With the suffix ignored it all looks good.

Validating binary distributions

* downloading Apache TinkerPop Gremlin (apache-tinkerpop-gremlin-console-3.3.2-bin.zip)... OK
* validating signatures and checksums ...
  * PGP signature ... OK
  * MD5 checksum ... OK
  * SHA1 checksum ... OK
* unzipping Apache TinkerPop Gremlin ... OK
* validating Apache TinkerPop Gremlin's docs ... OK
* validating Apache TinkerPop Gremlin's binaries ... OK
* validating Apache TinkerPop Gremlin's legal files ...
  * LICENSE ... OK
  * NOTICE ... OK
* validating Apache TinkerPop Gremlin's plugin directory ... OK
* validating Apache TinkerPop Gremlin's lib directory ... OK
* testing script evaluation ... OK

* downloading Apache TinkerPop Gremlin (apache-tinkerpop-gremlin-server-3.3.2-bin.zip)... OK
* validating signatures and checksums ...
  * PGP signature ... OK
  * MD5 checksum ... OK
  * SHA1 checksum ... OK
* unzipping Apache TinkerPop Gremlin ... OK
* validating Apache TinkerPop Gremlin's docs ... OK
* validating Apache TinkerPop Gremlin's binaries ... OK
* validating Apache TinkerPop Gremlin's legal files ...
  * LICENSE ... OK
  * NOTICE ... OK
* validating Apache TinkerPop Gremlin's plugin directory ... OK
* validating Apache TinkerPop Gremlin's lib directory ... OK

Validating source distribution

* downloading Apache TinkerPop 3.3.2 (apache-tinkerpop-3.3.2-src.zip)... OK
* validating signatures and checksums ...
  * PGP signature ... OK
  * MD5 checksum ... OK
  * SHA1 checksum ... OK
* unzipping Apache TinkerPop 3.3.2 ... OK
* building project ... OK


VOTE: +1 (if nobody has any objections regarding the suffix)

Furthermore, here's the output of the verification step shown on the
download page:

$ gpg --verify apache-tinkerpop-3.3.2-src.zip.asc apache-tinkerpop-3.3.2-src.zip
gpg: Signature made Tue 03 Apr 2018 12:45:53 PM MST
gpg:                using RSA key EA53A99854EAB0E6
gpg: Good signature from "Stephen Mallette <spmalle...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0871 A360 AAB5 FD42 2516  E2FB EA53 A998 54EA B0E6


Cheers,
Daniel


On Wed, Apr 4, 2018 at 1:59 PM, Daniel Kuppitz <m...@gremlin.guru> wrote:

> Much newer.
>
> $ gpg --version
> gpg (GnuPG) 2.1.15
> libgcrypt 1.7.8
> Copyright (C) 2016 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: /home/daniel/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>         CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
>
>
> On Wed, Apr 4, 2018 at 1:57 PM, Stephen Mallette <spmalle...@gmail.com>
> wrote:
>
>> out of curiosity - what gpg version do you have? i'm on:
>>
>> $ gpg --version
>> gpg (GnuPG) 1.4.16
>>
>> is that ancient or something? i'd be curious if anyone else has this
>> problem. it's also semi-concerning that this doesn't work because we'd
>> want the verification to behave right with the instructions we have here:
>>
>> http://tinkerpop.apache.org/downloads.html
>>
>> wonder if that's a problem too?
>>
>>
>>
>> On Wed, Apr 4, 2018 at 4:54 PM, Daniel Kuppitz <m...@gremlin.guru> wrote:
>>
>> > Either this or I might have a newer gpg version which changed the output
>> > slightly. We already ignore the suffix for Ted and Jason, so I guess we
>> > should just use the same pattern for everyone. I can CTR this change
>> into
>> > all main branches; it's just that:
>> >
>> > -[ `gpg ${ZIP_FILENAME}.asc 2>&1 | grep -c '^gpg: Good signature from
>> > "Stephen Mallette <spmalle...@apache.org>"$'` -eq 1 ] || \
>> > -[ `gpg ${ZIP_FILENAME}.asc 2>&1 | grep -c '^gpg: Good signature from
>> > "Marko Rodriguez <ok...@apache.org>"$'` -eq 1 ] || \
>> > +[ `gpg ${ZIP_FILENAME}.asc 2>&1 | grep -c '^gpg: Good signature from
>> > "Stephen Mallette <spmalle...@apache.org>"'` -eq 1 ] || \
>> > +[ `gpg ${ZIP_FILENAME}.asc 2>&1 | grep -c '^gpg: Good signature from
>> > "Marko Rodriguez <ok...@apache.org>"'` -eq 1 ] || \
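Review bot: both the removed and the added patterns decide on the user-ID text of gpg's human-readable output ('^gpg: Good signature from "Stephen Mallette ...') rather than on the key that made the signature, so dropping the trailing $ only works around this one suffix. Any key in the local keyring that carries the same user ID would produce the same line, and the wording can differ again between gpg versions, as this thread shows. Consider running gpg --verify with --status-fd and matching the VALIDSIG line against the release managers' full fingerprints from KEYS. Also quote ${ZIP_FILENAME}, and note that every alternative in the || chain re-runs gpg on the same file just to count matches; capturing the output once would be enough.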
>> >
>> > Cheers,
>> > Daniel
>> >
>> >
>> > On Wed, Apr 4, 2018 at 1:49 PM, Stephen Mallette <spmalle...@gmail.com>
>> > wrote:
>> >
>> > > I haven't changed anything - i wonder why this is suddenly an issue. I
>> > > guess it worked for me locally because i was the person who signed it?
>> > >
>> > > On Wed, Apr 4, 2018 at 4:47 PM, Daniel Kuppitz <m...@gremlin.guru>
>> wrote:
>> > >
>> > > > gpg: Signature made Tue 03 Apr 2018 12:53:16 PM MST
>> > > > gpg:                using RSA key EA53A99854EAB0E6
>> > > > gpg: Good signature from "Stephen Mallette <spmalle...@apache.org>"
>> > > > [unknown]
>> > > > gpg: WARNING: This key is not certified with a trusted signature!
>> > > > gpg:          There is no indication that the signature belongs to
>> the
>> > > > owner.
>> > > > Primary key fingerprint: 0871 A360 AAB5 FD42 2516  E2FB EA53 A998
>> 54EA
>> > > B0E6
>> > > >
>> > > > The [unknown] suffix is what breaks the check.
>> > > >
>> > > > If you haven't changed anything in the way you're signing the
>> > artifacts,
>> > > we
>> > > > can probably just ignore the suffix.
>> > > >
>> > > >
>> > > >
>> > > > On Wed, Apr 4, 2018 at 1:39 PM, Daniel Kuppitz <m...@gremlin.guru>
>> > wrote:
>> > > >
>> > > > > The PGP signature check fails for me.
>> > > > >
>> > > > > daniel@cube /projects/apache/tinkerpop (tp33) $
>> > > > > bin/validate-distribution.sh 3.3.2
>> > > > >
>> > > > > Validating binary distributions
>> > > > >
>> > > > > * downloading Apache TinkerPop Gremlin (apache-tinkerpop-gremlin-
>> > > > console-3.3.2-bin.zip)...
>> > > > > OK
>> > > > > * validating signatures and checksums ...
>> > > > >   * PGP signature ... failed
>> > > > >
>> > > > > daniel@cube /projects/apache/tinkerpop (tp33) $ pushd /tmp
>> > > > > /tmp /projects/apache/tinkerpop
>> > > > > daniel@cube /tmp $ wget https://dist.apache.org/repos/
>> > > > > dist/dev/tinkerpop/KEYS
>> > > > > --2018-04-04 13:36:03--  https://dist.apache.org/repos/
>> > > > > dist/dev/tinkerpop/KEYS
>> > > > > Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
>> > > > > Connecting to dist.apache.org (dist.apache.org)|209.188.14.
>> > 144|:443...
>> > > > > connected.
>> > > > > HTTP request sent, awaiting response... 200 OK
>> > > > > Length: 13788 (13K) [text/plain]
>> > > > > Saving to: ‘KEYS’
>> > > > >
>> > > > > KEYS
>> > > > >  100%[======================================================
>> > > > > ==========================================================>]
>> 13.46K
>> > > > > --.-KB/s    in 0s
>> > > > >
>> > > > > 2018-04-04 13:36:03 (98.0 MB/s) - ‘KEYS’ saved [13788/13788]
>> > > > >
>> > > > > daniel@cube /tmp $ gpg --import KEYS
>> > > > > gpg: key 59028A48CB97E87B: "Marko Rodriguez <ok...@apache.org>"
>> not
>> > > > > changed
>> > > > > gpg: key EA53A99854EAB0E6: "Stephen Mallette <
>> spmalle...@apache.org
>> > >"
>> > > > not
>> > > > > changed
>> > > > > gpg: key A39CC3ADAEAEF36E: "Theodore Ratte Wilmes (CODE SIGNING
>> KEY)
>> > <
>> > > > > twil...@apache.org>" not changed
>> > > > > gpg: key 66B85FF141802BA8: "Jason Plurad (CODE SIGNING KEY) <
>> > > > > plur...@apache.org>" not changed
>> > > > > gpg: Total number processed: 4
>> > > > > gpg:              unchanged: 4
>> > > > > daniel@cube /tmp $ popd
>> > > > > /projects/apache/tinkerpop
>> > > > > daniel@cube /projects/apache/tinkerpop (tp33) $
>> > > > > bin/validate-distribution.sh 3.3.2
>> > > > >
>> > > > > Validating binary distributions
>> > > > >
>> > > > > * downloading Apache TinkerPop Gremlin (apache-tinkerpop-gremlin-
>> > > > console-3.3.2-bin.zip)...
>> > > > > OK
>> > > > > * validating signatures and checksums ...
>> > > > >   * PGP signature ... failed
>> > > > >
>> > > > >
>> > > > >
>> > > > > Cheers,
>> > > > > Daniel
>> > > > >
>> > > > >
>> > > > > On Tue, Apr 3, 2018 at 2:05 PM, Stephen Mallette <
>> > spmalle...@gmail.com
>> > > >
>> > > > > wrote:
>> > > > >
>> > > > >>  Hello,
>> > > > >>
>> > > > >> We are happy to announce that TinkerPop 3.3.2 is ready for
>> release.
>> > > > >>
>> > > > >> The release artifacts can be found at this location:
>> > > > >>         https://dist.apache.org/repos/dist/dev/tinkerpop/3.3.2/
>> > > > >>
>> > > > >> The source distribution is provided by:
>> > > > >>         apache-tinkerpop-3.3.2-src.zip
>> > > > >>
>> > > > >> Two binary distributions are provided for user convenience:
>> > > > >>         apache-tinkerpop-gremlin-console-3.3.2-bin.zip
>> > > > >>         apache-tinkerpop-gremlin-server-3.3.2-bin.zip
>> > > > >>
>> > > > >> The GPG key used to sign the release artifacts is available at:
>> > > > >>     https://dist.apache.org/repos/dist/dev/tinkerpop/KEYS
>> > > > >>
>> > > > >> The online docs can be found here:
>> > > > >>         http://tinkerpop.apache.org/docs/3.3.2/ (user docs)
>> > > > >>         http://tinkerpop.apache.org/docs/3.3.2/upgrade/ (upgrade
>> > > docs)
>> > > > >>         http://tinkerpop.apache.org/javadocs/3.3.2/core/ (core
>> > > javadoc)
>> > > > >>         http://tinkerpop.apache.org/javadocs/3.3.2/full/ (full
>> > > javadoc)
>> > > > >>
>> > > > >> The tag in Apache Git can be found here:
>> > > > >>
>> > > > >> https://git-wip-us.apache.org/repos/asf?p=tinkerpop.git;a=ta
>> > > > >> g;h=5938d84a350e048357e3b40f335a0ed161180cc3
>> > > > >>
>> > > > >> The release notes are available here (i linked to the branch -
>> > github
>> > > > >> hasn't sync'd the tag yet for some reason - not sure what the
>> delay
>> > is
>> > > > >> with
>> > > > >> Apache infra):
>> > > > >>
>> > > > >> https://github.com/apache/tinkerpop/blob/tp33/CHANGELOG.asci
>> > > > >> idoc#release-3-3-2
>> > > > >>
>> > > > >> The [VOTE] will be open for the next 72 hours --- closing Friday,
>> > > April
>> > > > 6,
>> > > > >> 2018 at 5:00pm EST.
>> > > > >>
>> > > > >> My vote is +1.
>> > > > >>
>> > > > >> Thank you very much,
>> > > > >> Stephen
>> > > > >>
>> > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>
>
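The failure discussed in this thread came from matching gpg's human-readable output, which changes between versions. As an added example (not part of the thread and not TinkerPop's validate-distribution.sh), the check below decides on the machine-readable VALIDSIG status line and the primary key fingerprint quoted above; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide on gpg's status lines, not on "Good signature from ...".

# Primary key fingerprint quoted in the thread, spaces removed.
PINNED_FPR="0871A360AAB5FD422516E2FBEA53A99854EAB0E6"

# valid_sig_from STATUS_TEXT FPR...
# Succeeds only if STATUS_TEXT has a VALIDSIG line whose signing-key (field 3)
# or primary-key (last field) fingerprint is one of the pinned fingerprints.
valid_sig_from() {
    status=$1; shift
    printf '%s\n' "$status" | awk -v pins="$*" '
        BEGIN { n = split(toupper(pins), p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ((toupper($3) in ok) || (toupper($NF) in ok)) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# verify_release FILE.asc FILE  (needs gpg and the imported KEYS file)
verify_release() {
    valid_sig_from "$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)" "$PINNED_FPR"
}

# Constructed status output (not captured from a real run): good signature by
# the pinned key. The trust level arrives as its own TRUST_* line, so it cannot
# break the match the way the "[unknown]" suffix did.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EA53A99854EAB0E6 Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 0871A360AAB5FD422516E2FBEA53A99854EAB0E6 2018-04-03 1522784753 0 4 0 1 8 00 0871A360AAB5FD422516E2FBEA53A99854EAB0E6
[GNUPG:] TRUST_UNDEFINED'

# Constructed: valid signature by a different key that carries the same user ID.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 1111111111111111 Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-04-03 1522784753 0 4 0 1 8 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED'

# Constructed: signature that does not match the file (no VALIDSIG is emitted).
SAMPLE_BAD='[GNUPG:] BADSIG EA53A99854EAB0E6 Release Manager <rm@example.invalid>'
```

To accept several release managers, pass each of their fingerprints to valid_sig_from as additional arguments.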
