This page was copied over from the PLC4X project and adapted for IoTDB (Validating a staged Release).

Warning

Currently, the tooling is not in the master branch; it is only accessible from the branch "tooling-for-release".


Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/iotdb it must be validated and voted on in order to proceed.

Team members must do the following.  

Only the Release Manager needs to perform the items tagged with '[RM]', though all are encouraged to.

  1. download staged artifacts. Check their signature and hashes.
    1. cd ~/tmp
    2. ./tools/download_staged_release.sh 0.8.0 1  # <version> <rc-num>
    3. [RM] verify the reported signature is for an "apache.org" address ("gpg: Good signature from ...")
      1. gpg --verify apache-iotdb-0.8.0-incubating-source-release.zip.asc apache-iotdb-0.8.0-incubating-source-release.zip


  2. extract src bundle
    1. cd downloaded-iotdb-0.8.0rc1
    2. unzip 0.8.0/rc1/apache-iotdb-0.8.0-source-release.zip
    3. verify the existence of LICENSE, NOTICE, README, RELEASE_NOTES files in the extracted source bundle
    4. [RM] verify the staged source README, RELEASE_NOTES files correspond to those in the extracted source bundle
  3. staged src bundle items: content, can compile & test
    1. cd apache-iotdb-0.8.0
    2. check the contents of LICENSE, NOTICE, README, RELEASE_NOTES
      1. Check any year references (the NOTICE file contains at least one in the copyright notice that could need updating)
    3. UNPACK the binary artefact and check the contents of LICENSE-binary and NOTICE-binary
    4. build from directions in README
      1. In addition to the build directions, it is advisable to build with an empty Maven local repo, as this ensures all dependencies are currently available. Do this by adding the following argument to the Maven execution: "-Dmaven.repo.local=../.m2"
    5. [RM] review target/rat.txt (though the build should fail if RAT constraints aren't met)
      1. Find any rat.txt reports that list binary content with this command:

        1. find . -type f -name 'rat.txt' -exec grep -l " B " {} \;
      2. Then review for B (binary) content in those files:   grep " B " target/rat.txt

    6. Search for SNAPSHOT references
      1. find . -type f -name 'pom.xml' -exec grep -l "SNAPSHOT" {} \;
    7. ./mvnw install 
      1. the tests should all pass
    8. NOTE: can't do this in a source-bundle (only in a repo) ./mvnw site:site  # generate reports
      1. the tests should all pass

Verifying the signature (ASC)

In order to check the signature (ASC) of the release:

gpg --verify apache-iotdb-0.8.0-incubating-source-release.zip.asc apache-iotdb-0.8.0-incubating-source-release.zip

This should produce something like this:

gpg: Signatur vom Fr  2 Aug 14:30:42 2019 CEST
gpg:                mittels RSA-Schlüssel ADBD428CB5BF6C9FFC77B907C336E0143A553B89
gpg: Korrekte Signatur von "Julian Feinauer <jfeinauer@apache.org>" [ultimativ]

The important part is that gpg reports a correct signature (the output above is from my German MacBook, where it reads "Korrekte Signatur") and that the email address attached to the signature is an Apache address. The "ultimativ" at the end depends on your PGP trust environment; if you do not yet trust any Apache people's keys, this might be different.
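
The human-readable gpg output is localized (German above), so matching its text in a script is brittle. As an added example, not part of the original page or the project's tooling, this shell function checks the same two conditions from gpg's machine-readable `--status-fd` lines and prints the key fingerprint; the function name and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project tooling): judge gpg's machine-readable status lines.
# Real use, with the file names from this page:
#   gpg --status-fd 1 --verify apache-iotdb-0.8.0-incubating-source-release.zip.asc \
#       apache-iotdb-0.8.0-incubating-source-release.zip 2>/dev/null | check_gpg_status

# Reads status lines on stdin. Prints the signing key fingerprint and returns 0
# only when there is a GOODSIG whose user ID ends in <...@apache.org>, a VALIDSIG
# line, and no bad/expired/revoked/error status. Returns 1 otherwise.
check_gpg_status() {
    awk '
        $1 != "[GNUPG:]" { next }    # skip localized, human-readable lines
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" {
            good = 1
            if ($0 ~ /<[^<>@ ]+@apache\.org>$/) apache = 1
        }
        $2 == "VALIDSIG" { fpr = $3 }
        END {
            if (good && apache && fpr != "" && !bad) { print fpr; exit 0 }
            exit 1
        }
    '
}

# Constructed sample status output (not taken from a real verification run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@apache.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-01-01 1546300800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_FOREIGN='[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-01-01 1546300800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@apache.org>'

# Demo over the constructed samples: one accepted, two rejected.
for sample in "$SAMPLE_GOOD" "$SAMPLE_FOREIGN" "$SAMPLE_BAD"; do
    if fpr=$(printf '%s\n' "$sample" | check_gpg_status); then
        echo "OK: good signature from an apache.org user ID, key $fpr"
    else
        echo "REJECT: no good apache.org signature"
    fi
done
```

A user ID is chosen by whoever created the key, so the printed fingerprint is the value to compare against the key you expect the release manager to use.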
