On Fri, Nov 2, 2012 at 2:44 PM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> Chip Childers wrote on Fri, Nov 02, 2012 at 14:27:24 -0400:
>> On Fri, Nov 2, 2012 at 9:26 AM, Chip Childers <chip.child...@sungard.com>
>> wrote:
>> > Hi all,
>> >
>> > In reading the release policy section about the detached signature
>> > file and the voting process, there is a mention about allowing (at the
>> > RM's discretion) other PMC members (in a podling's case, PPMC members)
>> > to concatenate their own signature to the *.asc release artifacts as
>> > part of their +1 vote.
>> >
>> > As the RM for the (currently being voted on) CloudStack release, I
>> > have been provided with another PPMC member's detached signature.
>> >
>> > Can someone please confirm that, after validating that adding the
>> > signature to the asc file works, I'm allowed to use the new combined
>> > signature file as the final release artifact? Is there anything that
>> > I should be aware of when adding this second signature?
>> >
>
> In my experience, 'gpg --verify' sometimes verifies only the first
> signature in a file. Hence:
>
> [[[
> % cat ~/bin/gpg-verify-many
> #!/bin/sh
> # perl -pe 'open STDOUT, "| gpg --verify - subversion-1.7.0-rc1.tar.gz" if /BEGIN/' < *rc1*asc
>
> usage() {
>   echo "USAGE: $0 \$foo.tar.gz \$foo.tar.gz.asc"
>   echo "USAGE: $0 \$foo.tar.gz <\$foo.tar.gz.asc"
> }
>
> if [ $# -ge 2 ]; then
>   ascfile=""
> else
>   ascfile="$1.asc"
> fi
>
> perl -pe 'BEGIN { $target = shift } open STDOUT, "| gpg --verify - $target" if /BEGIN/' "$@" $ascfile
> ]]]
>
> I don't know if that's still the case in more recent versions of gpg.

It appears to function correctly now:

gpg --verify apache-cloudstack-4.0.0-incubating-src.tar.bz2.asc
gpg: Signature made Mon Oct 22 11:50:37 2012 EDT using RSA key ID A99A5D58
gpg: Good signature from "Chip Childers <chipchild...@apache.org>"
gpg: Signature made Wed Oct 24 10:08:47 2012 EDT using RSA key ID 6FE50F1C
gpg: Good signature from "David Nalley (Code signing key) <ke4...@apache.org>"

This is with version:

gpg (GnuPG/MacGPG2) 2.0.18 / libgcrypt 1.5.0

>
>> > Thanks for the support and advice.
>> >
>> > -chip
>>
>> Given the release policy [1] description of adding additional
>> signatures to the release, and testing locally to ensure that the
>> concatenated signature validates correctly, I will presume that this
>> is a normal practice and move forward.
>>
>
> It's normal practice. Every Subversion release does it.

Excellent. Thanks for the followup.

>> Thanks!
>>
>> -chip
>>
>> [1] http://www.apache.org/dev/release.html#what-must-every-release-contain
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> For additional commands, e-mail: general-h...@incubator.apache.org
>>
>
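As an added example (not code from the thread or from either project), here is a Python 3 version of the split-at-BEGIN approach in Daniel's script: it separates a concatenated .asc into its individual OpenPGP armored blocks, checks each block's armor CRC24 so a botched concatenation is caught before gpg is even invoked, and then hands each block to `gpg --verify` on stdin, one at a time. Stdlib only; the sample .asc at the bottom is constructed from arbitrary bytes and is not a real signature.

```python
"""Split a concatenated detached-signature (.asc) file into its OpenPGP armored
blocks, check each block's armor CRC24, and verify each block separately with gpg."""
import base64
import re
import subprocess

BLOCK_RE = re.compile(r"-----BEGIN PGP SIGNATURE-----\n.*?-----END PGP SIGNATURE-----", re.DOTALL)

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def split_armored_signatures(asc_text: str) -> list:
    """Every armored signature block in the file, in file order."""
    return BLOCK_RE.findall(asc_text)

def armor_crc_ok(block: str) -> bool:
    """True if the '=XXXX' line matches the base64 payload (catches corrupted armor)."""
    inner = block.splitlines()[1:-1]
    # Armor headers contain ':' and the separator line is blank; base64 lines have neither.
    payload = [line for line in inner if line.strip() and ":" not in line]
    if len(payload) < 2 or not payload[-1].startswith("="):
        return False
    sig_bytes = base64.b64decode("".join(payload[:-1]))
    stated = int.from_bytes(base64.b64decode(payload[-1][1:]), "big")
    return crc24(sig_bytes) == stated

def armor(sig_bytes: bytes) -> str:
    """Wrap arbitrary bytes in valid armor; used here only to build constructed samples."""
    b64 = base64.b64encode(sig_bytes).decode()
    crc = base64.b64encode(crc24(sig_bytes).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n%s\n=%s\n-----END PGP SIGNATURE-----\n" % (b64, crc)

def verify_each(asc_text: str, target: str) -> list:
    """One 'gpg --verify - <target>' run per block with the signature on stdin, as the
    thread's shell script does; returns a gpg exit status per block, None for bad armor."""
    statuses = []
    for block in split_armored_signatures(asc_text):
        status = None if not armor_crc_ok(block) else subprocess.run(
            ["gpg", "--verify", "-", target], input=block.encode(),
            capture_output=True).returncode
        statuses.append(status)
    return statuses

# Constructed sample: two "signatures" concatenated into one .asc, as an RM would do.
SAMPLE_ASC = armor(b"first signer") + armor(b"second signer")
```

An exit status of 0 from gpg means it reported a good signature for that block, so on a correctly concatenated file with N signers you expect N zeros; a None marks a block whose armor checksum is wrong and which gpg would reject anyway.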