Hey +1, BINDING
Tested: YES

Result

1. GPG key check:

# binary artifact signature and checksum verification steps and outputs are similar
bin=apache-fineract-$version-binary.tar.gz
gpg --verify $bin.asc
gpg --print-md SHA512 $bin | diff - $bin.sha512

gpg: assuming signed data in 'apache-fineract-1.12.1-src.tar.gz'
gpg: Signature made Wed Jul 21 21:37:01 2025 CEST
gpg: using EDDSA key 250775BDB5FE7D53E4AF95C00E895A1A7A090CFC
gpg: Good signature from "Adam Monsen <hair...@gmail.com>" [Unknown mode]
gpg: WARNING: This key is not verified with a trusted signature!
gpg: There is no indication that this key belongs to the specified owner.
Primary key fingerprint: 63DB 20DD 87E4 B34F CD9B BB0D A9A1 4F22 F57D A182
Subkey fingerprint: 2507 75BD B5FE 7D53 E4AF 95C0 0E89 5A1A 7A09 0CFC

gpg: assuming signed data in 'apache-fineract-1.12.1-binary.tar.gz'
gpg: Signature made Wed Jul 21 21:37:12 2025 CEST
gpg: using EDDSA key 250775BDB5FE7D53E4AF95C00E895A1A7A090CFC
gpg: Good signature from "Adam Monsen <hair...@gmail.com>" [Unknown mode]
gpg: WARNING: This key is not verified with a trusted signature!
gpg: There is no indication that this key belongs to the specified owner.
Primary key fingerprint: 63DB 20DD 87E4 B34F CD9B BB0D A9A1 4F22 F57D A182
Subkey fingerprint: 2507 75BD B5FE 7D53 E4AF 95C0 0E89 5A1A 7A09 0CFC

Seems it was in fact signed by Adam Monsen, but we are still missing key verification, but I guess we can move forward. ✅

2. Build from source

I was able to build successfully from source tar. ✅

3. run from binary

I was able to run successfully from binary tar. ✅

Regards,
Adam

> On 2025. Jul 21., at 23:34, Adam Monsen <meonk...@apache.org> wrote:
>
>
> Hello everyone,
>
> We are proud to present Apache Fineract 1.12.1, with the artifacts below up
> for a vote. Releases are important for a number of reasons: They put a stamp
> of approval on a set of code changes and they build momentum for future
> improvements.
>
> 1.12.1 is very similar to 1.12.0--we just had to fix some build and test
> issues (thank you Ádám Sághy).
>
> Release notes and ChangeLog
> <https://cwiki.apache.org/confluence/display/FINERACT/1.12.1+-+Apache+Fineract>
> (help still needed w/summary please)
>
> Source and binary artifacts <https://adammonsen.com/tmp/1.12.1/> (yes, this
> is the correct URL -- we are waiting for ASF infra to assist with uploading
> the release to the staging area in subversion. That's OK, this is why we have
> checksums and keys, so these files can be considered immutable in a way
> any/all of us can verify)
>
> Tagged as 1.12.1
>
> Committer PGP keys, including the key I used to sign the release
> <https://dist.apache.org/repos/dist/dev/fineract/KEYS> (note this KEYS file
> is duplicated in the /release/ area, but that KEYS file is not yet updated --
> I need a PMC member to do this for me)
>
> Note that this release contains source and binary artifacts.
>
> This vote will be open for 72 hours:
>
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and reason why)
>
> Please indicate if you are a binding vote (member of the PMC).
>
> Please also indicate with "Tested: YES/NO/PARTIAL" if you have locally built
> and/or tested these artifacts and/or a clone of the code checked out to the
> release commit, following the form:
>
> Tested: YES ... Verified integrity and signatures of release artifacts
> locally, built from source, ran jar/war: Did everything mentioned in the
> current release candidate verification guidance (see below). If you did
> more than that, please specify.
>
> Tested: NO ... No testing performed on release candidate, e.g. relying on
> testing performed by other contributors and/or output of GitHub Actions,
> while exercising my right to vote.
>
> Tested: PARTIAL ... Please specify.
>
> Cheers,
> Adam Monsen
>
>
>
> ADDENDUM - release candidate verification guidance
>
> Here's a recap of the rough steps to verify the rc (release candidate):
>
> 1. download the rc artifacts and verify their integrity
> 2. run a build using only the source tarball and the recommended JDK
> 3. start up a Fineract server using the war in the binary tarball
>
> I'll give examples of these steps below. These are meant to be run
> interactively, that is: Copy+pasted or manually typed in on your own machine.
> The steps assume Bash shell on Linux (and a few common utilities: gpg, diff,
> tar...) but are hopefully clear enough to use as general guidance on other
> systems as well. If you're able to use Bash on macOS or Windows these
> commands should work the same.
>
> signatures and checksums
>
> version=1.12.1
> # source artifact signature and checksum verification steps
> src=apache-fineract-$version-src.tar.gz
> # upon success: prints "Good signature" and returns successful exit code
> # upon failure: prints "BAD signature" and returns error exit code
> gpg --verify $src.asc
> # upon success: prints nothing and returns successful exit code
> # upon failure: prints checksum differences and returns error exit code
> gpg --print-md SHA512 $src | diff - $src.sha512
>
> # binary artifact signature and checksum verification steps and outputs are similar
> bin=apache-fineract-$version-binary.tar.gz
> gpg --verify $bin.asc
> gpg --print-md SHA512 $bin | diff - $bin.sha512
>
> build from source
>
> tar -xzf $src
> # note mismatch in exploded dir name!
> cd apache-fineract-src-$version
> # bare minimum build!
> gradle build -x test -x doc
>
> run from binary
>
> Explode the binary tarball and run the jar with Java and/or run the war with
> Tomcat.
>
> Ensure http://localhost:8080/fineract-provider/actuator/health works and that
> you are able to make API calls against
> http://localhost:8080/fineract-provider/api/v1 .
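
The verification output in this thread shows "Good signature" together with gpg's untrusted-key warning, so the signature check alone does not tie the artifact to a known release key. As an added example (not part of the original thread and not the Fineract project's own tooling), the shell functions below read gpg's machine-readable `--status-fd` output and accept a signature only when its primary-key fingerprint equals a pinned value. The function names, the `PINNED` variable and the sample status lines are constructed for illustration, and the pin is assumed to have been taken from the project's KEYS file rather than from the output being checked.

```shell
#!/bin/sh
# Added example: pin the release signer's primary-key fingerprint.

# Normalize a fingerprint: drop spaces, uppercase ("63DB 20DD" -> "63DB20DD").
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# check_validsig PINNED_FPR  < gpg-status-lines
# Succeeds only if a VALIDSIG line names the pinned primary key and no
# failure status appears. Fails closed on empty input or an empty pin.
check_validsig() {
  awk -v want="$(norm_fpr "$1")" '
    $1 != "[GNUPG:]" { next }
    # Any of these status keywords means the signature is not acceptable.
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
    $2 == "VALIDSIG" {
      if (want != "" && toupper($12) == want) ok = 1; else bad = 1
    }
    END { if (ok && !bad) exit 0; exit 1 }
  '
}

# verify_release ARTIFACT PINNED_FPR
# Runs the signature check from the thread with the pin applied.
verify_release() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_validsig "$2"
}

# Assumption: in practice the pin comes from the project's KEYS file, fetched
# separately from the artifacts. The value here is the primary key
# fingerprint printed in the vote reply above.
PINNED='63DB 20DD 87E4 B34F CD9B BB0D A9A1 4F22 F57D A182'

# Constructed sample of `gpg --status-fd 1 --verify` output (timestamp and
# numeric fields invented); fingerprints are the ones shown in the thread.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0E895A1A7A090CFC Adam Monsen
[GNUPG:] VALIDSIG 250775BDB5FE7D53E4AF95C00E895A1A7A090CFC 2025-07-21 1753126621 0 4 0 22 10 00 63DB20DD87E4B34FCD9BBB0DA9A14F22F57DA182
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

With gpg installed and the signer's key imported, `verify_release apache-fineract-1.12.1-src.tar.gz "$PINNED"` returns a non-zero exit code for a bad signature, a missing key, or a valid signature made by any key other than the pinned one.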