Source Release is the focus of Apache's attention and is required content for a release; Binary Release is optional. Please refer to the following link for more ASF release guidelines:
Preparation mainly includes setting up the signing tool GnuPG and Maven repository authentication.
Download the binary installation package (GnuPG binary releases) from the GnuPG official website. The commands of GnuPG 1.x and 2.x differ slightly. The following description uses GnuPG 2.x as the example.
$ gpg --version #Check the version, it should be 2.x
Generate the key by following the prompts.
Note: use your Apache email address when generating the GPG key.
$ gpg --full-gen-key
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: ${please enter the username}
Email address: ${enter the email address}
Comment: CODE SIGNING KEY
You selected this USER-ID:
    "${username} (CODE SIGNING KEY) <${email address}>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key. # enter the password for protecting your secret key
$ gpg --list-keys
pub   rsa4096/579C25F5 2021-04-26 # 579C25F5 is key id
uid           [ultimate] ${username} <${email address}>
sub   rsa4096 2021-04-26
# upload the public key to keyserver with key id
# Currently available in China: pgp.mit.edu, keyserver.ubuntu.com
$ gpg --keyserver keyserver.ubuntu.com --send-key 579C25F5
# keyserver.ubuntu.com is the corresponding keyserver. The keyserver list is: https://sks-keyservers.net/status/, which are automatically synchronized with each other, and you can choose any one.
$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 579C25F5 # Verify whether it is synchronized to the public network. If the network is not good, you may need to try a few more times
**Note: If there are multiple public keys, set the default key.** Modify ~/.gnupg/gpg.conf
# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.
default-key 28681CB1
If there are multiple public keys, useless keys can also be deleted:
$ gpg --delete-secret-keys 29BBC3CB # first delete the private key and specify the key id
gpg (GnuPG) 2.2.27; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec  rsa4096/EE8DAE7D29BBC3CB 2021-04-27 mikexue <mikexue@apache.org>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
$ gpg --delete-keys 29BBC3CB # delete the public key, specify the key id
gpg (GnuPG) 2.2.27; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub  rsa4096/EE8DAE7D29BBC3CB 2021-04-27 mikexue <mikexue@apache.org>
Delete this key from the keyring? (y/N) y
Since the public key server has no checking mechanism, anyone can upload the public key in your name, so there is no way to guarantee the reliability of the public key on the server. Usually, you can publish a public key fingerprint on the website, so that others can check whether the downloaded public key is genuine.
# use the --fingerprint parameter to print the public key fingerprint:
$ gpg --fingerprint mikexue
pub   rsa4096 2021-04-26 [SCA]
      F84A 0041 D70B 37AF 9C7B F0B3 39F4 29D7 579C 25F5
uid           [ultimate] mikexue <mikexue@apache.org>
sub   rsa4096 2021-04-26 [E]
Log in to https://id.apache.org and paste the above fingerprint (i.e. F84A 0041 D70B 37AF 9C7B F0B3 39F4 29D7 579C 25F5) into the OpenPGP Public Key Primary Fingerprint field of your user information.
Note: EventMesh is built using Gradle, and gradle-related configuration needs to be modified
$ gpg --export-secret-keys -o secring.gpg #keep the exported private key file safe; it is required for later configuration
Pull a new branch from the master branch as the release branch. If you want to release version ${release_version} now, pull the new branch ${release_version}-prepare from the master branch. All file modifications and tagging for the ${release_version} Release Candidates are carried out on the ${release_version}-prepare branch, which is merged into the main branch after the final release is completed.
Update the following files of the official website project and submit them to the master branch:
https://github.com/apache/eventmesh-site/tree/master/events/release-notes
group=org.apache.eventmesh
version=1.2.0-release
#the last 8 digits of the 40-digit public key
signing.keyId=579C25F5
#the passphrase filled in when generating the key
signing.password=
#the path of the exported private key file secring.gpg, absolute path, such as /home/root/secring.gpg
signing.secretKeyRingFile=/home/root/secring.gpg
#apache account
apacheUserName=
#apache password
apachePassWord=
#sign switch
signEnabled=true
group=org.apache.eventmesh
version=${release_version}
publishing {
    publications {
        mavenJava(MavenPublication) {
            from components.java
            artifact packageSources
            artifact packageJavadoc
            versionMapping {
                usage('java-api') {
                    fromResolutionOf('runtimeClasspath')
                }
                usage('java-runtime') {
                    fromResolutionResult()
                }
            }
            pom {
                name = 'EventMesh'
                description = 'Apache EventMesh'
                url = 'https://github.com/apache/eventmesh'
                licenses {
                    license {
                        name = 'The Apache License, Version 2.0'
                        url = 'http://www.apache.org/licenses/LICENSE-2.0.txt'
                    }
                }
                developers {
                    developer {
                        id = 'Apache EventMesh'
                        name = 'Apache EventMesh of ASF'
                        url = 'https://eventmesh.apache.org/'
                    }
                }
                scm {
                    connection = 'scm:git:git@github.com:apache/eventmesh.git'
                    developerConnection = 'scm:git:git@github.com:apache/eventmesh.git'
                    url = 'https://github.com/apache/eventmesh'
                }
            }
        }
    }
    repositories {
        maven {
            def releasesRepoUrl = 'https://repository.apache.org/service/local/staging/deploy/maven2/'
            def snapshotsRepoUrl = 'https://repository.apache.org/content/repositories/snapshots/'
            url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl
            credentials {
                username apacheUserName
                password apachePassWord
            }
        }
    }
}
signing {
    sign publishing.publications.mavenJava
}
Execute the following command; files such as the jar, source package, doc and pom need to be signed and encrypted.
$ gradle signMavenJavaPublication publish
After the above command is executed successfully, the version to be released will be automatically uploaded to Apache's staging repository. All artifacts that are deployed to the remote Maven repository will be in the staging state. Visit https://repository.apache.org/#stagingRepositories and log in with your Apache LDAP account. You will see the uploaded version, and the content of the Repository column is ${STAGING.REPOSITORY}. Click Close to tell Nexus that the build is complete; only then will the build be usable. If there is a problem with the electronic signature, Close will fail, and you can view the failure information through Activity.
$ svn checkout https://dist.apache.org/repos/dist/dev/eventmesh/ # the local directory is assumed to be ~/apache/eventmesh
Add the public key to the KEYS file and commit it to the SVN repository (a first-time release manager needs to do this; refer to the description in the KEYS file for the specific steps). The KEYS file is mainly for voters to import locally in order to verify the signatures.
Windows
$ gpg --list-sigs <your name> | out-file -append KEYS -encoding utf8
$ gpg --armor --export <your name> | out-file -append KEYS -encoding utf8
Mac OS/Linux
$ (gpg --list-sigs <your name> && gpg --armor --export <your name>) >> KEYS
$ cd ~/apache/eventmesh # eventmesh svn root path
$ mkdir ${release_version}-${rc_version}
Create a tag on the ${release_version}-prepare branch with the rc version, which is a pre-release version
$ git tag -a v${release_version}-${rc_version} -m "Tagging the ${release_version} first Release Candidate (Candidates start at zero)"
$ git push origin --tags
Check the naming format of the project source package, name the source code apache-eventmesh-${release_version}-src, and package it in tar.gz format
$ tar -czvf apache-eventmesh-${release_version}-source.tar.gz apache-eventmesh-${release_version}-src
Note: Make sure that there are no binary files in the source package, such as gradle-wrapper.jar, etc.
Package the binary release on the ${release_version}-prepare branch.
Note: The dist task depends on the generateDistLicense and generateDistNotice tasks, which will automatically generate LICENSE and NOTICE files under the tools/dist-license directory. The dist task itself will copy the contents from the tools/dist-license directory to the /dist directory.
$ ./gradlew clean dist && ./gradlew installPlugin
Check the compiled file naming, renaming the /dist directory to apache-eventmesh-${release_version}.
$ tar -czvf apache-eventmesh-${release_version}-bin.tar.gz apache-eventmesh-${release_version}
Compress the source package and the binary package, and copy the relevant compressed packages to the local SVN repository under /apache/eventmesh/${release_version}-${rc_version}.
Generate signature/sha512 files for source and binary packages
$ for i in *.tar.gz; do echo $i; gpg --print-md SHA512 $i > $i.sha512 ; done #compute sha512
$ for i in *.tar.gz; do echo $i; gpg --armor --output $i.asc --detach-sig $i ; done #compute signature
$ cd ~/apache/eventmesh # eventmesh svn root directory
$ svn status
$ svn commit -m 'prepare for ${release_version}-${rc_version}'
For a detailed check list, please refer to the official check list
Download the Release Candidates to be released to the local environment from the following address:
https://dist.apache.org/repos/dist/dev/eventmesh/${release_version}-${rc_version}/
Then start the verification process, which includes but is not limited to the following content and forms
Due to different operating systems, the check command may be different. For details, please refer to Official Verification Steps
Mac OS/Linux
$ shasum -a 512 apache-eventmesh-${release_version}-source.tar.gz #and compare the output with the contents of the apache-eventmesh-${release_version}-${rc_version}-source.tar.gz.sha512 file
$ shasum -a 512 apache-eventmesh-${release_version}-bin.tar.gz #and compare the output with the contents of the apache-eventmesh-${release_version}-${rc_version}-bin.tar.gz.sha512 file
Windows
$ certUtil -hashfile apache-eventmesh-${release_version}-source.tar.gz SHA512 #and compare the output with the contents of the apache-eventmesh-${release_version}-${rc_version}-source.tar.gz.sha512 file
$ certUtil -hashfile apache-eventmesh-${release_version}-bin.tar.gz SHA512 #and compare the output with the contents of the apache-eventmesh-${release_version}-${rc_version}-bin.tar.gz.sha512 file
First import the release manager's public key. Import KEYS from the svn repository to the local environment. (The release manager does not need to import again, the person who helps to do the verification needs to import, and the user name can be filled with the user name of the release manager)
$ curl https://dist.apache.org/repos/dist/dev/eventmesh/KEYS >> KEYS
$ gpg --import KEYS
$ gpg --edit-key "${release manager gpg name}"
> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu
Your decision? 5
> save
Then check the signature with the following command
$ gpg --verify apache-eventmesh-${release_version}-source.tar.gz.asc apache-eventmesh-${release_version}-source.tar.gz
$ gpg --verify apache-eventmesh-${release_version}-bin.tar.gz.asc apache-eventmesh-${release_version}-bin.tar.gz
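The checksum comparison and signature check above, combined into one script. This is an added example, not part of the EventMesh project: the function names are made up here, and it assumes the .sha512 file was written by `gpg --print-md SHA512` (as in the packaging step) or by shasum/sha512sum, and that the expected fingerprint was obtained separately from the release manager's published fingerprint.

```shell
#!/bin/sh
# Added example, not EventMesh project code. Function names are made up here.

# Reduce a checksum file to lowercase hex. Accepts the wrapped, upper-case
# "name: AAAAAAAA BBBBBBBB ..." layout written by `gpg --print-md SHA512`
# and the "<hex>  name" layout written by shasum/sha512sum.
normalize_digest() {
    if grep -q ':' "$1"; then
        # Drop the "name:" prefix first: the file name itself contains hex letters.
        sed '1s/^[^:]*://' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
    else
        awk 'NR == 1 { printf "%s", tolower($1) }' "$1"
    fi
}

# Return 0 if the artifact's SHA-512 equals the published one, 1 on mismatch,
# 2 if the .sha512 file does not hold exactly 128 hex digits.
check_sha512() {
    want=$(normalize_digest "$1.sha512")
    printf '%s' "$want" | grep -Eq '^[0-9a-f]{128}$' || return 2
    if command -v sha512sum >/dev/null 2>&1; then
        got=$(sha512sum "$1" | awk '{ print $1 }')
    else
        got=$(shasum -a 512 "$1" | awk '{ print $1 }')
    fi
    [ "$got" = "$want" ]
}

# Read `gpg --status-fd 1 --verify` output on stdin and print the primary key
# fingerprint of a good signature (last field of the VALIDSIG status line).
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Return 0 only if the detached signature is valid AND was made by the key
# whose 40-digit fingerprint (upper case, no spaces) is given as $2.
check_signature() {
    fpr=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | signer_fingerprint)
    [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

# Usage: sh verify-rc.sh <artifact.tar.gz> <expected fingerprint>
if [ "$#" -eq 2 ]; then
    check_sha512 "$1" && check_signature "$1" "$2" && echo "OK: $1"
fi
```

Comparing the signer's full fingerprint, rather than relying on the trust level set on an imported key, ties the result to the fingerprint the release manager published.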
Extract apache-eventmesh-${release_version}-source.tar.gz and perform the following checks:
LICENSE and NOTICE files.
NOTICE file is correct.
license-eye header check command of the skywalking-eyes tool for verification).
./gradlew build) (currently supporting JAVA 8/gradle 7.0/idea 2021.1.1 and above).
LICENSE and NOTICE files.
NOTICE file is correct.
license-eye header check command of the skywalking-eyes tool for verification).
checkDeniedLicense task, focusing on the compatibility of newly added license files under the tools/dist-license directory).
LICENSE file.
licenses directory (pay attention to the warning logs of the generateDistLicense task and supplement the license content of outdated artifacts).
NOTICE file, include these NOTICE files' content in EventMesh's NOTICE file.
EventMesh has graduated from incubation and only needs to be voted by the community
dev@eventmesh.apache.org
dev@eventmesh.apache.org. PMC needs to check the correctness of the version according to the document before voting. After at least 72 hours and counting 3 +1 PMC member votes, you can enter the next stage of voting.
dev@eventmesh.apache.org.
Title:
[VOTE] Release Apache EventMesh ${release_version} ${rc_version}
Content:
Hello EventMesh Community,

This is a call for vote to release Apache EventMesh version ${release_version}-${rc_version}.

Release notes:
https://github.com/apache/eventmesh/releases/tag/v${release_version}-${rc_version}

The release candidates:
https://dist.apache.org/repos/dist/dev/eventmesh/${release_version}-${rc_version}/

Maven artifacts are available in a staging repository at:
https://repository.apache.org/content/repositories/orgapacheeventmesh-{staging-id}

Git tag for the release:
https://github.com/apache/eventmesh/tree/v${release_version}-${rc_version}

Keys to verify the Release Candidate:
https://downloads.apache.org/eventmesh/KEYS

Hash for the release tag:
#hashCode of this release tag

GPG user ID:
${YOUR.GPG.USER.ID}

The vote will be open for at least 72 hours or until necessary number of votes are reached.

Please vote accordingly:

[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.
[ ] Checksums and PGP signatures are valid.
[ ] Source code distributions have correct names matching the current release.
[ ] LICENSE and NOTICE files are correct for each EventMesh repo.
[ ] All files have license headers if necessary.
[ ] No compiled archives bundled in source archive.

For a more detailed checklist, please refer to:
https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist

Thanks,
${Your EventMesh Release Manager}
Title:
[RESULT][VOTE] Release Apache EventMesh ${release_version} ${rc_version}
Content:
Hello Apache EventMesh PMC and Community,

The vote closes now as 72hr have passed. The vote PASSES with

xx (+1 binding) votes from the PMC members,
member one
member two
member three
...
xx (+1 non-binding) votes from the rest of the developer community,
and no further 0 or -1 votes.

The vote thread: {vote_mail_address}

Many thanks for all people helping us with the release procedure.

I will be working on publishing the artifacts soon.

Thank you for your support.
${Your EventMesh Release Manager}
Merge the changes of the ${release_version}-prepare branch to the master branch, delete the release branch after the merge is complete
$ git checkout master
$ git merge origin/${release_version}-prepare
$ git pull
$ git push origin master
$ git push --delete origin ${release_version}-prepare
$ git branch -d ${release_version}-prepare
Move source and binary packages from the svn dev directory to the release directory
$ svn mv https://dist.apache.org/repos/dist/dev/eventmesh/${release_version}-${rc_version} https://dist.apache.org/repos/dist/release/eventmesh/ -m "transfer packages for ${release_version}-${rc_version}" #Move source and binary packages
$ svn delete https://dist.apache.org/repos/dist/release/eventmesh/KEYS -m "delete KEYS" #Clear the KEYS in the original release directory
$ svn cp https://dist.apache.org/repos/dist/dev/eventmesh/KEYS https://dist.apache.org/repos/dist/release/eventmesh/ -m "transfer KEYS for ${release_version}-${rc_version}" #Copy dev directory KEYS to release directory
${release_version}-${rc_version} under dev has been removed
$ svn delete https://dist.apache.org/repos/dist/release/eventmesh/${last_release_version} -m "Delete ${last_release_version}"
Release button above, this process will perform a series of checks
It usually takes 24 hours for the repository to synchronize to other data sources
Tag the commit (on which the vote happened) with the release version without -${RELEASE_CANDIDATE}. For example, after a successful vote on v1.2-rc5, the hash will be tagged again with v1.2 only.
Click Edit on the ${release_version} version of the GitHub Releases page to edit the version number and version description, and click Publish release
After waiting and confirming that the new release version is synchronized to the Apache mirror, update the following page:
https://eventmesh.apache.org/download/
https://eventmesh.apache.org/zh/download/
Download links for GPG signature files and hash verification files should use this prefix: https://downloads.apache.org/eventmesh/
Note: The project download link should use https://www.apache.org/dyn/closer.lua instead of closer.cgi or mirrors.cgi
Please make sure that the Apache staging repository has been released successfully; this is usually the case 24 hours after that step.
Email to dev@eventmesh.apache.org and announce@apache.org
Title:
[ANNOUNCE] Apache EventMesh ${release_version} available
Content:
Hi all,

Apache EventMesh Team is glad to announce the new release of Apache EventMesh ${release_version}.

Apache EventMesh is a dynamic cloud-native eventing infrastructure used to decouple the application and backend middleware layer, which supports a wide range of use cases that encompass complex multi-cloud, widely distributed topologies using diverse technology stacks.

Download Links: https://eventmesh.apache.org/projects/eventmesh/download/

Release Notes: https://eventmesh.apache.org/events/release-notes/v${release_version}/

Website: https://eventmesh.apache.org/

EventMesh Resources:
- Issue: https://github.com/apache/eventmesh/issues
- Mailing list: dev@eventmesh.apache.org

Apache EventMesh Team