Validated the binaries, did several manual tests with the Gremlin Server + Gremlin Console, looked over the documentation.
The instructions on the download page to verify with gpg manually are fine since the output does say "Good signature" even with the [unknown] suffix. VOTE: +1 On Wed, Apr 4, 2018 at 2:08 PM, Daniel Kuppitz <[email protected]> wrote: > With the suffix ignored it all looks good. > > Validating binary distributions > > * downloading Apache TinkerPop Gremlin > (apache-tinkerpop-gremlin-console-3.3.2-bin.zip)... OK > * validating signatures and checksums ... > * PGP signature ... OK > * MD5 checksum ... OK > * SHA1 checksum ... OK > * unzipping Apache TinkerPop Gremlin ... OK > * validating Apache TinkerPop Gremlin's docs ... OK > * validating Apache TinkerPop Gremlin's binaries ... OK > * validating Apache TinkerPop Gremlin's legal files ... > * LICENSE ... OK > * NOTICE ... OK > * validating Apache TinkerPop Gremlin's plugin directory ... OK > * validating Apache TinkerPop Gremlin's lib directory ... OK > * testing script evaluation ... OK > > * downloading Apache TinkerPop Gremlin > (apache-tinkerpop-gremlin-server-3.3.2-bin.zip)... OK > * validating signatures and checksums ... > * PGP signature ... OK > * MD5 checksum ... OK > * SHA1 checksum ... OK > * unzipping Apache TinkerPop Gremlin ... OK > * validating Apache TinkerPop Gremlin's docs ... OK > * validating Apache TinkerPop Gremlin's binaries ... OK > * validating Apache TinkerPop Gremlin's legal files ... > * LICENSE ... OK > * NOTICE ... OK > * validating Apache TinkerPop Gremlin's plugin directory ... OK > * validating Apache TinkerPop Gremlin's lib directory ... OK > > Validating source distribution > > * downloading Apache TinkerPop 3.3.2 (apache-tinkerpop-3.3.2-src.zip)... > OK > * validating signatures and checksums ... > * PGP signature ... OK > * MD5 checksum ... OK > * SHA1 checksum ... OK > * unzipping Apache TinkerPop 3.3.2 ... OK > * building project ... OK > > > VOTE: +1 (if nobody has any objections regarding the suffix) > > Furthermore, here's the output of the verification step shown on the > download page: > > $ gpg --verify apache-tinkerpop-3.3.2-src.zip.asc > apache-tinkerpop-3.3.2-src.zip > gpg: Signature made Tue 03 Apr 2018 12:45:53 PM MST > gpg: using RSA key EA53A99854EAB0E6 > gpg: Good signature from "Stephen Mallette <[email protected]>" > [unknown] > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > Primary key fingerprint: 0871 A360 AAB5 FD42 2516 E2FB EA53 A998 54EA B0E6 > > > Cheers, > Daniel > > > On Wed, Apr 4, 2018 at 1:59 PM, Daniel Kuppitz <[email protected]> wrote: > > > Much newer. > > > > $ gpg --version > > gpg (GnuPG) 2.1.15 > > libgcrypt 1.7.8 > > Copyright (C) 2016 Free Software Foundation, Inc. > > License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl > . > > html> > > This is free software: you are free to change and redistribute it. > > There is NO WARRANTY, to the extent permitted by law. > > > > Home: /home/daniel/.gnupg > > Supported algorithms: > > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA > > Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, > > CAMELLIA128, CAMELLIA192, CAMELLIA256 > > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 > > Compression: Uncompressed, ZIP, ZLIB, BZIP2 > > > > > > > > On Wed, Apr 4, 2018 at 1:57 PM, Stephen Mallette <[email protected]> > > wrote: > > > >> out of curiosity - what gpg version do you have? i'm on: > >> > >> $ gpg --version > >> gpg (GnuPG) 1.4.16 > >> > >> is that ancient or something? i'd be curious if anyone else has this > >> problem. it's also semi-concerning that this doesn't work because we'd > >> want > >> to the verification to behave right with the instructions we have here: > >> > >> http://tinkerpop.apache.org/downloads.html > >> > >> wonder if that's a problem too? > >> > >> > >> > >> On Wed, Apr 4, 2018 at 4:54 PM, Daniel Kuppitz <[email protected]> wrote: > >> > >> > Either this or I might have a newer gpg version which changed the > output > >> > slightly. We already ignore the suffix for Ted and Jason, so I guess > we > >> > should just use the same pattern for everyone. I can CTR this change > >> into > >> > all main branches; it's just that: > >> > > >> > -[ `gpg ${ZIP_FILENAME}.asc 2>&1 | grep -c '^gpg: Good signature from > >> > "Stephen Mallette <[email protected]>"$'` -eq 1 ] || \ > >> > -[ `gpg ${ZIP_FILENAME}.asc 2>&1 | grep -c '^gpg: Good signature from > >> > "Marko Rodriguez <[email protected]>"$'` -eq 1 ] || \ > >> > +[ `gpg ${ZIP_FILENAME}.asc 2>&1 | grep -c '^gpg: Good signature from > >> > "Stephen Mallette <[email protected]>"'` -eq 1 ] || \ > >> > +[ `gpg ${ZIP_FILENAME}.asc 2>&1 | grep -c '^gpg: Good signature from > >> > "Marko Rodriguez <[email protected]>"'` -eq 1 ] || \ > >> > > >> > Cheers, > >> > Daniel > >> > > >> > > >> > On Wed, Apr 4, 2018 at 1:49 PM, Stephen Mallette < > [email protected]> > >> > wrote: > >> > > >> > > I haven't changed anything - i wonder why this is suddenly an > issue. I > >> > > guess it worked for me locally because i was the person who signed > it? > >> > > > >> > > On Wed, Apr 4, 2018 at 4:47 PM, Daniel Kuppitz <[email protected]> > >> wrote: > >> > > > >> > > > gpg: Signature made Tue 03 Apr 2018 12:53:16 PM MST > >> > > > gpg: using RSA key EA53A99854EAB0E6 > >> > > > gpg: Good signature from "Stephen Mallette <[email protected] > >" > >> > > > [unknown] > >> > > > gpg: WARNING: This key is not certified with a trusted signature! > >> > > > gpg: There is no indication that the signature belongs to > >> the > >> > > > owner. > >> > > > Primary key fingerprint: 0871 A360 AAB5 FD42 2516 E2FB EA53 A998 > >> 54EA > >> > > B0E6 > >> > > > > >> > > > The [unkown] suffix is what breaks the check. > >> > > > > >> > > > If you haven't changed anything in the way you're signing the > >> > artifacts, > >> > > we > >> > > > can probably just ignore the suffix. > >> > > > > >> > > > > >> > > > > >> > > > On Wed, Apr 4, 2018 at 1:39 PM, Daniel Kuppitz <[email protected]> > >> > wrote: > >> > > > > >> > > > > The PGP signature check fails for me. > >> > > > > > >> > > > > daniel@cube /projects/apache/tinkerpop (tp33) $ > >> > > > > bin/validate-distribution.sh 3.3.2 > >> > > > > > >> > > > > Validating binary distributions > >> > > > > > >> > > > > * downloading Apache TinkerPop Gremlin > (apache-tinkerpop-gremlin- > >> > > > console-3.3.2-bin.zip)... > >> > > > > OK > >> > > > > * validating signatures and checksums ... > >> > > > > * PGP signature ... failed > >> > > > > > >> > > > > daniel@cube /projects/apache/tinkerpop (tp33) $ pushd /tmp > >> > > > > /tmp /projects/apache/tinkerpop > >> > > > > daniel@cube /tmp $ wget https://dist.apache.org/repos/ > >> > > > > dist/dev/tinkerpop/KEYS > >> > > > > --2018-04-04 13:36:03-- https://dist.apache.org/repos/ > >> > > > > dist/dev/tinkerpop/KEYS > >> > > > > Resolving dist.apache.org (dist.apache.org)... 209.188.14.144 > >> > > > > Connecting to dist.apache.org (dist.apache.org)|209.188.14. > >> > 144|:443... > >> > > > > connected. > >> > > > > HTTP request sent, awaiting response... 200 OK > >> > > > > Length: 13788 (13K) [text/plain] > >> > > > > Saving to: ‘KEYS’ > >> > > > > > >> > > > > KEYS > >> > > > > 100%[====================================================== > >> > > > > ==========================================================>] > >> 13.46K > >> > > > > --.-KB/s in 0s > >> > > > > > >> > > > > 2018-04-04 13:36:03 (98.0 MB/s) - ‘KEYS’ saved [13788/13788] > >> > > > > > >> > > > > daniel@cube /tmp $ gpg --import KEYS > >> > > > > gpg: key 59028A48CB97E87B: "Marko Rodriguez <[email protected]>" > >> not > >> > > > > changed > >> > > > > gpg: key EA53A99854EAB0E6: "Stephen Mallette < > >> [email protected] > >> > >" > >> > > > not > >> > > > > changed > >> > > > > gpg: key A39CC3ADAEAEF36E: "Theodore Ratte Wilmes (CODE SIGNING > >> KEY) > >> > < > >> > > > > [email protected]>" not changed > >> > > > > gpg: key 66B85FF141802BA8: "Jason Plurad (CODE SIGNING KEY) < > >> > > > > [email protected]>" not changed > >> > > > > gpg: Total number processed: 4 > >> > > > > gpg: unchanged: 4 > >> > > > > daniel@cube /tmp $ popd > >> > > > > /projects/apache/tinkerpop > >> > > > > daniel@cube /projects/apache/tinkerpop (tp33) $ > >> > > > > bin/validate-distribution.sh 3.3.2 > >> > > > > > >> > > > > Validating binary distributions > >> > > > > > >> > > > > * downloading Apache TinkerPop Gremlin > (apache-tinkerpop-gremlin- > >> > > > console-3.3.2-bin.zip)... > >> > > > > OK > >> > > > > * validating signatures and checksums ... > >> > > > > * PGP signature ... failed > >> > > > > > >> > > > > > >> > > > > > >> > > > > Cheers, > >> > > > > Daniel > >> > > > > > >> > > > > > >> > > > > On Tue, Apr 3, 2018 at 2:05 PM, Stephen Mallette < > >> > [email protected] > >> > > > > >> > > > > wrote: > >> > > > > > >> > > > >> Hello, > >> > > > >> > >> > > > >> We are happy to announce that TinkerPop 3.3.2 is ready for > >> release. > >> > > > >> > >> > > > >> The release artifacts can be found at this location: > >> > > > >> https://dist.apache.org/repos/ > dist/dev/tinkerpop/3.3.2/ > >> > > > >> > >> > > > >> The source distribution is provided by: > >> > > > >> apache-tinkerpop-3.3.2-src.zip > >> > > > >> > >> > > > >> Two binary distributions are provided for user convenience: > >> > > > >> apache-tinkerpop-gremlin-console-3.3.2-bin.zip > >> > > > >> apache-tinkerpop-gremlin-server-3.3.2-bin.zip > >> > > > >> > >> > > > >> The GPG key used to sign the release artifacts is available at: > >> > > > >> https://dist.apache.org/repos/dist/dev/tinkerpop/KEYS > >> > > > >> > >> > > > >> The online docs can be found here: > >> > > > >> http://tinkerpop.apache.org/docs/3.3.2/ (user docs) > >> > > > >> http://tinkerpop.apache.org/docs/3.3.2/upgrade/ > (upgrade > >> > > docs) > >> > > > >> http://tinkerpop.apache.org/javadocs/3.3.2/core/ (core > >> > > javadoc) > >> > > > >> http://tinkerpop.apache.org/javadocs/3.3.2/full/ (full > >> > > javadoc) > >> > > > >> > >> > > > >> The tag in Apache Git can be found here: > >> > > > >> > >> > > > >> https://git-wip-us.apache.org/repos/asf?p=tinkerpop.git;a=ta > >> > > > >> g;h=5938d84a350e048357e3b40f335a0ed161180cc3 > >> > > > >> > >> > > > >> The release notes are available here (i linked to the branch - > >> > github > >> > > > >> hasn't sync'd the tag yet for some reason - not sure what the > >> delay > >> > is > >> > > > >> with > >> > > > >> Apache infra): > >> > > > >> > >> > > > >> https://github.com/apache/tinkerpop/blob/tp33/CHANGELOG.asci > >> > > > >> idoc#release-3-3-2 > >> > > > >> > >> > > > >> The [VOTE] will be open for the next 72 hours --- closing > Friday, > >> > > April > >> > > > 6, > >> > > > >> 2018 at 5:00pm EST. > >> > > > >> > >> > > > >> My vote is +1. > >> > > > >> > >> > > > >> Thank you very much, > >> > > > >> Stephen > >> > > > >> > >> > > > > > >> > > > > > >> > > > > >> > > > >> > > >> > > > > >
