kou commented on PR #240:
URL: https://github.com/apache/arrow-nanoarrow/pull/240#issuecomment-1596412527
How about just ignoring `gpg --import KEYS` error instead of skipping all
signature verification?
```diff
diff --git a/dev/release/verify-release-candidate.sh
b/dev/release/verify-release-candidate.sh
index d513cf0..df2e325 100755
--- a/dev/release/verify-release-candidate.sh
+++ b/dev/release/verify-release-candidate.sh
@@ -31,6 +31,10 @@
# If unset, the script will check out a version into NANOARROW_TMPDIR.
# - NANOARROW_TMPDIR: Use to specify a persistent directory such that
verification
# results are more easily retrieved.
+# - NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR: Don't stop verification even
when
+# "gpg --import KEYS" returns an error. In general, we should not use this
+# to ensure importing all GPG keys. But newer algorithms such as ed25519
may
+# not be supported in old GPG such as GPG on CentOS 7.
# - TEST_SOURCE: Set to 0 to selectively run component verification.
# - TEST_C: Builds C libraries and tests using the default CMake
# configuration. Defaults to the value of TEST_SOURCE.
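Review bot: The new header entry for NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR does not say which value enables it, and "we should not use this to ensure importing all GPG keys" can be read two ways. The check added in import_gpg_keys() turns the option on for any integer greater than 0, so state that explicitly (for example "Set to 1 to ..."), matching the "Set to 0 to ..." wording of the TEST_SOURCE entry, and reword the caution along the lines of "Leave unset in general so that a failure to import any key stops verification".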
@@ -114,7 +118,11 @@ import_gpg_keys() {
return 0
fi
download_dist_file KEYS
- gpg --import KEYS
+ if [ "${NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR:-0}" -gt 0 ]; then
+ gpg --import KEYS || :
+ else
+ gpg --import KEYS
+ fi
GPGKEYS_ALREADY_IMPORTED=1
}
```
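Review bot: In import_gpg_keys(), `gpg --import KEYS || :` discards every failure of the import, not only the unsupported-algorithm case the header comment describes, and it does so silently while GPGKEYS_ALREADY_IMPORTED=1 is still set afterwards. Print a warning to stderr in that branch so the verification log records that the keyring may be incomplete. The `-gt 0` test also expects an integer: a value such as `true` makes `[` report an error and fall through to the strict branch, so either document that the variable must be numeric or compare it as a string.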