chore(build): sign all artifacts COMPASS-7549 (#5349)

* sign all artifacts

* fix and tests

* sign archive at one place

* sign back linux where its build

* use abs path

* fix tests and sign linux correctly

* use abs path to sign archive

* use tasks instead of task_group

* rewrite function

* use remote signing server for everything

Author: mabaasit

.evergreen/functions.yml

@@ -310,6 +310,85 @@ functions:
         # and be able to find the binary that is used for the tests
         file: src/packages/compass/expansions.yml
 
+  spawn-signing-server:
+    # spawn
+    - command: host.create
+      type: setup
+      params:
+        provider: ec2
+        distro: ubuntu2004-large
+        security_group_ids:
+          - sg-097bff6dd0d1d31d0 # Magic string that's needed for SSH'ing.
+    # write host info (this file will be read by signingtool when connection to ssh server)
+    - command: host.list
+      params:
+        num_hosts: 1
+        path: spawned_hosts.json
+        timeout_seconds: 1200
+        wait: true
+    # copy ssh key (this key will be used to connect to ssh server)
+    - command: shell.exec
+      params:
+        shell: bash
+        script: |
+          set -e
+          {
+          set +x
+          echo '${__project_aws_ssh_key_value}' > ~/.ssh/mcipacker.pem
+          chmod 0600 ~/.ssh/mcipacker.pem
+          set -x
+          }
+    # wait for host to be ready
+    - command: shell.exec
+      params:
+        exec_as_string: true
+        shell: bash
+        script: |
+          set -e
+          user=ubuntu
+          hostname=$(tr -d '"[]{}' < spawned_hosts.json | cut -d , -f 1 | awk -F : '{print $2}')
+          identity_file=$(echo ~/.ssh/mcipacker.pem)
+
+          attempts=0
+          connection_attempts=25
+
+          ## Check for remote connectivity
+          while ! ssh \
+            -i "$identity_file" \
+            -o ConnectTimeout=10 \
+            -o ForwardAgent=yes \
+            -o IdentitiesOnly=yes \
+            -o StrictHostKeyChecking=no \
+            "$(printf "%s@%s" "$user" "$hostname")" \
+            exit
+          do
+            if [ "$attempts" -ge "$connection_attempts" ]; then
+              echo "SSH connection failed after $connection_attempts attempts. Exiting..."
+              exit 1
+            fi
+            printf "SSH connection attempt %d/%d failed. Retrying...\n" "$((attempts++))" "$connection_attempts"
+            ## sleep for Permission denied (publickey) errors
+            sleep 20
+          done
+          echo "SSH connection established after $attempts attempts"
+    
+          # Write the host info so that it can be used by the signing tool
+          if [[ $OSTYPE == "cygwin" ]]; then
+            identity_file=$(cygpath -wa "$identity_file")
+          else
+            identity_file=$(eval echo "$identity_file")
+          fi
+          cat <<EOL > signing_host_info.yml
+          SIGNING_SERVER_HOSTNAME: $hostname
+          SIGNING_SERVER_PRIVATE_KEY: $identity_file
+          SIGNING_SERVER_USERNAME: $user
+          SIGNING_SERVER_PORT: 22
+          EOL
+    # Update the expansions
+    - command: expansions.update
+      params:
+        file: signing_host_info.yml
+
   package:
     - command: shell.exec
       params:
@@ -320,6 +399,10 @@ functions:
           DEBUG: ${debug}
           npm_config_loglevel: ${npm_loglevel}
           COMPASS_DISTRIBUTION: ${compass_distribution}
+          SIGNING_SERVER_HOSTNAME: ${SIGNING_SERVER_HOSTNAME}
+          SIGNING_SERVER_PRIVATE_KEY: ${SIGNING_SERVER_PRIVATE_KEY}
+          SIGNING_SERVER_USERNAME: ${SIGNING_SERVER_USERNAME}
+          SIGNING_SERVER_PORT: ${SIGNING_SERVER_PORT}
         script: |
           set -e
 
@@ -508,12 +591,26 @@ functions:
         remote_file: ${project}/${revision}_${revision_order_id}/${windows_zip_filename}
         content_type: application/zip
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${windows_zip_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${windows_zip_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${windows_nupkg_full_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${windows_nupkg_full_filename}
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${windows_nupkg_full_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${windows_nupkg_full_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
@@ -534,20 +631,41 @@ functions:
         remote_file: ${project}/${revision}_${revision_order_id}/${osx_zip_filename}
         content_type: application/zip
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${osx_zip_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${osx_zip_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${linux_rpm_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_filename}
         content_type: application/x-redhat-package-manager
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${linux_rpm_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public
         local_file: src/packages/compass/dist/${rhel_tar_filename}
         remote_file: ${project}/${revision}_${revision_order_id}/${rhel_tar_filename}
         content_type: application/x-gzip
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/packages/compass/dist/${rhel_tar_sign_filename}
+        remote_file: ${project}/${revision}_${revision_order_id}/${rhel_tar_sign_filename}
+        content_type: application/pgp-signature
+        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public

.evergreen/tasks.yml

@@ -105,6 +105,7 @@ tasks:
       - func: apply-compass-target-expansion
         vars:
           compass_distribution: compass
+      - func: spawn-signing-server
       - func: package
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'
@@ -124,6 +125,7 @@ tasks:
       - func: apply-compass-target-expansion
         vars:
           compass_distribution: compass-readonly
+      - func: spawn-signing-server
       - func: package
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'
@@ -143,6 +145,7 @@ tasks:
       - func: apply-compass-target-expansion
         vars:
           compass_distribution: compass-isolated
+      - func: spawn-signing-server
       - func: package
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'

package-lock.json

@@ -28,6 +28,7 @@ const packager = require('electron-packager');
 const createApplicationZip = require('../lib/zip');
 const run = require('./../lib/run');
 const rebuild = require('@electron/rebuild').rebuild;
+const { signArchive } = require('./../lib/signtool');
 
 const ui = require('./ui');
 const verify = require('./verify');
@@ -541,6 +542,7 @@ exports.run = (argv, done) => {
     !noAsar && task('create application asar', createApplicationAsar),
     !skipInstaller && task('create branded installer', createBrandedInstaller),
     task('create application zip', createApplicationZip),
+    task('sign zip', signArchive),
     task('store build configuration as json', writeConfigToJson)
   ].filter(Boolean));
 

packages/hadron-build/commands/release.js

@@ -1,22 +1,67 @@
-const debug = require('debug')('hadron-build:signtool');
-const { execFileSync } = require('child_process');
 const path = require('path');
+const debug = require('debug')('hadron-build:target');
+const { sign: _garasign } = require('@mongodb-js/signing-utils');
 
-async function signtool(fileToSign) {
-  const signtoolPath = path.resolve(__dirname, '..', 'signtool/signtool.exe');
-
-  const execArgs = [signtoolPath, [path.resolve(fileToSign)], { stdio: 'inherit' }];
-  debug(`Running signtool.exe to sign '${signtoolPath}'`, {
-    execArgs: execArgs,
-    env: {
-      NOTARY_SIGNING_COMMENT: process.env.NOTARY_SIGNING_COMMENT,
-      NOTARY_URL: process.env.NOTARY_URL,
-      NOTARY_SIGNING_KEY: process.env.NOTARY_SIGNING_KEY,
-    }
-  });
-
-  // eslint-disable-next-line no-sync
-  await execFileSync(...execArgs);
+const canSign = () => (
+  process.env.GARASIGN_USERNAME &&
+  process.env.GARASIGN_PASSWORD &&
+  process.env.ARTIFACTORY_USERNAME &&
+  process.env.ARTIFACTORY_PASSWORD
+);
+
+/**
+ * When using gpg to sign a file, it creates a signature file
+ * with same name as the original file and adds `.sig` to it.
+ *
+ * @param {string} filename
+ * @returns string
+ */
+function getSignedFilename(filename) {
+  return `${filename}.sig`;
+}
+
+/**
+ * Currently, windows and macos zip are created from `zip` step
+ * of the release process and we sign them here. For linux, we
+ * create and sign the archive when creating corresponding deb/rpm file.
+ *
+ * @param {import('./Target')} target
+ */
+function signArchive(target, cb) {
+  const { app_archive_name, platform } = target;
+  if (platform === 'linux') {
+    debug('linux archive is signed when creating deb/rpm');
+    return cb();
+  }
+  sign(target.dest(app_archive_name)).then(cb).catch(cb);
+}
+
+/**
+ * We are signing the file using `gpg` or `jsign` depending on the
+ * file extension. If the extension is `.exe` or `.msi`, we use `jsign`
+ * otherwise we use `gpg`.
+ *
+ * @param {string} src
+ * @returns {Promise<void>}
+ */
+async function sign(src, garasign = _garasign) {
+  debug('Signing %s ...', src);
+
+  if (!canSign()) {
+    debug('Skipping signing. Missing credentials.');
+    return;
+  }
+
+  const clientOptions = {
+    client: 'remote',
+    host: process.env.SIGNING_SERVER_HOSTNAME,
+    username: process.env.SIGNING_SERVER_USERNAME,
+    port: process.env.SIGNING_SERVER_PORT,
+    privateKey: process.env.SIGNING_SERVER_PRIVATE_KEY,
+    signingMethod: path.extname(src) === '.exe' || path.extname(src) === '.msi' ? 'jsign' : 'gpg'
+  };
+
+  return await garasign(src, clientOptions);
 }
 
-module.exports = { signtool };
+module.exports = { sign, signArchive, getSignedFilename };