This is an automated email from the ASF dual-hosted git repository.

paulk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/groovy.git

commit d41fa3a63e65782732cb7c14983745faa2b8d95d
Author: Carl Marcum <[email protected]>
AuthorDate: Sun Mar 29 14:01:04 2026 -0400

    fix for running without an optional download dir and add script 
descriptions in headers.
    
    Co-authored-by: Paul King <[email protected]>
    Co-authored-by: Jonny Carter <[email protected]>
---
 etc/bin/download-release-artifacts.sh | 21 ++++++++++++++++----
 etc/bin/verify-binary-distribution.sh | 36 +++++++++++++++++++++++++----------
 etc/bin/verify-docs-distribution.sh   | 36 +++++++++++++++++++++++++----------
 etc/bin/verify-sdk-distribution.sh    | 36 +++++++++++++++++++++++++----------
 etc/bin/verify-source-distribution.sh | 36 +++++++++++++++++++++++++----------
 etc/bin/verify.sh                     | 21 ++++++++++++++++++++
 6 files changed, 142 insertions(+), 44 deletions(-)

diff --git a/etc/bin/download-release-artifacts.sh 
b/etc/bin/download-release-artifacts.sh
index 9b21a41250..f52f818a83 100755
--- a/etc/bin/download-release-artifacts.sh
+++ b/etc/bin/download-release-artifacts.sh
@@ -17,6 +17,19 @@
 #  specific language governing permissions and limitations
 #  under the License.
 #
+#
+# download-release-artifacts.sh - Download Groovy release artifacts from 
dist.apache.org.
+#
+# Fetches the source, binary, doc, and sdk distribution zip files, their GPG 
signatures (.asc), and checksum
+# files (.sha256) into a local directory for offline verification.
+#
+# Artifacts are downloaded from:
+#   https://dist.apache.org/repos/dist/{dev|release}/groovy/<version>/
+#
+# Usage:
+#   download-release-artifacts.sh <dev|release> <version> [download-dir]
+#
+
 set -e
 
 if [ $# -lt 2 ]; then
@@ -49,24 +62,24 @@ VERSION=${VERSION#v} # in case someone prefixes a v
 # download into subdirs because they unpack into the same directory name
 # Source distro
 
-echo "Downloading SVN source release files"
+echo "Downloading source release files"
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/src/apache-${PROJECT_NAME}-src-${VERSION}.zip" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/sources/apache-${PROJECT_NAME}-src-${VERSION}.zip";
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/src/apache-${PROJECT_NAME}-src-${VERSION}.zip.asc" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/sources/apache-${PROJECT_NAME}-src-${VERSION}.zip.asc";
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/src/apache-${PROJECT_NAME}-src-${VERSION}.zip.sha256" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/sources/apache-${PROJECT_NAME}-src-${VERSION}.zip.sha256";
 
 # Binary distro
 
-echo "Downloading SVN distribution binary files"
+echo "Downloading distribution binary files"
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/binary/apache-${PROJECT_NAME}-binary-${VERSION}.zip" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-binary-${VERSION}.zip";
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/binary/apache-${PROJECT_NAME}-binary-${VERSION}.zip.asc" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-binary-${VERSION}.zip.asc";
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/binary/apache-${PROJECT_NAME}-binary-${VERSION}.zip.sha256"
 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-binary-${VERSION}.zip.sha256";
 
-echo "Downloading SVN distribution docs files"
+echo "Downloading distribution docs files"
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/docs/apache-${PROJECT_NAME}-docs-${VERSION}.zip" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-docs-${VERSION}.zip";
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/docs/apache-${PROJECT_NAME}-docs-${VERSION}.zip.asc" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-docs-${VERSION}.zip.asc";
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/docs/apache-${PROJECT_NAME}-docs-${VERSION}.zip.sha256" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-docs-${VERSION}.zip.sha256";
 
-echo "Downloading SVN distribution sdk files"
+echo "Downloading distribution sdk files"
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/sdk/apache-${PROJECT_NAME}-sdk-${VERSION}.zip" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-sdk-${VERSION}.zip";
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/sdk/apache-${PROJECT_NAME}-sdk-${VERSION}.zip.asc" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-sdk-${VERSION}.zip.asc";
 curl -f -L -o 
"${DOWNLOAD_LOCATION}/sdk/apache-${PROJECT_NAME}-sdk-${VERSION}.zip.sha256" 
"https://dist.apache.org/repos/dist/${DIST_TYPE}/groovy/${VERSION}/distribution/apache-${PROJECT_NAME}-sdk-${VERSION}.zip.sha256";
diff --git a/etc/bin/verify-binary-distribution.sh 
b/etc/bin/verify-binary-distribution.sh
index a4253d8f99..bd78655b2d 100755
--- a/etc/bin/verify-binary-distribution.sh
+++ b/etc/bin/verify-binary-distribution.sh
@@ -17,6 +17,22 @@
 #  specific language governing permissions and limitations
 #  under the License.
 #
+#
+# verify-binary-distribution.sh - Verify a downloaded Groovy binary 
distribution.
+#
+# Expects the download directory to contain SVN_KEYS (the Groovy project KEYS
+# file) and a binary/ subdirectory with the zip, .asc, and .sha256 files, as
+# produced by download-release-artifacts.sh.
+#
+# Performs the following checks:
+#   1. SHA-256 checksum verification
+#   2. GPG signature verification (using an isolated temporary keyring)
+#   3. Extraction and presence of LICENSE and NOTICE
+#
+# Usage:
+#   verify-binary-distribution.sh <version> [download-dir]
+#
+
 set -euo pipefail
 
 if [ $# -lt 1 ]; then
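Review bot: The new header names SVN_KEYS as an expected input but does not say where it must come from, and that file is the only trust anchor for check 2. As far as the visible lines show, every key in it is imported into the temporary keyring and `gpg --verify` then accepts a good signature from any of them, so a KEYS file obtained together with the artifacts adds no independent assurance. I would add a line such as `# SVN_KEYS must be obtained from a trusted source independent of the artifacts being verified.` to this header. The headers added to verify-docs-distribution.sh, verify-sdk-distribution.sh and verify-source-distribution.sh would take the same line.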
@@ -30,6 +46,16 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> 
/dev/null && pwd )
 
 VERSION=${VERSION#v} # in case someone prefixes a v
 
+export GROOVY_GPG_HOME=$(mktemp -d)
+cleanup() {
+  rm -rf "${GROOVY_GPG_HOME}"
+}
+trap cleanup EXIT
+
+echo "Importing GPG key to independent GPG home ..."
+gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
+echo "✅ GPG Key Imported"
+
 cd "${DOWNLOAD_LOCATION}/binary"
 ZIP_FILE=$(ls "apache-groovy-binary-${VERSION}.zip" 2>/dev/null | head -n 1)
 
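Review bot: `export GROOVY_GPG_HOME=$(mktemp -d)` hides a failing mktemp from `set -e`, because the exit status of that line is the status of `export`. The variable would then be empty, and gpg given an empty `--homedir` may fall back to the caller's default keyring, so the import that follows would no longer be isolated. Splitting it into `GROOVY_GPG_HOME=$(mktemp -d)` followed by `export GROOVY_GPG_HOME` lets the script stop at the failure. The identical moved block in verify-docs-distribution.sh, verify-sdk-distribution.sh and verify-source-distribution.sh has the same issue.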
@@ -38,12 +64,6 @@ if [ -z "${ZIP_FILE}" ]; then
   exit 1
 fi
 
-export GROOVY_GPG_HOME=$(mktemp -d)
-cleanup() {
-  rm -rf "${GROOVY_GPG_HOME}"
-}
-trap cleanup EXIT
-
 echo "Verifying checksum..."
 EXPECTED_HASH=$(cat apache-groovy-binary-${VERSION}.zip.sha256 | tr -d '\r\n')
 ACTUAL_HASH=$(shasum -a 256 apache-groovy-binary-${VERSION}.zip | awk '{print 
$1}')
@@ -54,10 +74,6 @@ else
     echo "✅ Checksum Verified"
 fi
 
-echo "Importing GPG key to independent GPG home ..."
-gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
-echo "✅ GPG Key Imported"
-
 echo "Verifying GPG signature..."
 gpg --homedir "${GROOVY_GPG_HOME}" --verify 
"apache-groovy-binary-${VERSION}.zip.asc" "apache-groovy-binary-${VERSION}.zip"
 echo "✅ GPG Verified"
diff --git a/etc/bin/verify-docs-distribution.sh 
b/etc/bin/verify-docs-distribution.sh
index 0082c9d0bc..df544f4b76 100755
--- a/etc/bin/verify-docs-distribution.sh
+++ b/etc/bin/verify-docs-distribution.sh
@@ -17,6 +17,22 @@
 #  specific language governing permissions and limitations
 #  under the License.
 #
+#
+# verify-docs-distribution.sh - Verify a downloaded Groovy docs distribution.
+#
+# Expects the download directory to contain SVN_KEYS (the Groovy project KEYS
+# file) and a docs/ subdirectory with the zip, .asc, and .sha256 files, as
+# produced by download-release-artifacts.sh.
+#
+# Performs the following checks:
+#   1. SHA-256 checksum verification
+#   2. GPG signature verification (using an isolated temporary keyring)
+#   3. Extraction and presence of LICENSE and NOTICE
+#
+# Usage:
+#   verify-docs-distribution.sh <version> [download-dir]
+#
+
 set -euo pipefail
 
 if [ $# -lt 1 ]; then
@@ -30,6 +46,16 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> 
/dev/null && pwd )
 
 VERSION=${VERSION#v} # in case someone prefixes a v
 
+export GROOVY_GPG_HOME=$(mktemp -d)
+cleanup() {
+  rm -rf "${GROOVY_GPG_HOME}"
+}
+trap cleanup EXIT
+
+echo "Importing GPG key to independent GPG home ..."
+gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
+echo "✅ GPG Key Imported"
+
 cd "${DOWNLOAD_LOCATION}/docs"
 ZIP_FILE=$(ls "apache-groovy-docs-${VERSION}.zip" 2>/dev/null | head -n 1)
 
@@ -38,12 +64,6 @@ if [ -z "${ZIP_FILE}" ]; then
   exit 1
 fi
 
-export GROOVY_GPG_HOME=$(mktemp -d)
-cleanup() {
-  rm -rf "${GROOVY_GPG_HOME}"
-}
-trap cleanup EXIT
-
 echo "Verifying checksum..."
 EXPECTED_HASH=$(cat apache-groovy-docs-${VERSION}.zip.sha256 | tr -d '\r\n')
 ACTUAL_HASH=$(shasum -a 256 apache-groovy-docs-${VERSION}.zip | awk '{print 
$1}')
@@ -54,10 +74,6 @@ else
     echo "✅ Checksum Verified"
 fi
 
-echo "Importing GPG key to independent GPG home ..."
-gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
-echo "✅ GPG Key Imported"
-
 echo "Verifying GPG signature..."
 gpg --homedir "${GROOVY_GPG_HOME}" --verify 
"apache-groovy-docs-${VERSION}.zip.asc" "apache-groovy-docs-${VERSION}.zip"
 echo "✅ GPG Verified"
diff --git a/etc/bin/verify-sdk-distribution.sh 
b/etc/bin/verify-sdk-distribution.sh
index d41e710fc7..8ca0a03911 100755
--- a/etc/bin/verify-sdk-distribution.sh
+++ b/etc/bin/verify-sdk-distribution.sh
@@ -17,6 +17,22 @@
 #  specific language governing permissions and limitations
 #  under the License.
 #
+#
+# verify-source-distribution.sh - Verify a downloaded Groovy sdk distribution.
+#
+# Expects the download directory to contain SVN_KEYS (the Groovy project KEYS
+# file) and a sdk/ subdirectory with the zip, .asc, and .sha256 files, as
+# produced by download-release-artifacts.sh.
+#
+# Performs the following checks:
+#   1. SHA-256 checksum verification
+#   2. GPG signature verification (using an isolated temporary keyring)
+#   3. Extraction and presence of LICENSE and NOTICE
+#
+# Usage:
+#   verify-sdk-distribution.sh <version> [download-dir]
+#
+
 set -euo pipefail
 
 if [ $# -lt 1 ]; then
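Review bot: The first line of the new header names the wrong script: in verify-sdk-distribution.sh it reads `verify-source-distribution.sh - Verify a downloaded Groovy sdk distribution.`. It should read `# verify-sdk-distribution.sh - Verify a downloaded Groovy sdk distribution.`, which matches the Usage line further down the same header.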
@@ -30,6 +46,16 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> 
/dev/null && pwd )
 
 VERSION=${VERSION#v} # in case someone prefixes a v
 
+export GROOVY_GPG_HOME=$(mktemp -d)
+cleanup() {
+  rm -rf "${GROOVY_GPG_HOME}"
+}
+trap cleanup EXIT
+
+echo "Importing GPG key to independent GPG home ..."
+gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
+echo "✅ GPG Key Imported"
+
 cd "${DOWNLOAD_LOCATION}/sdk"
 ZIP_FILE=$(ls "apache-groovy-sdk-${VERSION}.zip" 2>/dev/null | head -n 1)
 
@@ -38,12 +64,6 @@ if [ -z "${ZIP_FILE}" ]; then
   exit 1
 fi
 
-export GROOVY_GPG_HOME=$(mktemp -d)
-cleanup() {
-  rm -rf "${GROOVY_GPG_HOME}"
-}
-trap cleanup EXIT
-
 echo "Verifying checksum..."
 EXPECTED_HASH=$(cat apache-groovy-sdk-${VERSION}.zip.sha256 | tr -d '\r\n')
 ACTUAL_HASH=$(shasum -a 256 apache-groovy-sdk-${VERSION}.zip | awk '{print 
$1}')
@@ -54,10 +74,6 @@ else
     echo "✅ Checksum Verified"
 fi
 
-echo "Importing GPG key to independent GPG home ..."
-gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
-echo "✅ GPG Key Imported"
-
 echo "Verifying GPG signature..."
 gpg --homedir "${GROOVY_GPG_HOME}" --verify 
"apache-groovy-sdk-${VERSION}.zip.asc" "apache-groovy-sdk-${VERSION}.zip"
 echo "✅ GPG Verified"
diff --git a/etc/bin/verify-source-distribution.sh 
b/etc/bin/verify-source-distribution.sh
index 7e2726ed2a..30397c382d 100755
--- a/etc/bin/verify-source-distribution.sh
+++ b/etc/bin/verify-source-distribution.sh
@@ -17,6 +17,22 @@
 #  specific language governing permissions and limitations
 #  under the License.
 #
+#
+# verify-source-distribution.sh - Verify a downloaded Groovy source 
distribution.
+#
+# Expects the download directory to contain SVN_KEYS (the Groovy project KEYS
+# file) and a src/ subdirectory with the zip, .asc, and .sha256 files, as
+# produced by download-release-artifacts.sh.
+#
+# Performs the following checks:
+#   1. SHA-256 checksum verification
+#   2. GPG signature verification (using an isolated temporary keyring)
+#   3. Extraction and presence of LICENSE, NOTICE, and README.md
+#
+# Usage:
+#   verify-source-distribution.sh <version> [download-dir]
+#
+
 set -euo pipefail
 
 if [ $# -lt 1 ]; then
@@ -30,6 +46,16 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> 
/dev/null && pwd )
 
 VERSION=${VERSION#v} # in case someone prefixes a v
 
+export GROOVY_GPG_HOME=$(mktemp -d)
+cleanup() {
+  rm -rf "${GROOVY_GPG_HOME}"
+}
+trap cleanup EXIT
+
+echo "Importing GPG key to independent GPG home ..."
+gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
+echo "✅ GPG Key Imported"
+
 cd "${DOWNLOAD_LOCATION}/src"
 ZIP_FILE=$(ls "apache-groovy-src-${VERSION}.zip" 2>/dev/null | head -n 1)
 
@@ -38,12 +64,6 @@ if [ -z "${ZIP_FILE}" ]; then
   exit 1
 fi
 
-export GROOVY_GPG_HOME=$(mktemp -d)
-cleanup() {
-  rm -rf "${GROOVY_GPG_HOME}"
-}
-trap cleanup EXIT
-
 echo "Verifying checksum..."
 EXPECTED_HASH=$(cat apache-groovy-src-${VERSION}.zip.sha256 | tr -d '\r\n')
 ACTUAL_HASH=$(shasum -a 256 apache-groovy-src-${VERSION}.zip | awk '{print 
$1}')
@@ -54,10 +74,6 @@ else
     echo "✅ Checksum Verified"
 fi
 
-echo "Importing GPG key to independent GPG home ..."
-gpg --homedir "${GROOVY_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/SVN_KEYS"
-echo "✅ GPG Key Imported"
-
 echo "Verifying GPG signature..."
 gpg --homedir "${GROOVY_GPG_HOME}" --verify 
"apache-groovy-src-${VERSION}.zip.asc" "apache-groovy-src-${VERSION}.zip"
 echo "✅ GPG Verified"
diff --git a/etc/bin/verify.sh b/etc/bin/verify.sh
index f138e45112..91404807f5 100755
--- a/etc/bin/verify.sh
+++ b/etc/bin/verify.sh
@@ -17,6 +17,25 @@
 #  specific language governing permissions and limitations
 #  under the License.
 #
+#
+# verify.sh - End-to-end release verification for Apache Groovy.
+#
+# Downloads staged artifacts from dist.apache.org, verifies their checksums
+# and GPG signatures, checks for required files (LICENSE, NOTICE, README.md),
+# and runs the Apache RAT license audit against the extracted source.
+#
+# The individual steps are delegated to companion scripts in this directory:
+#   download-release-artifacts.sh  - fetches the distribution artifacts and 
hashes
+#   verify-<type>-distribution.sh  - checks integrity, signatures, and contents
+#
+# Usage:
+#   verify.sh <dev|release> <version> [download-dir]
+#
+# Examples:
+#   verify.sh dev 8.0.1 /tmp/geb-verify   # verify a staging candidate
+#   verify.sh release 8.0.0               # verify a published release
+#
+
 set -euo pipefail
 
 if [ $# -lt 2 ]; then
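Review bot: The first example, `verify.sh dev 8.0.1 /tmp/geb-verify`, uses a fixed directory name under /tmp and carries another project's name. The companion scripts read SVN_KEYS and the artifacts from the download directory, so a path that another local user on a shared machine could create in advance is a poor default to copy from documentation. I would write the example as `#   verify.sh dev <version> "$(mktemp -d)"   # verify a staging candidate`, or use a directory under the caller's home. Whether verify.sh itself creates or populates the directory is not visible in this hunk.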
@@ -96,6 +115,8 @@ else
   echo "Gradle Bootstrap not needed ..."
 fi
 
+cd -
+
 echo "Applying License Audit ..."
 cd "${DOWNLOAD_LOCATION}/src/groovy-${VERSION}"
 ./gradlew rat
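Review bot: The added `cd -` sits after the `fi`, so it runs on both branches, but it returns to the starting directory only if a `cd` ran just before it. The `if` branch is outside this hunk; if only that branch changes directory, the `else` path (`Gradle Bootstrap not needed ...`) would jump to whatever OLDPWD holds, or abort under `set -e` when it is unset, and a relative `${DOWNLOAD_LOCATION}` in the next `cd` would resolve against the wrong directory. `cd -` also prints the target path to stdout. Recording the start once near the top with `START_DIR=$PWD` and using `cd "${START_DIR}"` here does not depend on which branch ran; resolving DOWNLOAD_LOCATION to an absolute path up front would work too.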
