Check the contents of zip or tar.gz packages against allow lists

Author: lerouxb

.evergreen/verify-artifacts.sh

@@ -67,18 +67,23 @@ if [ "$IS_WINDOWS" = true ]; then
   verify_using_powershell $WINDOWS_EXE_NAME
   verify_using_powershell $WINDOWS_MSI_NAME
   echo "Skipping verification for Windows artifacts using gpg: $WINDOWS_ZIP_NAME, $WINDOWS_NUPKG_NAME"
+  npm run -w mongodb-compass verify-package-contents
+
 elif [ "$IS_UBUNTU" = true ]; then
   setup_gpg
   verify_using_gpg $LINUX_DEB_NAME
   verify_using_gpg $LINUX_TAR_NAME
+  npm run -w mongodb-compass verify-package-contents
 elif [ "$IS_RHEL" = true ]; then
   setup_gpg
   verify_using_rpm $RHEL_RPM_NAME
   verify_using_gpg $RHEL_TAR_NAME
+  npm run -w mongodb-compass verify-package-contents
 elif [ "$IS_OSX" = true ]; then
   setup_gpg
   verify_using_gpg $OSX_ZIP_NAME
   verify_using_codesign $OSX_DMG_NAME
+  npm run -w mongodb-compass verify-package-contents
 else
   echo "Unknown OS, failed to verify file signing"
   exit 1

package-lock.json

@@ -168,7 +168,8 @@
     "depcheck": "depcheck",
     "test-ci-electron": "npm run test-electron",
     "typecheck": "tsc -p tsconfig-lint.json --noEmit",
-    "reformat": "npm run eslint . -- --fix && npm run prettier -- --write ."
+    "reformat": "npm run eslint . -- --fix && npm run prettier -- --write .",
+    "verify-package-contents": "ts-node ./scripts/verify-package-contents.ts"
   },
   "repository": {
     "type": "git",
@@ -250,6 +251,7 @@
     "electron-squirrel-startup": "^1.0.1",
     "ensure-error": "^3.0.1",
     "eslint": "^7.25.0",
+    "glob": "^10.2.5",
     "hadron-app-registry": "^9.4.0",
     "hadron-build": "^25.7.0",
     "hadron-ipc": "^3.4.0",