diff --git a/dev/README_RELEASE_AIRFLOW.md b/dev/README_RELEASE_AIRFLOW.md index ef5640f134d7b..cfa045aad82fe 100644 --- a/dev/README_RELEASE_AIRFLOW.md +++ b/dev/README_RELEASE_AIRFLOW.md @@ -991,12 +991,17 @@ release packages: ```shell script cd ${PATH_TO_AIRFLOW_SVN}/${VERSION_RC} -``` - -And running this: - - -```shell script +echo +echo "Checking Airflow ${VERSION_RC} Signatures" +echo +for i in *.asc +do + echo -e "Checking $i\n"; gpg --verify $i +done +cd ../task-sdk/${TASK_SDK_VERSION_RC} +echo +echo "Checking TaskSDK ${TASK_SDK_VERSION_RC} Signatures" +echo for i in *.asc do echo -e "Checking $i\n"; gpg --verify $i @@ -1012,32 +1017,74 @@ this is a valid key already. To suppress the warning you may edit the key's tru by running `gpg --edit-key trust` and entering `5` to assign trust level `ultimate`. ``` -Checking apache-airflow-3.0.5rc4.tar.gz.asc -gpg: assuming signed data in 'apache-airflow-3.0.5rc4.tar.gz' -gpg: Signature made sob, 22 sie 2020, 20:28:28 CEST -gpg: using RSA key 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B -gpg: Good signature from "Kaxil Naik " [unknown] +Checking Airflow 3.1.8rc1 Signatures + +Checking apache_airflow-3.1.8-py3-none-any.whl.asc + +gpg: assuming signed data in 'apache_airflow-3.1.8-py3-none-any.whl' +gpg: Signature made Fri 06 Mar 2026 11:13:05 AM CET +gpg: using EDDSA key 5055919906242571E5B0CC5A1846E140F733C4B2 +gpg: Good signature from "Rahul Vats " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: 5055 9199 0624 2571 E5B0 CC5A 1846 E140 F733 C4B2 +Checking apache_airflow-3.1.8-source.tar.gz.asc + +gpg: assuming signed data in 'apache_airflow-3.1.8-source.tar.gz' +gpg: Signature made Fri 06 Mar 2026 11:13:06 AM CET +gpg: using EDDSA key 5055919906242571E5B0CC5A1846E140F733C4B2 +gpg: Good signature from "Rahul Vats " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: 5055 9199 0624 2571 E5B0 CC5A 1846 E140 F733 C4B2 +Checking apache_airflow-3.1.8.tar.gz.asc + +gpg: assuming signed data in 'apache_airflow-3.1.8.tar.gz' +gpg: Signature made Fri 06 Mar 2026 11:13:06 AM CET +gpg: using EDDSA key 5055919906242571E5B0CC5A1846E140F733C4B2 +gpg: Good signature from "Rahul Vats " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: 1271 7556 040E EF2E EAF1 B9C2 75FC CD0A 25FA 0E4B +Primary key fingerprint: 5055 9199 0624 2571 E5B0 CC5A 1846 E140 F733 C4B2 +Checking apache_airflow_core-3.1.8-py3-none-any.whl.asc -Checking apache_airflow-3.0.5rc4-py2.py3-none-any.whl.asc -gpg: assuming signed data in 'apache_airflow-3.0.5rc4-py2.py3-none-any.whl' -gpg: Signature made sob, 22 sie 2020, 20:28:31 CEST -gpg: using RSA key 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B -gpg: Good signature from "Kaxil Naik " [unknown] +gpg: assuming signed data in 'apache_airflow_core-3.1.8-py3-none-any.whl' +gpg: Signature made Fri 06 Mar 2026 11:13:05 AM CET +gpg: using EDDSA key 5055919906242571E5B0CC5A1846E140F733C4B2 +gpg: Good signature from "Rahul Vats " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: 1271 7556 040E EF2E EAF1 B9C2 75FC CD0A 25FA 0E4B +Primary key fingerprint: 5055 9199 0624 2571 E5B0 CC5A 1846 E140 F733 C4B2 +Checking apache_airflow_core-3.1.8.tar.gz.asc -Checking apache-airflow-3.0.5rc4-source.tar.gz.asc -gpg: assuming signed data in 'apache-airflow-3.0.5rc4-source.tar.gz' -gpg: Signature made sob, 22 sie 2020, 20:28:25 CEST -gpg: using RSA key 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B -gpg: Good signature from "Kaxil Naik " [unknown] +gpg: assuming signed data in 'apache_airflow_core-3.1.8.tar.gz' +gpg: Signature made Fri 06 Mar 2026 11:13:05 AM CET +gpg: using EDDSA key 5055919906242571E5B0CC5A1846E140F733C4B2 +gpg: Good signature from "Rahul Vats " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: 1271 7556 040E EF2E EAF1 B9C2 75FC CD0A 25FA 0E4B +Primary key fingerprint: 5055 9199 0624 2571 E5B0 CC5A 1846 E140 F733 C4B2 + +Checking TaskSDK 1.1.8rc1 Signatures + +Checking apache_airflow_task_sdk-1.1.8-py3-none-any.whl.asc + +gpg: assuming signed data in 'apache_airflow_task_sdk-1.1.8-py3-none-any.whl' +gpg: Signature made Fri 06 Mar 2026 11:13:05 AM CET +gpg: using EDDSA key 5055919906242571E5B0CC5A1846E140F733C4B2 +gpg: Good signature from "Rahul Vats " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: 5055 9199 0624 2571 E5B0 CC5A 1846 E140 F733 C4B2 +Checking apache_airflow_task_sdk-1.1.8.tar.gz.asc + +gpg: assuming signed data in 'apache_airflow_task_sdk-1.1.8.tar.gz' +gpg: Signature made Fri 06 Mar 2026 11:13:05 AM CET +gpg: using EDDSA key 5055919906242571E5B0CC5A1846E140F733C4B2 +gpg: Good signature from "Rahul Vats " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: 5055 9199 0624 2571 E5B0 CC5A 1846 E140 F733 C4B2 ``` ## SHA512 sum check @@ -1045,6 +1092,18 @@ Primary key fingerprint: 1271 7556 040E EF2E EAF1 B9C2 75FC CD0A 25FA 0E4B Run this: ```shell script +cd ${PATH_TO_AIRFLOW_SVN}/${VERSION_RC} +echo +echo "Checking Airflow ${VERSION_RC} Checksums" +echo +for i in *.sha512 +do + echo "Checking $i"; shasum -a 512 `basename $i .sha512 ` | diff - $i +done +cd ../task-sdk/${TASK_SDK_VERSION_RC} +echo +echo "Checking TaskSDK ${TASK_SDK_VERSION_RC} Checksums" +echo for i in *.sha512 do echo "Checking $i"; shasum -a 512 `basename $i .sha512 ` | diff - $i @@ -1054,9 +1113,18 @@ done You should get output similar to: ``` -Checking apache-airflow-3.1.3rc4.tar.gz.sha512 -Checking apache_airflow-3.1.3rc4-py2.py3-none-any.whl.sha512 -Checking apache_airflow-3.1.3rc4-source.tar.gz.sha512 +Checking Airflow 3.1.8rc1 Checksums + +Checking apache_airflow-3.1.8-py3-none-any.whl.sha512 +Checking apache_airflow-3.1.8-source.tar.gz.sha512 +Checking apache_airflow-3.1.8.tar.gz.sha512 +Checking apache_airflow_core-3.1.8-py3-none-any.whl.sha512 +Checking apache_airflow_core-3.1.8.tar.gz.sha512 + +Checking TaskSDK 1.1.8rc1 Checksums + +Checking apache_airflow_task_sdk-1.1.8-py3-none-any.whl.sha512 +Checking apache_airflow_task_sdk-1.1.8.tar.gz.sha512 ``` ## Optional: Automated verification using Breeze