Hi all, Verifying a Polaris release is a pretty manual process that involves a lot of individual steps.
As I am a lazy guy and like automation for the tasks that can be automated, I built a bash script to perform a lot of the release verification steps, like * Git commit/tag cross-verification * Build Polaris * Build Helm Chart * Verify GPG signatures * Verify checksums * Compare the binary artifacts Many of the verifications also apply to the Apache Trusted Releases effort, in particular getting to reproducible builds. The tool can be run directly from a terminal (no download necessary) and requires a few parameters (version, RC number, Git commit, Nexus staging repo ID). Please note that the `bash/curl` command mentioned on the new web page doesn't work yet as the PR is not merged yet. More detailed information is available in the PR, which also adds a new page to the Polaris website on "how to verify a release". We could also create a GitHub workflow for the script, if that's convenient for committers (aka those who can run GH workflows). PR: https://github.com/apache/polaris/pull/2824 Direct link to the new website page: https://github.com/snazy/polaris/blob/release-verification/site/content/release-verify.md Robert
