verify using KEYS from dist.apache.org

Author: jdaugherty

etc/bin/verify-jar-artifacts.sh

@@ -24,6 +24,7 @@ PROJECT_NAME='grails-spring-security'
 RELEASE_TAG=$1
 DOWNLOAD_LOCATION="${2:-downloads}"
 DOWNLOAD_LOCATION=$(realpath "${DOWNLOAD_LOCATION}")
+CWD=$(pwd)
 
 if [ -z "${RELEASE_TAG}" ]; then
   echo "Usage: $0 [release-tag] <optional download location>"
@@ -35,7 +36,6 @@ VERSION=${RELEASE_TAG#v}
 ARTIFACTS_FILE="${DOWNLOAD_LOCATION}/${PROJECT_NAME}/PUBLISHED_ARTIFACTS"
 CHECKSUMS_FILE="${DOWNLOAD_LOCATION}/${PROJECT_NAME}/CHECKSUMS"
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-CWD=$(pwd)
 
 if [ ! -f "${ARTIFACTS_FILE}" ]; then
   echo "Required file ${ARTIFACTS_FILE} not found."
@@ -60,7 +60,7 @@ trap error ERR
 cd "${DOWNLOAD_LOCATION}"
 
 echo "Importing GPG key to independent GPG home ..."
-gpg --homedir "${GRAILS_GPG_HOME}" --import "${SCRIPT_DIR}/../../KEYS"
+gpg --homedir "${GRAILS_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/KEYS"
 echo "✅ GPG Key Imported"
 
 REPO_BASE_URL="https://repository.apache.org/content/groups/staging"

etc/bin/verify-source-distribution.sh

@@ -50,7 +50,7 @@ shasum -a 512 -c "apache-${PROJECT_NAME}-${VERSION}-incubating-src.zip.sha512"
 echo "✅ Checksum Verified"
 
 echo "Importing GPG key to independent GPG home ..."
-gpg --homedir "${GRAILS_GPG_HOME}" --import "${SCRIPT_DIR}/../../KEYS"
+gpg --homedir "${GRAILS_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/KEYS"
 echo "✅ GPG Key Imported"
 
 echo "Verifying GPG signature..."

etc/bin/verify.sh

@@ -38,6 +38,10 @@ cleanup() {
 }
 trap cleanup ERR
 
+echo "Downloading KEYS file ..."
+curl -sSfLO "https://dist.apache.org/repos/dist/release/grails/KEYS"
+echo "✅ KEYS Downloaded"
+
 echo "Downloading Artifacts ..."
 "${SCRIPT_DIR}/download-release-artifacts.sh" "${RELEASE_TAG}" "${DOWNLOAD_LOCATION}"
 echo "✅ Artifacts Downloaded"