<!doctype html>
<html class="no-js" lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Handling Release Artifact Integrity Errors at the ASF - Apache Infrastructure Website</title>
<link href="/css/bootstrap.min.css" rel="stylesheet">
<link href="/css/fontawesome.all.min.css" rel="stylesheet">
<link href="/css/headerlink.css" rel="stylesheet">
<script src="/highlight/highlight.min.js"></script> </head>
<body class="d-flex flex-column h-100">
<main class="flex-shrink-0">
<div>
<!-- page contents -->
<div id="contents">
<div class="bg-white p-5 rounded">
<div class="col-sm-8 mx-auto">
<h1>
Handling Release Artifact Integrity Errors at the ASF
</h1>
<p>This page helps you resolve <a href="https://infra.apache.org/release-distribution">release distribution policy</a> errors that our <a href="https://github.com/apache/infrastructure-download-integrity-checker">Download Integrity Checker</a> discovers.
Each reported error has an accompanying error code (<code>CHKxx</code>). Look the code up in the matrix below to find out how to resolve the issue:</p>
<table>
<thead>
<tr>
<th>Error Code</th>
<th>Error Description</th>
<th>How to Address the Issue</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>CHK01</code></td>
<td>Key used for signing artifact is missing from the <a href="https://infra.apache.org/release-signing.html#key-basics"><code>KEYS</code></a> file</td>
<td>Make sure the key that signed the release was expected. <br/>Update your <a href="https://infra.apache.org/release-signing.html#key-basics"><code>KEYS</code></a> file to include the key. Remember to move your updated <code>KEYS</code> file from <code>/dev/</code> to <code>/release/</code> on dist.apache.org when releasing with new keys.</td>
</tr>
<tr>
<td><code>CHK02</code></td>
<td>Weak or missing checksum file(s)</td>
<td><ul><li>If the release artifact has a valid signature, generate a <a href="https://infra.apache.org/release-signing.html#sha-checksum">conforming checksum</a> and add it. You can leave the old hash file.</li><li>Otherwise, see <code>CHK05</code>.</li></ul></td>
</tr>
<tr>
<td><code>CHK03</code></td>
<td>No <a href="https://infra.apache.org/release-signing.html#key-basics"><code>KEYS</code></a> file was found in the project's distribution directory</td>
<td>Make sure the project directory has at least one KEYS file containing all signing keys used for distribution. Projects may have more than one <a href="https://infra.apache.org/release-signing.html#key-basics"><code>KEYS</code></a> file (per-component, per-version, etc.) but they <em>MUST</em> be called <code>KEYS</code> and exist within the project's dist directory.</td>
</tr>
<tr>
<td><code>CHK04</code></td>
<td>The signature used for signing expired before signing the file</td>
<td><ul><li>It’s possible the expiry has been changed. Make sure the <a href="https://infra.apache.org/release-signing.html#key-basics"><code>KEYS</code></a> file is updated.</li><li>If the key has really expired, treat the file as if it has no signature (<code>CHK05</code>).</li></ul></td>
</tr>
<tr>
<td><code>CHK05</code></td>
<td>No (or invalid) signature found for the release artifact</td>
<td>Check: <ul><li>Is there a signature file for this artifact?<ul><li>If the signature is valid but has the wrong file name or extension, rename it to the appropriate <code>.asc</code> file name.</li><li>If the signature is invalid, see <a href="#invalid-sig">handling invalid or missing signatures</a>.</li></ul></li><li>If there is no signature file at all, see <a href="#invalid-sig">handling invalid or missing signatures</a>.</li></ul></td>
</tr>
<tr>
<td><code>CHK06</code></td>
<td>Checksum mismatch</td>
<td>Try to spot what the problem was (why are you generating the wrong checksum?): <ul><li>If the file has a valid signature (no <code>CHK04</code> or <code>CHK05</code> errors for this file), generate a <a href="https://infra.apache.org/release-signing.html#sha-checksum">conforming checksum</a>, add it, and remove the broken one.</li><li>Otherwise: treat as if <code>CHK05</code>.</li></ul></td>
</tr>
</tbody>
</table>
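<p>A local pre-flight check that a release manager could run over a staged dist directory before publishing, reporting findings under the matrix codes above. This is an added example, not code from the Download Integrity Checker: the function names are hypothetical, and treating SHA-256/SHA-512 as conforming and MD5/SHA-1 as weak is an assumption taken from the linked checksum guidance. Signature validity (<code>CHK01</code>, <code>CHK04</code>, and the invalid-signature case of <code>CHK05</code>) is not checked here because that requires GnuPG.</p>

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption (linked checksum guidance): SHA-256/SHA-512 conform, MD5/SHA-1 are weak.
STRONG = {".sha256": "sha256", ".sha512": "sha512"}
WEAK = (".md5", ".sha1")
SIDECARS = tuple(STRONG) + WEAK + (".asc",)

def read_digest(path, hex_len):
    """Parse 'HEX  file' (sha512sum style) or 'file: HEX HEX ...' (gpg --print-md)."""
    text = path.read_text().split(":", 1)[-1]
    return "".join(text.split())[:hex_len].lower()

def preflight(dist_dir):
    """Return (code, file, detail) findings for one staged dist directory."""
    root, findings = Path(dist_dir), []
    if not any(p.is_file() for p in root.rglob("KEYS")):
        findings.append(("CHK03", root.name, "no KEYS file"))
    for art in sorted(p for p in root.rglob("*") if p.is_file()):
        if art.name == "KEYS" or art.name.endswith(SIDECARS):
            continue
        if not Path(f"{art}.asc").is_file():  # presence only; validity needs gpg
            findings.append(("CHK05", art.name, "no .asc signature file"))
        strong = [e for e in STRONG if Path(f"{art}{e}").is_file()]
        if not strong:
            weak = [e for e in WEAK if Path(f"{art}{e}").is_file()]
            findings.append(("CHK02", art.name, f"only weak {weak}" if weak else "no checksum file"))
        for ext in strong:
            actual = hashlib.new(STRONG[ext], art.read_bytes()).hexdigest()
            if read_digest(Path(f"{art}{ext}"), len(actual)) != actual:
                findings.append(("CHK06", art.name, f"{art.name}{ext} does not match"))
    return findings

def demo():
    """Constructed sample tree: one clean artifact, one stale checksum, one MD5-only."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "KEYS").write_text("constructed placeholder\n")
        for name in ("good-1.0.tar.gz", "stale-1.0.tar.gz", "old-1.0.zip"):
            (d / name).write_bytes(name.encode())
            (d / f"{name}.asc").write_text("constructed placeholder\n")
        (d / "good-1.0.tar.gz.sha512").write_text(hashlib.sha512(b"good-1.0.tar.gz").hexdigest() + "\n")
        (d / "stale-1.0.tar.gz.sha256").write_text("0" * 64 + "  stale-1.0.tar.gz\n")
        (d / "old-1.0.zip.md5").write_text("d41d8cd98f00b204e9800998ecf8427e\n")
        return preflight(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

<p>A <code>CHK06</code> finding from this check on a file that also lacks a valid signature falls under the <code>CHK05</code> handling in the matrix, so confirm the signature with GnuPG before regenerating any checksum.</p>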
<h2><a id="invalid-sig">Handling invalid or missing signatures</a></h2>
<p>In case of an invalid or missing signature for a release artifact, the project MUST choose one of the following actions:</p>
<ul>
<li>Remove the artifact(s)</li>
<li>Re-assert that the artifact is valid, sign and upload the correct <code>.asc</code> signature file (and fix any missing/invalid checksum files)</li>
</ul>
<p>In either case, the project MUST inform the ASF Infrastructure and Security Team
at <code>private@infra.apache.org</code> and <code>security@apache.org</code> of their action, with clear evidence that the action
has been discussed and agreed upon (a link to a lists.apache.org thread will suffice).</p>
<p>If you have questions about the error reports, this page, or our release distribution policies in general,
feel free to reach out to us at <code>users@infra.apache.org</code>.</p>
</div>
</div>
</div>
<!-- footer -->
<div class="row">
<div class="large-12 medium-12 columns">
<p style="font-style: italic; font-size: 0.8rem; text-align: center;">
Copyright 2024, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
Apache&reg; and the Apache feather logo are trademarks of The Apache Software Foundation...
</p>
</div>
</div>
<script type="application/ecmascript" src="/js/bootstrap.bundle.min.js" integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3"></script> </div>
</main>
<script>hljs.initHighlightingOnLoad();</script>
</body>
</html>