-
Notifications
You must be signed in to change notification settings - Fork 45
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
88f61ae
commit cbf172d
Showing
1 changed file
with
39 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -21,11 +21,43 @@ All Apache projects are required to follow the [Apache Release Policy](https://w | |
| 3. Sign the release artifacts. | ||
| 4. Create the checksums for the release artifacts. | ||
|
|
||
| ### Sign the release artifacts | ||
|
|
||
| 1. Create a GPG key if you don't have one. | ||
| 2. Add the GPG key to the KEYS file. | ||
| 3. Sign the release artifacts with the GPG key. | ||
|
|
||
| ```shell | ||
| # create a GPG key | ||
| $ gpg --full-generate-key | ||
|
|
||
| # list the GPG keys | ||
| $ gpg --keyid-format SHORT --list-keys | ||
|
|
||
| # upload the GPG key to the key server, xxx is the GPG key id | ||
| $ gpg --keyserver keyserver.ubuntu.com --send-key xxx | ||
|
|
||
| # append the GPG key to the KEYS file the svn repository | ||
| # [IMPORTANT] Don't replace the KEYS file, just append the GPG key to the KEYS file. | ||
| $ svn co https://dist.apache.org/repos/dist/release/incubator/answer/ | ||
| $ (gpg --list-sigs [email protected] && gpg --export --armor [email protected]) >> KEYS | ||
| $ svn ci -m "add gpg key" | ||
|
|
||
| # sign the release artifacts | ||
| $ for i in *.tar.gz; do echo $i; gpg --local-user xxxx --armor --output $i.asc --detach-sig $i ; done | ||
| ``` | ||
|
|
||
| ### Create the checksums for the release artifacts | ||
|
|
||
| ```shell | ||
| # create the checksums | ||
| $ for i in *.tar.gz; do echo $i; sha512sum $i > $i.sha512 ; done | ||
| ``` | ||
|
|
||
| ## Upload the release artifacts to the svn repository | ||
|
|
||
| 1. Create a directory for the release artifacts in the svn repository. | ||
| 2. Upload the release artifacts to the svn repository. | ||
| 3. Upload the KEYS file to the svn repository. | ||
|
|
||
| ## Verify the release artifacts | ||
|
|
||
|
|
@@ -42,16 +74,19 @@ Following is the basic check items for the release artifacts. | |
|
|
||
| ```shell | ||
| # download KEYS | ||
| $ curl https://dist.apache.org/repos/dist/dev/incubator/answer/KEYS > KEYS | ||
| $ curl https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > KEYS | ||
|
|
||
| # import KEYS and trust the key | ||
| # import KEYS and trust the key, please replace the email address with the one you want to trust. | ||
| $ gpg --import KEYS | ||
| $ gpg --edit-key joyqi@apache.org | ||
| $ gpg --edit-key linkinstar@apache.org | ||
| gpg> trust | ||
| gpg> 5 | ||
| gpg> y | ||
| gpg> quit | ||
|
|
||
| # enter the directory where the release artifacts are located | ||
| $ cd /path/to/release/artifacts | ||
|
|
||
| # verify the signature | ||
| $ for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done | ||
|
|
||
|
|
||