incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chip Childers <chip.child...@sungard.com>
Subject Re: Release procedural question
Date Fri, 02 Nov 2012 18:47:33 GMT
On Fri, Nov 2, 2012 at 2:44 PM, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> Chip Childers wrote on Fri, Nov 02, 2012 at 14:27:24 -0400:
>> On Fri, Nov 2, 2012 at 9:26 AM, Chip Childers <chip.childers@sungard.com> wrote:
>> > Hi all,
>> >
>> > In reading the release policy section about the detached signature
>> > file and the voting process, there is a mention about allowing (at the
>> > RM's discretion) other PMC members (in a podling's case, PPMC members)
>> > to concatenate their own signature to the *.asc release artifacts as
>> > part of their +1 vote.
>> >
>> > As the RM for the (currently being voted on) CloudStack release, I
>> > have been provided with another PPMC member's detached signature.
>> >
>> > Can someone please confirm that, after validating that adding the
>> > signature to the asc file works, I'm allowed to use the new combined
>> > signature file as the final release artifact?  Is there anything that
>> > I should be aware of when adding this second signature?
>> >
>
> In my experience, 'gpg --verify' sometimes verifies only the first
> signature in a file.  Hence:
>
> [[[
> % cat ~/bin/gpg-verify-many
> #!/bin/sh
> # perl -pe 'open STDOUT, "| gpg --verify - subversion-1.7.0-rc1.tar.gz" if /BEGIN/' <
*rc1*asc
>
> usage() {
>   echo "USAGE: $0 \$foo.tar.gz \$foo.tar.gz.asc"
>   echo "USAGE: $0 \$foo.tar.gz <\$foo.tar.gz.asc"
> }
>
> if [ $# -ge 2 ]; then
>   ascfile=""
> else
>   ascfile="$1.asc"
> fi
>
> perl -pe 'BEGIN { $target = shift }  open STDOUT, "| gpg --verify - $target" if /BEGIN/'
"$@" $ascfile
> ]]]
>
> I don't know if that's still the case in more recent versions of gpg.

It appears to function correctly now:

gpg --verify apache-cloudstack-4.0.0-incubating-src.tar.bz2.asc
gpg: Signature made Mon Oct 22 11:50:37 2012 EDT using RSA key ID A99A5D58
gpg: Good signature from "Chip Childers <chipchilders@apache.org>"
gpg: Signature made Wed Oct 24 10:08:47 2012 EDT using RSA key ID 6FE50F1C
gpg: Good signature from "David Nalley (Code signing key) <ke4qqq@apache.org>"

This is with version: gpg (GnuPG/MacGPG2) 2.0.18 / libgcrypt 1.5.0

>
>> > Thanks for the support and advice.
>> >
>> > -chip
>>
>> Given the release policy [1] description of adding additional
>> signatures to the release, and testing locally to ensure that the
>> concatenated signature validates correctly, I will presume that this
>> is a normal practice and move forward.
>>
>
> It's normal practice.  Every Subversion release does it.

Excellent.  Thanks for the followup.

>> Thanks!
>>
>> -chip
>>
>> [1] http://www.apache.org/dev/release.html#what-must-every-release-contain
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message