
ASF review guide

Jiacai Liu edited this page Jun 14, 2024 · 5 revisions

When we make an ASF-compliant release, there are constraints to follow; this guide lists methods to verify that a release candidate is valid.

Checksums and signatures

There are mainly 3 files in each release, for example:

apache-horaedb-incubating-rust-client-v2.0.0-src.tar.gz
apache-horaedb-incubating-rust-client-v2.0.0-src.tar.gz.asc
apache-horaedb-incubating-rust-client-v2.0.0-src.tar.gz.sha512

After downloading all files, use the following commands to check whether they are valid.

Note: In order for gpg to work, you need to import the release keys from https://downloads.apache.org/incubator/horaedb/KEYS

$ wget https://downloads.apache.org/incubator/horaedb/KEYS
$ gpg --import KEYS

$ sha512sum -c apache-horaedb-incubating-rust-client-v2.0.0-src.tar.gz.sha512
apache-horaedb-incubating-rust-client-v2.0.0-src.tar.gz: OK

$ gpg --verify apache-horaedb-incubating-rust-client-v2.0.0-src.tar.gz.asc 
gpg: Signature made Wed 12 Jun 2024 11:05:04 AM CST using RSA key ID 08A0BAB4
gpg: Good signature from "jiacai2050@apache.org"
gpg:                 aka "Jiacai Liu <hello@liujiacai.net>"
gpg:                 aka "Jiacai Liu <dev@liujiacai.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6F73 4AE4 297C 7F62 B605  4F91 D302 6E5C 08A0 BAB4

As you can see, gpg prints a warning because the key is not in your web of trust. You can look up the fingerprint at https://keys.openpgp.org/

If the fingerprint on that page matches what we see in the terminal, then we can be sure the signature was made by the right owner.

If you see other output (for example "BAD signature" or a different fingerprint), something may be wrong.
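The three steps above, wrapped into one script as an added example (not part of this wiki or the HoraeDB project): it runs the checksum and signature checks, then replaces the eyeball comparison with a strict check of the "Primary key fingerprint" line against a fingerprint you copied from keys.openpgp.org. It assumes `sha512sum` and `gpg` are on PATH and that the `.asc` and `.sha512` files sit next to the tarball; the expected fingerprint in the usage line is the one shown on this page.

```shell
#!/bin/sh
# Added example: automates the checksum, signature and fingerprint checks
# described above. Assumes GNU coreutils sha512sum and gpg on PATH.

# normalize_fpr FPR: strip spaces and lowercase, so the spaced form gpg prints
# ("6F73 4AE4 ...") compares equal to the compact form shown on key servers.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]'
}

# fingerprint_from_gpg_output: read `gpg --verify` output on stdin and print
# the normalized primary key fingerprint (empty if the line is missing).
fingerprint_from_gpg_output() {
    sed -n 's/^Primary key fingerprint: *//p' | head -n 1 \
        | tr -d ' ' | tr '[:upper:]' '[:lower:]'
}

# fingerprint_matches GPG_OUTPUT EXPECTED: exit 0 only when gpg reported a
# primary key fingerprint and it equals EXPECTED (space/case insensitive).
fingerprint_matches() {
    got=$(printf '%s\n' "$1" | fingerprint_from_gpg_output)
    want=$(normalize_fpr "$2")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_release TARBALL EXPECTED_FPR: checksum, signature, then fingerprint.
# Returns non-zero on the first failing step. Note that gpg exits 0 for a good
# signature from an uncertified key (the WARNING case above), which is why the
# explicit fingerprint comparison is needed.
verify_release() {
    tarball=$1
    expected=$2
    sha512sum -c "$tarball.sha512" || return 1
    # gpg writes "Good signature" and the fingerprint to stderr; capture both.
    out=$(gpg --verify "$tarball.asc" "$tarball" 2>&1) \
        || { printf '%s\n' "$out"; return 1; }
    printf '%s\n' "$out"
    fingerprint_matches "$out" "$expected" || {
        echo "fingerprint mismatch: not signed by the expected release key" >&2
        return 1
    }
}

# Usage (values from this page):
# verify_release apache-horaedb-incubating-rust-client-v2.0.0-src.tar.gz \
#     "6F73 4AE4 297C 7F62 B605 4F91 D302 6E5C 08A0 BAB4"
```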

No unexpected binary files

fd -t file --exclude target --exec file {} \; | grep -v ASCII | grep -v UTF-8

This will output the files whose `file` type is neither ASCII nor UTF-8 text, i.e. candidate binary files that should not be in a source release.

Note: fd is required for this check

All source files have ASF headers

hawkeye check

Note: hawkeye is required for this check
