chore(build): create and upload .sig files for download artifacts MONGOSH-1074 (#1169)

addaleax · web-flow · commit 144b368aae2b · 2021-12-13T16:09:22.000+01:00
diff --git a/packages/build/src/packaging/index.ts b/packages/build/src/packaging/index.ts
@@ -5,3 +5,7 @@ export {
   PackageFile,
   PackageInformation
 } from './package';
+
+export {
+  notarizeArtifact
+} from './notary-service';
diff --git a/packages/build/src/packaging/notary-service.spec.ts b/packages/build/src/packaging/notary-service.spec.ts
@@ -1,30 +1,29 @@
 import { expect } from 'chai';
-import os from 'os';
 import path from 'path';
 import sinon from 'sinon';
-import { notarizeMsi, NotarizeMsiOptions } from './msi-sign';
+import { notarizeArtifact, NotarizeOptions } from './notary-service';
 
-describe('packaging msi-sign', () => {
+describe('packaging artifact signing', () => {
   context('with invalid options', () => {
     it('fails when file is missing', async() => {
-      const e = await notarizeMsi('', {} as any).catch(e => e);
+      const e = await notarizeArtifact('', {} as any).catch(e => e);
       expect(e).to.not.be.undefined;
       expect(e.message).to.match(/missing file/);
     });
     it('fails when signingKeyName is missing', async() => {
-      const e = await notarizeMsi('a file', {} as any).catch(e => e);
+      const e = await notarizeArtifact('a file', {} as any).catch(e => e);
       expect(e).to.not.be.undefined;
       expect(e.message).to.match(/missing signing key name/);
     });
     it('fails when authToken is missing', async() => {
-      const e = await notarizeMsi('a file', {
+      const e = await notarizeArtifact('a file', {
         signingKeyName: 'keyName'
       } as any).catch(e => e);
       expect(e).to.not.be.undefined;
       expect(e.message).to.match(/missing auth token/);
     });
     it('fails when signingComment is missing', async() => {
-      const e = await notarizeMsi('a file', {
+      const e = await notarizeArtifact('a file', {
         signingKeyName: 'keyName',
         authToken: 'token'
       } as any).catch(e => e);
@@ -35,7 +34,7 @@ describe('packaging msi-sign', () => {
 
   context('with correct options', () => {
     let spawnSync: sinon.SinonStub;
-    const signingOptions: NotarizeMsiOptions = {
+    const signingOptions: NotarizeOptions = {
       signingKeyName: 'keyName',
       authToken: 'authToken',
       signingComment: 'A Comment'
@@ -46,18 +45,25 @@ describe('packaging msi-sign', () => {
     });
 
     it('runs notary client', async() => {
-      await notarizeMsi(
+      await notarizeArtifact(
         __filename,
         signingOptions,
         spawnSync
       );
 
+      const authTokenFile = spawnSync
+        .getCall(0)
+        .args[1]
+        .find((arg: string) => arg.includes('notary-mongosh-token'));
+
       expect(spawnSync).to.have.been.calledWith(
         'python',
         [
-          'C:\\cygwin\\usr\\local\\bin\\notary-client.py',
+          process.platform === 'win32' ?
+            'C:\\cygwin\\usr\\local\\bin\\notary-client.py' :
+            '/usr/local/bin/notary-client.py',
           '--key-name', 'keyName',
-          '--auth-token-file', path.join(os.homedir(), '.notary-mongosh-token.tmp'),
+          '--auth-token-file', authTokenFile,
           '--comment', 'A Comment',
           '--notary-url', 'http://notary-service.build.10gen.cc:5000/',
           '--outputs', 'sig',
diff --git a/packages/build/src/packaging/notary-service.ts b/packages/build/src/packaging/notary-service.ts
@@ -3,13 +3,15 @@ import os from 'os';
 import path from 'path';
 import { spawnSync as spawnSyncFn } from '../helpers';
 
-const DEFAULT_OPTIONS: Partial<NotarizeMsiOptions> = {
+const DEFAULT_OPTIONS: Partial<NotarizeOptions> = {
   serverUrl: 'http://notary-service.build.10gen.cc:5000/',
-  clientPath: 'C:\\cygwin\\usr\\local\\bin\\notary-client.py',
+  clientPath: process.platform === 'win32' ?
+    'C:\\cygwin\\usr\\local\\bin\\notary-client.py' :
+    '/usr/local/bin/notary-client.py',
   pythonExecutable: 'python'
 };
 
-export interface NotarizeMsiOptions {
+export interface NotarizeOptions {
   signingKeyName: string;
   authToken: string;
   signingComment: string;
@@ -18,19 +20,20 @@ export interface NotarizeMsiOptions {
   pythonExecutable?: string;
 }
 
-export async function notarizeMsi(
+export async function notarizeArtifact(
   file: string,
-  opts: NotarizeMsiOptions,
+  opts: NotarizeOptions,
   spawnSync: typeof spawnSyncFn = spawnSyncFn
 ): Promise<void> {
   if (!file) {
-    throw new Error('notarize MSI: missing file');
+    throw new Error('notarize artifact: missing file');
   }
   const options = validateOptions(opts);
 
-  const authTokenFile = path.join(os.homedir(), '.notary-mongosh-token.tmp');
+  const authTokenFile = path.join(os.homedir(), `.notary-mongosh-token.${Date.now()}.tmp`);
   await fs.writeFile(authTokenFile, options.authToken, {
-    encoding: 'utf8'
+    encoding: 'utf8',
+    mode: 0o600
   });
 
   try {
@@ -56,19 +59,19 @@ export async function notarizeMsi(
   }
 }
 
-function validateOptions(options: NotarizeMsiOptions): Required<NotarizeMsiOptions> {
+function validateOptions(options: NotarizeOptions): Required<NotarizeOptions> {
   const opts = {
     ...DEFAULT_OPTIONS,
     ...options
   };
   if (!opts.signingKeyName) {
-    throw new Error('notarize MSI: missing signing key name');
+    throw new Error('notarize artifact: missing signing key name');
   }
   if (!opts.authToken) {
-    throw new Error('notarize MSI: missing auth token');
+    throw new Error('notarize artifact: missing auth token');
   }
   if (!opts.signingComment) {
-    throw new Error('notarize MSI: missing signing comment');
+    throw new Error('notarize artifact: missing signing comment');
   }
-  return opts as Required<NotarizeMsiOptions>;
+  return opts as Required<NotarizeOptions>;
 }
diff --git a/packages/build/src/packaging/run-package.ts b/packages/build/src/packaging/run-package.ts
@@ -5,7 +5,7 @@ import { Config, Platform, validateBuildVariant } from '../config';
 import { downloadMongocrypt } from './download-mongocryptd';
 import { downloadManpage } from './download-manpage';
 import { macOSSignAndNotarize } from './macos-sign';
-import { notarizeMsi } from './msi-sign';
+import { notarizeArtifact } from './notary-service';
 import { createPackage, PackageFile } from './package';
 
 export async function runPackage(
@@ -60,7 +60,7 @@ export async function runPackage(
   const packaged = await runCreatePackage();
 
   if (distributionBuildVariant === 'win32msi-x64') {
-    await notarizeMsi(
+    await notarizeArtifact(
       packaged.path,
       {
         signingKeyName: config.notarySigningKeyName || '',
diff --git a/packages/build/src/run-draft.spec.ts b/packages/build/src/run-draft.spec.ts
@@ -3,6 +3,7 @@ import sinon from 'ts-sinon';
 import { ALL_BUILD_VARIANTS, Config } from './config';
 import { uploadArtifactToDownloadCenter as uploadArtifactToDownloadCenterFn } from './download-center';
 import { downloadArtifactFromEvergreen as downloadArtifactFromEvergreenFn } from './evergreen';
+import { notarizeArtifact as notarizeArtifactFn } from './packaging';
 import { generateChangelog as generateChangelogFn } from './git';
 import { GithubRepo } from '@mongodb-js/devtools-github-repo';
 import { ensureGithubReleaseExistsAndUpdateChangelogFn, runDraft } from './run-draft';
@@ -19,12 +20,14 @@ describe('draft', () => {
   let githubRepo: GithubRepo;
   let uploadArtifactToDownloadCenter: typeof uploadArtifactToDownloadCenterFn;
   let downloadArtifactFromEvergreen: typeof downloadArtifactFromEvergreenFn;
+  let notarizeArtifact: typeof notarizeArtifactFn;
 
   beforeEach(() => {
     config = { ...dummyConfig };
 
     uploadArtifactToDownloadCenter = sinon.spy();
     downloadArtifactFromEvergreen = sinon.spy();
+    notarizeArtifact = sinon.spy();
   });
 
   describe('runDraft', () => {
@@ -49,7 +52,8 @@ describe('draft', () => {
           githubRepo,
           uploadArtifactToDownloadCenter,
           downloadArtifactFromEvergreen,
-          ensureGithubReleaseExistsAndUpdateChangelog
+          ensureGithubReleaseExistsAndUpdateChangelog,
+          notarizeArtifact
         );
       });
 
@@ -63,12 +67,16 @@ describe('draft', () => {
         expect(downloadArtifactFromEvergreen).to.have.been.callCount(ALL_BUILD_VARIANTS.length);
       });
 
+      it('asks the notary service to sign files', () => {
+        expect(notarizeArtifact).to.have.been.callCount(ALL_BUILD_VARIANTS.length);
+      });
+
       it('uploads artifacts to download center', () => {
-        expect(uploadArtifactToDownloadCenter).to.have.been.callCount(ALL_BUILD_VARIANTS.length);
+        expect(uploadArtifactToDownloadCenter).to.have.been.callCount(ALL_BUILD_VARIANTS.length * 2);
       });
 
       it('uploads the artifacts to the github release', () => {
-        expect(uploadReleaseAsset).to.have.been.callCount(ALL_BUILD_VARIANTS.length);
+        expect(uploadReleaseAsset).to.have.been.callCount(ALL_BUILD_VARIANTS.length * 2);
       });
     });
 
@@ -83,7 +91,8 @@ describe('draft', () => {
         githubRepo,
         uploadArtifactToDownloadCenter,
         downloadArtifactFromEvergreen,
-        ensureGithubReleaseExistsAndUpdateChangelog
+        ensureGithubReleaseExistsAndUpdateChangelog,
+        notarizeArtifact
       );
       expect(ensureGithubReleaseExistsAndUpdateChangelog).to.not.have.been.called;
       expect(downloadArtifactFromEvergreen).to.not.have.been.called;
@@ -105,14 +114,16 @@ describe('draft', () => {
           githubRepo,
           uploadArtifactToDownloadCenter,
           downloadArtifactFromEvergreen,
-          ensureGithubReleaseExistsAndUpdateChangelog
+          ensureGithubReleaseExistsAndUpdateChangelog,
+          notarizeArtifact
         );
       } catch (e) {
         expect(e.message).to.contain('Missing package information from config');
         expect(ensureGithubReleaseExistsAndUpdateChangelog).to.not.have.been.called;
         expect(downloadArtifactFromEvergreen).to.not.have.been.called;
         expect(uploadArtifactToDownloadCenter).to.not.have.been.called;
         expect(uploadReleaseAsset).to.not.have.been.called;
+        expect(notarizeArtifact).to.not.have.been.called;
         return;
       }
       expect.fail('Expected error');
diff --git a/packages/build/src/run-draft.ts b/packages/build/src/run-draft.ts
@@ -3,6 +3,7 @@ import path from 'path';
 import { ALL_BUILD_VARIANTS, Config, getReleaseVersionFromTag } from './config';
 import { uploadArtifactToDownloadCenter as uploadArtifactToDownloadCenterFn } from './download-center';
 import { downloadArtifactFromEvergreen as downloadArtifactFromEvergreenFn } from './evergreen';
+import { notarizeArtifact as notarizeArtifactFn } from './packaging';
 import { generateChangelog as generateChangelogFn } from './git';
 import { GithubRepo } from '@mongodb-js/devtools-github-repo';
 import { getPackageFile } from './packaging';
@@ -12,7 +13,8 @@ export async function runDraft(
   githubRepo: GithubRepo,
   uploadToDownloadCenter: typeof uploadArtifactToDownloadCenterFn = uploadArtifactToDownloadCenterFn,
   downloadArtifactFromEvergreen: typeof downloadArtifactFromEvergreenFn = downloadArtifactFromEvergreenFn,
-  ensureGithubReleaseExistsAndUpdateChangelog: typeof ensureGithubReleaseExistsAndUpdateChangelogFn = ensureGithubReleaseExistsAndUpdateChangelogFn
+  ensureGithubReleaseExistsAndUpdateChangelog: typeof ensureGithubReleaseExistsAndUpdateChangelogFn = ensureGithubReleaseExistsAndUpdateChangelogFn,
+  notarizeArtifact: typeof notarizeArtifactFn = notarizeArtifactFn
 ): Promise<void> {
   if (!config.triggeringGitTag || !getReleaseVersionFromTag(config.triggeringGitTag)) {
     console.error('mongosh: skipping draft as not triggered by a git tag that matches a draft/release tag');
@@ -42,19 +44,31 @@ export async function runDraft(
       tmpDir
     );
 
-    await uploadToDownloadCenter(
-      downloadedArtifact,
-      config.downloadCenterAwsKey as string,
-      config.downloadCenterAwsSecret as string
-    );
-
-    await githubRepo.uploadReleaseAsset(
-      githubReleaseTag,
+    await notarizeArtifact(
+      tarballFile.path,
       {
-        path: downloadedArtifact,
-        contentType: tarballFile.contentType
+        signingKeyName: config.notarySigningKeyName || '',
+        authToken: config.notaryAuthToken || '',
+        signingComment: 'Evergreen Automatic Signing (mongosh)'
       }
     );
+    const signatureFile = tarballFile.path + '.sig';
+
+    await Promise.all([
+      [ downloadedArtifact, tarballFile.contentType ],
+      [ signatureFile, 'application/pgp-signature' ]
+    ].flatMap(([ path, contentType ]) => [
+      uploadToDownloadCenter(
+        path,
+        config.downloadCenterAwsKey as string,
+        config.downloadCenterAwsSecret as string
+      ),
+
+      githubRepo.uploadReleaseAsset(
+        githubReleaseTag,
+        { path, contentType }
+      )
+    ]));
   }
 }
 
diff --git a/packages/build/test/helpers.ts b/packages/build/test/helpers.ts
@@ -45,6 +45,8 @@ export const dummyConfig: Config = Object.freeze({
   appleNotarizationUsername: 'appleNotarizationUsername',
   appleNotarizationApplicationPassword: 'appleNotarizationApplicationPassword',
   appleCodesignIdentity: 'appleCodesignIdentity',
+  notarySigningKeyName: 'notarySigningKey',
+  notaryAuthToken: 'notaryAuthToken',
   isCi: true,
   platform: 'linux',
   repo: {
