Thanks for finding it Cosmin. +1 for the fix.
Regards, Rob > On 4 Jan 2022, at 22:49, Cosmin Stanciu <stan...@adobe.com.INVALID> wrote: > > Indeed, it looks like in the 2.3.4 gpg version: > # gpg --print-md SHA512 openwhisk-client-js-3.21.6-sources.tar.gz > will output: > 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E > 342C9202 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 > > whereas in the 2.3.3 gpg version, the same command will output: > 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E > 342C9202 > 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 > > And ./rcverify.sh does indeed a string comparison which fails depending on > the local gpg version. > > One solution for this would be to change the validate() function to remove > the white spaces before comparing the two strings: > if [[ "$(echo "$1" | tr -d '[:space:]')" == "$(echo "$2" | tr -d > '[:space:]')" ]]; > instead of: > if [[ $1 == $2 ]]; > as it is now. > > If people agree, I could add a PR to change the ./rcverify.sh > > Regards, > Cosmin > > From: Rob Allen <r...@akrabat.com> > Date: Friday, December 31, 2021 at 1:22 AM > To: dev@openwhisk.apache.org <dev@openwhisk.apache.org> > Subject: rcverify.sh issue with sha512 check for Apache OpenWhisk Client Js > (v3.21.6, rc1) > Hey all, > > Putting this in a separate thread as it’s not directly related to the vote. > > When I ran rcverify.sh, I got an sha512 validation failure: > > validating sha512... failed (cd > /var/folders/sg/7bdwwkc56kl74bgrw2gxhyf40000gn/T/tmp.4kf6mVM4 && gpg > --print-md SHA512 'openwhisk-client-js-3.21.6-sources.tar.gz') > > However running it manually, I get the right hash as the one in > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz.sha512&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=rugqgm3aTqMdP2cSeC1uSsPwCNYCvQ6sIZjYEvmL5io%3D&reserved=0, > so I voted +1 to release. > > > The possible problem is that there’s a different whitespace formatting: > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz.sha512&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=rugqgm3aTqMdP2cSeC1uSsPwCNYCvQ6sIZjYEvmL5io%3D&reserved=0 > is: > > openwhisk-client-js-3.21.6-sources.tar.gz: > 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E > 342C9202 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 > > > but gpg on my M1 Mac gives: > > openwhisk-client-js-3.21.6-sources.tar.gz: > 4A56223D E7189F6F 7393DB08 ED58F128 639205D7 03CEA4EA A91BF3B5 73563C4E > 342C9202 > 8CC66465 A02F4039 BF6B0636 54AF004C 9F05E45D 99626915 3BEF3C54 > > > So I guess that rcverify.sh does a direct string comparison? > > > The rcverify.sh’s script SHA1 that I used is: 7FC5 5DBE 1809 6D92 DEFF 0E31 > D138 059B 8F27 20F7 > My gpg --version is: gpg (GnuPG) 2.3.3 with libgcrypt 1.9.4 > > > Regards, > > Rob > > >> On 31 Dec 2021, at 05:53, OpenWhisk Release <stan...@apache.org> wrote: >> >> Hi, >> >> This is a call to vote on releasing version 3.21.6 release candidate rc1 of >> the following project module with artifacts built from the Git repositories >> and commit IDs listed below. >> >> * OpenWhisk Client Js: 1aba396e8a59afd5a90acb8157f2009746d7a714 >> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fopenwhisk-client-js%2Fcommit%2F1aba396e8a59afd5a90acb8157f2009746d7a714&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=5xBOepLH9%2Fq875w2jVVMtzYNSq7BybOttFgcO84LTCY%3D&reserved=0 >> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=sbTvU4vZLKn4CFjgtp45LO3v6lmLlSZpznhAih%2B%2BSNc%3D&reserved=0 >> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz.asc&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=0tcWZzZkvxxmM86fFB9jDIOrA69yNv87bIr3CdgSo08%3D&reserved=0 >> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fopenwhisk%2Frc1%2Fopenwhisk-client-js-3.21.6-sources.tar.gz.sha512&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=rugqgm3aTqMdP2cSeC1uSsPwCNYCvQ6sIZjYEvmL5io%3D&reserved=0 >> >> This release is comprised of source code distribution only. >> >> You can use this UNIX script to download the release and verify the >> checklist below: >> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitbox.apache.org%2Frepos%2Fasf%3Fp%3Dopenwhisk-release.git%3Ba%3Dblob_plain%3Bf%3Dtools%2Frcverify.sh%3Bhb%3Dba8a21f&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=M3iOElcySsK%2F7QAIb7d%2Fc8Ut4HNGb%2FSuz18oHLPe4d8%3D&reserved=0 >> >> Usage: >> curl -s >> "https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitbox.apache.org%2Frepos%2Fasf%3Fp%3Dopenwhisk-release.git%3Ba%3Dblob_plain%3Bf%3Dtools%2Frcverify.sh%3Bhb%3Dba8a21f&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=M3iOElcySsK%2F7QAIb7d%2Fc8Ut4HNGb%2FSuz18oHLPe4d8%3D&reserved=0"; >> -o rcverify.sh >> chmod +x rcverify.sh >> ./rcverify.sh openwhisk-client-js 3.21.6 rc1 >> >> Please vote to approve this release: >> >> [ ] +1 Approve the release >> [ ] 0 Don't care >> [ ] -1 Don't release, because ... >> >> Release verification checklist for reference: >> [ ] Download links are valid. >> [ ] Checksums and PGP signatures are valid. >> [ ] Source code artifacts have correct names matching the current release. >> [ ] LICENSE and NOTICE files are correct for each OpenWhisk repository. >> [ ] All files have license headers as specified by OpenWhisk project policy >> [1]. >> [ ] No compiled archives bundled in source archive. >> >> This majority vote is open for at least 72 hours. >> >> >> [1] >> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fopenwhisk-release%2Fblob%2Fmaster%2Fdocs%2Flicense_compliance.md&data=04%7C01%7Cstanciu%40adobe.com%7C128b755bd89c4f897c9b08d9cc4fc3c3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637765465244538670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=%2BnbzNazz5aMK9y03kk8sPyHMZZMxy4cx3W1xGfU0NxY%3D&reserved=0
