Skip to content

Fix GPG verify path for staged release artifacts#1582

Merged
tuhaihe merged 1 commit intoapache:mainfrom
tuhaihe:update-rc-shell
Feb 28, 2026
Merged

Fix GPG verify path for staged release artifacts#1582
tuhaihe merged 1 commit intoapache:mainfrom
tuhaihe:update-rc-shell

Conversation

@tuhaihe
Copy link
Member

@tuhaihe tuhaihe commented Feb 26, 2026

Use absolute artifact paths in the GPG verification step of devops/release/cloudberry-release.sh.

Previously, the script verified SHA-512 using an absolute path but called gpg --verify with relative file names. When running with --repo from a different working directory, this could fail with "No such file or directory" even though the .asc file existed in the artifacts directory.

This change aligns the GPG verify command with the SHA-512 check by verifying:
$ARTIFACTS_DIR/${TAR_NAME}.asc
against:
$ARTIFACTS_DIR/$TAR_NAME

No behavior change for successful local runs besides making path resolution robust.

Fixes #ISSUE_Number

What does this PR do?

Type of Change

  • Bug fix (non-breaking change)
  • New feature (non-breaking change)
  • Breaking change (fix or feature with breaking changes)
  • Documentation update

Breaking Changes

Test Plan

  • Unit tests added/updated
  • Integration tests added/updated
  • Passed make installcheck
  • Passed make -C src/test installcheck-cbdb-parallel

Impact

Performance:

User-facing changes:

Dependencies:

Checklist

Additional Context

CI Skip Instructions

@tuhaihe
Fix GPG verify path for staged release artifacts
0dd2bd0 
Use absolute artifact paths in the GPG verification step of
devops/release/cloudberry-release.sh.

Previously, the script verified SHA-512 using an absolute path but
called `gpg --verify` with relative file names. When running with
`--repo` from a different working directory, this could fail with
"No such file or directory" even though the `.asc` file existed in
the artifacts directory.

This change aligns the GPG verify command with the SHA-512 check by
verifying:
  $ARTIFACTS_DIR/${TAR_NAME}.asc
against:
  $ARTIFACTS_DIR/$TAR_NAME

No behavior change for successful local runs besides making path
resolution robust.
@tuhaihe
Copy link
Member Author

tuhaihe commented Feb 28, 2026

Before:

=================================================================
>> Verifying GPG Signature (/Users/djwang/workdir/artifacts/apache-cloudberry-2.1.0-incubating-rc2-src.tar.gz.asc) Release Artifact
=================================================================
gpg: can't open 'apache-cloudberry-2.1.0-incubating-rc2-src.tar.gz.asc': No such file or directory
gpg: verify signatures failed: No such file or directory

After:

=================================================================
>> Verifying GPG Signature (/Users/djwang/workdir/artifacts/apache-cloudberry-2.1.0-incubating-rc2-src.tar.gz.asc) Release Artifact
=================================================================
gpg: Signature made Sat Feb 28 16:13:07 2026 CST
gpg:                using RSA key 9A36AA272348A207E193A49C500708B75754FB7C
gpg: Good signature from "Dianjin Wang (for apache cloudberry release) <djwang@apache.org>" [ultimate]

Press Enter or type y/yes to continue, or 'n' to exit: y

=================================================================
>> Release candidate for 2.1.0-incubating-rc2 staged successfully
=================================================================

@tuhaihe tuhaihe merged commit e304d3e into apache:main Feb 28, 2026
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reshke reshke reshke approved these changes

@leborchuk leborchuk leborchuk approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tuhaihe @reshke @leborchuk