Hey there and welcome all :)
The following article helps you to get the checks required by the AGE community for new releases I hope it helps anyone has struggling in understanding any of them.
Let's get started:
Following the release of AGE 1.3.0 and PG 12 to show our case on:
https://dist.apache.org/repos/dist/dev/age/PG12/1.3.0.rc1/ https://github.com/apache/age/releases/tag/PG12%2Fv1.3.0-rc1
We can see 3 files there:
apache-age-1.3.0-src.tar.gz
apache-age-1.3.0-src.tar.gz.asc
apache-age-1.3.0-src.tar.gz.sha512
All of them are needed for the verification:
Definitions
apache-age-1.3.0-src.tar.gz.sha512: That's a hash file for the release apache-age-1.3.0-src.tar.gz.
apache-age-1.3.0-src.tar.gz.asc: Signature verification file.
apache-age-1.3.0-src.tar.gz: Source code of the project.
Let's check our todo list
TODO:
Signature and Hash
Tags and links
No unexpected binary files
Validity of release notes
Regression tests
Let's try to solve them :)
1- HASH
So that, we will need to reproduce the sha512 hash of the apache-age-1.3.0-src.tar.gz and compare that with the content of apache-age-1.3.0-src.tar.gz.sha512
sha512sum apache-age-1.3.0-src.tar.gz
# Output
71e8fb7eed7de3460d6bac7cc37a7ac8bea2164a59043250d7278f4ca17181eb4459db239c19a9b87cc3e4f00e0c0618aff751549a346a3c87f8806ba6b64f11 apache-age-1.3.0-src.tar.gz
Compare that with the content of apache-age-1.3.0-src.tar.gz.sha512
2- Signature
Firstly we need to download the KEYS file of the AGE maintainers
https://downloads.apache.org/age/KEYS
# download that
wget https://downloads.apache.org/age/KEYS
# import that
gpg --import KEYS
Then we will verify the output of that signature
gpg --verify apache-age-1.3.0-src.tar.gz.asc apache-age-1.3.0-src.tar.gz
# output
gpg: Signature made 22 أبر, 2023 EET 12:55:43 ص
gpg: using RSA key 26B6CD9DCD5B0045
gpg: Good signature from "John Gemignani (Apache GPG key) <jgemignani@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4293 0603 8E35 AC05 4DBB 4B58 26B6 CD9D CD5B 0045
3- Binary files
It is done through two methods
Manually
Script
find . -type f -executable
# output
./drivers/jdbc/gradlew
./tools/gen_keywordlist.pl
./tools/git/commit-msg
4- Regression tests
It can done inside the source code of AGE through the following command
make installcheck PG_CONFIG=pg_config
5- Tags and links (manual check)
6- Validity of release notes (manual check)
Conclusion:
✅ Signature and Hash [DONE]
✅ Tags and links [DONE]
✅ No unexpected binary files [DONE]
✅ Validity of release notes [DONE]
✅ Regression tests [DONE]