| (window.webpackJsonp=window.webpackJsonp||[]).push([[51],{118:function(e,t,a){"use strict";a.r(t),a.d(t,"frontMatter",(function(){return c})),a.d(t,"metadata",(function(){return o})),a.d(t,"toc",(function(){return s})),a.d(t,"default",(function(){return u}));var n=a(3),r=a(7),i=(a(0),a(194)),c={title:"How to Verify"},o={unversionedId:"devDocs/HowToVerify",id:"devDocs/HowToVerify",isDocsHomePage:!1,title:"How to Verify",description:"\x3c!--",source:"@site/docs/devDocs/HowToVerify.md",slug:"/devDocs/HowToVerify",permalink:"/docs/next/devDocs/HowToVerify",editUrl:"https://github.com/apache/submarine/edit/master/website/docs/devDocs/HowToVerify.md",version:"current",sidebar:"docs",previous:{title:"How to Release",permalink:"/docs/next/devDocs/HowToRelease"},next:{title:"Apache Submarine Community",permalink:"/docs/next/community/README"}},s=[{value:"Verification of the release candidate",id:"verification-of-the-release-candidate",children:[]},{value:"1. Download the candidate version to be released to the local environment",id:"1-download-the-candidate-version-to-be-released-to-the-local-environment",children:[]},{value:"2. Verify whether the uploaded version is compliant",id:"2-verify-whether-the-uploaded-version-is-compliant",children:[{value:"2.1 Check if the release package is complete",id:"21-check-if-the-release-package-is-complete",children:[]},{value:"2.2 Check gpg signature",id:"22-check-gpg-signature",children:[]},{value:"2.3 Check sha512 hash",id:"23-check-sha512-hash",children:[]},{value:"2.4. Check the file content of the source package.",id:"24-check-the-file-content-of-the-source-package",children:[]},{value:"2.5 Check the binary package (if the binary package is uploaded)",id:"25-check-the-binary-package-if-the-binary-package-is-uploaded",children:[]}]}],l={toc:s};function u(e){var t=e.components,a=Object(r.a)(e,["components"]);return Object(i.b)("wrapper",Object(n.a)({},l,a,{components:t,mdxType:"MDXLayout"}),Object(i.b)("h3",{id:"verification-of-the-release-candidate"},"Verification of the release candidate"),Object(i.b)("h2",{id:"1-download-the-candidate-version-to-be-released-to-the-local-environment"},"1. Download the candidate version to be released to the local environment"),Object(i.b)("pre",null,Object(i.b)("code",{parentName:"pre",className:"language-shell"},"svn co https://dist.apache.org/repos/dist/dev/submarine/${release_version}-${rc_version}/\n")),Object(i.b)("h2",{id:"2-verify-whether-the-uploaded-version-is-compliant"},"2. Verify whether the uploaded version is compliant"),Object(i.b)("blockquote",null,Object(i.b)("p",{parentName:"blockquote"},"Begin the verification process, which includes but is not limited to the following content and forms.")),Object(i.b)("h3",{id:"21-check-if-the-release-package-is-complete"},"2.1 Check if the release package is complete"),Object(i.b)("blockquote",null,Object(i.b)("p",{parentName:"blockquote"},"The package uploaded to dist must include the source code package, and the binary package is optional.")),Object(i.b)("ol",null,Object(i.b)("li",{parentName:"ol"},"Whether it includes the source code package."),Object(i.b)("li",{parentName:"ol"},"Whether it includes the signature of the source code package."),Object(i.b)("li",{parentName:"ol"},"Whether it includes the sha512 of the source code package."),Object(i.b)("li",{parentName:"ol"},"If the binary package is uploaded, also check the contents listed in (2)-(4).")),Object(i.b)("h3",{id:"22-check-gpg-signature"},"2.2 Check gpg signature"),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},"Import the public key")),Object(i.b)("pre",null,Object(i.b)("code",{parentName:"pre",className:"language-shell"},"curl https://dist.apache.org/repos/dist/dev/submarine/KEYS > KEYS # Download KEYS\ngpg --import KEYS # Import KEYS to local\n")),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},"Trust the public key",Object(i.b)("blockquote",{parentName:"li"},Object(i.b)("p",{parentName:"blockquote"},"Trust the KEY used in this version.")))),Object(i.b)("pre",null,Object(i.b)("code",{parentName:"pre"}," gpg --edit-key xxxxxxxxxx # The KEY used in this version\n gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc.\n This is free software: you are free to change and redistribute it.\n There is NO WARRANTY, to the extent permitted by law.\n\n Secret key is available.\n\n sec rsa4096/5EF3A66D57EC647A\n created: 2020-05-19 expires: never usage: SC\n trust: ultimate validity: ultimate\n ssb rsa4096/17628566FEED6AF7\n created: 2020-05-19 expires: never usage: E\n [ultimate] (1). XXX YYYZZZ <yourAccount@apache.org>\n\n gpg> trust\n sec rsa4096/5EF3A66D57EC647A\n created: 2020-05-19 expires: never usage: SC\n trust: ultimate validity: ultimate\n ssb rsa4096/17628566FEED6AF7\n created: 2020-05-19 expires: never usage: E\n [ultimate] (1). XXX YYYZZZ <yourAccount@apache.org>\n\n Please decide how far you trust this user to correctly verify other users' keys\n (by looking at passports, checking fingerprints from different sources, etc.)\n\n 1 = I don't know or won't say\n 2 = I do NOT trust\n 3 = I trust marginally\n 4 = I trust fully\n 5 = I trust ultimately\n m = back to the main menu\n\n Your decision? 5 #choose 5\n Do you really want to set this key to ultimate trust? (y/N) y # choose y\n\n sec rsa4096/5EF3A66D57EC647A\n created: 2020-05-19 expires: never usage: SC\n trust: ultimate validity: ultimate\n ssb rsa4096/17628566FEED6AF7\n created: 2020-05-19 expires: never usage: E\n [ultimate] (1). XXX YYYZZZ <yourAccount@apache.org>\n\n gpg>\n\n sec rsa4096/5EF3A66D57EC647A\n created: 2020-05-19 expires: never usage: SC\n trust: ultimate validity: ultimate\n ssb rsa4096/17628566FEED6AF7\n created: 2020-05-19 expires: never usage: E\n [ultimate] (1). XXX YYYZZZ <yourAccount@apache.org>\n")),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},"Use the following command to check the signature.")),Object(i.b)("pre",null,Object(i.b)("code",{parentName:"pre",className:"language-shell"},"for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done\n#Or\ngpg --verify apache-submarine-${release_version}-src.tar.gz.asc apache-submarine-${release_version}-src.tar.gz\n# If you upload a binary package, you also need to check whether the signature of the binary package is correct.\ngpg --verify apache-submarine-server-${release_version}-bin.tar.gz.asc apache-submarine-server-${release_version}-bin.tar.gz\ngpg --verify apache-submarine-client-${release_version}-bin.tar.gz.asc apache-submarine-client-${release_version}-bin.tar.gz\n")),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},"Check the result",Object(i.b)("blockquote",{parentName:"li"},Object(i.b)("p",{parentName:"blockquote"},"If something like the following appears, it means that the signature is correct. The keyword\uff1a",Object(i.b)("strong",{parentName:"p"},Object(i.b)("inlineCode",{parentName:"strong"},"Good signature")))))),Object(i.b)("pre",null,Object(i.b)("code",{parentName:"pre",className:"language-shell"},'apache-submarine-${release_version}-src.tar.gz\ngpg: Signature made Sat May 30 11:45:01 2020 CST\ngpg: using RSA key 9B12C2228BDFF4F4CFE849445EF3A66D57EC647A\ngpg: Good signature from "XXX YYYZZZ <yourAccount@apache.org>" [ultimate]gular2\n')),Object(i.b)("h3",{id:"23-check-sha512-hash"},"2.3 Check sha512 hash"),Object(i.b)("blockquote",null,Object(i.b)("p",{parentName:"blockquote"},"After calculating the sha512 hash locally, verify whether it is consistent with the one on dist.")),Object(i.b)("pre",null,Object(i.b)("code",{parentName:"pre",className:"language-shell"},"for i in *.tar.gz; do echo $i; gpg --print-md SHA512 $i; done\n#Or\ngpg --print-md SHA512 apache-submarine-${release_version}-src.tar.gz\n# If you upload a binary package, you also need to check the sha512 hash of the binary package.\ngpg --print-md SHA512 apache-submarine-server-${release_version}-bin.tar.gz\ngpg --print-md SHA512 apache-submarine-client-${release_version}-bin.tar.gz\n# \u6216\u8005\nfor i in *.tar.gz.sha512; do echo $i; sha512sum -c $i; done\n")),Object(i.b)("h3",{id:"24-check-the-file-content-of-the-source-package"},"2.4. Check the file content of the source package."),Object(i.b)("p",null,"Unzip ",Object(i.b)("inlineCode",{parentName:"p"},"apache-submarine-${release_version}-src.tar.gz")," and check as follows:"),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},"Whether the DISCLAIMER file exists and whether the content is correct."),Object(i.b)("li",{parentName:"ul"},"Whether the LICENSE and NOTICE file exists and whether the content is correct."),Object(i.b)("li",{parentName:"ul"},"Whether all files have ASF License header."),Object(i.b)("li",{parentName:"ul"},"Whether the source code can be compiled normally."),Object(i.b)("li",{parentName:"ul"},"Whether the single test is passed."),Object(i.b)("li",{parentName:"ul"},"....")),Object(i.b)("h3",{id:"25-check-the-binary-package-if-the-binary-package-is-uploaded"},"2.5 Check the binary package (if the binary package is uploaded)"),Object(i.b)("p",null,"Unzip ",Object(i.b)("inlineCode",{parentName:"p"},"apache-submarine-client-${release_version}-src.tar.gz")," and ",Object(i.b)("inlineCode",{parentName:"p"}," apache-submarine-server-${release_version}-src.tar.gz"),", then check as follows:"),Object(i.b)("ul",null,Object(i.b)("li",{parentName:"ul"},"Whether the DISCLAIMER file exists and whether the content is correct."),Object(i.b)("li",{parentName:"ul"},"Whether the LICENSE and the NOTICE file exists and whether the content is correct."),Object(i.b)("li",{parentName:"ul"},"Whether the deployment is successful."),Object(i.b)("li",{parentName:"ul"},"Deploy a test environment to verify whether production and consumption can run normally."),Object(i.b)("li",{parentName:"ul"},"Verify what you think might go wrong.")))}u.isMDXComponent=!0},194:function(e,t,a){"use strict";a.d(t,"a",(function(){return h})),a.d(t,"b",(function(){return d}));var n=a(0),r=a.n(n);function i(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function c(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),a.push.apply(a,n)}return a}function o(e){for(var t=1;t<arguments.length;t++){var a=null!=arguments[t]?arguments[t]:{};t%2?c(Object(a),!0).forEach((function(t){i(e,t,a[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(a)):c(Object(a)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(a,t))}))}return e}function s(e,t){if(null==e)return{};var a,n,r=function(e,t){if(null==e)return{};var a,n,r={},i=Object.keys(e);for(n=0;n<i.length;n++)a=i[n],t.indexOf(a)>=0||(r[a]=e[a]);return r}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(n=0;n<i.length;n++)a=i[n],t.indexOf(a)>=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(r[a]=e[a])}return r}var l=r.a.createContext({}),u=function(e){var t=r.a.useContext(l),a=t;return e&&(a="function"==typeof e?e(t):o(o({},t),e)),a},h=function(e){var t=u(e.components);return r.a.createElement(l.Provider,{value:t},e.children)},p={inlineCode:"code",wrapper:function(e){var t=e.children;return r.a.createElement(r.a.Fragment,{},t)}},b=r.a.forwardRef((function(e,t){var a=e.components,n=e.mdxType,i=e.originalType,c=e.parentName,l=s(e,["components","mdxType","originalType","parentName"]),h=u(a),b=n,d=h["".concat(c,".").concat(b)]||h[b]||p[b]||i;return a?r.a.createElement(d,o(o({ref:t},l),{},{components:a})):r.a.createElement(d,o({ref:t},l))}));function d(e,t){var a=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var i=a.length,c=new Array(i);c[0]=b;var o={};for(var s in t)hasOwnProperty.call(t,s)&&(o[s]=t[s]);o.originalType=e,o.mdxType="string"==typeof e?e:n,c[1]=o;for(var l=2;l<i;l++)c[l]=a[l];return r.a.createElement.apply(null,c)}return r.a.createElement.apply(null,a)}b.displayName="MDXCreateElement"}}]); |