Hi, I get two failures running rcverify.sh on my Mac that's running Tahoe.
First one is a gpg verify issue: verifying asc... failed (gpg --verify '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9-sources.tar.gz.asc' '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9-sources.tar.gz') When I run manually, this is what I get: $ gpg --verify '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9-sources.tar.gz.asc' '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9-sources.tar.gz' gpg: Signature made Fri 15 May 00:38:42 2026 CEST gpg: using RSA key C1D90B9C589D22D65B2BCB04F461DBA5CB7D70D9 gpg: Can't check signature: No public key Second one is verifying the notice: verifying notice... failed (cat '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9/NOTICE.txt') When I run manually, I get: $ cat '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9/NOTICE.txt' Apache OpenWhisk Client Js Copyright 2016-2026 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). I imagine that this is related to my local installation. Any ideas on what I should do so that rcverify.sh passes? Regards, Rob Full output: rob@leviathan tmp $ curl -s "https://raw.githubusercontent.com/apache/openwhisk-release/d611846/tools/rcverify.sh"; -o rcverify.sh rob@leviathan tmp $ chmod +x rcverify.sh rob@leviathan tmp $ ./rcverify.sh openwhisk-client-js 3.21.9 rc1 rcverify.sh (script SHA1: 6DC9 462D 3035 5FD0 ADE6 9EF9 D0DF 1A25 13E1 5CFD) working in the following directory: /var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh fetching tarball and signatures from https://dist.apache.org/repos/dist/dev/openwhisk/rc1 fetching openwhisk-client-js-3.21.9-sources.tar.gz... ok fetching openwhisk-client-js-3.21.9-sources.tar.gz.asc... ok fetching openwhisk-client-js-3.21.9-sources.tar.gz.sha512... ok fetching apache license... ok fetching release keys... ok importing keys... ok (keys already imported (processed 14 unchanged 14)) unpacking tar ball... ok cloning scancode... ok computing sha512 for openwhisk-client-js-3.21.9-sources.tar.gz... ok openwhisk-client-js-3.21.9-sources.tar.gz: F5C6D18A BFA0A51A 17341796 0DA49156 E152C536 02F98BCC B0A054FF 187C2FFF 7547F2CA F39E866B 510E97B2 894BBEA5 C8682502 3930E581 4A356AF6 1001F7FD validating sha512... passed verifying asc... failed (gpg --verify '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9-sources.tar.gz.asc' '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9-sources.tar.gz') verifying notice... failed (cat '/var/folders/9_/3nr999k540g1713n82jkyc5w0000gn/T/tmp.Hkzs5OIHjh/openwhisk-client-js-3.21.9/NOTICE.txt') verifying absence of DISCLAIMER.txt passed verifying license... passed verifying sources have proper headers... passed scanning for executable files... passed scanning for unexpected file types... passed scanning for archives... passed scanning for packages... passed scanning package.json for version match... passed scanning package-lock.json for version match… passed > On 15 May 2026, at 01:09, Cosmin Stanciu via dev <[email protected]> > wrote: > > Hi, > > This is a call to vote on releasing version 3.21.9 release candidate rc1 of > the following project module with artifacts built from the Git repositories > and commit IDs listed below. > > * OpenWhisk Client Js: 56d529d4d6d3bc29a266eec417742465440c839a > > https://github.com/apache/openwhisk-client-js/commit/56d529d4d6d3bc29a266eec417742465440c839a > > https://dist.apache.org/repos/dist/dev/openwhisk/rc1/openwhisk-client-js-3.21.9-sources.tar.gz > > https://dist.apache.org/repos/dist/dev/openwhisk/rc1/openwhisk-client-js-3.21.9-sources.tar.gz.asc > > https://dist.apache.org/repos/dist/dev/openwhisk/rc1/openwhisk-client-js-3.21.9-sources.tar.gz.sha512 > > This release is comprised of source code distribution only. > > You can use this UNIX script to download the release and verify the checklist > below: > https://github.com/apache/openwhisk-release/blob/d611846/tools/rcverify.sh > > Usage: > curl -s > "https://raw.githubusercontent.com/apache/openwhisk-release/d611846/tools/rcverify.sh"; > -o rcverify.sh > chmod +x rcverify.sh > ./rcverify.sh openwhisk-client-js 3.21.9 rc1 > > Please vote to approve this release: > > [ ] +1 Approve the release > [ ] 0 Don't care > [ ] -1 Don't release, because ... > > Release verification checklist for reference: > [ ] Download links are valid. > [ ] Checksums and PGP signatures are valid. > [ ] Source code artifacts have correct names matching the current release. > [ ] LICENSE and NOTICE files are correct for each OpenWhisk repository. > [ ] All files have license headers as specified by OpenWhisk project policy > [1]. > [ ] No compiled archives bundled in source archive. > > This majority vote is open for at least 72 hours. > > > [1] > https://github.com/apache/openwhisk-release/blob/master/docs/license_compliance.md > > > My local execution with changes from this PR: > https://github.com/apache/openwhisk-release/pull/436 > > #### ./local_verify.sh ../release-configs/client-js-3.21.9.config > Checking the artifacts with rcverify.sh > rcverify.sh (script SHA1: > 4233 E227 E14B 0402 E189 BEC5 82D4 3B4C 7004) > working in the following directory: > /var/folders/kx/cdd8xm7j4ylbw6svh_2f57680000gq/T/tmp.j9Pki0zn4A > copying from > /Users/stanciu/work/openwhisk/openwhisk-release/stagingArea/artifacts > fetching apache license... ok > fetching release keys... ok > importing keys... ok (keys already imported (processed 14 unchanged 14)) > unpacking tar ball... ok > cloning scancode... ok > computing sha512 for openwhisk-client-js-3.21.9-sources.tar.gz... ok > openwhisk-client-js-3.21.9-sources.tar.gz: > F5C6D18A BFA0A51A 17341796 0DA49156 E152C536 02F98BCC B0A054FF 187C2FFF > 7547F2CA F39E866B 510E97B2 894BBEA5 C8682502 3930E581 4A356AF6 1001F7FD > validating sha512... passed > verifying asc... passed (signed-by: Cosmin Stanciu <[email protected]>) > verifying notice... passed > verifying absence of DISCLAIMER.txt passed > verifying license... passed > verifying sources have proper headers... passed > scanning for executable files... passed > scanning for unexpected file types... passed > scanning for archives... passed > scanning for packages... passed > scanning package.json for version match... passed > scanning package-lock.json for version match... passed > removing the scratch space > (/var/folders/kx/cdd8xm7j4ylbw6svh_2f57680000gq/T/tmp.j9Pki0zn4A)... ok
