diff --git a/scripts/README.md b/scripts/README.md index dbf51b966019..0d721e64880f 100644 --- a/scripts/README.md +++ b/scripts/README.md @@ -16,7 +16,7 @@ OPENDAL_VERSION=0.30.2 OPENDAL_VERSION_RC=rc1 ./scripts/release.sh ## Check ```shell -./scripts/check.sh apache-opendal-0.33.3-src.tar.gz +./scripts/check.py ``` > Before running the check, please ensure that you have completed the following preparations. diff --git a/scripts/check.py b/scripts/check.py new file mode 100755 index 000000000000..0bd185b35b85 --- /dev/null +++ b/scripts/check.py 
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import subprocess
+import os
+
+# Define colors for output
+YELLOW = "\033[37;1m"
+GREEN = "\033[32;1m"
+ENDCOLOR = "\033[0m"
+
+
+def check_signature(pkg):
+ """Check the GPG signature of the package."""
+ try:
+ subprocess.check_call(["gpg", "--verify", f"{pkg}.asc", pkg])
+ print(GREEN + "Success to verify the gpg sign for " + pkg + ENDCOLOR)
+ except subprocess.CalledProcessError:
+ print(YELLOW + "Failed to verify the gpg sign for " + pkg + ENDCOLOR)
+
+
+def check_sha512sum(pkg):
+ """Check the sha512 checksum of the package."""
+ try:
+ subprocess.check_call(["sha512sum", "--check", f"{pkg}.sha512"])
+ print(GREEN + "Success to verify the checksum for " + pkg + ENDCOLOR)
+ except subprocess.CalledProcessError:
+ print(YELLOW + "Failed to verify the checksum for " + pkg + ENDCOLOR)
+
+
+def main():
+ # Get a list of all files in the current directory
+ files = [f for f in os.listdir(".") if os.path.isfile(f)]
+
+ for pkg in files:
+ # Skip files that don't have a corresponding .asc or .sha512 file
+ if not os.path.exists(f"{pkg}.asc") or not os.path.exists(f"{pkg}.sha512"):
+ continue
+
+ print(f"> Checking {pkg}")
+
+ # Perform the checks
+ check_signature(pkg)
+ check_sha512sum(pkg)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/scripts/check.sh b/scripts/check.sh
deleted file mode 100755
index 3b935a1b8d9e..000000000000
--- a/scripts/check.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-set -e
-
-YELLOW="\033[37;1m"
-GREEN="\033[32;1m"
-ENDCOLOR="\033[0m"
-
-if [ "$#" -ne 1 ]; then
- echo "Usage: $0 {YOUR RELEASE TAR FILE}" >&2
- exit 1
-fi
-
-PKG=$1
-
-if [ ! -f "$PKG" ]; then
- echo "File '$PKG' does not exist."
- exit 1
-fi
-
-echo "> Check signature"
-gpg --verify "$PKG.asc" "$PKG"
-
-if [ $? -eq 0 ]
-then
- printf $GREEN"Success to verify the gpg sign"$ENDCOLOR"\n"
-else
- printf $YELLOW"Failed to verify the gpg sign"$ENDCOLOR"\n"
-fi
-
-echo "> Check sha512sum"
-sha512sum --check "$PKG.sha512"
-
-if [ $? -eq 0 ]
-then
- printf $GREEN"Success to verify the checksum"$ENDCOLOR"\n"
-else
- printf $YELLOW"Failed to verify the checksum"$ENDCOLOR"\n"
-fi
diff --git a/website/community/committers/verify.md b/website/community/committers/verify.md
index 09e1de0a3452..6fb6fe5c6571 100644
--- a/website/community/committers/verify.md
+++ b/website/community/committers/verify.md
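Review bot: A failed verification in scripts/check.py is only printed, so the script still exits 0: `check_signature` and `check_sha512sum` both catch `CalledProcessError` and return nothing, and `main` never sets an exit status. The removed check.sh ran under `set -e`, so a bad signature or checksum ended it with a non-zero status; anyone chaining the new script in a release vote or a CI step now gets a pass on an artifact that failed verification unless they read the output. `main` also skips a file silently when either its `.asc` or its `.sha512` is missing, so a directory where nothing qualified looks the same as a clean run. The check functions could return a bool, with `main` exiting non-zero on any failure or when no package was checked.

```python
def check_signature(pkg):
    # … unchanged: try / gpg --verify call / success message …
        return True
    except subprocess.CalledProcessError:
        # … unchanged: failure message …
        return False


# … check_sha512sum gets the same True / False returns …


def main():
    # … unchanged: list the files in the current directory …
    checked = 0
    failed = False
    for pkg in files:
        # … unchanged: skip files without both .asc and .sha512, print header …
        checked += 1
        # Run both checks so each result is printed, then combine them.
        sig_ok = check_signature(pkg)
        sum_ok = check_sha512sum(pkg)
        failed = failed or not (sig_ok and sum_ok)

    # Do not report success when a check failed or nothing was verified.
    if failed or checked == 0:
        raise SystemExit(1)
```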
@@ -93,17 +93,17 @@ Now, we could start the verification. We've provided a script to verify the checksum and signature of the release candidate. The script is in the `scripts` directory of our repository. -You can download it directly from [here](https://raw.githubusercontent.com/apache/opendal/main/scripts/check.sh) +You can download it directly from [here](https://raw.githubusercontent.com/apache/opendal/main/scripts/check.py) or check it out from the repository: ```shell -git clone git@github.com:apache/opendal.git +git clone https://github.com/apache/opendal ``` -Run the script on a specific release candidate: +Run the script in a specific release candidate's folder: ```shell -./scripts/check.sh apache-opendal-${release_version}-${rc_version}-src.tar.gz +./scripts/check.py ``` You will see the following output if the verification is successful: