feat: Sign release packages (#23)

* sign packages and Windows binary

* leftover

Author: lantoli

.github/workflows/release.yml

@@ -51,9 +51,19 @@ jobs:
           GITHUB_REPOSITORY_NAME: ${{ github.event.repository.name }}
           VERSION: ${{ inputs.version_number }}
         run: make generate-all-manifests
+      - name: Log in to MongoDB Docker registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
+          username: ${{ secrets.ARTIFACTORY_USER }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3
         with:
           args: release --clean        
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AUTHENTICODE_KEY_NAME: ${{ secrets.AUTHENTICODE_KEY_NAME }}
+          ARTIFACTORY_REGISTRY: ${{ secrets.ARTIFACTORY_REGISTRY }}
+          ARTIFACTORY_SIGN_USER: ${{ secrets.ARTIFACTORY_SIGN_USER }}
+          ARTIFACTORY_SIGN_PASSWORD: ${{ secrets.ARTIFACTORY_SIGN_PASSWORD }}

.goreleaser.yaml

@@ -3,15 +3,68 @@ project_name: atlas-cli-plugin-terraform
 
 version: 2
 
+before:
+  hooks:
+    - curl https://pgp.mongodb.com/atlas-cli.asc -o signature.asc
+
 builds:
-  - id: "atlas-cli-plugin-terraform"
-    main: ./cmd/plugin/main.go
-    binary: ./binary
+  - id: linux
+    goos: [linux]
+    goarch: [amd64, arm64]
+    <<: &build_defaults
+      binary: ./binary
+      main: ./cmd/plugin
+  - id: macos
+    goos: [darwin]
+    goarch: [amd64, arm64]
+    <<: *build_defaults
+  - id: windows
+    goos: [windows]
+    goarch: [amd64]
+    goamd64: [v1]
+    <<: *build_defaults
+    hooks:
+      post: # Notarize the Windows binary replacing the one created by goreleaser
+        - cmd: ./scripts/windows_notarize.sh
+          output: true
 
 archives:
-  - files:
-      - src: './bin/manifest{{ if eq .Os "windows" }}.windows{{end}}.yml'
-        dst: ./manifest.yml
+  - id: linux
+    builds: [linux]
+    <<: &archive_defaults
+      files:
+        - src: './bin/manifest{{ if eq .Os "windows" }}.windows{{end}}.yml'
+          dst: ./manifest.yml
+  - id: macos
+    builds: [macos]
+    <<: *archive_defaults
+  - id: windows
+    builds: [windows]
+    <<: *archive_defaults
+
+signs:
+  - id: all_artifacts
+    signature: "${artifact}.sig"
+    cmd: "./scripts/notarize.sh"
+    ids:
+      - linux
+      - macos
+      - windows
+    artifacts: all
+    output: true
 
 release:
   prerelease: auto
+  extra_files:
+    - glob: ./*.asc
+
+gomod: # https://goreleaser.com/customization/verifiable_builds/
+  # Proxy a module from proxy.golang.org, making the builds verifiable.
+  # This will only be effective if running against a tag. Snapshots will ignore
+  # this setting.
+  # Notice: for this to work your `build.main` must be a package, not a `.go` file.
+  proxy: false
+  # Sets the `-mod` flag value.
+  #
+  # Since: v1.7
+  mod: mod

scripts/notarize.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -Eeou pipefail
+
+if [[ -f "${artifact:?}" ]]; then
+  echo "notarizing package ${artifact}"
+
+  docker run \
+    -e GRS_CONFIG_USER1_USERNAME="${ARTIFACTORY_SIGN_USER}" \
+    -e GRS_CONFIG_USER1_PASSWORD="${ARTIFACTORY_SIGN_PASSWORD}" \
+    --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \
+    "${ARTIFACTORY_REGISTRY}/release-tools-container-registry-local/garasign-gpg" \
+    /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${artifact}.sig --detach-sign ${artifact}"
+fi
+
+echo "Signing of ${artifact} completed."

scripts/windows_notarize.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -Eeou pipefail
+
+EXE_FILE="./dist/windows_windows_amd64_v1/binary.exe"
+
+if [[ -f "$EXE_FILE" ]]; then
+	echo "signing Windows binary: ${EXE_FILE}"
+
+  docker run \
+    -e GRS_CONFIG_USER1_USERNAME="${ARTIFACTORY_SIGN_USER}" \
+    -e GRS_CONFIG_USER1_PASSWORD="${ARTIFACTORY_SIGN_PASSWORD}" \
+		--rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \
+    "${ARTIFACTORY_REGISTRY}/release-tools-container-registry-local/garasign-jsign" \
+		/bin/bash -c "jsign --tsaurl http://timestamp.digicert.com -a ${AUTHENTICODE_KEY_NAME} \"${EXE_FILE}\""
+fi