Provide a script to verify a Polaris release candidate #2822

@snazy

Verifying a Polaris release candidate is quite a complex effort; most of the individual tasks can be automated.

The goal is to have a script that can perform the release-candidate verification tasks that can be automated, which are:

  • Downloads...
    • KEYS file
    • Files from dist.apache.org
    • Staged Maven repo
  • Check GPG signatures (*.asc files)
  • Verify file checksums (*.md5/sha1/sha256/sha512 files)
  • Verify that all artifacts are present
  • Compare the contents of the source tarball against the Git tag
  • Verify that the staged artifacts are equal to locally built artifacts (reproducible build) and provide some insights (zipcmp/zipinfo/diff) if not
  • Emit an informational message about the known non-reproducible artifacts as mentioned in "Make all generated archives reproducible" (#2204)
  • Check Helm charts (incl downloads et al)

Non-goals

  • Validate contents of LICENSE and NOTICE files
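
An added example, not part of the issue and not the Polaris project's script: a sketch of the "all artifacts are present" and "verify file checksums" tasks for one downloaded directory. The function names and the flat directory layout are assumptions, GNU `sha512sum` is assumed to be installed, and GPG signature verification is not performed here (only the presence of the `.asc` file is checked).

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): verify a release-candidate directory.
# Every artifact must have .asc and .sha512 companions, and the stored SHA-512
# digest must match the file. An empty directory is treated as a failure so that
# a failed download cannot pass silently.

# Print the digest stored in a checksum file. Handles both the
# "<hex>  <filename>" form and a bare "<hex>" line.
stored_digest() {
  awk 'NR==1 { print tolower($1) }' "$1"
}

# verify_rc_dir DIR: returns 0 only if at least one artifact exists and all pass.
verify_rc_dir() {
  local dir="$1"
  local failures=0 count=0 artifact expected actual
  for artifact in "$dir"/*; do
    [ -f "$artifact" ] || continue
    case "$artifact" in
      *.asc|*.md5|*.sha1|*.sha256|*.sha512) continue ;;  # companions, not artifacts
    esac
    count=$((count + 1))
    if [ ! -f "$artifact.asc" ]; then
      echo "MISSING signature: $artifact.asc"
      failures=$((failures + 1))
    fi
    if [ ! -f "$artifact.sha512" ]; then
      echo "MISSING checksum: $artifact.sha512"
      failures=$((failures + 1))
      continue
    fi
    expected="$(stored_digest "$artifact.sha512")"
    actual="$(sha512sum "$artifact" | awk '{ print $1 }')"
    if [ "$expected" = "$actual" ]; then
      echo "OK checksum: $artifact"
    else
      echo "MISMATCH checksum: $artifact"
      failures=$((failures + 1))
    fi
  done
  if [ "$count" -eq 0 ]; then
    echo "NO artifacts found in $dir"
    return 1
  fi
  [ "$failures" -eq 0 ]
}

# Stand-alone use: pass the directory to check as the first argument.
if [ "$#" -gt 0 ]; then verify_rc_dir "$1"; fi
```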

Labels: enhancement (New feature or request)