ci: Refactor check.sh into check.py to get ready for multi components…

… release (#4159)

refactor check.sh

Signed-off-by: Xuanwo <github@xuanwo.io>

scripts/README.md

@@ -16,7 +16,7 @@ OPENDAL_VERSION=0.30.2 OPENDAL_VERSION_RC=rc1 ./scripts/release.sh
 ## Check
 
 ```shell
-./scripts/check.sh apache-opendal-0.33.3-src.tar.gz
+./scripts/check.py
 ```
 
 > Before running the check, please ensure that you have completed the following preparations.

scripts/check.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import subprocess
+import os
+
+# Define colors for output
+YELLOW = "\033[37;1m"
+GREEN = "\033[32;1m"
+ENDCOLOR = "\033[0m"
+
+
+def check_signature(pkg):
+    """Check the GPG signature of the package."""
+    try:
+        subprocess.check_call(["gpg", "--verify", f"{pkg}.asc", pkg])
+        print(GREEN + "Success to verify the gpg sign for " + pkg + ENDCOLOR)
+    except subprocess.CalledProcessError:
+        print(YELLOW + "Failed to verify the gpg sign for " + pkg + ENDCOLOR)
+
+
+def check_sha512sum(pkg):
+    """Check the sha512 checksum of the package."""
+    try:
+        subprocess.check_call(["sha512sum", "--check", f"{pkg}.sha512"])
+        print(GREEN + "Success to verify the checksum for " + pkg + ENDCOLOR)
+    except subprocess.CalledProcessError:
+        print(YELLOW + "Failed to verify the checksum for " + pkg + ENDCOLOR)
+
+
+def main():
+    # Get a list of all files in the current directory
+    files = [f for f in os.listdir(".") if os.path.isfile(f)]
+
+    for pkg in files:
+        # Skip files that don't have a corresponding .asc or .sha512 file
+        if not os.path.exists(f"{pkg}.asc") or not os.path.exists(f"{pkg}.sha512"):
+            continue
+
+        print(f"> Checking {pkg}")
+
+        # Perform the checks
+        check_signature(pkg)
+        check_sha512sum(pkg)
+
+
+if __name__ == "__main__":
+    main()

website/community/committers/verify.md

@@ -93,17 +93,17 @@ Now, we could start the verification.
 We've provided a script to verify the checksum and signature of the release candidate.
 
 The script is in the `scripts` directory of our repository.
-You can download it directly from [here](https://raw.githubusercontent.com/apache/opendal/main/scripts/check.sh)
+You can download it directly from [here](https://raw.githubusercontent.com/apache/opendal/main/scripts/check.py)
 or check it out from the repository:
 
 ```shell
-git clone git@github.com:apache/opendal.git
+git clone https://github.com/apache/opendal
 ```
 
-Run the script on a specific release candidate:
+Run the script in a specific release candidate's folder:
 
 ```shell
-./scripts/check.sh apache-opendal-${release_version}-${rc_version}-src.tar.gz
+./scripts/check.py
 ```
 
 You will see the following output if the verification is successful: