Victor wrote:

I have followed these steps, step 2 and step 3 are OK. Step 1 (signature is not passing).

Ok! Victor, thank you for exercising your right to vote, and especially for showing your work! This is super useful. Looks like there are a couple things going wrong, one of which is because the validation steps are slightly different than the ones I used for the previous release. Sorry about that! You'll also need my PGP key. I'll explain.

*First*: The .sha512 files are in a different format. I wish gpg used the same format as the sha512sum tool, but anyway, that's why checksum verification is failing. So just make sure you're doing something more like this:

gpg --print-md SHA512 $src | diff - $src.sha512

*Second*: You'll need to import my public key for signature verification. It's in our KEYS file (which recently changed), so you can do:

keys=https://dist.apache.org/repos/dist/dev/fineract/KEYS
curl $keys | gpg --import

(That's OK to run and re-run.)

Or you can fetch & import my public key from a public key server using your favorite tool, e.g.:

gpg --receive-keys 0xA9A14F22F57DA182

(You may need to specify the key server as keyserver.ubuntu.com or keys.openpgp.org, I forget where all I uploaded it.)

If you still get errors or warnings during checksum or signature verification please let me know -- I'd like to improve my instructions for next time.

Also see this thread on key hygiene <https://lists.apache.org/thread/7wq9moshw1hfndycodfnzy8ndocpwoy7> ... ideally we build and maintain our web of trust directly with each other, especially whenever we gather. We have the tools, we have the talent! I'll host the keysigning party.

--
Adam Monsen
Software Engineer ~ Mifos Initiative
Apache Fineract Release Manager
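
The checksum-format mismatch described in the message above, as an added example that is not part of the original email or the Fineract project's tooling: a script that accepts a .sha512 file in either the `gpg --print-md` layout or the `sha512sum` layout and compares it with the artifact. It assumes GNU coreutils `sha512sum` is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check an artifact against a .sha512 file in either layout.
# Assumes GNU coreutils `sha512sum`; function names are hypothetical.
#   sha512sum layout:      <128 hex digits>  <filename>
#   gpg --print-md layout: <filename>: <spaced uppercase hex groups, wrapped>

# Read a checksum file on stdin, print its digest as lowercase hex.
normalize_digest() {
    tr -d '\r' | awk '
        NR == 1 && length($1) == 128 && $1 ~ /^[0-9A-Fa-f]+$/ {
            print tolower($1); found = 1; exit     # sha512sum layout
        }
        NR == 1 { sub(/^.*:/, "") }                # gpg: drop "filename:"
        { gsub(/[ \t]/, ""); hex = hex $0 }        # join wrapped hex groups
        END { if (!found) print tolower(hex) }
    '
}

# Return 0 on match, 1 on mismatch, 2 if an input is unreadable or unparseable.
verify_sha512() {
    artifact=$1
    sumfile=$2
    if [ ! -r "$artifact" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $artifact or $sumfile" >&2
        return 2
    fi
    expected=$(normalize_digest < "$sumfile") || return 2
    case $expected in
        ''|*[!0-9a-f]*) echo "unparseable checksum file: $sumfile" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "not a SHA-512 digest: $sumfile" >&2
        return 2
    fi
    actual=$(sha512sum < "$artifact" | awk '{ print $1 }') || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $artifact"
    else
        echo "MISMATCH: $artifact" >&2
        return 1
    fi
}

# Usage: sh verify-sha512.sh ARTIFACT CHECKSUM_FILE
if [ "$#" -eq 2 ]; then
    verify_sha512 "$1" "$2"
fi
```

This covers the checksum step only; signature verification against the imported KEYS file is a separate check.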
