[Release] Add support for verifying .{asc,sha256,512} for .jar related files in `dev/release/verify_rc.sh`

[kou]

Describe the enhancement requested

We should:

• Download binary artifacts from GitHub Release
• Verify signature by gpg --verify XXX.asc XXX
• Verify checksum by sha256 -c XXX.sha256 and sha512 -c XXX.sha512

[jbonofre]

From an ASF standpoint, the most important is to verify the source distribution from dist.apache.org.
So, maybe we can verify artifacts from GitHub Release, but also from dist.apache.org.

Do you want me to give it a shoot ?

[kou]

Oh, really!?
https://www.apache.org/legal/release-policy.html#host-rc uses "SHOULD":

Projects should use the /dev tree of the dist repository or the staging features of repository.apache.org to host release candidates posted for developer testing/voting (prior to being, potentially, formally blessed as a GA release).

So, I thought that we can use other ASF approved locations such as Artifactory https://apache.jfrog.io/ and GitHub Release.

[jbonofre]

@kou for staging, it's fine, we can use GitHub Release location. As we also push to dist.apache.org (release location, not dev after release), it's OK.

@kou so you are right, GitHub Release is good enough for verification.

[kou]

@yyossy5 You may be interested in this.

We need to vote before we publish an "official" release based on the Apache Software Foundation policy: https://infra.apache.org/release-publishing.html#voting

We have a verification script to help the process: https://github.com/apache/arrow-java/blob/main/dev/release/verify_rc.sh

But it's not completed. This issue focus on

arrow-java/dev/release/verify_rc.sh

Line 142 in 4b4d928

# TODO: jar test

We want to add auto verification for .asc/.sha256/.sha512 in this issue as the first step. We'll run unit tests against built .jar in follow-up tasks.

We'll be able to run the code by VERIFY_DEFAULT=0 VERIFY_BINARY=1 dev/release/verify_rc.sh 18.2.0 5.

See also: https://github.com/apache/arrow-java/blob/main/dev/release/README.md#verify

[xpgcrx]

Thank you @kou , I'll check this when I have a moment.