Changes quickstart to look at Maven central as Bintray is no longer used (#11)

adriancole · web-flow · commit b82eedd26a7f · 2019-05-11T17:45:39.000+08:00
Right now, people can't download zipkin anymore. This fixes it by using
central until there is a better way.

Note: This drops GPG verification, as the assumption about who signed
the dist is no longer valid. This is better than scaring people.

Note: There's no requirement to sign the md5 file, even if Bintray did
that by default. ASF projects do not sign the md5.
diff --git a/quickstart.sh b/quickstart.sh
@@ -3,8 +3,8 @@
 set -euo pipefail
 
 # This will be set to 1 if we instruct the user to manually verify signatures,
-# when they have GPG but don't have the BinTray public key. Would be super confusing
-# to tell the user to use files that we've cleaned up.
+# when they have GPG but don't have the public key of the signer. Would be super
+# confusing to tell the user to use files that we've cleaned up.
 DO_CLEANUP=0
 
 # shellcheck disable=SC2015
@@ -15,6 +15,8 @@ color_bad=$(tput setaf 1 || true)
 color_warn=$(tput setaf 3 || true)
 color_reset=$(tput sgr0 || true)
 
+repo=https://repo.maven.apache.org/maven2
+
 usage() {
     cat <<EOF
 ${color_title}$0${color_reset}
@@ -25,16 +27,16 @@ Downloads the "VERSION" version of GROUP:ARTIFACT with classifier "CLASSIFIER"
 to path "TARGET" on the local file system. "VERSION" can take the special value
 "LATEST", in which case the latest Zipkin release will be used. For example:
 
-${color_title}$0 io.zipkin.java:zipkin-autoconfigure-collector-scribe:LATEST:module scribe.jar${color_reset}
+${color_title}$0 io.zipkin.aws:zipkin-autoconfigure-collector-kinesis:LATEST:module kinesis.jar${color_reset}
 downloads the latest version of the artifact with group "io.zipkin.aws",
-artifact id "zipkin-autoconfigure-collector-scribe", and classifier "module"
-to PWD/scribe.jar
+artifact id "zipkin-autoconfigure-collector-kinesis", and classifier "module"
+to PWD/kinesis.jar
 EOF
 }
 
 welcome() {
     cat <<EOF
-${color_title}Thank you for trying OpenZipkin!${color_reset}
+${color_title}Thank you for trying Zipkin!${color_reset}
 This installer is provided as a quick-start helper, so you can try Zipkin out
 without a lengthy installation process.
 
@@ -64,7 +66,7 @@ cleanup() {
     local base_filename="$1"; shift
     if [[ "$DO_CLEANUP" -eq 0 ]]; then
         printf '\n%s\n' "${color_title}Cleaning up checksum and signature files${color_reset}"
-        execute_and_log rm -f "$base_filename"{.md5,.asc,.md5.asc}
+        execute_and_log rm -f "$base_filename"{.md5,.asc}
         DO_CLEANUP=1
     fi
 }
@@ -79,15 +81,15 @@ handle_shutdown() {
 ${color_bad}
 It looks like quick-start setup has failed. Please run the command again
 with the debug flag like below, and open an issue on
-https://github.com/openzipkin/zipkin/issues/new. Make sure to include the
-full output of the run.
+https://github.com/apache/incubator-zipkin-website/issues/new. Make sure
+to include the full output of the run.
 ${color_reset}
-    \\curl -sSL http://zipkin.io/quickstart.sh | bash -sx -- $@
+    \\curl -sSL https://zipkin.apache.org/quickstart.sh | bash -sx -- $@
 
 In the meanwhile, you can manually download and run the latest executable jar
 from the following URL:
 
-https://dl.bintray.com/openzipkin/maven/io/zipkin/java/zipkin-server/
+https://search.maven.org/remote_content?g=org.apache.zipkin&a=zipkin-server&v=LATEST&c=exec
 EOF
     fi
 }
@@ -107,48 +109,8 @@ fetch() {
 fetch_latest_version() {
     local artifact_group="$1"; shift
     local artifact_id="$1"; shift
-    local url="https://api.bintray.com/search/packages/maven?g=${artifact_group}&a=${artifact_id}&subject=openzipkin"
-    local package_data
-    local package_count
-    local have_jq
-
-    # We'll have more robustness if jq is present, but will do our best without it as well
-    if command -v jq >/dev/null 2>&1; then
-        have_jq=0
-    else
-        have_jq=1
-        printf >&2 '%s\n' \
-                   "${color_warn}jq not found on path. This script will still do its best, but installing jq" \
-                   "will allow it to parse data from Bintray in a more robust fashion.${color_reset}"
-    fi
-
-    # Call the Bintray API to search for releases
-    package_data="$(execute_and_log curl -SL "'$url'")"
-
-    # Count how many packages we got from the search
-    if [[ $have_jq -eq 0 ]]; then
-        package_count="$(jq length <<< "$package_data")"
-    else
-        package_count="$(grep -c latest_version <<< "${package_data//,/$'\n'}")"
-    fi
-    # We want exactly one result.
-    if [[ "$package_count" -eq 0 ]]; then
-        printf >&2 '%s%s%s\n' \
-                   "${color_bad}" \
-                   'No package information found; the provided group or artifact ID may be invalid.' \
-                   "${color_reset}"
-        exit 1
-    elif [[ "$package_count" -gt 1 ]]; then
-        printf >&2 '%s\n' "${color_bad}More than one package returned from search by Maven group and artifact ID.${color_reset}"
-        exit 1
-    fi
-
-    # Finally, extract the actual package version
-    if [[ $have_jq -eq 0 ]]; then
-        jq '.[0].latest_version' -r <<< "$package_data"
-    else
-        grep latest_version <<< "${package_data//,/$'\n'}" | sed 's/^.*"latest_version" *: *"*\([^"]*\)".*$/\1/'
-    fi
+    local url="${repo}/${artifact_group_with_slashes}/${artifact_id}/maven-metadata.xml"
+    printf $(curl -sSL $url | sed -n '/<version>/s/.*<version>\([^<]*\)<\/version>.*/\1/p'|tail -1)
 }
 
 artifact_part() {
@@ -198,22 +160,21 @@ verify_signature() {
 
     printf '\n%s\n' "${color_title}Verifying GPG signature of $filename...${color_reset}"
 
-    local bintray_gpg_key='D401AB61'
+    local gpg_key='D401AB61'
 
     if command -v gpg >/dev/null 2>&1; then
         fetch "$url.asc" "$filename.asc"
-        if gpg --list-keys "$bintray_gpg_key" >/dev/null 2>&1; then
+        if gpg --list-keys "$gpg_key" >/dev/null 2>&1; then
             execute_and_log gpg --verify "$filename.asc" "$filename"
             printf '%s\n' "${color_good}GPG signature for ${filename} passes verification${color_reset}"
         else
             cat <<EOF
 ${color_warn}
-JFrog BinTray GPG signing key is not known, skipping signature verification.
-You can import it, then verify the signature of $filename, using the following
-commands:
+GPG signing key is not known, skipping signature verification.
+Use the following commands to manually verify the signature of $filename:
 
-    gpg --keyserver keyserver.ubuntu.com --recv $bintray_gpg_key
-    # Optionally trust the key via 'gpg --edit-key $bintray_gpg_key', then typing 'trust',
+    gpg --keyserver keyserver.ubuntu.com --recv $gpg_key
+    # Optionally trust the key via 'gpg --edit-key $gpg_key', then typing 'trust',
     # choosing a trust level, and exiting the interactive GPG session by 'quit'
     gpg --verify $filename.asc $filename
 ${color_reset}
@@ -226,7 +187,7 @@ EOF
 }
 
 main() {
-    local artifact_group=io.zipkin.java
+    local artifact_group=org.apache.zipkin
     local artifact_id=zipkin-server
     local artifact_version=LATEST
     local artifact_version_lowercase=latest
@@ -263,6 +224,7 @@ main() {
 
     welcome
 
+    artifact_group_with_slashes="${artifact_group//.//}"
     artifact_version_lowercase="$(tr '[:upper:]' '[:lower:]' <<< "$artifact_version")"
     if [  "${artifact_version_lowercase}" = 'latest' ]; then
         printf '%s\n' "${color_title}Fetching version number of latest ${artifact_group}:${artifact_id} release...${color_reset}"
@@ -272,12 +234,12 @@ main() {
     printf '%s\n\n' "${color_good}Latest release of ${artifact_group}:${artifact_id} seems to be ${artifact_version}${color_reset}"
 
     printf '%s\n' "${color_title}Downloading $artifact_group:$artifact_id:$artifact_version:$artifact_classifier to $filename...${color_reset}"
-    artifact_group_with_slashes="${artifact_group//.//}"
-    artifact_url="https://dl.bintray.com/openzipkin/maven/${artifact_group_with_slashes}/${artifact_id}/$artifact_version/${artifact_id}-${artifact_version}${artifact_classifier_suffix}.jar"
+    artifact_url="${repo}/${artifact_group_with_slashes}/${artifact_id}/$artifact_version/${artifact_id}-${artifact_version}${artifact_classifier_suffix}.jar"
     fetch "$artifact_url" "$filename"
     verify_checksum "$artifact_url" "$filename"
-    verify_signature "$artifact_url" "$filename"
-    verify_signature "$artifact_url.md5" "$filename.md5"
+    # Disabled as it is assuming the GPG key is from Bintray, which it won't be. This is better than
+    # scaring people. In the future, we can do fancy things to determine which of the ASF keys it is.
+    # verify_signature "$artifact_url" "$filename"
 
     cleanup "$filename"
     farewell "$artifact_classifier" "$filename"
