Some tips, since I found this a pain to figure out.  To verify the sha file
matches:

> gpg --print-md SHA512 *.zip | diff - *.sha && echo "Exact match"
> gpg --print-md MD5 *.zip | diff - *.md5 && echo "Exact match"

Oddly the output of gpg is different from that of sha512sum and md5sum, so
you cannot use those commands to --check the sums, ugh.  (We should
consider changing the way we generate those files, no?)

I'm still trying to figure out how to make sure the zip is signed
correctly, but am having issues setting up my KEYS.

All in all I don't think this is that useful of a process to do, since to
be really confident you would have to create the full release zip from
scratch from source control yourself and compare *that* to the hosted zip
to make sure we are releasing what you think we are (as is, we are just
verifying the download isn't corrupt).  But I wanted to go through the
process.
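As an added example (not part of this thread or the project's tooling), a small Python checker that reads a checksum file in either the `gpg --print-md` layout (uppercase hex in groups of four, long digests wrapped onto indented continuation lines) or the `sha512sum`/`md5sum` layout (`<hex>  <file>`), so the two formats can be compared against the real digest of the downloaded file. The checksum text and file contents below are constructed samples; it assumes filenames contain no `:`.

```python
import hashlib
import re

def parse_checksum_file(text):
    """Return {filename: lowercase hex digest} from either checksum layout.

    gpg --print-md writes 'name.zip: ABCD EF01 ...', wrapping long digests
    onto indented continuation lines; sha512sum/md5sum write
    '<hex>  name.zip' per line. Assumes filenames contain no ':'.
    """
    digests, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^([0-9a-fA-F]{32,128})\s+\*?(\S+)$", line)
        if m:                                    # coreutils layout
            digests[m.group(2)] = m.group(1).lower()
            current = None
        elif line[0].isspace():                  # gpg continuation line
            if current is not None:
                digests[current] += re.sub(r"\s+", "", line).lower()
        else:                                    # gpg 'name: HEX HEX ...' line
            name, _, hexpart = line.partition(":")
            current = name.strip()
            digests[current] = re.sub(r"\s+", "", hexpart).lower()
    return digests

def verify(checksum_text, algorithm, files):
    """files: {filename: bytes}; returns {filename: True|False|None}
    (None means the checksum file has no entry for that file)."""
    expected = parse_checksum_file(checksum_text)
    results = {}
    for name, data in files.items():
        want = expected.get(name)
        if want is None:
            results[name] = None
        else:
            results[name] = hashlib.new(algorithm, data).hexdigest() == want
    return results

# Constructed samples: md5("abc") in gpg layout, the same in md5sum layout,
# and a wrapped gpg-style SHA512 entry for an empty file.
GPG_MD5 = "abc.zip: 9001 5098 3CD2 4FB0 D696 3F7D 28E1 7F72\n"
COREUTILS_MD5 = "900150983cd24fb0d6963f7d28e17f72  abc.zip\n"
GPG_SHA512 = (
    "empty.zip: CF83 E135 7EEF B8BD F154 2850 D66D 8007 D620 E405 0B57 15DC\n"
    "           83F4 A921 D36C E9CE 47D0 D13C 5D85 F2B0 FF83 18D2 877E EC2F\n"
    "           63B9 31BD 4741 7A81 A538 327A F927 DA3E\n"
)

if __name__ == "__main__":
    print(verify(GPG_MD5, "md5", {"abc.zip": b"abc"}))       # {'abc.zip': True}
    print(verify(GPG_SHA512, "sha512", {"empty.zip": b""}))  # {'empty.zip': True}
```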



On Tue, Feb 25, 2014 at 3:33 PM, Lorin Beer <lorin.beer....@gmail.com> wrote:

> I've just submitted my +1 for a number of the past releases, and thought
> I'd document here what the steps I took were.
>
> Since these are past releases, some of which I helped tag and have already
> run, the checklist is slightly simplified:
>
> - download package
> - sanity check package for expected release artifacts
> - tags are correct
> - commit hash matches the source
>
>
> On Tue, Feb 25, 2014 at 11:35 AM, Steven Gill <stevengil...@gmail.com> wrote:
>
> > It has been brought to our attention that some of our previous releases
> > were not voted on in accordance with the ASF by-laws. After some
> > discussion, we've decided to call a retroactive vote on these releases. A
> > vote is being conducted by the PMC and the results will be posted here
> > when complete.
> >
>
