Hi again
At this time voting on "Apache Sling SAML2 Service Provider 0.2.6" will
continue based on the artifacts staged at
https://dist.apache.org/repos/dist/dev/sling/
<https://dist.apache.org/repos/dist/dev/sling/>
Signature can be checked using a bash script such as the example below.
./check_dev_repo.sh /tmp/sling-staging
#!/bin/sh
DOWNLOAD=${1:-/tmp/sling-staging}
mkdir ${DOWNLOAD} 2>/dev/null
if [ -z "${DOWNLOAD}" ]
then
echo "Usage: check_dev_repo.sh [temp-directory]"
exit
fi
echo
"################################################################################"
echo " DOWNLOAD PROMOTED REPOSITORY
"
echo
"################################################################################"
wget -e "robots=off" --wait 1 -nv -r -np "--reject=html,index.html.tmp,../"
"--follow-tags=" \
-P "${DOWNLOAD}" -nH "--cut-dirs=4" \
"https://dist.apache.org/repos/dist/dev/sling/";
echo
"################################################################################"
echo " CHECK SIGNATURES AND DIGESTS
"
echo
"################################################################################"
for i in `find "${DOWNLOAD}" -type f | grep -v '\.\(asc\|sha1\|md5\)$'`
do
f=`echo $i | sed 's/\.asc$//'`
echo "$f"
gpg --verify $f.asc 2>/dev/null
if [ "$?" = "0" ]; then CHKSUM="GOOD"; else CHKSUM="BAD!!!!!!!!"; fi
if [ ! -f "$f.asc" ]; then CHKSUM="----"; fi
echo "gpg: ${CHKSUM}"
for tp in md5 sha1
do
if [ ! -f "$f.$tp" ]
then
CHKSUM="----"
else
A="`cat $f.$tp 2>/dev/null`"
B="`openssl $tp < $f 2>/dev/null | sed 's/.*= *//' `"
if [ "$A" = "$B" ]; then CHKSUM="GOOD (`cat $f.$tp`)"; else CHKSUM="BAD!!
: $A not equal to $B"; fi
fi
echo "$tp : ${CHKSUM}"
done
done
if [ -z "${CHKSUM}" ]; then echo "WARNING: no files found!"; fi
echo
"################################################################################"
Thanks!
Cris
> On Jul 2, 2021, at 11:41 AM, Cris Rockwell <[email protected]> wrote:
>
> Hi,
>
> We solved 3 Jira issues in this initial release:
> https://issues.apache.org/jira/projects/SLING/versions/12350210
> <https://issues.apache.org/jira/projects/SLING/versions/12350210>
>
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2490/
> <https://repository.apache.org/content/repositories/orgapachesling-2490/>
>
> You can use this UNIX script to download the release and verify the
> signatures:
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
>
> <https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD>
>
> Usage:
> sh check_staged_release.sh 2490 /tmp/sling-staging
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ] 0 Don't care
> [ ] -1 Don't release, because ...
>
> This majority vote is open for at least 72 hours.
>
> Regards,
> Cris
