发布手册
1. 前言
1.1 Apache 版本发布文档
参考以下链接,了解 ASF 版本发布流程:
1.2 PGP 签名
遵循 Apache 版本发布指南,对发布版本签名,用户也可据此判断下载的版本是否被篡改。
创建 pgp
密钥用于版本签名,使用 <your Apache ID>@apache.org 作为密钥 USER-ID
详情可参考 Apache Releases Signing documentation,Cryptography with OpenPGP
生成密钥的简要流程:
-
通过
gpg --full-gen-key
生成一个新的gpg
密钥, 设置密钥长度为 4096注:可设置永不过期,也可根据自己需求设置一定的过期时间,但需要在过期后更新的公钥到DEV KEYS file 和 RELEASE KEYS file
-
通过
gpg --keyserver keys.openpgp.org --send-key <your key id>
上传密钥到公钥服务器注:如若访问不通,可通过OpenPGP Keyserver (ubuntu.com) 在线上传公钥
使用该命令可查到keyid如:gpg --list-signatures --keyid-format LONG
pub rsa4096/XXXXXXXX 2024-09-19 [SC] [有效至:2027-09-19]
F2D3A28A392129B927C7FB42XXXXXXXX
uid [ 绝对 ] xxxx <xxxx@apache.org>
sig 3 XXXXXXXX 2024-09-19 [自签名]
sub rsa4096/XXXXX 2024-09-19 [E] [有效至:2027-09-19]
sig XXXXXXXX 2024-09-19 [自签名]
那么keyid为XXXXXXXX -
通过
gpg --armor --output ./public-key.txt --export XXXXXXXX
导出公钥到文本文件 -
将生成的密钥追加到DEV KEYS file 和 RELEASE KEYS file
注意:
DEV SVN 仓库可以由 Release Manager 自行添加,Release SVN 仓库需要 PMC 权限,可以由 PMC 协助将 KEY 进行上传。
Tips: 需要设置默认公钥, 若有多个公钥,请修改 ~/.gnupg/gpg.conf
参考示例:
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: (设置用户名)(使用apache id)
Email address: (设置邮件地址)(使用apache邮箱)
Comment: (填写注释)
You selected this USER-ID:
"用户名 (注释) <邮件地址>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key. (设置密码)
将生成的公钥和私钥转化为 ASCII 形式:
gpg --armor --output ./public-key.txt --export XXXXXXXX
gpg --armor --output ./private-key.txt --export-secret-keys XXXXXXXX
查看密钥列表:
[root@localhost ~]# gpg --list-signatures --keyid-format LONG
[keyboxd]
---------
pub rsa4096/XXXXXXXX 2024-09-19 [SC] [有效至:2027-09-19]
F2D3A28A392129B927C7FB42XXXXXXXX
uid [ 绝对 ] xxxx <xxxx@apache.org>
sig 3 XXXXXXXX 2024-09-19 [自签名]
sub rsa4096/XXXXX 2024-09-19 [E] [有效至:2027-09-19]
sig XXXXXXXX 2024-09-19 [自签名]
上传公钥到公钥服务器
[root@localhost gpgtest]# gpg --keyserver keys.openpgp.org --send-key XXXXXXXX
gpg: sending key XXXXXXXX to hkp server keys.openpgp.org
1.3 POM 配置
配置 POM 文件,以便将版本部署到 ASF Nexus 仓库。
① 添加 Apache POM 继承默认设置
<parent>
<groupId>org.apache</groupId>
<artifactId>apache</artifactId>
<version>XX</version>
</parent>
② Maven 配置文件 settings.xml
中添加密钥信息
<settings>
<profiles>
<profile>
<id>signed_release</id>
<properties>
<mavenExecutorId>forked-path</mavenExecutorId>
<gpg.keyname>yourKeyName</gpg.keyname>
<deploy.url>https://dist.apache.org/repos/dist/dev/incubator/seata/</deploy.url>
</properties>
</profile>
</profiles>
<servers>
<!-- To publish a snapshot of some part of Maven -->
<server>
<id>apache.snapshots.https</id>
<username>yourApacheID</username>
<!-- Use the password encryption by maven -->
<password>yourApachePassword</password>
</server>
<!-- To stage a release of some part of Maven -->
<server>
<id>apache.releases.https</id>
<username>yourApacheID</username>
<password>yourApachePassword</password>
</server>
<server>
<id>gpg.passphrase</id>
<passphrase>yourKeyPassword</passphrase>
</server>
</servers>
</settings>
Tips: 推荐使用 Maven's password encryption capabilities 加密 gpg.passphrase
1.5 发布 Release Notes
通过changelog构建出对应版本的Release Notes
2.发布流程
1. 准备分支
从主干分支拉取新分支作为发布分支,如现在要发布 ${release_version}
版本,则从开发分支拉出新分支 ${release_version}
,此后${release_version}
Release Candidates 涉及的修改及打标签等都在${release_version}
分支进行,并保证该分支的github actions ci全部通过,最终发布完成后合入主干分支。
例:如 Java SDK 需要发布 2.2.0
版本,从 2.x
分支拉出新分支 2.2.0
,并在此分支提交从 Snapshot版本号 替换为 2.2.0
版本号的 commit。
2.预发布二进制包
2.1 SDK根据 publishing maven artifacts [4] 的说明准备发布。
mvn clean deploy -Prelease -DskipTests -e -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
此时,seata sdk被发布到 预发仓库 (需要apache账号密码登录),找到发布的版本,即 ${STAGING.RELEASE}
, 并点击 Close。
注:如果close失败很可能是因为签名的秘钥对应的公钥在keys.openpgp.org中无法获取到,请自行通过OpenPGP Keyserver (ubuntu.com) 检查
2.2 Source&Binary提交至svn仓库
2.2.1 安装svn
下载并安装Download Apache Subversion Sources
或通过 brew install subversion
一键安装
2.2.2 编译seata-server及seata-namingserver
mvn -Prelease-seata -Dmaven.test.skip=true -Dskip.npm=true -T4C -Dpmd.skip=true clean install -U
2.2.3 将Source及Binary进行签名
Source 建议直接通过github 对应版本分支如2.2.0 进行下载zip包,避免本地环境污染Source包内容,然后重命名为apache-seata-x.x.x-incubating-src.zip
shasum -b -a 512 apache-seata-x.x.x-incubating-src.zip >> apache-seata-x.x.x-incubating-src.zip.sha512
gpg --armor --output apache-seata-x.x.x-incubating-bin.zip.asc apache-seata-x.x.x-incubating-bin.zip
Binary进行签名
shasum -b -a 512 apache-seata-x.x.x-incubating-bin.tar.gz >> apache-seata-x.x.x-incubating-bin.tar.gz.sha512
gpg --armor --output apache-seata-x.x.x-incubating-bin.tar.gz.asc apache-seata-x.x.x-incubating-bin.tar.gz
sha512验证
shasum -c apache-seata-x.x.x-incubating-bin.tar.gz.sha512
asc验证
gpg --verify apache-seata-x.x.x-incubating-src.zip.asc apache-seata-x.x.x-incubating-src.zip
2.2.4 拉取svn至本地,并构建发布版本路径,并将签名文件及Source和Binary移入其中
拉取svn目录
svn co --depth=empty https://dist.apache.org/repos/dist/dev/incubator/seata/
创建发布版本路径,并将文件移入其中
cd seata
mkdir x.x.x
mv ….. x.x.x
通过以上命令,移入其中后大概如下
-rw-r--r--@ 1 fe-work staff 180M 9 20 10:16 apache-seata-2.2.0-incubating-bin.tar.gz
-rw-r--r--@ 1 fe-work staff 180M 9 20 10:16 apache-seata-2.2.0-incubating-bin.tar.gz.asc
-rw-r--r--@ 1 fe-work staff 187B 9 20 10:16 apache-seata-2.2.0-incubating-bin.tar.gz.sha512
-rw-r--r--@ 1 fe-work staff 6.7M 9 20 10:16 apache-seata-2.2.0-incubating-src.zip
-rw-r--r--@ 1 fe-work staff 6.7M 9 20 10:16 apache-seata-2.2.0-incubating-src.zip.asc
-rw-r--r-- 1 fe-work staff 300B 9 20 10:16 apache-seata-2.2.0-incubating-src.zip.sha512
而其上级seata目录中的KEYS需要保证追加了第一步所说的,将构建的公钥放入其中
执行
svn add x.x.x
svn commit -m "submit x.x.x version"
如果更新了KEYS 需要在commit之前执行 svn update KEYS
执行commit后会提示输入apache ldap账号密码,输入后即可提交成功
➜ seata svn commit -m 'submit 2.2.0 version'
正在增加 2.2.0
正在增加 (二进制) 2.2.0/apache-seata-2.2.0-incubating-bin.tar.gz
正在增加 (二进制) 2.2.0/apache-seata-2.2.0-incubating-bin.tar.gz.asc
正在增加 2.2.0/apache-seata-2.2.0-incubating-bin.tar.gz.sha512
正在增加 (二进制) 2.2.0/apache-seata-2.2.0-incubating-src.zip
正在增加 (二进制) 2.2.0/apache-seata-2.2.0-incubating-src.zip.asc
正在增加 2.2.0/apache-seata-2.2.0-incubating-src.zip.sha512
传输文件数据......done
正在读取事务
提交后的版本为 71769。