # gpg --print-md SHA512 openwhisk-client-js-3.21.6-sources.tar.gz > will output: > 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E > 342C9202 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 > > whereas in the 2.3.3 gpg version, the same command will output: > 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E > 342C9202 > 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 > > And ./rcverify.sh does indeed a string comparison which fails depending on > the local gpg version. > > One solution for this would be to change the validate() function to remove > the white spaces before comparing the two strings: > if [[ "$(echo "$1" | tr -d '[:space:]')" == "$(echo "$2" | tr -d > '[:space:]')" ]]; > instead of: > if [[ $1 == $2 ]]; > as it is now. > > If people agree, I could add a PR to change the ./rcverify.sh > > Regards, > Cosmin > > From: Rob Allen <r...@akrabat.com> > Date: Friday, December 31, 2021 at 1:22 AM > To: dev@openwhisk.apache.org <dev@openwhisk.apache.org> > Subject: rcverify.sh issue with sha512 check for Apache OpenWhisk Client > Js (v3.21.6, rc1) > Hey all, > > Putting this in a separate thread as it’s not directly related to the vote. > > When I ran rcverify.sh, I got an sha512 validation failure: > > validating sha512... failed (cd > /var/folders/sg/7bdwwkc56kl74bgrw2gxhyf40000gn/T/tmp.4kf6mVM4 && gpg > --print-md SHA512 'openwhisk-client-js-3.21.6-sources.tar.gz') > > However running it manually, I get the right hash as the one in > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz.sha512&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=rugqgm3aTqMdP2cSeC1uSsPwCNYCvQ6sIZjYEvmL5io%3D&reserved=0, > so I voted +1 to release. > > > The possible problem is that there’s a different whitespace formatting: > > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz.sha512&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=rugqgm3aTqMdP2cSeC1uSsPwCNYCvQ6sIZjYEvmL5io%3D&reserved=0 > is: > > openwhisk-client-js-3.21.6-sources.tar.gz: > 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E > 342C9202 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 > > > but gpg on my M1 Mac gives: > > openwhisk-client-js-3.21.6-sources.tar.gz: > 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E > 342C9202 > 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 > > > So I guess that rcverify.sh does a direct string comparison? > > > The rcverify.sh’s script SHA1 that I used is: 7FC5 5DBE 1809 6D92 DEFF > 0E31 D138 059B 8F27 20F7 > My gpg --version is: gpg (GnuPG) 2.3.3 with libgcrypt 1.9.4 > > > Regards, > > Rob > > > > On 31 Dec 2021, at 05:53, OpenWhisk Release <stan...@apache.org> wrote: > > > > Hi, > > > > This is a call to vote on releasing version 3.21.6 release candidate rc1 > of the following project module with artifacts built from the Git > repositories and commit IDs listed below. > > > > * OpenWhisk Client Js: 1aba396e8a59afd5a90acb8157f2009746d7a714 > > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fopenwhisk-client-js%2Fcommit%2F1aba396e8a59afd5a90acb8157f2009746d7a714&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=5xBOepLH9%2Fq875w2jVVMtzYNSq7BybOttFgcO84LTCY%3D&reserved=0 > > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=sbTvU4vZLKn4CFjgtp45LO3v6lmLlSZpznhAih%2B%2BSNc%3D&reserved=0 > > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz.asc&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=0tcWZzZkvxxmM86fFB9jDIOrA69yNv87bIr3CdgSo08%3D&reserved=0 > > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz.sha512&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=rugqgm3aTqMdP2cSeC1uSsPwCNYCvQ6sIZjYEvmL5io%3D&reserved=0 > > > > This release is comprised of source code distribution only. > > > > You can use this UNIX script to download the release and verify the > checklist below: > > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitbox.apache.org%2Frepos%2Fasf%3Fp%3Dopenwhisk-release.git%3Ba%3Dblob_plain%3Bf%3Dtools%2Frcverify.sh%3Bhb%3Dba8a21f&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=M3iOElcySsK%2F7QAIb7d%2Fc8Ut4HNGb%2FSuz18oHLPe4d8%3D&reserved=0 > > > > Usage: > > curl -s " > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitbox.apache.org%2Frepos%2Fasf%3Fp%3Dopenwhisk-release.git%3Ba%3Dblob_plain%3Bf%3Dtools%2Frcverify.sh%3Bhb%3Dba8a21f&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=M3iOElcySsK%2F7QAIb7d%2Fc8Ut4HNGb%2FSuz18oHLPe4d8%3D&reserved=0"; > -o rcverify.sh > > chmod +x rcverify.sh > > ./rcverify.sh openwhisk-client-js 3.21.6 rc1 > > > > Please vote to approve this release: > > > > [ ] +1 Approve the release > > [ ] 0 Don't care > > [ ] -1 Don't release, because ... > > > > Release verification checklist for reference: > > [ ] Download links are valid. > > [ ] Checksums and PGP signatures are valid. > > [ ] Source code artifacts have correct names matching the current > release. > > [ ] LICENSE and NOTICE files are correct for each OpenWhisk repository. > > [ ] All files have license headers as specified by OpenWhisk project > policy [1]. > > [ ] No compiled archives bundled in source archive. > > > > This majority vote is open for at least 72 hours. > > > > > > [1] > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fopenwhisk-release%2Fblob%2Fmaster%2Fdocs%2Flicense_compliance.md&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=%2BnbzNazz5aMK9y03kk8sPyHMZZMxy4cx3W1xGfU0NxY%3D&reserved=0 >
