Validate 4.16.1.0 source code tarball

  1. Perform the following to verify the artifacts:

    1. (optional) Install GPG if needed:

      $ sudo apt-get install gpg
      
    2. Import the GPG keys stored in the source distribution’s KEYS file:

      $ gpg --import KEYS
      

      Alternatively, download the signing keys individually from a keyserver, using the key IDs found in the KEYS file.

      For example:

      $ gpg --recv-keys CC56CEA8
      
    3. Verify signatures and hash files:

      $ gpg --verify apache-cloudstack-4.16.1.0-src.tar.bz2.asc
      $ gpg --print-md MD5 apache-cloudstack-4.16.1.0-src.tar.bz2 | diff - apache-cloudstack-4.16.1.0-src.tar.bz2.md5
      $ gpg --print-md SHA512 apache-cloudstack-4.16.1.0-src.tar.bz2 | diff - apache-cloudstack-4.16.1.0-src.tar.bz2.sha
      

      The gpg --verify command should report a good signature made with one of the imported keys. Each of the two diff commands should return no output. Any output from them implies that there is a difference between the hash you generated locally and the hash that has been pulled from the server.

    4. Get the commit hash from the VOTE email.

      For example: 1b8a532ba52127f388847690df70e65c6b46f4d4. The value changes between releases.

    5. Create two new temporary directories:

      $ mkdir -p /tmp/cloudstack/git
      $ mkdir -p /tmp/cloudstack/tree
      
    6. Check out the 4.16.1.0 branch, replacing <commit-hash> with the hash from the VOTE email:

      $ git clone https://git-wip-us.apache.org/repos/asf/cloudstack.git /tmp/cloudstack/git
      $ cd /tmp/cloudstack/git
      $ git archive --format=tar --prefix=/tmp/cloudstack/tree/ <commit-hash> | tar Pxf -
      
    7. Unpack the release artifact:

      $ cd /tmp/cloudstack
      $ tar xvfj apache-cloudstack-4.16.1.0-src.tar.bz2
      
    8. Compare the contents of the release artifact with the contents pulled from the repo:

      $ diff -r /tmp/cloudstack/apache-cloudstack-4.16.1.0-src /tmp/cloudstack/tree
      

      Ensure that the contents are the same.

    9. Verify the Code License Headers:

      $ cd /tmp/cloudstack/apache-cloudstack-4.16.1.0-src
      $ mvn --projects='org.apache.cloudstack:cloudstack' org.apache.rat:apache-rat-plugin:0.8:check
      

      The build fails if any non-compliant files are present that are not specifically excluded from the ASF license header requirement. You can optionally review the target/rat.txt file after the run completes. A passing build means that RAT found the files compliant and that this check has passed.
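
The hash comparison in step 3 works only because the published .sha file is in gpg --print-md layout, which sha512sum -c cannot parse. The script below is an added example, not part of the CloudStack documentation: it normalizes that layout and compares it with a locally computed SHA-512. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CloudStack docs). Checks an artifact against a
# digest file in `gpg --print-md` layout: "NAME: HEX HEX ...", upper case,
# possibly wrapped over several lines.

# Print the bare lowercase hex digest stored in a gpg-layout digest file.
normalize_digest() {
    sed 's/^[^:]*://' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 if inputs are missing or malformed.
verify_sha512() {
    artifact=$1 digest_file=$2
    [ -r "$artifact" ] && [ -r "$digest_file" ] || return 2
    expected=$(normalize_digest "$digest_file")
    # A SHA-512 digest is exactly 128 hex characters; reject anything else
    # instead of comparing against a truncated or padded value.
    [ "${#expected}" -eq 128 ] || return 2
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    actual=$(sha512sum "$artifact" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Constructed sample input: write a file's SHA-512 in gpg --print-md layout.
make_gpg_style_digest() {
    hex=$(sha512sum "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F')
    printf '%s: ' "$1"
    printf '%s' "$hex" | sed 's/.\{8\}/& /g' | fold -w 72
    printf '\n'
}

# Demo on a constructed file standing in for the real tarball and .sha file.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/sample-src.tar.bz2"
    printf 'constructed sample payload\n' > "$f"
    make_gpg_style_digest "$f" > "$f.sha"
    ok=0;  verify_sha512 "$f" "$f.sha" || ok=$?
    printf 'tampered\n' >> "$f"          # simulate a modified artifact
    bad=0; verify_sha512 "$f" "$f.sha" || bad=$?
    rm -rf "$dir"
    echo "match=$ok tampered=$bad"
}
demo
```

A matching digest only shows the download is intact; trust in the artifact still comes from the gpg --verify signature check against the imported keys.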