installing-providers-from-sources.rst

Installing from sources
=======================

Released packages
-----------------

.. jinja:: official_download_page

    This page describes downloading and verifying ``{{ package_name }}`` provider version
    ``{{ package_version }}`` using officially released packages.
    You can also install the provider package, as most Python packages, via
    `PyPI <https://pypi.org/project/{{ package_name }}/{{ package_version }}>`__.
    You can choose a different version of the provider by selecting it from the drop-down at
    the top-left of the page.


The released sdist and whl packages are the "official" installation sources to use when you want to verify the origin of the packages and check their checksums and signatures. The packages are available via the official Apache Software Foundation mirrors.

The downloads are available at:

.. jinja:: official_download_page

    * `Sdist package <{{ closer_lua_url }}/{{ package_name }}-{{ package_version }}.tar.gz>`__ (`asc <{{ base_url }}/{{ package_name }}-{{ package_version }}.tar.gz.asc>`__, `sha512 <{{ base_url }}/{{ package_name }}-{{ package_version }}.tar.gz.sha512>`__) - the sdist is also the official source-code release of the package
    * `Whl package <{{ closer_lua_url }}/{{ package_name_underscores }}-{{ package_version }}-py3-none-any.whl>`__ (`asc <{{ base_url }}/{{ package_name_underscores }}-{{ package_version }}-py3-none-any.whl.asc>`__, `sha512 <{{ base_url }}/{{ package_name_underscores }}-{{ package_version }}-py3-none-any.whl.sha512>`__)

If you want to install from the source code, download the sdist from the link above; it contains an ``INSTALL`` file with details on how to build and install the provider.

Release integrity
-----------------

PGP signatures KEYS
"""""""""""""""""""

It is essential that you verify the integrity of the downloaded files using the PGP signatures or the SHA-512 checksums. The PGP signatures can be verified using GPG or PGP. Please download the ``KEYS`` file as well as the ``asc`` signature files for the relevant distribution. It is recommended to get these files from the main distribution directory and not from the mirrors: a mirror that served a tampered package could just as easily serve a matching tampered checksum or key.

.. code-block:: bash

    gpg --import KEYS

or

.. code-block:: bash

    pgpk -a KEYS

or

.. code-block:: bash

    pgp -ka KEYS

To verify the binaries/sources, download the relevant ``asc`` files from the main distribution directory and follow the guide below.

.. code-block:: bash

    gpg --verify apache-airflow-providers-********.asc apache-airflow-providers-********

or

.. code-block:: bash

    pgpv apache-airflow-providers-********.asc

or

.. code-block:: bash

    pgp apache-airflow-providers-********.asc

Example:

.. jinja:: official_download_page

    .. code-block:: console
        :substitutions:

        $ gpg --verify {{ package_name }}-{{ package_version }}.tar.gz.asc {{ package_name }}-{{ package_version }}.tar.gz
          gpg: Signature made Sat 11 Sep 12:49:54 2021 BST
          gpg:                using RSA key CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
          gpg:                issuer "[email protected]"
          gpg: Good signature from "Kaxil Naik <[email protected]>" [unknown]
          gpg:                 aka "Kaxil Naik <[email protected]>" [unknown]
          gpg: WARNING: The key's User ID is not certified with a trusted signature!
          gpg:          There is no indication that the signature belongs to the owner.
          Primary key fingerprint: CDE1 5C6E 4D3A 8EC4 ECF4  BA4B 6674 E08A D7DE 406F

    The "Good signature from ..." line indicates that the signature is correct.
    Do not worry about the "not certified with a trusted signature" warning. Most of the keys used
    by release managers are self-signed, which is why you get this warning. Because you imported the key
    from the ``KEYS`` file in the previous step, you already know that it is a valid release key; as a final
    check, confirm that the ``Primary key fingerprint`` printed by ``gpg`` is one of the fingerprints listed
    in ``KEYS``.

    For the SHA512 sum check, download the relevant ``sha512`` file and run the following:

    .. code-block:: bash

        shasum -a 512 apache-airflow-providers-********  | diff - apache-airflow-providers-********.sha512

    The ``SHASUM`` of the file should match the one provided in the ``.sha512`` file. When they match,
    ``diff`` prints nothing and exits with status 0. Run the command from the directory containing the
    downloaded file: ``shasum`` prints the path exactly as you gave it and ``diff`` compares the whole line,
    file name included, so a different local path is reported as a mismatch even when the digest is right.

    Example:

    .. code-block:: bash
        :substitutions:

        shasum -a 512 {{ package_name }}-{{ package_version }}.tar.gz  | diff - {{ package_name }}-{{ package_version }}.tar.gz.sha512


Verifying PyPI releases
-----------------------

You can verify the provider ``.whl`` packages from PyPI by downloading the package together with its signature and SHA-512 checksum files using the script below:

.. jinja:: official_download_page

    .. code-block:: bash

        #!/bin/bash
        # Stop at the first failed command so a failed download cannot go unnoticed.
        set -e
        PACKAGE_VERSION={{ package_version }}
        PACKAGE_NAME={{ package_name }}
        # Use a fresh temporary directory so the files to verify are isolated.
        provider_download_dir=$(mktemp -d)
        # Fetch only the wheel itself from PyPI, without its dependencies.
        pip download --no-deps "${PACKAGE_NAME}==${PACKAGE_VERSION}" --dest "${provider_download_dir}"
        # Fetch the signature and checksum from the ASF distribution site, not from PyPI.
        # -f makes curl fail on an HTTP error instead of saving the error page as the file.
        curl -f "{{ base_url }}/{{ package_name_underscores }}-{{ package_version }}-py3-none-any.whl.asc" \
            -L -o "${provider_download_dir}/{{ package_name_underscores }}-{{ package_version }}-py3-none-any.whl.asc"
        curl -f "{{ base_url }}/{{ package_name_underscores }}-{{ package_version }}-py3-none-any.whl.sha512" \
            -L -o "${provider_download_dir}/{{ package_name_underscores }}-{{ package_version }}-py3-none-any.whl.sha512"
        echo
        echo "Please verify files downloaded to ${provider_download_dir}"
        ls -la "${provider_download_dir}"
        echo

Once you have verified the files following the instructions in the previous section, you can remove the temporary folder that was created.
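The checksum and signature checks described in the previous section, applied to an artifact downloaded either from the ASF mirrors or with the PyPI script above, as an added example that is not part of the Airflow documentation or the project's tooling. It expects the artifact, its ``.sha512`` and ``.asc`` files and the ``KEYS`` file as inputs; the script name ``verify-release.sh`` and the file names in its comments are hypothetical. It goes beyond the ``diff``-based check on this page in two ways: it compares digests rather than whole lines, so it still works when the local path differs from the file name recorded in the ``.sha512`` file, and it verifies the signature against a throwaway keyring that holds only ``KEYS``, so a good signature from some unrelated key in your personal keyring cannot pass.

```shell
#!/usr/bin/env bash
# Added example, not from the Airflow docs or the project's tooling: verify a
# downloaded provider artifact (sdist or wheel) against its .sha512 and .asc
# files, failing closed. The script name verify-release.sh is hypothetical.
#   Usage: verify-release.sh <artifact> <KEYS file>
set -eu

# Print the SHA-512 hex digest of a file, using sha512sum (coreutils) when
# available and falling back to shasum (Perl, the default on macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Compare the artifact's digest with the digest recorded in the .sha512 file.
# Unlike "shasum ... | diff - file.sha512", this compares digests only, so it
# still works when the local path differs from the file name recorded in the
# checksum file (for example after downloading into a temp directory).
# Accepts "<digest>  <name>", a bare digest, and "name: XXXX XXXX ..." (the
# gpg --print-md layout). Returns 0 on match, 1 on mismatch or unusable input.
verify_sha512() {
    artifact="$1"; sumfile="$2"
    # Strip whitespace, drop an optional "name:" prefix, keep the first 128
    # characters and normalise to lower case.
    expected=$(tr -d '[:space:]' < "$sumfile" | sed 's/^.*://' | cut -c1-128 | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "no SHA-512 digest found in $sumfile" >&2; return 1 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "truncated digest in $sumfile" >&2; return 1
    fi
    actual=$(sha512_of "$artifact")
    if [ "$expected" != "$actual" ]; then
        echo "SHA-512 MISMATCH for $artifact" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "SHA-512 OK for $artifact"
}

# Verify the detached PGP signature against an isolated keyring that holds
# only the keys from KEYS. "gpg --verify" exits 0 for a good signature from
# *any* key in the default keyring, so the isolation is what ties the check
# to the project's release keys. Returns 0 only when gpg reports VALIDSIG.
verify_asc() {
    artifact="$1"; sigfile="$2"; keysfile="$3"
    gnupghome=$(mktemp -d)
    chmod 700 "$gnupghome"
    if ! gpg --homedir "$gnupghome" --batch --quiet --import "$keysfile" 2>/dev/null; then
        echo "could not import release keys from $keysfile" >&2
        rm -rf "$gnupghome"; return 1
    fi
    # --status-fd 1 makes gpg print machine-readable "[GNUPG:] ..." lines;
    # VALIDSIG carries the fingerprint of the key that made the signature.
    fpr=$(gpg --homedir "$gnupghome" --batch --status-fd 1 --verify "$sigfile" "$artifact" 2>/dev/null \
          | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {print $3; exit}')
    rm -rf "$gnupghome"
    if [ -z "$fpr" ]; then
        echo "BAD or missing signature on $artifact" >&2; return 1
    fi
    echo "Signature OK for $artifact, made by release key $fpr"
}

# Run both checks on <artifact>, expecting <artifact>.sha512 and <artifact>.asc
# beside it; fail closed if either check fails.
verify_release() {
    verify_sha512 "$1" "$1.sha512" || return 1
    verify_asc "$1" "$1.asc" "$2" || return 1
    echo "OK: $1 passed checksum and signature verification"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Run it from the directory holding the downloaded files, for example ``./verify-release.sh apache-airflow-providers-********.tar.gz KEYS``; a non-zero exit status means at least one check failed, which makes the script usable as a gate in a build or deployment pipeline.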