+1
Attaching an updated validation script; maybe we should have a central repo
w/the scripts to validate our various releases...
On Fri, Oct 10, 2025, at 3:12 PM, Francisco Guerrero wrote:
> +1 thanks for driving this release!
>
> On 2025/10/10 18:46:45 Yifan Cai wrote:
> > +1 (nb)
> >
> > Thanks for providing the validate script. I was able to run the script
> > after some minor modifications.
> >
> > - Yifan
> >
> > On Thu, Oct 9, 2025 at 3:09 PM Doug Rohrer <[email protected]> wrote:
> >
> > > Ok - let's try this again:
> > >
> > > Candidate SHA:
> > >
> > > https://github.com/apache/cassandra-in-jvm-dtest-api/commit/775bfd5283ec77960713e3de2abeb4d068199ef7
> > >
> > > Tagged 0.0.18
> > >
> > > Artifacts:
> > >
> > > https://repository.apache.org/content/repositories/orgapachecassandra-1420/org/apache/cassandra/dtest-api/0.0.18
> > >
> > > Key signature (this is my RSA key, in KEYS file):
> > > 9A648E3DEDA36EECCCC374C4277B602ED2C52277
> > >
> > > See changes/info below.
> > >
> > > Attached is a script that will pull down all of the artifacts, verify the
> > > GPG signatures, and validate the md5/sha1 files match.
> > > NOTE: it'll create a `tmp` directory wherever you run it, so I'd recommend
> > > running it in an empty directory somewhere, or just use the text and run
> > > the commands manually wherever).
> > >
> > >
> > > Script based very loosely on
> > > https://github.com/apache/cassandra-builds/pull/32/files - but since
> > > we're not building RPMs/Debian packages it's just to do the validation.
> > >
> > >
> > > New vote will be open for 72 hours. Everyone who has tested the build lis
> > > invited to vote. Votes by PMC members are considered binding. A vote
> > > passes
> > > if there are at least three binding +1s.
> > >
> > >
> > > Thanks,
> > >
> > > Doug
> > >
> > > On Oct 9, 2025, at 5:52 PM, Doug Rohrer <[email protected]> wrote:
> > >
> > > Hey folks,
> > >
> > > In an effort to document/automate validiting the release, I noticed that
> > > GPG picked a more recent key for me, which is an ECC key, not RSA, which
> > > it
> > > seems will break things if we have it in the KEYS file, so I'm going to
> > > close this proposed release/vote, re-release it with my RSA key, and
> > > re-call for the vote along with a handy script to pull down the artifacts
> > > and check the sha1/md5/gpg signatures you can run.
> > >
> > > Thanks,
> > >
> > > Doug
> > >
> > > On Oct 7, 2025, at 5:56 PM, Doug Rohrer <[email protected]> wrote:
> > >
> > > Hey folks,
> > >
> > > I'd like to propose a new release of the dtest-api that includes some
> > > updates to make it easier for Cassandra maintainers to deal with some of
> > > the jmx support classes, and for external consumers of the dtest api to
> > > use
> > > the jmx client without having to jump through some somewhat ugly hoops.
> > >
> > > Repository:
> > > https://gitbox.apache.org/repos/asf?p=cassandra-in-jvm-dtest-api.git
> > >
> > > Candidate SHA:
> > >
> > > https://github.com/apache/cassandra-in-jvm-dtest-api/commit/421fe11b8fd862d82f89607c1ae2807657ba6578
> > > Tagged with 0.0.18
> > >
> > > Artifacts:
> > >
> > > https://repository.apache.org/content/repositories/orgapachecassandra-1419/org/apache/cassandra/dtest-api/0.0.18/
> > >
> > > Key signature: 2C94EBA59C0BA7E0EDAAE142BF79EF32B05FB5CA
> > >
> > > Changes since last release:
> > >
> > > * CASSANDRA-20884 - Move JMX classes to the in-jvm-dtest API project
> > >
> > > I have patches available for 4.0, 4.1, 5.0, and trunk Cassandra branches
> > > to take advantage of these changes as well, which can be updated to use
> > > this release and committed once the vote passes.
> > >
> > > The vote will be open for 72 hours. Everyone who has tested the build lis
> > > invited to vote. Votes by PMC members are considered binding. A vote
> > > passes
> > > if there are at least three binding +1s.
> > >
> > > See https://issues.apache.org/jira/browse/CASSANDRA-20884 for branches of
> > > Cassandra for testing the dtest-api change (which currently use a snapshot
> > > build of this).
> > >
> > > Thanks,
> > >
> > > Doug Rohrer
> > >
> > >
> > >
> > >
> >
>
#!/bin/bash
show_help() {
cat << EOF
Usage: $(basename "$0") <release-type> <version> [staging-repo-id]
Validates Apache Cassandra dtest-api release artifacts by verifying GPG
signatures,
SHA1 and MD5 checksums.
ARGUMENTS:
release-type Type of release to validate (required)
Valid values: 'staged' or 'released'
version Release version number to validate (required)
Example: 0.0.18
staging-repo-id Maven staging repository ID (required only for 'staged')
This is the numeric ID found in the staging repo URL from
the vote email (e.g., 1419)
Extract from URL: In
https://repository.apache.org/content/repositories/orgapachecassandra-1420/...
the staging repo ID is 1420
Must NOT be provided when release-type is 'released'
PREREQUISITES:
- wget (for downloading artifacts)
- gpg (for signature verification)
- sha1sum (for checksum verification)
EXAMPLES:
# Validate a staged release with staging repo ID 1419
$(basename "$0") staged 0.0.18 1419
# Validate a released version
$(basename "$0") released 0.0.18
NOTES:
- Artifacts are downloaded to ./tmp/<version>/
- For 'staged': Downloads from repository.apache.org staging area
- For 'released': Downloads from repository.apache.org releases area
- Script verifies GPG signatures and checksums for all .pom and .jar files
EOF
exit 1;
}
# Show help if requested
if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
show_help
exit 0
fi
###################
# prerequisites
# set -x
command -v wget >/dev/null 2>&1 || { echo >&2 "wget needs to be installed";
exit 1; }
command -v gpg >/dev/null 2>&1 || { echo >&2 "gpg needs to be installed"; exit
1; }
command -v sha1sum >/dev/null 2>&1 || { echo >&2 "sha1sum needs to be
installed"; exit 1; }
( [ "staged" == "$1" ] || [ "released" == "$1" ] ) || { echo >&2 "ERROR: first
argument must be 'staged' or 'released'"; show_help; }
( [ $# -ge 2 ] ) || { echo >&2 "ERROR: minimum two arguments must be provided";
show_help; }
if [ -z "$3" ] ; then
[ "released" == "$1" ] || { echo >&2 "ERROR: staging-repo-id (third
argument) is required when release-type is 'staged'"; show_help; }
maven_repo_url="https://repository.apache.org/content/repositories/releases/org/apache/cassandra/dtest-api/$2";
else
[ "staged" == "$1" ] || { echo >&2 "ERROR: staging-repo-id (third argument)
must NOT be provided when release-type is 'released'"; show_help; }
maven_repo_url="https://repository.apache.org/content/repositories/orgapachecassandra-$3/org/apache/cassandra/dtest-api/$2";
fi
(curl --output /dev/null --silent --head --fail "${maven_repo_url}") || { echo
>&2 "Not found: ${maven_repo_url}"; exit 1; }
###################
mkdir -p ./tmp/$2
cd ./tmp/$2
if [ ! -f KEYS ]; then
echo "No KEYS file found in current directory."
read -p "Would you like to download the Cassandra KEYS file? (y/n): " -n 1
-r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
echo "Downloading KEYS"
wget -q https://downloads.apache.org/cassandra/KEYS
gpg --import KEYS
else
echo "Skipping KEYS import. GPG verification may fail without the
proper keys."
fi
else
gpg --import KEYS
fi
echo "Downloading ${maven_repo_url}"
wget -Nvnd -e robots=off --recursive --no-parent ${maven_repo_url} > wget.log
2>&1 || { echo "ERROR: wget failed to download artifacts. Log:"; cat wget.log;
exit 1; }
echo
echo "====== CHECK RESULTS ======"
echo
(compgen -G "*.asc" >/dev/null) || { echo >&2 "No *.asc files found in $(pwd)";
exit 1; }
for f in *.asc ; do gpg --verify $f ; done
(compgen -G "*.pom" >/dev/null) || { echo >&2 "No *.pom files found in $(pwd)";
exit 1; }
(compgen -G "*.jar" >/dev/null) || { echo >&2 "No *.jar files found in $(pwd)";
exit 1; }
for f in *.pom *.jar ; do echo -n "sha1: " ; echo "$(cat $f.sha1) $f" |
sha1sum -c - ; echo -n "md5: " ; echo "$(cat $f.md5) $f" | md5sum -c - ; done
echo "Done."
