From 0dd2bd0ded841522b58a3fc0afe7de1c929dc59d Mon Sep 17 00:00:00 2001 From: Dianjin Wang Date: Thu, 26 Feb 2026 18:16:22 +0800 Subject: [PATCH] Fix GPG verify path for staged release artifacts Use absolute artifact paths in the GPG verification step of devops/release/cloudberry-release.sh. Previously, the script verified SHA-512 using an absolute path but called `gpg --verify` with relative file names. When running with `--repo` from a different working directory, this could fail with "No such file or directory" even though the `.asc` file existed in the artifacts directory. This change aligns the GPG verify command with the SHA-512 check by verifying: $ARTIFACTS_DIR/${TAR_NAME}.asc against: $ARTIFACTS_DIR/$TAR_NAME No behavior change for successful local runs besides making path resolution robust. --- devops/release/cloudberry-release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devops/release/cloudberry-release.sh b/devops/release/cloudberry-release.sh index 641d435f26a..fbde88b87c8 100755 --- a/devops/release/cloudberry-release.sh +++ b/devops/release/cloudberry-release.sh @@ -677,7 +677,7 @@ section "Staging release: $TAG" section "Verifying GPG Signature ($ARTIFACTS_DIR/${TAR_NAME}.asc) Release Artifact" if [[ "$SKIP_SIGNING" != true ]]; then - gpg --verify "${TAR_NAME}.asc" "$TAR_NAME" + gpg --verify "$ARTIFACTS_DIR/${TAR_NAME}.asc" "$ARTIFACTS_DIR/$TAR_NAME" else echo "INFO: Signature verification skipped (--skip-signing). Signature is only available when generated via this script." fi
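Review bot: The `gpg --verify` call on the new line succeeds for a good signature made by any public key in the local keyring, so it confirms the tarball matches the `.asc` but not that the intended release key produced it. If the script knows the expected signing-key fingerprint (not visible in this hunk), compare it with the `VALIDSIG` line from `gpg --status-fd 1 --verify "$ARTIFACTS_DIR/${TAR_NAME}.asc" "$ARTIFACTS_DIR/$TAR_NAME"`. Separately, the script's option setup is outside the hunk, so it is worth confirming that it runs under `set -e`, or appending an explicit `|| exit 1` so a failed verification cannot fall through to the rest of staging. A short comment such as `# Absolute paths: --repo may be invoked from another working directory` would record why the paths are spelled out.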