diff --git a/.evergreen/verify-artifacts.sh b/.evergreen/verify-artifacts.sh
index 11864a81b55..a223d8fb4c2 100755
--- a/.evergreen/verify-artifacts.sh
+++ b/.evergreen/verify-artifacts.sh
@@ -34,6 +34,13 @@ verify_using_gpg() {
 verify_using_powershell() {
 echo "Verifying $1 using powershell"
 powershell Get-AuthenticodeSignature -FilePath $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
+
+ # Get-AuthenticodeSignature just outputs text, it doesn't exit with a non-zero
+ # code if the file is not signed
+ if grep -q NotSigned "$TMP_FILE"; then
+ echo "File $1 is not signed"
+ exit 1
+ fi
 }
 verify_using_codesign() {
diff --git a/package-lock.json b/package-lock.json
index 9c486fd9200..fb610cade48 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -8518,6 +8518,17 @@ "node": ">=8" } }, + "node_modules/@mongodb-js/signing-utils": { + "version": "0.3.7", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.7.tgz", + "integrity": "sha512-f3ZKCxVDkosfOETarmhuTYdOLQxKCinBtcoX5FjcKsYSNRhE+tth7Wy223lyn/hiA3S2MQ4mKTznliEAUj+Siw==", + "license": "SSPL", + "dependencies": { + "@types/ssh2": "^1.11.19", + "debug": "^4.3.4", + "ssh2": "^1.15.0" + } + }, "node_modules/@mongodb-js/socksv5": { "version": "0.0.10", "resolved": "https://registry.npmjs.org/@mongodb-js/socksv5/-/socksv5-0.0.10.tgz",
@@ -43243,6 +43254,7 @@ "@mongodb-js/my-queries-storage": "^0.22.0", "@mongodb-js/prettier-config-compass": "^1.2.0", "@mongodb-js/sbom-tools": "^0.7.0", + "@mongodb-js/signing-utils": "^0.3.7", "@mongodb-js/testing-library-compass": "^1.2.0", "@mongodb-js/tsconfig-compass": "^1.2.0", "@mongodb-js/webpack-config-compass": "^1.6.0",
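Review bot: The added check in `verify_using_powershell` rejects only output that contains `NotSigned`, so every other non-valid result of `Get-AuthenticodeSignature` (`HashMismatch` on a modified file, `NotTrusted`, `UnknownError`) and a powershell invocation that fails outright still count as verified. Assert the positive outcome instead, for example `if ! grep -qw Valid "$TMP_FILE"; then echo "File $1 does not have a valid signature"; exit 1; fi`, or compare the signature's `.Status` property to `Valid` directly so that the file path in the output cannot satisfy the match. `$ARTIFACTS_DIR/$1` is also unquoted on the powershell line, which breaks on paths that contain spaces.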
@@ -48344,17 +48356,6 @@ "electron-winstaller": "^5.1.0" } }, - "packages/hadron-build/node_modules/@mongodb-js/signing-utils": { - "version": "0.3.7", - "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.7.tgz", - "integrity": "sha512-f3ZKCxVDkosfOETarmhuTYdOLQxKCinBtcoX5FjcKsYSNRhE+tth7Wy223lyn/hiA3S2MQ4mKTznliEAUj+Siw==", - "license": "SSPL", - "dependencies": { - "@types/ssh2": "^1.11.19", - "debug": "^4.3.4", - "ssh2": "^1.15.0" - } - }, "packages/hadron-build/node_modules/ansi-regex": { "version": "4.1.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.1.tgz", @@ -59934,6 +59935,16 @@ } } }, + "@mongodb-js/signing-utils": { + "version": "0.3.7", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.7.tgz", + "integrity": "sha512-f3ZKCxVDkosfOETarmhuTYdOLQxKCinBtcoX5FjcKsYSNRhE+tth7Wy223lyn/hiA3S2MQ4mKTznliEAUj+Siw==", + "requires": { + "@types/ssh2": "^1.11.19", + "debug": "^4.3.4", + "ssh2": "^1.15.0" + } + }, "@mongodb-js/socksv5": { "version": "0.0.10", "resolved": "https://registry.npmjs.org/@mongodb-js/socksv5/-/socksv5-0.0.10.tgz", @@ -73469,16 +73480,6 @@ "zip-folder": "^1.0.0" }, "dependencies": { - "@mongodb-js/signing-utils": { - "version": "0.3.7", - "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.7.tgz", - "integrity": "sha512-f3ZKCxVDkosfOETarmhuTYdOLQxKCinBtcoX5FjcKsYSNRhE+tth7Wy223lyn/hiA3S2MQ4mKTznliEAUj+Siw==", - "requires": { - "@types/ssh2": "^1.11.19", - "debug": "^4.3.4", - "ssh2": "^1.15.0" - } - }, "ansi-regex": { "version": "4.1.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.1.tgz", 
@@ -79242,6 +79243,7 @@ "@mongodb-js/my-queries-storage": "^0.22.0", "@mongodb-js/prettier-config-compass": "^1.2.0", "@mongodb-js/sbom-tools": "^0.7.0", + "@mongodb-js/signing-utils": "^0.3.7", "@mongodb-js/testing-library-compass": "^1.2.0", "@mongodb-js/tsconfig-compass": "^1.2.0", "@mongodb-js/webpack-config-compass": "^1.6.0",
diff --git a/packages/compass/.depcheckrc b/packages/compass/.depcheckrc
index 7d40c0c4d23..4456ebdc20d 100644
--- a/packages/compass/.depcheckrc
+++ b/packages/compass/.depcheckrc
@@ -13,5 +13,7 @@ ignores: [
 'mongodb-client-encryption',
 'interruptor',
 # webpack always externalizes 'clipboard' for legacy reasons
- 'clipboard'
+ 'clipboard',
+ # include signing-utils so that signtool.go can get to it
+ '@mongodb-js/signing-utils'
 ]
diff --git a/packages/compass/package.json b/packages/compass/package.json
index 276efb84688..e14b82898b7 100644
--- a/packages/compass/package.json
+++ b/packages/compass/package.json
@@ -231,6 +231,7 @@
 "@mongodb-js/my-queries-storage": "^0.22.0",
 "@mongodb-js/prettier-config-compass": "^1.2.0",
 "@mongodb-js/sbom-tools": "^0.7.0",
+ "@mongodb-js/signing-utils": "^0.3.7",
 "@mongodb-js/testing-library-compass": "^1.2.0",
 "@mongodb-js/tsconfig-compass": "^1.2.0",
 "@mongodb-js/webpack-config-compass": "^1.6.0",
diff --git a/packages/hadron-build/signtool/signtool.exe b/packages/hadron-build/signtool/signtool.exe
index 70bfe4ce524..c29f239fd44 100755
Binary files a/packages/hadron-build/signtool/signtool.exe and b/packages/hadron-build/signtool/signtool.exe differ
diff --git a/packages/hadron-build/signtool/signtool.go b/packages/hadron-build/signtool/signtool.go
index 0a0297d07cd..11fe4db9954 100644
--- a/packages/hadron-build/signtool/signtool.go
+++ b/packages/hadron-build/signtool/signtool.go
@@ -27,6 +27,10 @@ func main() {
 }
 allowedExtensions := []string{
+ "GARASIGN_USERNAME",
+ "GARASIGN_PASSWORD",
+ "ARTIFACTORY_USERNAME",
+ "ARTIFACTORY_PASSWORD",
 "SIGNING_SERVER_HOSTNAME",
 "SIGNING_SERVER_PRIVATE_KEY",
 "SIGNING_SERVER_USERNAME",
@@ -55,12 +59,15 @@ func main() {
 cmd := exec.Command("node", "-e", script)
 fmt.Println("Running command:", cmd.String())
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
+ stdoutStderr, err := cmd.CombinedOutput()
- err := cmd.Run()
 if err != nil {
 fmt.Println("Error signing the file")
+ fmt.Printf("%s\n", stdoutStderr)
+ log.Println(err)
+ // if we error out then we won't see much because of how
+ // electron-windows-installer fails. We'll have to rely on package
+ // verification elsewhere to fail CI
 return
 }
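Review bot: `GARASIGN_PASSWORD` and `ARTIFACTORY_PASSWORD` are now in this list, and the code that consumes the list is outside the hunk (main's body extends past both edges). If the values end up interpolated into `script`, the `fmt.Println("Running command:", cmd.String())` line in the next hunk writes them to the CI log, and they are visible in the `node -e` argument list. Confirm that they reach node only through the process environment, or print a fixed message instead of `cmd.String()`. The name `allowedExtensions` also no longer describes the contents; if the list is what it appears to be, a comment such as `// environment variables made available to the signing script` or a rename to `allowedEnvVars` would make that clear. The commit also replaces `signtool.exe` as an opaque binary, so nothing on the page ties the shipped executable to this source; building it in CI or recording its hash beside the source would close that gap.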
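Review bot: On a signing failure `main` still returns normally, so the process exits with status 0 and the unsigned artifact continues through packaging. The new comment accepts this, which makes the later verification step the only control, so that step has to fail closed; the check added to `.evergreen/verify-artifacts.sh` in this commit rejects only `NotSigned`. Separately, `CombinedOutput` buffers node's output and the hunk prints it only in the error branch, so a successful run no longer logs anything from the signing script. Moving `fmt.Printf("%s\n", stdoutStderr)` above `if err != nil {` keeps that record for both outcomes. main's body starts outside the hunk.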