[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: calcite git commit: [CALCITE-2574] Update download page to include instructions for verifying a downloaded artifact

Fixed in CALCITE-2577

On 20/09/2018 9:42 AM, Julian Hyde wrote:
Can you please change those URLs to use https?

On Sep 19, 2018, at 4:37 PM, francischuang@xxxxxxxxxx wrote:

Repository: calcite
Updated Branches:
  refs/heads/master d262c860a -> d3b02ae2c

[CALCITE-2574] Update download page to include instructions for verifying
a downloaded artifact

Project: http://git-wip-us.apache.org/repos/asf/calcite/repo
Commit: http://git-wip-us.apache.org/repos/asf/calcite/commit/d3b02ae2
Tree: http://git-wip-us.apache.org/repos/asf/calcite/tree/d3b02ae2
Diff: http://git-wip-us.apache.org/repos/asf/calcite/diff/d3b02ae2

Branch: refs/heads/master
Commit: d3b02ae2cb9dce786270d6657b8e758ce3aa55f1
Parents: d262c86
Author: Francis Chuang <francischuang@xxxxxxxxxx>
Authored: Thu Sep 20 09:37:09 2018 +1000
Committer: Francis Chuang <francischuang@xxxxxxxxxx>
Committed: Thu Sep 20 09:37:09 2018 +1000

site/downloads/index.md | 38 +++++++++++++++++++++++++++++++-------
1 file changed, 31 insertions(+), 7 deletions(-)

diff --git a/site/downloads/index.md b/site/downloads/index.md
index 4770e44..0d00c41 100644
--- a/site/downloads/index.md
+++ b/site/downloads/index.md
@@ -70,16 +70,11 @@ Release          | Date       | Commit   | Download
{% endcomment %}
{% endfor %}

-Choose a source distribution in either *tar* or *zip* format,
-and [verify](http://www.apache.org/dyn/closer.cgi#verify)
-using the corresponding *pgp* signature (using the committer file in
-If you cannot do that, use the *digest* file
-to check that the download has completed OK.
+Choose a source distribution in either *tar* or *zip* format.

For fast downloads, current source distributions are hosted on mirror servers;
older source distributions are in the
or [incubator archive](http://archive.apache.org/dist/incubator/calcite/).
If a download from a mirror fails, retry, and the second download will likely
@@ -87,6 +82,35 @@ succeed.
For security, hash and signature files are always hosted at

+# Verify the integrity of the files
+You must verify the integrity of the downloaded file using the PGP signature (.asc file) or a hash (.sha256, .md5 for older
+releases). For more information why this must be done, please read [Verifying Apache Software Foundation Releases](https://www.apache.org/info/verification.html).
+To verify the signature using GPG or PGP, please do the following:
+1. Download the release artifact and the corresponding PGP signature from the table above.
+2. Download the [Apache Calcite KEYS](http://www.apache.org/dist/calcite/KEYS) file.
+3. Import the KEYS file and verify the downloaded artifact using one of the following methods:
+{% highlight shell %}
+% gpg --import KEYS
+% gpg --verify downloaded_file.asc downloaded_file
+{% endhighlight %}
+{% highlight shell %}
+% pgpk -a KEYS
+% pgpv downloaded_file.asc
+{% endhighlight %}
+{% highlight shell %}
+% pgp -ka KEYS
+% pgp downloaded_file.asc
+{% endhighlight %}
# Maven artifacts

Add the following to the dependencies section of your `pom.xml` file: