Validate source code tarball¶

  1. Perform the following to verify the artifacts:

    1. (optional) Install GPG keys if needed:

      $ sudo apt-get install gpg
    2. Import the GPG keys stored in the source distribution’s KEYS file

      $ gpg --import KEYS

      Alternatively, download the signing keys, the IDs found in the KEYS file, individually by using a keyserver.

      For example:

      $ gpg --recv-keys CC56CEA8
    3. Verify signatures and hash files:

      $ gpg --verify apache-cloudstack-
      $ gpg --print-md MD5 apache-cloudstack- | diff - apache-cloudstack-
      $ gpg --print-md SHA512 apache-cloudstack- | diff - apache-cloudstack-

      Each of these commands should return no output. Any output from them implies that there is a difference between the hash you generated locally and the hash that has been pulled from the server.

    4. Get the commit hash from the VOTE email.

      For example: 1b8a532ba52127f388847690df70e65c6b46f4d4. The value changes between releases.

    5. Create two new temporary directories:

      $ mkdir /tmp/cloudstack/git
      $ mkdir /tmp/cloudstack/tree
    6. Check out the branch:

      $ git clone /tmp/cloudstack/git
      $ cd /tmp/cloudstack/git
      $ git archive --format=tar --prefix=/tmp/cloudstack/tree/ <commit-hash> | tar Pxf -
    7. Unpack the release artifact:

      $ cd /tmp/cloudstack
      $ tar xvfj apache-cloudstack-
    8. Compare the contents of the release artifact with the contents pulled from the repo:

      $ diff -r /tmp/cloudstack/apache-cloudstack- /tmp/cloudstack/tree

      Ensure that content is the same.

    9. Verify the Code License Headers:

      $ cd /tmp/cloudstack/apache-cloudstack-
      $ mvn --projects='org.apache.cloudstack:cloudstack' org.apache.rat:apache-rat-plugin:0.8:check

      The build fails if any non-compliant files are present that are not specifically excluded from the ASF license header requirement. You can optionally review the target/rat.txt file after the run completes. Passing the build implies that RAT certifies that the files are compliant and this test is passed.