fix: sign the windows setup .exe COMPASS-8945 COMPASS-8950 (#6709)

lerouxb · web-flow · commit 89eb2f2f1225 · 2025-02-12T11:45:06.000Z
diff --git a/.evergreen/verify-artifacts.sh b/.evergreen/verify-artifacts.sh
@@ -34,6 +34,13 @@ verify_using_gpg() {
 verify_using_powershell() {
   echo "Verifying $1 using powershell"
   powershell Get-AuthenticodeSignature -FilePath $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
+
+  # Get-AuthenticodeSignature just outputs text, it doesn't exit with a non-zero
+  # code if the file is not signed
+  if grep -q NotSigned "$TMP_FILE"; then
+    echo "File $1 is not signed"
+    exit 1
+  fi
 }
 
 verify_using_codesign() {
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/compass/.depcheckrc b/packages/compass/.depcheckrc
@@ -13,5 +13,7 @@ ignores: [
     'mongodb-client-encryption',
     'interruptor',
     # webpack always externalizes 'clipboard' for legacy reasons
-    'clipboard'
+    'clipboard',
+    # include signing-utils so that signtool.go can get to it
+    '@mongodb-js/signing-utils'
   ]
diff --git a/packages/compass/package.json b/packages/compass/package.json
@@ -231,6 +231,7 @@
     "@mongodb-js/my-queries-storage": "^0.22.0",
     "@mongodb-js/prettier-config-compass": "^1.2.0",
     "@mongodb-js/sbom-tools": "^0.7.0",
+    "@mongodb-js/signing-utils": "^0.3.7",
     "@mongodb-js/testing-library-compass": "^1.2.0",
     "@mongodb-js/tsconfig-compass": "^1.2.0",
     "@mongodb-js/webpack-config-compass": "^1.6.0",
diff --git a/packages/hadron-build/signtool/signtool.exe b/packages/hadron-build/signtool/signtool.exe
diff --git a/packages/hadron-build/signtool/signtool.go b/packages/hadron-build/signtool/signtool.go
@@ -27,6 +27,10 @@ func main() {
 	}
 
 	allowedExtensions := []string{
+		"GARASIGN_USERNAME",
+		"GARASIGN_PASSWORD",
+		"ARTIFACTORY_USERNAME",
+		"ARTIFACTORY_PASSWORD",
 		"SIGNING_SERVER_HOSTNAME",
 		"SIGNING_SERVER_PRIVATE_KEY",
 		"SIGNING_SERVER_USERNAME",
@@ -55,12 +59,15 @@ func main() {
 	cmd := exec.Command("node", "-e", script)
 	fmt.Println("Running command:", cmd.String())
 
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
+	stdoutStderr, err := cmd.CombinedOutput()
 
-	err := cmd.Run()
 	if err != nil {
 		fmt.Println("Error signing the file")
+		fmt.Printf("%s\n", stdoutStderr)
+		log.Println(err)
+		// if we error out then we won't see much because of how
+		// electron-windows-installer fails. We'll have to rely on package
+		// verification elsewhere to fail CI
 		return
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -13,5 +13,7 @@ ignores: [`
`13`	`13`	`'mongodb-client-encryption',`
`14`	`14`	`'interruptor',`
`15`	`15`	`# webpack always externalizes 'clipboard' for legacy reasons`
`16`		`- 'clipboard'`
	`16`	`+ 'clipboard',`
	`17`	`+ # include signing-utils so that signtool.go can get to it`
	`18`	`+ '@mongodb-js/signing-utils'`
`17`	`19`	`]`