sign packages and Windows binary

Author: lantoli

.github/workflows/release.yml

@@ -51,9 +51,19 @@ jobs:
           GITHUB_REPOSITORY_NAME: ${{ github.event.repository.name }}
           VERSION: ${{ inputs.version_number }}
         run: make generate-all-manifests
+      - name: Log in to MongoDB Docker registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
+          username: ${{ secrets.ARTIFACTORY_USER }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3
         with:
           args: release --clean        
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AUTHENTICODE_KEY_NAME: ${{ secrets.AUTHENTICODE_KEY_NAME }}
+          ARTIFACTORY_REGISTRY: ${{ secrets.ARTIFACTORY_REGISTRY }}
+          ARTIFACTORY_SIGN_USER: ${{ secrets.ARTIFACTORY_SIGN_USER }}
+          ARTIFACTORY_SIGN_PASSWORD: ${{ secrets.ARTIFACTORY_SIGN_PASSWORD }}

.goreleaser.yaml

@@ -3,15 +3,68 @@ project_name: atlas-cli-plugin-terraform
 
 version: 2
 
+before:
+  hooks:
+    - curl https://pgp.mongodb.com/atlas-cli.asc -o signature.asc
+
 builds:
-  - id: "atlas-cli-plugin-terraform"
-    main: ./cmd/plugin/main.go
-    binary: ./binary
+  - id: linux
+    goos: [linux]
+    goarch: [amd64, arm64]
+    <<: &build_defaults
+      binary: ./binary
+      main: ./cmd/plugin
+  - id: macos
+    goos: [darwin]
+    goarch: [amd64, arm64]
+    <<: *build_defaults
+  - id: windows
+    goos: [windows]
+    goarch: [amd64]
+    goamd64: [v1]
+    <<: *build_defaults
+    hooks:
+      post: # Notarize the Windows binary replacing the one created by goreleaser
+        - cmd: ./scripts/windows_notarize.sh
+          output: true
 
 archives:
-  - files:
-      - src: './bin/manifest{{ if eq .Os "windows" }}.windows{{end}}.yml'
-        dst: ./manifest.yml
+  - id: linux
+    builds: [linux]
+    <<: &archive_defaults
+      files:
+        - src: './bin/manifest{{ if eq .Os "windows" }}.windows{{end}}.yml'
+          dst: ./manifest.yml
+  - id: macos
+    builds: [macos]
+    <<: *archive_defaults
+  - id: windows
+    builds: [windows]
+    <<: *archive_defaults
+
+signs:
+  - id: all_artifacts
+    signature: "${artifact}.sig"
+    cmd: "./scripts/notarize.sh"
+    ids:
+      - linux
+      - macos
+      - windows
+    artifacts: all
+    output: true
 
 release:
   prerelease: auto
+  extra_files:
+    - glob: ./*.asc
+
+gomod: # https://goreleaser.com/customization/verifiable_builds/
+  # Proxy a module from proxy.golang.org, making the builds verifiable.
+  # This will only be effective if running against a tag. Snapshots will ignore
+  # this setting.
+  # Notice: for this to work your `build.main` must be a package, not a `.go` file.
+  proxy: false
+  # Sets the `-mod` flag value.
+  #
+  # Since: v1.7
+  mod: mod

scripts/.goreleaser.yml

@@ -0,0 +1,93 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
+project_name: atlas-cli-plugin-kubernetes
+
+version: 2
+
+before:
+  hooks:
+    - go mod tidy
+    - curl https://pgp.mongodb.com/atlas-cli.asc -o atlas-cli.asc
+
+builds:
+  - <<: &build_defaults
+      env:
+        - CGO_ENABLED=0
+      binary: atlas-cli-plugin-kubernetes
+      main: ./cmd/plugin
+      ldflags:
+        - -s -w -X github.com/mongodb/atlas-cli-plugin-kubernetes/internal/version.Version={{.Version}} -X github.com/mongodb/atlas-cli-plugin-kubernetes/internal/version.GitCommit={{.FullCommit}}
+    id: linux
+    goos: [linux]
+    goarch: [amd64,arm64]
+  - <<: *build_defaults
+    id: macos
+    goos: [darwin]
+    goarch: [amd64,arm64]
+    hooks:
+      # This will notarize Apple binaries and replace goreleaser bins with the notarized ones
+      post:
+        - cmd: ./build/package/mac_notarize.sh
+          output: true
+  - <<: *build_defaults
+    id: windows
+    goos: [windows]
+    goarch: [amd64]
+    goamd64: [v1]
+    hooks:
+      # This will notarize the Windows binary and replace goreleaser bin with the notarized one
+      post:
+        - cmd: ./build/package/windows_notarize.sh
+          output: true
+gomod: # https://goreleaser.com/customization/verifiable_builds/
+  # Proxy a module from proxy.golang.org, making the builds verifiable.
+  # This will only be effective if running against a tag. Snapshots will ignore
+  # this setting.
+  # Notice: for this to work your `build.main` must be a package, not a `.go` file.
+  proxy: false
+  # Sets the `-mod` flag value.
+  #
+  # Since: v1.7
+  mod: mod
+
+archives:
+- id: linux
+  name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }}
+  builds: [linux]
+  <<: &archive_defaults
+    files:
+      - README.md
+      - LICENSE
+      - third_party_notices/**/*
+      - src: "./manifest{{ if eq .Os \"windows\" }}.windows{{end}}.yml"
+        dst: ./manifest.yml
+  wrap_in_directory: true
+  format: tar.gz
+- id: macos
+  name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }}
+  builds: [macos]
+  <<: *archive_defaults
+  format: zip
+  wrap_in_directory: false
+- id: windows
+  name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }}
+  builds: [windows]
+  <<: *archive_defaults
+  wrap_in_directory: false
+  format: zip
+checksum:
+  name_template: checksums.txt
+signs:
+  - id: all_artifacts
+    signature: "${artifact}.sig"
+    cmd: "./build/package/notarize.sh"
+    ids:
+      - linux
+      - macos
+      - windows
+    artifacts: all
+    output: true
+release:
+  prerelease: auto
+  name_template: "Atlas CLI Plugin Kubernetes v{{.Version}}"
+  extra_files:
+    - glob: ./*.asc

scripts/notarize.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -Eeou pipefail
+
+if [[ -f "${artifact:?}" ]]; then
+  echo "notarizing package ${artifact}"
+
+  docker run \
+    -e GRS_CONFIG_USER1_USERNAME="${ARTIFACTORY_SIGN_USER}" \
+    -e GRS_CONFIG_USER1_PASSWORD="${ARTIFACTORY_SIGN_PASSWORD}" \
+    --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \
+    "${ARTIFACTORY_REGISTRY}/release-tools-container-registry-local/garasign-gpg" \
+    /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${artifact}.sig --detach-sign ${artifact}"
+fi
+
+echo "Signing of ${artifact} completed."

scripts/windows_notarize.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -Eeou pipefail
+
+EXE_FILE="./dist/windows_windows_amd64_v1/binary.exe"
+
+if [[ -f "$EXE_FILE" ]]; then
+	echo "signing Windows binary: ${EXE_FILE}"
+
+  docker run \
+    -e GRS_CONFIG_USER1_USERNAME="${ARTIFACTORY_SIGN_USER}" \
+    -e GRS_CONFIG_USER1_PASSWORD="${ARTIFACTORY_SIGN_PASSWORD}" \
+		--rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \
+    "${ARTIFACTORY_REGISTRY}/release-tools-container-registry-local/garasign-jsign" \
+		/bin/bash -c "jsign --tsaurl http://timestamp.digicert.com -a ${AUTHENTICODE_KEY_NAME} \"${EXE_FILE}\""
+fi