chore: Allow skipping key verification on centos7 (#240)

...because something about the gpg version on centos7 is too old ( https://github.com/apache/arrow-nanoarrow/actions/runs/5293770871/jobs/9582325801#step:4:337 ).
apache · Jun 19, 2023 · 4c5b247 · 4c5b247
1 parent a682731
commit 4c5b247
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
@@ -147,7 +147,11 @@ jobs:
           - {platform: "fedora", arch: "amd64"}
           - {platform: "archlinux", arch: "amd64"}
           - {platform: "alpine", arch: "amd64"}
-          - {platform: "centos7", arch: "amd64"}
+          - {
+              platform: "centos7",
+              arch: "amd64",
+              compose_args: "-e NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR=1"
+            }
           - {
               platform: "ubuntu",
               arch: "amd64",

diff --git a/dev/release/README.md b/dev/release/README.md
@@ -235,6 +235,11 @@ curl -L https://github.com/apache/arrow/archive/refs/tags/apache-arrow-9.0.0.tar
 export NANOARROW_CMAKE_OPTIONS="-DArrow_DIR=$(pwd)/arrow/lib/cmake/Arrow"
 export CMAKE_BIN=cmake3
 export CTEST_BIN=ctest3
+
+# gpg on centos7 errors for some keys in the Arrow KEYS file. This does
+# not skip verifying signatures, just allows errors for unsupported entries in
+# the global Arrow KEYS file.
+export NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR=1
 ```
 
 ### Big endian

diff --git a/dev/release/verify-release-candidate.sh b/dev/release/verify-release-candidate.sh
@@ -31,6 +31,10 @@
 #   If unset, the script will check out a version into NANOARROW_TMPDIR.
 # - NANOARROW_TMPDIR: Use to specify a persistent directory such that verification
 #   results are more easily retrieved.
+# - NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR: Don't stop verification even when
+#   "gpg --import KEYS" returns an error. In general, we should not use this
+#   to ensure importing all GPG keys. But newer algorithms such as ed25519 may
+#   not be supported in old GPG such as GPG on CentOS 7.
 # - TEST_SOURCE: Set to 0 to selectively run component verification.
 # - TEST_C: Builds C libraries and tests using the default CMake
 #   configuration. Defaults to the value of TEST_SOURCE.
@@ -114,7 +118,12 @@ import_gpg_keys() {
     return 0
   fi
   download_dist_file KEYS
-  gpg --import KEYS
+
+  if [ "${NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR:-0}" -gt 0 ]; then
+    gpg --import KEYS || true
+  else
+    gpg --import KEYS
+  fi
 
   GPGKEYS_ALREADY_IMPORTED=1
 }