Installing Helm Chart from sources¶
Released packages¶
This page describes downloading and verifying Apache Airflow Official Helm Chart
version
1.4.0
using officially released source packages. You can also install the chart
directly from the airflow.apache.org
repo as described in
Installing the chart.
You can choose different version of the chart by selecting different version from the drop-down at
the top-left of the page.
The sources and packages released are the “official” sources of installation that you can use if you want to verify the origin of the packages and want to verify checksums and signatures of the packages. The packages are available via the Official Apache Software Foundations Downloads
The downloads are available at:
If you want to install from the source code, you can download from the sources link above, it will contain
a INSTALL
file containing details on how you can build and install the chart.
Release integrity¶
It is essential that you verify the integrity of the downloaded files using the PGP or SHA signatures. The PGP signatures can be verified using GPG or PGP. Please download the KEYS as well as the asc signature files for relevant distribution. It is recommended to get these files from the main distribution directory and not from the mirrors.
gpg -i KEYS
or
pgpk -a KEYS
or
pgp -ka KEYS
To verify the binaries/sources you can download the relevant asc files for it from main distribution directory and follow the below guide.
gpg --verify airflow-********.asc airflow-*********
or
pgpv airflow-********.asc
or
pgp airflow-********.asc
Example:
$ gpg --verify airflow-1.4.0.tgz.asc airflow-1.4.0.tgz
gpg: Signature made Sat 11 Sep 12:49:54 2021 BST
gpg: using RSA key CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
gpg: issuer "kaxilnaik@apache.org"
gpg: Good signature from "Kaxil Naik <kaxilnaik@apache.org>" [unknown]
gpg: aka "Kaxil Naik <kaxilnaik@gmail.com>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CDE1 5C6E 4D3A 8EC4 ECF4 BA4B 6674 E08A D7DE 406F
The “Good signature from …” is indication that the signatures are correct.
Do not worry about the “not certified with a trusted signature” warning. Most of the certificates used
by release managers are self signed, that’s why you get this warning. By importing the server in the
previous step and importing it via ID from KEYS
page, you know that this is a valid Key already.
For SHA512 sum check, download the relevant sha512
and run the following:
shasum -a 512 airflow-******** | diff - airflow-********.sha512
The SHASUM
of the file should match the one provided in .sha512
file.
Example:
shasum -a 512 airflow-1.4.0.tgz | diff - airflow-1.4.0.tgz.sha512