
fix(verify-release): fix bash pipe FD leak causing deadlock on maven checksum verification #4024

Open
adnanhemani wants to merge 2 commits into main from ahemani/fix_fd_resource_leak_verify_script

@adnanhemani
Contributor

@adnanhemani adnanhemani commented Mar 19, 2026

Without this fix, the verify script deadlocks and stalls past an amount of artifacts processed during the Maven Repo Signature and Checksum Verification:

As I am no expert at this, I am relying on Claude's explanation that the process substitution used earlier doesn't close the pipe FDs reliably, which eventually ends up in a deadlock. The new code eliminates pipes altogether and therefore has nothing to leak.

If anyone has a better way of doing this, please suggest to raise a different PR - I am only going with this as this suggestion worked for me, but unsure if it is the correct long-term fix.

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)
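
For readers following the description above, here is one way to structure a checksum loop without process substitution, staging intermediate data in regular files. This is an added example, not code from this PR or from the project's verify-release.sh; the function names, the `*.sha512` sidecar layout and the messages are assumptions.

```bash
#!/usr/bin/env bash
# Added example: names, layout and messages are assumptions, not the project's script.

# Write "<hex>  <file>" for FILE ($1) into OUT ($2), using whichever SHA-512
# tool is installed (sha512sum on Linux, shasum on macOS).
sha512_to_file() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" > "$2"
  else
    shasum -a 512 "$1" > "$2"
  fi
}

# verify_checksums DIR
# Checks every *.sha512 sidecar under DIR against its artifact.
# Returns 0 if all match, 1 on any mismatch or missing artifact, 2 on setup failure.
verify_checksums() {
  local dir="$1" scratch sumfile artifact expected actual rest failures=0
  scratch="$(mktemp -d)" || return 2

  # Stage the file list in a regular file instead of feeding the loop from
  # process substitution, so no pipe descriptor stays open while it runs.
  find "$dir" -type f -name '*.sha512' > "$scratch/list" || { rm -rf "$scratch"; return 2; }

  while IFS= read -r sumfile; do
    artifact="${sumfile%.sha512}"
    if [ ! -f "$artifact" ]; then
      echo "MISSING  $artifact" >&2
      failures=$((failures + 1))
      continue
    fi
    # A sidecar may hold only the hex digest with no trailing newline; read then
    # returns non-zero but still fills the variable, hence `|| true`.
    expected="" actual=""
    read -r expected rest < "$sumfile" || true
    sha512_to_file "$artifact" "$scratch/actual"
    read -r actual rest < "$scratch/actual" || true
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
      echo "MISMATCH $artifact" >&2
      failures=$((failures + 1))
    fi
  done < "$scratch/list"

  rm -rf "$scratch"
  [ "$failures" -eq 0 ]
}
```

An empty sidecar is counted as a mismatch rather than skipped, so a truncated download cannot pass the check silently.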

@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Mar 19, 2026
@adnanhemani adnanhemani marked this pull request as ready for review March 19, 2026 03:26
@jbonofre jbonofre self-requested a review March 19, 2026 04:20
@snazy
Member

snazy commented Mar 20, 2026

Can you verify that this works fine on both macOS and Linux?
Testing against ubuntu:latest is fine.

@adnanhemani
Contributor Author

Tested it locally on macOS, and ran it against Docker Ubuntu:

docker run --rm -it -v ~/Development/polaris:/polaris -w /polaris ubuntu:latest bash -c "apt-get update -qq && apt-get install -y -qq wget git default-jdk gnupg curl zip unzip cmake build-essential libssl-dev zlib1g-dev && curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash && wget -q https://libzip.org/download/libzip-1.10.1.tar.gz && tar xzf libzip-1.10.1.tar.gz && cd libzip-1.10.1 && mkdir build && cd build && cmake -DBUILD_TOOLS=ON  .. -DBUILD_SHARED_LIBS=OFF > /dev/null && make zipcmp > /dev/null 2>&1 && cp src/zipcmp /usr/local/bin/ && cd /polaris && bash tools/verify-release/verify-release.sh --git-sha b91281989fe57435d22fbef347df6293412331b3 --version 1.4.0-rc0 --maven-repo-id 1062"

...


************************************************************************************************************
** Automatic release check FAILED !
************************************************************************************************************

One or more staged release artifacts did not pass the required checks.
A detailed report is available in the file

  /polaris/polaris-release-verify-2026-03-30-21-10-06.log

INSPECT THE CONTENTS OF THE ABOVE FILE _BEFORE_ REPORTING THE RELEASE CONTENTS AS INVALID!

* Git SHA mismatches MUST be treated as fatal.
* GPG signature verification errors MUST be treated as fatal.
* Checksum mismatches MUST be treated as fatal.
* Files being reported as missing MUST be treated as fatal.

The Polaris build is not yet fully reproducible.
A list of known reproducible build issues is maintained in https://github.com/apache/polaris/issues/2204.

Pending on full support for reproducible builds in Quarkus:
* Jars containing generated code are not guaranteed to be reproducible. Affects the following jars:
  * */quarkus/generated-bytecode.jar
  * */quarkus/transformed-bytecode.jar
  * */quarkus/quarkus-application.jar
* Re-assembled jars are not guaranteed to be reproducible: Affects the following jars:
  * admin/app/polaris-admin-*.jar
  * server/app/polaris-server-*.jar
* Zips and tarballs containing any of the above are not guaranteed to be reproducible.

⚠ NOT purging temporary directory /tmp/polaris-release-verify-2026-03-30-21-10-06-BtQ8qDNl0 - errors were reported!

@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Mar 31, 2026