chore(ci): rpm signing COMPASS-7588 (#5379)

* wip rpm signing

* update package

* verify correctly

Author: mabaasit

.evergreen/functions.yml

@@ -664,13 +664,6 @@ functions:
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_filename}
         content_type: application/x-redhat-package-manager
         optional: true
-    - command: s3.put
-      params:
-        <<: *save-artifact-params-public
-        local_file: src/packages/compass/dist/${linux_rpm_sign_filename}
-        remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_sign_filename}
-        content_type: application/pgp-signature
-        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public

.evergreen/verify-artifacts.sh

@@ -9,6 +9,7 @@ ls -l $ARTIFACTS_DIR
 # Use tmp directory for all gpg operations
 GPG_HOME=$(mktemp -d)
 TMP_FILE=$(mktemp)
+COMPASS_KEY="https://pgp.mongodb.com/compass.asc"
 
 trap_handler() {
   local code=$?
@@ -40,9 +41,28 @@ verify_using_codesign() {
   codesign -dv --verbose=4 $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
 }
 
+verify_using_rpm() {
+  # RPM packages are signed using gpg and the signature is embedded in the package.
+  # Here, we need to import the key in `rpm` and then verify the signature.
+  echo "Importing key into rpm"
+  rpm --import $COMPASS_KEY > "$TMP_FILE" 2>&1
+  # Even if the file is not signed, the command below will exit with 0 and output something like: sha1 md5 OK
+  # So we need to check the output of the command to see if the file is signed successfully.
+  echo "Verifying $1 using rpm"
+  output=$(rpm -K $ARTIFACTS_DIR/$1)
+  # Remove the imported key from rpm
+  rpm -e $(rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}:%{summary}\n' | grep compass | awk -F: '{print $1}')
+  
+  # Check if the output contains the string "pgp md5 OK"
+  if [[ $output != *"pgp md5 OK"* ]]; then
+    echo "File $1 is not signed"
+    exit 1
+  fi
+}
+
 setup_gpg() {
   echo "Importing Compass public key"
-  curl https://pgp.mongodb.com/compass.asc | gpg --homedir $GPG_HOME --import > "$TMP_FILE" 2>&1
+  curl $COMPASS_KEY | gpg --homedir $GPG_HOME --import > "$TMP_FILE" 2>&1
 }
 
 if [ "$IS_WINDOWS" = true ]; then
@@ -55,7 +75,7 @@ elif [ "$IS_UBUNTU" = true ]; then
   verify_using_gpg $LINUX_TAR_NAME
 elif [ "$IS_RHEL" = true ]; then
   setup_gpg
-  verify_using_gpg $RHEL_RPM_NAME
+  verify_using_rpm $RHEL_RPM_NAME
   verify_using_gpg $RHEL_TAR_NAME
 elif [ "$IS_OSX" = true ]; then
   setup_gpg

package-lock.json

@@ -36,6 +36,21 @@ function signArchive(target, cb) {
   sign(target.dest(app_archive_name)).then(cb).catch(cb);
 }
 
+/**
+ * @param {string} src
+ */
+function getSigningMethod(src) {
+  switch (path.extname(src)) {
+    case '.exe':
+    case '.msi':
+      return 'jsign';
+    case '.rpm':
+      return 'rpm_gpg';
+    default:
+      return 'gpg';
+  }
+}
+
 /**
  * We are signing the file using `gpg` or `jsign` depending on the
  * file extension. If the extension is `.exe` or `.msi`, we use `jsign`
@@ -58,7 +73,7 @@ async function sign(src, garasign = _garasign) {
     username: process.env.SIGNING_SERVER_USERNAME,
     port: process.env.SIGNING_SERVER_PORT,
     privateKey: process.env.SIGNING_SERVER_PRIVATE_KEY,
-    signingMethod: path.extname(src) === '.exe' || path.extname(src) === '.msi' ? 'jsign' : 'gpg'
+    signingMethod: getSigningMethod(src),
   };
 
   return await garasign(src, clientOptions);

packages/hadron-build/lib/signtool.js

@@ -639,7 +639,6 @@ class Target {
     this.linux_rpm_filename = `${this.slug}-${this.version}.${rhelArch}.rpm`;
     this.rhel_tar_filename = `${this.slug}-${this.version}-rhel-${this.arch}.tar.gz`;
 
-    this.linux_rpm_sign_filename = getSignedFilename(this.linux_rpm_filename);
     this.rhel_tar_sign_filename = getSignedFilename(this.rhel_tar_filename);
 
     this.assets = [
@@ -657,10 +656,6 @@ class Target {
         path: this.dest(this.linux_rpm_filename),
         downloadCenter: true
       },
-      {
-        name: this.linux_rpm_sign_filename,
-        path: this.dest(this.linux_rpm_sign_filename),
-      },
       {
         name: this.linux_tar_filename,
         path: this.dest(this.linux_tar_filename)

packages/hadron-build/lib/target.js

@@ -23,7 +23,7 @@
     "@mongodb-js/devtools-github-repo": "^1.4.1",
     "@mongodb-js/dl-center": "^1.0.1",
     "@mongodb-js/electron-wix-msi": "^3.0.0",
-    "@mongodb-js/signing-utils": "^0.2.3",
+    "@mongodb-js/signing-utils": "^0.3.1",
     "@npmcli/arborist": "^6.2.0",
     "@octokit/rest": "^18.6.2",
     "asar": "^3.0.3",