David,
<<<
I think it's more that we're all using different commands/scripts to create
those files and getting slightly different output.
>>>
Are we open to using some automation? It would seem to me that there are plenty
of tools we could leverage to automate the release. I have not been around
here all that long as compared to many of you, so this was probably discussed
before. I am open to working on that, if we are interested.
Thanks,
Rod.
On 9/16/21, 6:40 PM, "David Blevins" <[email protected]> wrote:
> On Sep 16, 2021, at 2:49 PM, Jean-Louis Monteiro <[email protected]> wrote:
>
> Unless I'm mistaken I got 8.0.8 signing based on new apache guidelines.
> Sha512 is now recommended or required can't recall. So not surprised tomcat
> is doing the same
I think it's more that we're all using different commands/scripts to create
those files and getting slightly different output.
I created a command in our release tools project to push binaries into
dist.apache.org and it will create the sha256 and sha512 files in the process.
Maybe we can all use it instead of our personal scripts?
- https://github.com/apache/tomee-release-tools/blob/master/src/main/java/org/apache/openejb/tools/release/cmd/Dist.java#L63-L153
If we want to update the sha files so it has the file name in it, that's
cool with me.
-David
>
> On Thu, Sep 16, 2021 at 20:54, Jenkins, Rodney J (Rod) <[email protected]> wrote:
>
>> David,
>>
>> From an earlier email:
>>
>> .....
>>
>> 2) Can we please be consistent on how we produce the sha512 files?
>>
>> 8.0.6 file looks like this:
>>
>> 3e8fcaf50362169808f1dd09bcf844c642c2251a3a725c58100066500aa482d4c23a3c027c52178dc6a92b648f75b53106a9efdffc6e39918c7fa2e86c058bf7
>> 8.0.8 looks like:
>>
>> 5a54e24400211f6ef6e48415713996fd5e89da1d5ad29f0e12202b685821245a9d600b4f0ad30539a479a8a8129fad9f7cfb2f3c8232178c42a39e2b9a84a5dd
>> apache-tomee-8.0.8-plume.tar.gz
>>
>> 9.0 follows the 8.0.6 convention. If pushed, I would prefer the 8.0.8
>> convention. It matches how Tomcat does it. However, I can make either
>> work.
>>
>> Thanks,
>> Rod.
>>
>>
>> On 9/16/21, 1:31 PM, "David Blevins" <[email protected]> wrote:
>>
>>> On Sep 16, 2021, at 1:10 PM, Jenkins, Rodney J (Rod) <[email protected]> wrote:
>>>
>>> David,
>>>
>>> WOW, you’re a genius!!
>>>
>>> This worked well and makes the Dockerfiles clean. For the record, I
>>> dislike awk. What you had is exactly how I would have done it if I
>>> understood gpg better.
>>
>> Stackoverflow to the rescue :) I knew fingerprints are usually some
>> kind of sha of the public key, so I figured there had to be a way to
>> calculate it and went looking.
>>
>>> Now, if we can get consistent on the sha512 files, lol.
>>
>> What's the challenge there? Are we missing them on occasion?
>>
>>
>> -David
>>
>>> On 9/16/21, 11:55 AM, "David Blevins" <[email protected]> wrote:
>>>
>>>> On Sep 16, 2021, at 11:03 AM, Jenkins, Rodney J (Rod) <[email protected]> wrote:
>>>>
>>>> Hello David,
>>>>
>>>> Thank you for the response..... I think I understand the issue......
>>>>
>>>> The script parses the KEYS file as such:
>>>> for key in `curl -fsSL 'https://www.apache.org/dist/tomee/KEYS' | awk -F ' = ' '$1 ~ /^ +Key fingerprint$/ { gsub(" ", "", $2); print $2 }' | sort -u`; do \
>>>>
>>>> The key you used that starts with 626C does not have the line "Key fingerprint = 626C..."
>>>>
>>>> Your output gave me the fingerprint I needed. I added it to the
>>>> Dockerfile manually and it was found in the key servers. Jean-Louis is in
>>>> a similar boat. His fingerprint is there; it is missing " Key fingerprint
>>>> =" in front of it.
>>>
>>> Thanks for the explanation and pointer, Rod!
>>>
>>> I dug and found the loop in question. Looks like there's a way
>>> to get gpg to list the keys in a file without importing them and give us
>>> more consistent output to parse.
>>>
>>> $ cat KEYS | gpg --with-colons --import-options show-only --import
>>>
>>> I never learned awk, but here's a way to parse it:
>>>
>>> # field 10 of each "fpr" record in the colon output is the fingerprint
>>> for key in $(curl -fsSL 'https://www.apache.org/dist/tomee/KEYS' | gpg --with-colons --import-options show-only --import | grep '^fpr' | cut -d : -f 10); do
>>>   # do the stuff
>>> done
>>>
>>> You could probably cook up something fancier with your awk skills :)
>>>
>>>
>>> -David
>>>
>>>
>>
>>
>>
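
An added example (not from the thread or from tomee-release-tools): a POSIX sh function that accepts both .sha512 layouts compared above, the bare digest used for 8.0.6 and the digest followed by the file name used for 8.0.8. The name `verify_sha512` and its return codes are assumptions for illustration, and it assumes `sha512sum` from GNU coreutils is available.

```shell
#!/bin/sh
# Constructed helper: check ARTIFACT against a .sha512 file that holds either
# a bare digest or a digest followed by the artifact's file name.
# Returns 0 = match, 1 = mismatch or malformed checksum file, 2 = missing file.
# Assumes artifact names contain no whitespace.
verify_sha512() {
    artifact=$1
    sumfile=$2
    [ -f "$artifact" ] && [ -f "$sumfile" ] || return 2

    # Token 1 is the digest; token 2 (optional, same or next line) is the name.
    tokens=$(tr -d '\r' < "$sumfile" | awk '{ for (i = 1; i <= NF; i++) print $i }')
    expected=$(printf '%s\n' "$tokens" | sed -n '1p' | tr 'A-F' 'a-f')
    named=$(printf '%s\n' "$tokens" | sed -n '2p')

    # A SHA-512 digest is exactly 128 hex characters; reject anything else,
    # such as an HTML error page saved in place of the checksum file.
    case $expected in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 1

    # If the file names an artifact, it must be the one being checked.
    # sha512sum marks binary mode with a leading '*', so strip it first.
    if [ -n "$named" ]; then
        [ "${named#\*}" = "$(basename "$artifact")" ] || return 1
    fi

    # Hash from stdin so the output carries no path to parse around.
    actual=$(sha512sum < "$artifact" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}
```

In a Dockerfile `RUN` step the non-zero return on a mismatch fails the build, which is the behaviour wanted whichever convention a given release used.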