From cbf172d0d5cc720edc6a1c66c49365edde715c48 Mon Sep 17 00:00:00 2001 From: LinkinStars Date: Wed, 20 Dec 2023 20:17:44 +0800 Subject: [PATCH] Fix release doc (#133) --- community/contributing/how-to-release.md | 43 +++++++++++++++++++++--- 1 file changed, 39 insertions(+), 4 deletions(-) diff --git a/community/contributing/how-to-release.md b/community/contributing/how-to-release.md index 15f939ec4d..e00d80863a 100644 --- a/community/contributing/how-to-release.md +++ b/community/contributing/how-to-release.md @@ -21,11 +21,43 @@ All Apache projects are required to follow the [Apache Release Policy](https://w 3. Sign the release artifacts. 4. Create the checksums for the release artifacts. +### Sign the release artifacts + +1. Create a GPG key if you don't have one. +2. Add the GPG key to the KEYS file. +3. Sign the release artifacts with the GPG key. + +```shell +# create a GPG key +$ gpg --full-generate-key + +# list the GPG keys +$ gpg --keyid-format SHORT --list-keys + +# upload the GPG key to the key server, xxx is the GPG key id +$ gpg --keyserver keyserver.ubuntu.com --send-key xxx + +# append the GPG key to the KEYS file the svn repository +# [IMPORTANT] Don't replace the KEYS file, just append the GPG key to the KEYS file. +$ svn co https://dist.apache.org/repos/dist/release/incubator/answer/ +$ (gpg --list-sigs xxx@apache.org && gpg --export --armor xxx@apache.org) >> KEYS +$ svn ci -m "add gpg key" + +# sign the release artifacts +$ for i in *.tar.gz; do echo $i; gpg --local-user xxxx --armor --output $i.asc --detach-sig $i ; done +``` + +### Create the checksums for the release artifacts + +```shell +# create the checksums +$ for i in *.tar.gz; do echo $i; sha512sum $i > $i.sha512 ; done +``` + ## Upload the release artifacts to the svn repository 1. Create a directory for the release artifacts in the svn repository. 2. Upload the release artifacts to the svn repository. -3. Upload the KEYS file to the svn repository. ## Verify the release artifacts 
@@ -42,16 +74,19 @@ Following is the basic check items for the release artifacts. ```shell # download KEYS -$ curl https://dist.apache.org/repos/dist/dev/incubator/answer/KEYS > KEYS +$ curl https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > KEYS -# import KEYS and trust the key +# import KEYS and trust the key, please replace the email address with the one you want to trust. $ gpg --import KEYS -$ gpg --edit-key joyqi@apache.org +$ gpg --edit-key linkinstar@apache.org gpg> trust gpg> 5 gpg> y gpg> quit +# enter the directory where the release artifacts are located +$ cd /path/to/release/artifacts + # verify the signature $ for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
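Review bot: in the `@@ -21,11 +21,43 @@` hunk, the KEYS append runs outside the checked-out working copy, because nothing changes directory between `svn co https://dist.apache.org/repos/dist/release/incubator/answer/` and `(gpg --list-sigs ... && gpg --export --armor ...) >> KEYS`. As written, the redirect creates or appends to a `KEYS` file in whatever directory the release manager happens to be in, and `svn ci -m "add gpg key"` has no working copy to commit from. Add a `cd answer` line after the checkout. Two smaller points in the same block: `gpg --keyid-format SHORT --list-keys` shows 32-bit key IDs, which are known to collide, so `--keyid-format LONG` or the full fingerprint is the safer value to pass to `--send-key` and `--local-user`; and the placeholder is `xxx` in three commands but `xxxx` in the signing loop, which reads as if it were a different value. The comment "append the GPG key to the KEYS file the svn repository" is also missing "in".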
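Review bot: in the `@@ -42,16 +74,19 @@` hunk, the trust step (`gpg --edit-key linkinstar@apache.org`, `trust`, `5`) assigns ultimate ownertrust to a key selected only by email address, and the new comment "please replace the email address with the one you want to trust" does not tell the verifier to check the key's fingerprint first. Every key in KEYS is imported by `gpg --import KEYS`, and a user ID is free text, so the email alone does not identify which key is being trusted. Suggest adding a step before `--edit-key` that prints the fingerprint (`gpg --fingerprint <email>`) and compares it with the one the release manager published in the vote thread, then selecting the key by that fingerprint. It would also help to say that the "Good signature" line from `gpg --verify $i.asc $i` should name the expected release manager's key, since the loop only echoes the file name. The `$i` expansions in that loop are unquoted; `"$i"` avoids surprises with unusual file names.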