Merge remote-tracking branch 'origin/main' into beta-releases

Author: github-actions[bot]

.evergreen/functions.yml

@@ -64,10 +64,6 @@ variables:
     E2E_TESTS_ATLAS_READANYDATABASE_STRING: ${e2e_tests_atlas_readanydatabase_string}
     E2E_TESTS_ATLAS_CUSTOMROLE_STRING: ${e2e_tests_atlas_customrole_string}
     E2E_TESTS_ATLAS_SPECIFICPERMISSION_STRING: ${e2e_tests_atlas_specificpermission_string}
-    NOTARY_URL: http://notary-service.build.10gen.cc:5000
-    NOTARY_AUTH_TOKEN: ${signing_auth_token}
-    NOTARY_SIGNING_KEY: ${signing_key_name}
-    NOTARY_SIGNING_COMMENT: Evergreen project mongodb/compass ${revision} - ${build_variant} - ${branch_name}
     MACOS_NOTARY_KEY: ${macos_notary_key}
     MACOS_NOTARY_SECRET: ${macos_notary_secret}
     MACOS_NOTARY_CLIENT_URL: 'https://macos-notary-1628249594.s3.amazonaws.com/releases/client/latest/darwin_amd64.zip'
@@ -80,6 +76,10 @@ variables:
     MONGODB_RUNNER_LOG_DIR: ${workdir}/src/.testserver/
     E2E_TESTS_ATLAS_CS_WITHOUT_SEARCH: ${e2e_tests_atlas_cs_without_search}
     E2E_TESTS_ATLAS_CS_WITH_SEARCH: ${e2e_tests_atlas_cs_with_search}
+    GARASIGN_USERNAME: ${garasign_username}
+    GARASIGN_PASSWORD: ${garasign_password}
+    ARTIFACTORY_USERNAME: ${artifactory_username}
+    ARTIFACTORY_PASSWORD: ${artifactory_password}
 
 # This is here with the variables because anchors aren't supported across includes
 post:
@@ -306,6 +306,85 @@ functions:
         # and be able to find the binary that is used for the tests
         file: src/packages/compass/expansions.yml
 
+  spawn-signing-server:
+    # spawn
+    - command: host.create
+      type: setup
+      params:
+        provider: ec2
+        distro: ubuntu2004-large
+        security_group_ids:
+          - sg-097bff6dd0d1d31d0 # Magic string that's needed for SSH'ing.
+    # write host info (this file will be read by signingtool when connection to ssh server)
+    - command: host.list
+      params:
+        num_hosts: 1
+        path: spawned_hosts.json
+        timeout_seconds: 1200
+        wait: true
+    # copy ssh key (this key will be used to connect to ssh server)
+    - command: shell.exec
+      params:
+        shell: bash
+        script: |
+          set -e
+          {
+          set +x
+          echo '${__project_aws_ssh_key_value}' > ~/.ssh/mcipacker.pem
+          chmod 0600 ~/.ssh/mcipacker.pem
+          set -x
+          }
+    # wait for host to be ready
+    - command: shell.exec
+      params:
+        exec_as_string: true
+        shell: bash
+        script: |
+          set -e
+          user=ubuntu
+          hostname=$(tr -d '"[]{}' < spawned_hosts.json | cut -d , -f 1 | awk -F : '{print $2}')
+          identity_file=$(echo ~/.ssh/mcipacker.pem)
+
+          attempts=0
+          connection_attempts=25
+
+          ## Check for remote connectivity
+          while ! ssh \
+            -i "$identity_file" \
+            -o ConnectTimeout=10 \
+            -o ForwardAgent=yes \
+            -o IdentitiesOnly=yes \
+            -o StrictHostKeyChecking=no \
+            "$(printf "%s@%s" "$user" "$hostname")" \
+            exit
+          do
+            if [ "$attempts" -ge "$connection_attempts" ]; then
+              echo "SSH connection failed after $connection_attempts attempts. Exiting..."
+              exit 1
+            fi
+            printf "SSH connection attempt %d/%d failed. Retrying...\n" "$((attempts++))" "$connection_attempts"
+            ## sleep for Permission denied (publickey) errors
+            sleep 20
+          done
+          echo "SSH connection established after $attempts attempts"
+    
+          # Write the host info so that it can be used by the signing tool
+          if [[ $OSTYPE == "cygwin" ]]; then
+            identity_file=$(cygpath -wa "$identity_file")
+          else
+            identity_file=$(eval echo "$identity_file")
+          fi
+          cat <<EOL > signing_host_info.yml
+          SIGNING_SERVER_HOSTNAME: $hostname
+          SIGNING_SERVER_PRIVATE_KEY: $identity_file
+          SIGNING_SERVER_USERNAME: $user
+          SIGNING_SERVER_PORT: 22
+          EOL
+    # Update the expansions
+    - command: expansions.update
+      params:
+        file: signing_host_info.yml
+
   package:
     - command: shell.exec
       params:
@@ -316,6 +395,10 @@ functions:
           DEBUG: ${debug}
           npm_config_loglevel: ${npm_loglevel}
           COMPASS_DISTRIBUTION: ${compass_distribution}
+          SIGNING_SERVER_HOSTNAME: ${SIGNING_SERVER_HOSTNAME}
+          SIGNING_SERVER_PRIVATE_KEY: ${SIGNING_SERVER_PRIVATE_KEY}
+          SIGNING_SERVER_USERNAME: ${SIGNING_SERVER_USERNAME}
+          SIGNING_SERVER_PORT: ${SIGNING_SERVER_PORT}
         script: |
           set -e
 
@@ -504,12 +587,26 @@ functions:
         remote_file: ${project}/${revision}_${revision_order_id}/${windows_zip_filename}
         content_type: application/zip
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${windows_zip_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${windows_zip_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${windows_nupkg_full_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${windows_nupkg_full_filename}
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${windows_nupkg_full_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${windows_nupkg_full_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
@@ -530,34 +627,69 @@ functions:
         remote_file: ${project}/${revision}_${revision_order_id}/${osx_zip_filename}
         content_type: application/zip
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${osx_zip_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${osx_zip_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${linux_rpm_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_filename}
         content_type: application/x-redhat-package-manager
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${linux_rpm_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${rhel_tar_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${rhel_tar_filename}
         content_type: application/x-gzip
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${rhel_tar_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${rhel_tar_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${linux_deb_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_deb_filename}
         content_type: application/vnd.debian.binary-package
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${linux_deb_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${linux_deb_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${linux_tar_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_tar_filename}
         content_type: application/x-gzip
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${linux_tar_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${linux_tar_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
 
   get-all-artifacts:
     - command: shell.exec

.evergreen/tasks.yml

@@ -105,6 +105,7 @@ tasks:
       - func: apply-compass-target-expansion
         vars:
           compass_distribution: compass
+      - func: spawn-signing-server
       - func: package
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'
@@ -124,6 +125,7 @@ tasks:
       - func: apply-compass-target-expansion
         vars:
           compass_distribution: compass-readonly
+      - func: spawn-signing-server
       - func: package
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'
@@ -143,6 +145,7 @@ tasks:
       - func: apply-compass-target-expansion
         vars:
           compass_distribution: compass-isolated
+      - func: spawn-signing-server
       - func: package
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'

.snyk

@@ -13,8 +13,8 @@ ignore:
   SNYK-JS-AGGRIDCOMMUNITY-1932011:
     - '*':
         reason: None Given
-        expires: 2024-02-09T14:01:23.838Z
-        created: 2024-01-10T14:01:23.846Z
+        expires: 2024-07-17T18:27:24.346Z
+        created: 2024-01-18T18:27:24.353Z
   SNYK-JS-AXIOS-6032459:
     - '*':
         reason: Not applicable to axios usage inside node-analytics package

README.md

@@ -57,7 +57,6 @@ Is there anything else you’d like to see in Compass? Let us know by submitting
 - [**@mongodb-js/databases-collections-list**](packages/databases-collections-list): List view for the databases and collections
 - [**@mongodb-js/explain-plan-helper**](packages/explain-plan-helper): Explain plan utility methods for MongoDB Compass
 - [**@mongodb-js/hadron-plugin-manager**](packages/hadron-plugin-manager): Hadron Plugin Manager
-- [**@mongodb-js/mongodb-notary-service-client**](packages/notary-service-client): A client for our notary-service: an API for codesigning
 - [**@mongodb-js/ssh-tunnel**](packages/ssh-tunnel): Yet another ssh tunnel based on ssh2
 - [**bson-transpilers**](packages/bson-transpilers): Source to source compilers using ANTLR
 - [**compass-e2e-tests**](packages/compass-e2e-tests): E2E test suite for Compass app that follows smoke tests / feature testing matrix