Dear all,

Just a reminder, please cast your vote at your earliest convenience.

To make it easier for you, I just wrote a script to verify the GPG signature and SHA1 checksum for all 12 release jars. This script has been tested on Mac OS Catalina and Ubuntu 18.04.

All you need to do is three steps:

1. gpg --import the-key-file
   You can get my public key here: https://gist.githubusercontent.com/jiayuasu/8b6cc263c538148490f7a090ee1dbeab/raw/09d3821e2794ddf22542f74c0db5195cf5c1ff49/gpg-public-key.gpg
2. chmod 777 verify-sedona-release.sh to make the script runnable
3. Run the script

You will find three variables in the script if you open it. It will create a "TMP" folder to store "1.0.0-incubator" jars from Sedona staging repo "1006".

Please let me know if you have any questions.

Thanks,
Jia

On Thu, Jan 7, 2021 at 2:16 AM Jia Yu <ji...@apache.org> wrote:

> Hi All,
>
> After a fruitful discussion about our first Apache Sedona release
> 1.0.0-incubator, the release has been created. This is a call for vote to
> release Apache Sedona (incubating) 1.0.0.
>
> Note that: the current sha1 and checksum verification of Sedona will
> require us to manually download artifact jars, sha1, asc from
> repository.apache.org 12 times each. It is very annoying. Please let me
> know if you have any suggestions to speed up the process.
>
> Release note:
> https://sedona.staged.apache.org/download/GeoSpark-All-Modules-Release-notes/#sedona-100
>
> Build instructions:
> https://sedona.staged.apache.org/download/compile/
>
> Git tag:
> https://github.com/apache/incubator-sedona/releases/tag/sedona-1.0.0-incubator
>
> Maven staging repository (search for "sedona", 12 artifacts in total):
> https://repository.apache.org/#stagingRepositories
>
> Release Commit ID:
> https://github.com/apache/incubator-sedona/commit/29f897bbcaf65aa5b5b28ea4e93c6b7e783d83a6
>
> GPG public key to verify the Release:
> https://gist.githubusercontent.com/jiayuasu/8b6cc263c538148490f7a090ee1dbeab/raw/09d3821e2794ddf22542f74c0db5195cf5c1ff49/gpg-public-key.gpg
>
> The vote will be open for at least 72 hours or until a majority of at
> least 3 +1 PMC votes are cast
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference (because of DISCLAIMER-WIP, other checklist items
> are not blockers):
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current release.
>
> For a detailed checklist please refer to:
> https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist
>
> To verify the checksum,
> 1. open https://repository.apache.org
> 2 (1) click each release jar (12 in total) to see its current SHA1 (under
> Artifact tab) (2) download .jar.sha1 to see the content of the uploaded
> sha1. These two should match
>
> To verify the GPG key (12 in total),
> gpg --import the-key-file
> gpg --verify xxx.jar.asc xxx.jar
>
> You should see something like "gpg: Good signature from "Jia Yu (Arizona
> State University Data Systems Lab) <jia...@asu.edu>" gpg: WARNING: This
> key is not certified with a trusted signature!"
>
> Thanks,
> Jia
#!/bin/bash
# Download the 12 staged Sedona release jars, then check the GPG signature
# and the SHA1 checksum of each one.

VERSION=1.0.0-incubator
STAGED_REPO_ID=1006
PATH_TMP=tmp
REPO_URL="https://repository.apache.org/service/local/repositories/orgapachesedona-${STAGED_REPO_ID}/content/org/apache/sedona"

mkdir -p "${PATH_TMP}"

# Step 1: fetch each jar, its detached signature (.asc) and its checksum (.sha1)
for MODULE in core sql viz python-adapter; do
  for COMPAT in 3.0_2.12 2.4_2.12 2.4_2.11; do
    ARTIFACT="sedona-${MODULE}-${COMPAT}"
    echo "downloading files for ${ARTIFACT}-${VERSION}"
    for EXT in jar jar.asc jar.sha1; do
      # --fail: do not save an HTTP error page as if it were the artifact
      curl --fail "${REPO_URL}/${ARTIFACT}/${VERSION}/${ARTIFACT}-${VERSION}.${EXT}" \
        -o "${PATH_TMP}/${ARTIFACT}-${VERSION}.${EXT}"
    done
  done
done

# Step 2: verify the detached GPG signature of each jar
for MODULE in core sql viz python-adapter; do
  for COMPAT in 3.0_2.12 2.4_2.12 2.4_2.11; do
    JAR="${PATH_TMP}/sedona-${MODULE}-${COMPAT}-${VERSION}.jar"
    echo "gpg signature verifying sedona-${MODULE}-${COMPAT}-${VERSION}.jar"
    gpg --verify "${JAR}.asc" "${JAR}"
  done
done

# Step 3: compare the locally computed SHA1 with the uploaded .sha1 file
for MODULE in core sql viz python-adapter; do
  for COMPAT in 3.0_2.12 2.4_2.12 2.4_2.11; do
    JAR="${PATH_TMP}/sedona-${MODULE}-${COMPAT}-${VERSION}.jar"
    echo "sha1 checksum verifying sedona-${MODULE}-${COMPAT}-${VERSION}.jar"
    sha1_generated=$(shasum "${JAR}" | awk '{print $1}')
    sha1_downloaded=$(cat "${JAR}.sha1")
    if [ "$sha1_generated" = "$sha1_downloaded" ]; then
      echo "Sha1 checksum match"
    else
      echo "Sha1 checksum not match"
    fi
  done
done
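
Added example (not part of the original mail or of the script attached to it): the two checks from the thread written so that a reviewer gets a non-zero exit status instead of having to read 24 lines of output. The .sha1 file comes from the same staging repository as the jar, so it only shows the download was not corrupted; the signature check is tied to one signer here by comparing the VALIDSIG line of gpg --status-fd with a fingerprint the voter obtained separately. The function names and the script name are assumptions; the fingerprint is not given in the thread and has to be supplied by the caller.

```bash
#!/bin/bash
# Added example: fail-closed checks for one downloaded release artifact.

# Print the SHA-1 of a file with whichever tool is installed.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if FILE hashes to the digest stored in SHA1_FILE.
# Only the first field is compared, case-insensitively, so both a bare
# digest and "digest  filename" are accepted; an empty file never matches.
check_sha1() {
  local file=$1 sha1_file=$2 want got
  [ -s "$file" ] && [ -s "$sha1_file" ] || return 2
  want=$(awk 'NR == 1 {print tolower($1)}' "$sha1_file")
  got=$(sha1_of "$file")
  [ -n "$want" ] && [ "$got" = "$want" ]
}

# Return 0 only if gpg status output (--status-fd) has a VALIDSIG line whose
# signing-key or primary-key fingerprint equals the pinned fingerprint.
signed_by() {
  local expected=$1 status=$2
  printf '%s\n' "$status" | awk -v fp="$expected" '
    BEGIN { fp = toupper(fp) }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (toupper($3) == fp || toupper($NF) == fp) { ok = 1 }
    END { exit !ok }'
}

# verify_artifact JAR PINNED_FPR: expects JAR.sha1 and JAR.asc beside JAR.
verify_artifact() {
  local jar=$1 fpr=$2 status
  check_sha1 "$jar" "$jar.sha1" || { echo "FAIL sha1 $jar"; return 1; }
  status=$(gpg --status-fd 1 --verify "$jar.asc" "$jar" 2>/dev/null)
  signed_by "$fpr" "$status" || { echo "FAIL gpg $jar"; return 1; }
  echo "OK $jar"
}

# Usage (script name is hypothetical): ./check.sh tmp/some.jar <pinned fingerprint>
if [ "$#" -eq 2 ]; then
  verify_artifact "$1" "$2"
fi
```

Called once per jar inside the MODULE/COMPAT loops, a single failed artifact can then stop the run or be counted.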