Hi Paul,
Ha, I must of only tested with a download arg :o
Changes made and also added descriptions in the headers like Jonny included in
Geb versions.
PR submitted:
https://github.com/apache/groovy/pull/2414
Thanks for the assist!
Best regards,
Carl
On 3/26/26 4:59 AM, Paul King wrote:
Hi Carl,
The scripts were great (with some trivial glitches)!
I was trying to use them without the "optional download location". In
this scenario, it was trying to load keys from downloads/SVN_KEYS
after already doing a cd to downloads/src etc.
I moved the following fragments to above the cd in each script:
############
...
export GROOVY_GPG_HOME=$(mktemp -d)
cleanup() {
rm -rf "${GROOVY_GPG_HOME}"
}
trap cleanup EXIT
echo "Importing GPG key to independent GPG home ..."
gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
echo "✅ GPG Key Imported"
cd "${DOWNLOAD_LOCATION}/src"
...
############
Also, I had to do a "cd -" at the end of the gradle bootstrap section
in verify.sh to avoid a similar incorrect pwd issue.
I think these are good for inclusion. I note that currently they don't
appear in the source or sdk distributions. Maybe we can include them
there too but that can be done separately.
Did you want to re-test the scripts with the above changes using other
scenarios? If that works, a PR would be greatly appreciated.
Cheers, Paul.
On Thu, Feb 5, 2026 at 10:07 AM Carl Marcum<[email protected]> wrote:
For clarification this was for Groovy releases.
I will look at Geb after I finish the testcontainers work to see what could be
done there.
Best regards,
Carl
On 1/30/26 3:58 PM, Jonny wrote:
I missed the trick on using these during the last release cycle, Carl, but I'd
be open to the PR.
Best,
Jonny
On Tue, Jan 20, 2026 at 3:10 PM Carl Marcum<[email protected]> wrote:
Hi All,
While working on the release votes this weekend it made me think about
automating some of this like Apache Grails does.
So I borrowed some of that and got something working for our releases.
In general it will:
1. Download KEYS file from release directory.
2. Download artifacts (source, binary, docs, and sdk) including hashes and
sig files from /dist/dev or dist/release into sub-directories of the specified
download location.
3. Verify each artifact for signature and checksum.
4. Unpack each artifact and check for a LICENSE and NOTICE file. Source is
also checked for a README.
5. For the unpacked source it will bootstrap a gradle wrapper if needed and
run the rat task.
The scripts are in my project fork in the add-verify-scripts branch here [1].
Run from etc/bin with ./verify.sh ['dev' or 'release'] [semantic.version]
<download location>
'dev' or 'release' is used for the server location
underhttps://dist.apache.org/repos/dist/
Ex. ./verify.sh release 5.0.4 ~/temp/groovy-5.0.4-verify
Download location will be created.
Since the votes are over you can test on 'release'.
There is more work that can be done in this area but it's a start.
If you would like to include them I can create a PR.
[1]https://github.com/cbmarcum/groovy/tree/add-verify-scripts/etc/bin
Best regards,
Carl
