Others may know a better way to do this, but the only way I know to truly verify the commit id is something like the following:

git clone https://git-wip-us.apache.org/repos/asf/nifi.git
git -C nifi checkout <commit id from vote email>
diff --brief -r <source dir from unzipped release artifacts> <clone dir from above>

For verifying the RC was branched off the correct git commit id, you look at the branch that was used to create the RC... So looking at the commit from the release email shows the JIRA was NIFI-5323 so there should be a branch like NIFI-5323-RC#:

https://github.com/apache/nifi/commits/NIFI-5323-RC1

The "prepare" commit in there should line up with the commit referenced in the vote email, and should also be the commit referenced in the release tag:

https://github.com/apache/nifi/commits/nifi-1.7.0-RC1

On Wed, Jun 20, 2018 at 9:59 AM, Kevin Doran <kdoran.apa...@gmail.com> wrote:

> Hi Mike,
> These values are in the VOTE email:
> https://lists.apache.org/thread.html/d8bfef873317c5f681a5deb226d9dd9483aec56a7abc9a72090cb570@<dev.nifi.apache.org>
> Cheers,
> Kevin
>
> On Wed, Jun 20, 2018 at 6:55 AM -0700, "Mike Thomsen" <mikerthom...@gmail.com> wrote:
>
> Do we store these values somewhere in the zip?
>
> # Verify the git commit ID is correct
>
> # Verify the RC was branched off the correct git commit ID
>
> On Wed, Jun 20, 2018 at 3:16 AM Andy LoPresto wrote:
>
>> Hello Apache NiFi community,
>>
>> Please find the associated guidance to help those interested in
>> validating/verifying the release so they can vote.
>>
>> # Download latest KEYS file:
>> https://dist.apache.org/repos/dist/dev/nifi/KEYS
>>
>> # Import keys file:
>> gpg --import KEYS
>>
>> # [optional] Clear out local maven artifact repository
>>
>> # Pull down nifi-1.7.0 source release artifacts for review:
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-1.7.0/nifi-1.7.0-source-release.zip
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-1.7.0/nifi-1.7.0-source-release.zip.asc
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-1.7.0/nifi-1.7.0-source-release.zip.sha1
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-1.7.0/nifi-1.7.0-source-release.zip.sha256
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-1.7.0/nifi-1.7.0-source-release.zip.sha512
>>
>> # Verify the signature
>> gpg --verify nifi-1.7.0-source-release.zip.asc
>>
>> # Verify the hashes (sha1, sha256, sha512) match the source and what was provided in the vote email thread
>> shasum -a 1 nifi-1.7.0-source-release.zip
>> shasum -a 256 nifi-1.7.0-source-release.zip
>> shasum -a 512 nifi-1.7.0-source-release.zip
>>
>> # Unzip nifi-1.7.0-source-release.zip
>>
>> # Verify the build works including release audit tool (RAT) checks
>> cd nifi-1.7.0
>> mvn clean install -Pcontrib-check,include-grpc
>>
>> # Verify the contents contain a good README, NOTICE, and LICENSE.
>>
>> # Verify the git commit ID is correct
>>
>> # Verify the RC was branched off the correct git commit ID
>>
>> # Look at the resulting convenience binary as found in nifi-assembly/target
>>
>> # Make sure the README, NOTICE, and LICENSE are present and correct
>>
>> # Run the resulting convenience binary and make sure it works as expected
>>
>> # Send a response to the vote thread indicating a +1, 0, -1 based on your findings.
>>
>> Thank you for your time and effort to validate the release!
>>
>> Andy LoPresto
>> alopre...@apache.org
>> *alopresto.apa...@gmail.com*
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69