...
If everything is correctly verified, you have to post the result on the vote thread while casting your vote.
Verification Script
You can use a convenient shell script to check the signatures, it takes the release managers apache index file URL as argument (e.g. http://people.apache.org/~edwardyoon/dist/0.6-RC3/).
No Format |
---|
#!/bin/bash
function check_return {
RETVAL=$?
[ $RETVAL -ne 0 ] && exit 1
}
function check_md5 {
real=`openssl md5 $1 | cut -d ' ' -f2`
expected=`cat $1.md5 | cut -d ' ' -f1`
if [ "$real" != "$expected" ]
then
echo "md5 sums mismatch" && exit 1
else
echo "md5 checksums OK"
fi
}
function check_sha1 {
real=`openssl sha1 $1 | cut -d ' ' -f2`
expected=`cat $1.sha1 | cut -d ' ' -f1`
if [ "$real" != "$expected" ]
then
echo "sha1 sums mismatch" && exit 1
else
echo "sha1 checksums OK"
fi
}
function import_keys {
wget -q http://hama.apache.org/files/KEYS
gpg --import KEYS
rm KEYS
}
if [ $# -ne 2 ]
then
echo "Usage: `basename $0` {people.apache.org index url of the release}"
exit 1
fi
import_keys
wget --convert-links -q -L -O out.html $1
cat out.html | grep -o -E 'href="([^"#]+).([gz|asc|md5|sha1|zip])"' | cut -d'"' -f2 | sort | uniq > links
mkdir release
while read lnk; do
echo "Downloading $lnk"
wget --directory-prefix=release $lnk
done < links
for filename in `find release/ -iregex ".*\(gz\|zip\)" -printf "%f\n"`
do
echo "checking release/$filename"
gpg --verify release/$filename.asc
check_return
check_md5 release/$filename
check_sha1 release/$filename
done;
rm out.html
rm links
|