Hi All, If you are looking to verify release signatures, here is a quick tip:
* download all release artifacts into a folder or do a svn checkout of the release - `svn co https://dist.apache.org/repos/dist/dev/airavata/0.17/RC1/ <https://dist.apache.org/repos/dist/dev/airavata/0.17/RC1/>` * Verify signatures by a small script something like: for file in `find . -type f -iname '*.asc'` do gpg --verify ${file} done The output will indicate the You'll need to look at the output to ensure it contains only good signatures - gpg: Good signature from ... gpg: Signature made … Once you verify the signature, next step is to uncompress the source and verify it builds fine. This links provide guidance on release verifications: https://www.apache.org/info/verification <https://www.apache.org/info/verification> Cheers, Suresh > On Mar 21, 2019, at 1:07 AM, Suresh Marru <sma...@apache.org> wrote: > > Discussion thread for vote on Apache Airavata 0.17 release candidate. > > If you have any questions or feedback or to post results of validating the > release, please reply to this thread. Once you verify the release, please > post your vote to the VOTE thread. > > For reference, the Apache release guide - > http://www.apache.org/dev/release.html > <http://www.apache.org/dev/release.html> > > Some tips to validate the release before you vote: > > * Download the binary version and run the 5 minute or 10 minute tutorial as > described in README and website. > * Download the source files from compressed files and release tag and build > (which includes tests). > * Verify the distribution for the required LICENSE and NOTICE files > * Verify if all the staged files are signed and the signature is verifiable. > * Verify if the signing key in the project's KEYS file is hosted on a public > server > > Thanks for your time in validating the release and voting, > Suresh > (On Behalf of Airavata PMC) >
