Merge remote-tracking branch 'origin/main' into beta-releases

Author: github-actions[bot]

.evergreen/functions.yml

@@ -566,6 +566,29 @@ functions:
             tar -xvz)
           export COMPASS_CRYPT_LIBRARY_PATH=$(echo $PWD/mongodb-crypt/lib/mongo_*_v1.*)
           npm run test-csfle --workspace mongodb-data-service
+  
+  verify-artifacts:
+    - command: shell.exec
+      params:
+        working_dir: src
+        shell: bash
+        env:
+          # These are set in the apply-compass-target-expansion func
+          WINDOWS_EXE_NAME: ${windows_setup_filename}
+          WINDOWS_MSI_NAME: ${windows_msi_filename}
+          WINDOWS_ZIP_NAME: ${windows_zip_filename}
+          WINDOWS_NUPKG_NAME: ${windows_nupkg_full_filename}
+          OSX_DMG_NAME: ${osx_dmg_filename}
+          OSX_ZIP_NAME: ${osx_zip_filename}
+          RHEL_RPM_NAME: ${linux_rpm_filename}
+          RHEL_TAR_NAME: ${rhel_tar_filename}
+          LINUX_DEB_NAME: ${linux_deb_filename}
+          LINUX_TAR_NAME: ${linux_tar_filename}
+        script: |
+          set -e
+          # Load environment variables
+          eval $(.evergreen/print-compass-env.sh)
+          .evergreen/verify-artifacts.sh
 
   save-all-artifacts:
     - command: s3.put
@@ -641,13 +664,6 @@ functions:
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_filename}
         content_type: application/x-redhat-package-manager
         optional: true
-    - command: s3.put
-      params:
-        <<: *save-artifact-params-public
-        local_file: src/packages/compass/dist/${linux_rpm_sign_filename}
-        remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_sign_filename}
-        content_type: application/pgp-signature
-        optional: true
     - command: s3.put
       params:
         <<: *save-artifact-params-public

.evergreen/tasks.in.yml

@@ -105,10 +105,12 @@ tasks:
       - func: apply-compass-target-expansion
         vars:
           compass_distribution: <% out(packageTask.vars.compass_distribution) %>
+      - func: spawn-signing-server
       - func: package
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'
           compass_distribution: <% out(packageTask.vars.compass_distribution) %>
+      - func: verify-artifacts
       - func: save-all-artifacts
         vars:
           compass_distribution: <% out(packageTask.vars.compass_distribution) %>

.evergreen/tasks.yml

@@ -110,6 +110,7 @@ tasks:
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'
           compass_distribution: compass
+      - func: verify-artifacts
       - func: save-all-artifacts
         vars:
           compass_distribution: compass
@@ -130,6 +131,7 @@ tasks:
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'
           compass_distribution: compass-readonly
+      - func: verify-artifacts
       - func: save-all-artifacts
         vars:
           compass_distribution: compass-readonly
@@ -150,6 +152,7 @@ tasks:
         vars:
           debug: 'hadron*,mongo*,compass*,electron*'
           compass_distribution: compass-isolated
+      - func: verify-artifacts
       - func: save-all-artifacts
         vars:
           compass_distribution: compass-isolated

.evergreen/verify-artifacts.sh

@@ -0,0 +1,87 @@
+#! /usr/bin/env bash
+
+set -e
+
+ARTIFACTS_DIR="packages/compass/dist"
+echo "Verifying artifacts at $ARTIFACTS_DIR"
+ls -l $ARTIFACTS_DIR
+
+# Use tmp directory for all gpg operations
+GPG_HOME=$(mktemp -d)
+TMP_FILE=$(mktemp)
+COMPASS_KEY="https://pgp.mongodb.com/compass.asc"
+
+trap_handler() {
+  local code=$?
+  if [ $code -eq 0 ]; then
+    echo "Verification successful"
+  else
+    echo "Verification failed with exit code $code"
+    cat "$TMP_FILE"
+  fi
+  rm -f "$TMP_FILE"
+  rm -rf "$GPG_HOME"
+  exit $code
+}
+
+trap trap_handler ERR EXIT
+
+verify_using_gpg() {
+  echo "Verifying $1 using gpg"
+  gpg --homedir $GPG_HOME --verify $ARTIFACTS_DIR/$1.sig $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
+}
+
+verify_using_powershell() {
+  echo "Verifying $1 using powershell"
+  powershell Get-AuthenticodeSignature -FilePath $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
+}
+
+verify_using_codesign() {
+  echo "Verifying $1 using codesign"
+  codesign -dv --verbose=4 $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
+}
+
+verify_using_rpm() {
+  # RPM packages are signed using gpg and the signature is embedded in the package.
+  # Here, we need to import the key in `rpm` and then verify the signature.
+  echo "Importing key into rpm"
+  rpm --import $COMPASS_KEY > "$TMP_FILE" 2>&1
+  # Even if the file is not signed, the command below will exit with 0 and output something like: sha1 md5 OK
+  # So we need to check the output of the command to see if the file is signed successfully.
+  echo "Verifying $1 using rpm"
+  output=$(rpm -K $ARTIFACTS_DIR/$1)
+  # Remove the imported key from rpm
+  rpm -e $(rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}:%{summary}\n' | grep compass | awk -F: '{print $1}')
+  
+  # Check if the output contains the string "pgp md5 OK"
+  if [[ $output != *"pgp md5 OK"* ]]; then
+    echo "File $1 is not signed"
+    exit 1
+  fi
+}
+
+setup_gpg() {
+  echo "Importing Compass public key"
+  curl $COMPASS_KEY | gpg --homedir $GPG_HOME --import > "$TMP_FILE" 2>&1
+}
+
+if [ "$IS_WINDOWS" = true ]; then
+  verify_using_powershell $WINDOWS_EXE_NAME
+  verify_using_powershell $WINDOWS_MSI_NAME
+  echo "Skipping verification for Windows artifacts using gpg: $WINDOWS_ZIP_NAME, $WINDOWS_NUPKG_NAME"
+elif [ "$IS_UBUNTU" = true ]; then
+  setup_gpg
+  verify_using_gpg $LINUX_DEB_NAME
+  verify_using_gpg $LINUX_TAR_NAME
+elif [ "$IS_RHEL" = true ]; then
+  setup_gpg
+  verify_using_rpm $RHEL_RPM_NAME
+  verify_using_gpg $RHEL_TAR_NAME
+elif [ "$IS_OSX" = true ]; then
+  setup_gpg
+  verify_using_gpg $OSX_ZIP_NAME
+  verify_using_codesign $OSX_DMG_NAME
+else
+  echo "Unknown OS, failed to verify file signing"
+  exit 1
+fi

THIRD-PARTY-NOTICES.md

@@ -1,5 +1,5 @@
 The following third-party software is used by and included in **Mongodb Compass**.
-This document was automatically generated on Sun Jan 21 2024.
+This document was automatically generated on Sun Jan 28 2024.
 
 ## List of dependencies
 

configs/eslint-config-compass/plugin.js

@@ -24,8 +24,7 @@ module.exports = {
       // restrictedProviderImport('@mongodb-js/my-queries-storage'),
       // TODO(COMPASS-7412): enable when possible
       // restrictedProviderImport('@mongodb-js/atlas-service'),
-      // TODO(COMPASS-7559): enable when possible
-      // restrictedProviderImport('compass-preferences-model'),
+      restrictedProviderImport('compass-preferences-model'),
       {
         paths: require('module').builtinModules,
         message: 'Using Node.js built-in modules in plugins is not allowed.',

configs/webpack-config-compass/package.json

@@ -13,7 +13,7 @@
     "email": "[email protected]"
   },
   "homepage": "https://github.com/mongodb-js/compass",
-  "version": "1.3.2",
+  "version": "1.3.3",
   "repository": {
     "type": "git",
     "url": "https://github.com/mongodb-js/compass.git"
@@ -69,7 +69,7 @@
     "@pmmmwh/react-refresh-webpack-plugin": "^0.5.5",
     "babel-loader": "^8.2.5",
     "babel-plugin-istanbul": "^5.2.0",
-    "browserslist": "^4.22.2",
+    "browserslist": "^4.22.3",
     "chalk": "^4.1.2",
     "cli-progress": "^3.9.1",
     "core-js": "^3.17.3",