Monday, December 30, 2013

Release Testing: Verifying that the stage files are signed and verifiable

When testing a release candidate, it is necessary to test whether the stage files are signed and those are verifiable ( md5, sha and asc verification). This can be a tedious task if not automated.

This guide uses Apache Airavata project to demonstrate the examples. 


  • Download all the files(.zip, .tar.gz, .asc, .sha, .md5..etc) you need to test and store them all in that directory you created. ex: All the files from the Apache Airavata 0.11-RC3 (https://dist.apache.org/repos/dist/dev/airavata/0.11/RC3/)
  • SHA signing validation Create a bash script in the same folder and copy the code below
     for file in `find . -type f -not -name '*.asc' -not -name '*.md5' -not -name '*.sh' -not -name '*.sha'`
     do
           gpg --print-md SHA512 ${file} | diff - "${file}"".sha" | echo "testing : $file"".sha" 
     done 
    
  • This code will verify the SHA signings.
  • MD5 validation 
     gpg --print-md md5 ${file} | diff - "${file}"".md5" | echo "testing : $file"".md5" 
  • ASC validation 
    gpg --verify ${file} 
  • You can have all these validations in one bash script if required. 

    No comments:

    Post a Comment