Release Testing: Verifying that the stage files are signed and verifiable

When testing a release candidate, you need to check that the stage files are signed and that they verify (md5, sha and asc verification). This can be a tedious task if not automated.

This guide uses the Apache Airavata project for its examples.


  • Download all the files (.zip, .tar.gz, .asc, .sha, .md5, etc.) you need to test and store them all in one directory created for the test. Example: all the files from Apache Airavata 0.11-RC3 (https://dist.apache.org/repos/dist/dev/airavata/0.11/RC3/)
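  • SHA checksum validation: create a bash script in the same folder and copy the code below into it.
     for file in $(find . -type f -not -name '*.asc' -not -name '*.md5' -not -name '*.sh' -not -name '*.sha')
     do
           echo "testing : ${file}.sha"
           # diff prints nothing when the computed digest matches the published one
           gpg --print-md SHA512 "${file}" | diff - "${file}.sha"
     done
    
  • This code verifies the SHA checksums. The "testing" line is printed first and diff runs as its own command, because piping diff into echo would discard the diff output and hide a mismatch. Any diff output after a "testing" line means that checksum does not match.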
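  • MD5 validation: use these lines inside the same loop.
     echo "testing : ${file}.md5"
     gpg --print-md md5 "${file}" | diff - "${file}.md5"
  • ASC validation: also inside the loop. The loop skips the .asc files, so pass the detached signature and the file it signs.
    gpg --verify "${file}.asc" "${file}"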
  • You can have all these validations in one bash script if required. 
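
A combined script of the kind the last step mentions, as an added example that is not part of the original guide. The function names are illustrative, digests are computed with sha512sum and md5sum instead of gpg --print-md, and the checksum file is normalised so that either tool's layout is accepted. It assumes all downloaded files sit directly in one directory.

```shell
#!/bin/sh
# Added example: checks .sha, .md5 and .asc for each artifact in one directory.
# Function names are illustrative. Digests are computed with sha512sum/md5sum.

# Print the digest stored in a checksum file as bare lowercase hex. Accepts both
# the `gpg --print-md` layout ("name: AB12 CD34 ...", possibly wrapped) and the
# sha512sum/md5sum layout ("ab12cd34...  name").
digest_from_file() (            # $1 = checksum file, $2 = artifact file name
    NAME="$2" awk '{ n = ENVIRON["NAME"]   # cut the name out: it may contain hex letters
        while ((i = index($0, n)) > 0) $0 = substr($0, 1, i - 1) substr($0, i + length(n))
        print }' "$1" | tr -cd '0-9A-Fa-f' | tr 'A-F' 'a-f'
)

# Succeeds only if "<artifact>.<ext>" exists and holds the artifact's digest.
check_digest() (                # $1 = artifact, $2 = sha512sum|md5sum, $3 = sha|md5
    [ -f "$1.$3" ] || exit 1
    expected=$(digest_from_file "$1.$3" "$(basename "$1")")
    actual=$("$2" < "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
)

# Succeeds only if the detached signature verifies. gpg needs the signer's public
# key in the keyring; compare the fingerprint it prints with the published one.
check_signature() {             # $1 = artifact
    [ -f "$1.asc" ] && gpg --verify "$1.asc" "$1"
}

# Runs all three checks on every artifact; succeeds only if at least one
# artifact was checked and nothing failed.
verify_dir() {                  # $1 = directory holding the downloaded files
    checked=0 failures=0
    for file in "$1"/*; do
        [ -f "$file" ] || continue
        case "$file" in *.asc|*.md5|*.sha|*.sh) continue ;; esac
        checked=$((checked + 1))
        check_digest "$file" sha512sum sha || { echo "FAIL sha: $file"; failures=$((failures + 1)); }
        check_digest "$file" md5sum md5    || { echo "FAIL md5: $file"; failures=$((failures + 1)); }
        check_signature "$file"            || { echo "FAIL asc: $file"; failures=$((failures + 1)); }
    done
    echo "checked $checked artifact(s), $failures failure(s)"
    [ "$checked" -gt 0 ] && [ "$failures" -eq 0 ]
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then verify_dir "$1"; fi
```

A missing .sha, .md5 or .asc file counts as a failure, and so does an empty directory, so the script cannot pass without having checked anything.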
