chore(garasign): sign linux artifacts (#5334)

mabaasit · web-flow · commit 52a5795dac8f · 2024-01-16T14:46:22.000+01:00
* sign deb

* sign linux tar

* almost blew windows signing

* package update
diff --git a/.evergreen/functions.yml b/.evergreen/functions.yml
@@ -80,6 +80,10 @@ variables:
     MONGODB_RUNNER_LOG_DIR: ${workdir}/src/.testserver/
     E2E_TESTS_ATLAS_CS_WITHOUT_SEARCH: ${e2e_tests_atlas_cs_without_search}
     E2E_TESTS_ATLAS_CS_WITH_SEARCH: ${e2e_tests_atlas_cs_with_search}
+    GARASIGN_USERNAME: ${garasign_username}
+    GARASIGN_PASSWORD: ${garasign_password}
+    ARTIFACTORY_USERNAME: ${artifactory_username}
+    ARTIFACTORY_PASSWORD: ${artifactory_password}
 
 # This is here with the variables because anchors aren't supported across includes
 post:
@@ -551,13 +555,27 @@ functions:
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_deb_filename}
         content_type: application/vnd.debian.binary-package
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${linux_deb_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${linux_deb_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${linux_tar_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_tar_filename}
         content_type: application/x-gzip
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${linux_tar_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${linux_tar_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
 
   get-all-artifacts:
     - command: shell.exec
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/hadron-build/lib/target.js b/packages/hadron-build/lib/target.js
@@ -18,10 +18,20 @@ const mongodbNotaryServiceClient = require('@mongodb-js/mongodb-notary-service-c
 const which = require('which');
 const plist = require('plist');
 const { signtool } = require('./signtool');
+const { sign: garasign } = require('@mongodb-js/signing-utils');
 const tarGz = require('./tar-gz');
 
-async function signLinuxPackage(src) {
-  debug('Signing ... %s', src);
+async function signLocallyWithGpg(src) {
+  debug('Signing locally with gpg ... %s', src);
+  await garasign(src, {
+    client: 'local',
+    signingMethod: 'gpg',
+  });
+  debug('Successfully signed %s', src);
+}
+
+async function signRpmPackage(src) {
+  debug('Signing rpm .. %s', src);
   await mongodbNotaryServiceClient(src);
   debug('Successfully signed %s', src);
 }
@@ -646,6 +656,9 @@ class Target {
     const debianArch = this.arch === 'x64' ? 'amd64' : 'i386';
     const debianSection = _.get(platformSettings, 'deb_section');
     this.linux_deb_filename = `${this.slug}_${debianVersion}_${debianArch}.deb`;
+    this.linux_deb_sign_filename = `${this.linux_deb_filename}.sig`;
+    this.linux_tar_filename = `${this.slug}-${this.version}-${this.platform}-${this.arch}.tar.gz`;
+    this.linux_tar_sign_filename = `${this.linux_tar_filename}.sig`;
 
     const rhelVersion = [
       this.semver.major,
@@ -656,7 +669,6 @@ class Target {
     const rhelArch = this.arch === 'x64' ? 'x86_64' : 'i386';
     const rhelCategories = _.get(platformSettings, 'rpm_categories');
     this.linux_rpm_filename = `${this.slug}-${this.version}.${rhelArch}.rpm`;
-    this.linux_tar_filename = `${this.slug}-${this.version}-${this.platform}-${this.arch}.tar.gz`;
     this.rhel_tar_filename = `${this.slug}-${this.version}-rhel-${this.arch}.tar.gz`;
 
     this.assets = [
@@ -665,6 +677,10 @@ class Target {
         path: this.dest(this.linux_deb_filename),
         downloadCenter: true
       },
+      {
+        name: this.linux_deb_sign_filename,
+        path: this.dest(this.linux_deb_sign_filename),
+      },
       {
         name: this.linux_rpm_filename,
         path: this.dest(this.linux_rpm_filename),
@@ -674,6 +690,10 @@ class Target {
         name: this.linux_tar_filename,
         path: this.dest(this.linux_tar_filename)
       },
+      {
+        name: this.linux_tar_sign_filename,
+        path: this.dest(this.linux_tar_sign_filename)
+      },
       {
         name: this.rhel_tar_filename,
         path: this.dest(this.rhel_tar_filename)
@@ -731,7 +751,7 @@ class Target {
         const createRpm = require('electron-installer-redhat');
         debug('creating rpm...', this.installerOptions.rpm);
         return createRpm(this.installerOptions.rpm).then(() => {
-          return signLinuxPackage(this.dest(this.linux_rpm_filename));
+          return signRpmPackage(this.dest(this.linux_rpm_filename));
         });
       });
     };
@@ -741,12 +761,7 @@ class Target {
         const createDeb = require('electron-installer-debian');
         debug('creating deb...', this.installerOptions.deb);
         return createDeb(this.installerOptions.deb).then(() => {
-          // We do not sign debs because it doesn't work, see
-          // this thread for context:
-          //   https://mongodb.slack.com/archives/G2L10JAV7/p1623169331107600
-          //
-          // return sign(this.dest(this.linux_deb_filename));
-          return this.dest(this.linux_deb_filename);
+          return signLocallyWithGpg(this.dest(this.linux_deb_filename));
         });
       });
     };
@@ -758,7 +773,12 @@ class Target {
         this.dest(this.app_archive_name)
       );
 
-      return tarGz(this.appPath, this.dest(this.app_archive_name));
+      return tarGz(this.appPath, this.dest(this.app_archive_name)).then(() => {
+        if (process.env.EVERGREEN_BUILD_VARIANT === 'rhel') {
+          return;
+        }
+        return signLocallyWithGpg(this.dest(this.app_archive_name));
+      });
     };
 
     this.createInstaller = () => {
diff --git a/packages/hadron-build/package.json b/packages/hadron-build/package.json
@@ -19,10 +19,12 @@
     "url": "https://github.com/mongodb-js/compass.git"
   },
   "dependencies": {
+    "@electron/rebuild": "^3.4.1",
     "@mongodb-js/devtools-github-repo": "^1.4.1",
     "@mongodb-js/dl-center": "^1.0.1",
     "@mongodb-js/electron-wix-msi": "^3.0.0",
     "@mongodb-js/mongodb-notary-service-client": "^2.0.4",
+    "@mongodb-js/signing-utils": "^0.2.3",
     "@npmcli/arborist": "^6.2.0",
     "@octokit/rest": "^18.6.2",
     "asar": "^3.0.3",
@@ -36,7 +38,6 @@
     "electron": "^28.1.0",
     "electron-packager": "^15.5.1",
     "electron-packager-plugin-non-proprietary-codecs-ffmpeg": "^1.0.2",
-    "@electron/rebuild": "^3.4.1",
     "flatnest": "^1.0.0",
     "fs-extra": "^8.1.0",
     "getos": "^3.1.4",
