Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add verification code to RC email

See original GitHub issue

The script that generates an RC and an email gives a suggested command to download the staging repo. If could also suggest a short script to verify sigs and hashes like the following.

for file in $(find . -type f -regex '.*\.\(pom\|jar\|gz\)'); do
  echo $file
  gpg --verify "$file".asc $file
  diff -Z "$file".md5 <(md5sum $file | cut -d ' ' -f 1)
  diff -Z "$file".sha1 <(sha1sum $file | cut -d ' ' -f 1)
done

Issue Analytics

State:
Created 7 years ago
Comments:6 (6 by maintainers)

Top GitHub Comments

1reaction

keith-turnercommented, Oct 24, 2016

Instead of putting this info in the email, we should have the email point to web page with information on how to download and verify the release.

0reactions

ctubbsiicommented, Jun 13, 2017

Here’s one that checks all files downloaded:

function checkFile {
  echo '='
  echo "$1"
  gpg2 --verify "$1".asc "$1"
  echo "$(cat "$1".md5) *$1" >> MD5SUM
  echo "$(cat "$1".sha1) *$1" >> SHA1SUM
}
export -f checkFile
rm MD5SUM SHA1SUM
find . -type f -not -name '*.asc' -not -name '*.md5' -not -name '*.sha1' -exec bash -c 'checkFile "$0"' {} \;
md5sum --quiet -c MD5SUM
sha1sum --quiet -c SHA1SUM

This assumes the download of the staging repo skipped webserver generated content, and maven repo content, as in:

    wget -erobots=off --no-verbose \
      --recursive --level inf --no-parent --no-host-directories \
      --reject 'index.html,maven-metadata.xml*,archetype-catalog.xml' \
      -P download \
      "$url"