So in addition to the checklist I have verified the jars using jardiff and can confirm they are fine (just like with pekko-management there are issues with line encodings [1] when using sbt-reproducible-build as well as an additional issue of duplicate jars which I have to look into [2]).
I also manually checked detached signatures for both the grpc plugin and some other artifacts (i.e. runtime) and everything seems good on my end. +1 [1] https://github.com/raboof/sbt-reproducible-builds/issues/277#issuecomment-1678540941 [2] https://github.com/raboof/sbt-reproducible-builds/issues/279 On Tue, Aug 15, 2023 at 12:42 PM PJ Fanning <fannin...@apache.org> wrote: > Thanks Matthew. There was indeed a problem with my Gradle setup > locally. I've fixed up my local gradle.properties and republished the > grade-plugin jars. > > On Tue, 15 Aug 2023 at 08:52, Matthew de Detrich > <matthew.dedetr...@aiven.io.invalid> wrote: > > > > I am getting issues verifying the signature for the pekko-grpc-gradle > > plugin, i.e. > > > > <~/pekko-release-check-jars>-> gpg --verify > > pekko-grpc-gradle-plugin-1.0.0-RC2.jar.asc > > pekko-grpc-gradle-plugin-1.0.0-RC2.jar > > gpg: Signature made Sa 12 Aug 12:26:08 2023 CEST > > gpg: using RSA key 6E77DFA74070290A > > gpg: bad data signature from key 6E77DFA74070290A: Wrong key usage (0x00, > > 0x2) > > gpg: Can't check signature: Wrong key usage > > > > The other jars which were signed by sbt work as expected > > > > <~/pekko-release-check-jars>-2-> gpg --verify > > pekko-grpc-runtime_2.13-1.0.0-RC2.jar.asc > > pekko-grpc-runtime_2.13-1.0.0-RC2.jar > > gpg: Signature made Sa 12 Aug 12:21:01 2023 CEST > > gpg: using RSA key > 6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13 > > gpg: Good signature from "PJ Fanning <fannin...@yahoo.com>" [unknown] > > gpg: aka "PJ Fanning (http://www.apache.org/) < > > fannin...@apache.org>" [unknown] > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the > > owner. > > Primary key fingerprint: 6BA4 DA8B 1C88 A494 28A2 9C3D 0C69 C1EF 4118 > 1E13 > > > > Can someone else check its not a problem on my end? You can just download > > the jar/asc directly from > > > https://repository.apache.org/content/groups/staging/org/apache/pekko/pekko-grpc-gradle-plugin/1.0.0-RC2/ > > , add PJ Fanning's key[1] to gpg and then run gpg --verify as I did > > > > [1] https://github.com/apache/incubator-pekko/blob/main/KEYS#L31-L69 > > > > On Mon, Aug 14, 2023 at 11:28 AM Samuele Resca <samuele.re...@gmail.com> > > wrote: > > > > > Hi, > > > > > > I checked the followings: > > > - Download links are valid. > > > - Checksums and signatures. > > > - LICENSE/NOTICE files exist > > > - No unexpected binary files > > > - Source files have ASF headers > > > - Can compile from source > > > > > > tests from source looks fine to me. > > > > > > One thing that I noticed is that .scala-steward.conf has still the old > > > references to Akka modules. > > > I don't think this is blocking, but it brought to my mind the borader > topic > > > on how (and if) we want to manage dependencies updates. I going to > open a > > > separate thread. > > > > > > +1 (Non-PPMC) > > > > > > Thanks in advance. > > > Samuele > > > > > > > > > Il giorno sab 12 ago 2023 alle ore 11:33 PJ Fanning < > fannin...@apache.org> > > > ha scritto: > > > > > > > Hello Pekko Community, > > > > > > > > This is a call for a vote to release Apache Pekko(incubating) > > > > gRPC version 1.0.0-RC2. > > > > > > > > The discussion thread: > > > > > > > > https://lists.apache.org/thread/r76o8bchv4d9xlkbj6drcpvohcdkvxf3 > > > > > > > > The release candidate: > > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/pekko/GRPC-1.0.0-RC2/ > > > > > > > > This release has been signed with a PGP key available here: > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/pekko/KEYS > > > > > > > > Release Notes: > > > > > > > > > > > > https://pekko.apache.org/docs/pekko-grpc/current/release-notes/index.html > > > > > > > > Git branch for the release: > > > > > > > > https://github.com/apache/incubator-pekko-grpc/tree/v1.0.0-RC2 > > > > Git commit ID: 3ca2531749bbb28001c5c57d9bdcd913f7570369 > > > > > > > > Please download, verify, and test. > > > > > > > > We have also staged jars in the Apache Nexus Repository. These were > > > > built with the same code > > > > as appears in this Source Release Candidate. We would appreciate if > > > > users could test with these too. > > > > If anyone finds any serious problems with these jars, please also > > > > notify us on this thread. > > > > > > > > > https://repository.apache.org/content/groups/staging/org/apache/pekko/ > > > > > > > > In sbt, you can add this resolver. > > > > > > > > resolvers += "Apache Pekko Staging" at > > > > "https://repository.apache.org/content/groups/staging"; > > > > > > > > > > > > The VOTE will pass if we have more positive votes than negative votes > > > > and there must be a minimum of 3 approvals from Pekko PPMC members. > > > > Anyone voting in favour of the release, could you please provide a > > > > list of the checks you have done? > > > > The vote will be left open until 11:00 UTC on 15 August 2023. > > > > > > > > [ ] +1 approve > > > > [ ] +0 no opinion > > > > [ ] -1 disapprove with the reason > > > > > > > > To learn more about Apache Pekko, please see > https://pekko.apache.org/ > > > > > > > > Checklist for reference: > > > > > > > > [ ] Download links are valid. > > > > [ ] Checksums and signatures. > > > > [ ] LICENSE/NOTICE files exist > > > > [ ] No unexpected binary files > > > > [ ] Source files have ASF headers > > > > [ ] Can compile from source > > > > > > > > To compile from the source, please refer to: > > > > > > > > > > > > > > > > https://github.com/apache/incubator-pekko-grpc/blob/main/README.md#building-from-source > > > > > > > > Some notes about verifying downloads can be found at: > > > > > > > > https://pekko.apache.org/download.html#verifying-downloads > > > > > > > > > > > > Here is my +1. > > > > > > > > Thanks, > > > > > > > > PJ Fanning (Apache Pekko PPMC member) > > > > > > > > --------------------------------------------------------------------- > > > > To unsubscribe, e-mail: dev-unsubscr...@pekko.apache.org > > > > For additional commands, e-mail: dev-h...@pekko.apache.org > > > > > > > > > > > > > > > > > -- > > > > Matthew de Detrich > > > > *Aiven Deutschland GmbH* > > > > Immanuelkirchstraße 26, 10405 Berlin > > > > Amtsgericht Charlottenburg, HRB 209739 B > > > > Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen > > > > *m:* +491603708037 > > > > *w:* aiven.io *e:* matthew.dedetr...@aiven.io > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@pekko.apache.org > For additional commands, e-mail: dev-h...@pekko.apache.org > > -- Matthew de Detrich *Aiven Deutschland GmbH* Immanuelkirchstraße 26, 10405 Berlin Amtsgericht Charlottenburg, HRB 209739 B Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen *m:* +491603708037 *w:* aiven.io *e:* matthew.dedetr...@aiven.io
