From 5913a9ff3e9e278091d818d0613eff1fa2e86cb0 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Wed, 19 Feb 2025 17:35:42 +0100 Subject: [PATCH 1/2] sign packages and Windows binary --- .github/workflows/release.yml | 10 ++++ .goreleaser.yaml | 65 +++++++++++++++++++++--- scripts/.goreleaser.yml | 93 +++++++++++++++++++++++++++++++++++ scripts/notarize.sh | 16 ++++++ scripts/windows_notarize.sh | 16 ++++++ 5 files changed, 194 insertions(+), 6 deletions(-) create mode 100644 scripts/.goreleaser.yml create mode 100755 scripts/notarize.sh create mode 100755 scripts/windows_notarize.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f9fa763..b973313 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -51,9 +51,19 @@ jobs: GITHUB_REPOSITORY_NAME: ${{ github.event.repository.name }} VERSION: ${{ inputs.version_number }} run: make generate-all-manifests + - name: Log in to MongoDB Docker registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 + with: + registry: ${{ secrets.ARTIFACTORY_REGISTRY }} + username: ${{ secrets.ARTIFACTORY_USER }} + password: ${{ secrets.ARTIFACTORY_PASSWORD }} - name: Run GoReleaser uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 with: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + AUTHENTICODE_KEY_NAME: ${{ secrets.AUTHENTICODE_KEY_NAME }} + ARTIFACTORY_REGISTRY: ${{ secrets.ARTIFACTORY_REGISTRY }} + ARTIFACTORY_SIGN_USER: ${{ secrets.ARTIFACTORY_SIGN_USER }} + ARTIFACTORY_SIGN_PASSWORD: ${{ secrets.ARTIFACTORY_SIGN_PASSWORD }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index d1829af..1d22994 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
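Review bot: The two Artifactory credential pairs introduced here are easy to confuse without a comment: the login step authenticates the runner to `ARTIFACTORY_REGISTRY` with `ARTIFACTORY_USER`/`ARTIFACTORY_PASSWORD` so the garasign images can be pulled, while `ARTIFACTORY_SIGN_USER`/`ARTIFACTORY_SIGN_PASSWORD` are only handed to GoReleaser so `scripts/notarize.sh` and `scripts/windows_notarize.sh` can forward them into the signing container as `GRS_CONFIG_USER1_*`. I would add `# Pull credentials for the garasign images; the separate *_SIGN_* pair passed to GoReleaser below is only forwarded into the signing container` above the login step. The enclosing `jobs` block starts outside the hunk, so it is worth confirming there that the job's `permissions` stay at what the release upload needs, now that the signing secrets live in the same job.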
@@ -3,15 +3,68 @@ project_name: atlas-cli-plugin-terraform version: 2 +before: + hooks: + - curl https://pgp.mongodb.com/atlas-cli.asc -o signature.asc + builds: - - id: "atlas-cli-plugin-terraform" - main: ./cmd/plugin/main.go - binary: ./binary + - id: linux + goos: [linux] + goarch: [amd64, arm64] + <<: &build_defaults + binary: ./binary + main: ./cmd/plugin + - id: macos + goos: [darwin] + goarch: [amd64, arm64] + <<: *build_defaults + - id: windows + goos: [windows] + goarch: [amd64] + goamd64: [v1] + <<: *build_defaults + hooks: + post: # Notarize the Windows binary replacing the one created by goreleaser + - cmd: ./scripts/windows_notarize.sh + output: true archives: - - files: - - src: './bin/manifest{{ if eq .Os "windows" }}.windows{{end}}.yml' - dst: ./manifest.yml + - id: linux + builds: [linux] + <<: &archive_defaults + files: + - src: './bin/manifest{{ if eq .Os "windows" }}.windows{{end}}.yml' + dst: ./manifest.yml + - id: macos + builds: [macos] + <<: *archive_defaults + - id: windows + builds: [windows] + <<: *archive_defaults + +signs: + - id: all_artifacts + signature: "${artifact}.sig" + cmd: "./scripts/notarize.sh" + ids: + - linux + - macos + - windows + artifacts: all + output: true release: prerelease: auto + extra_files: + - glob: ./*.asc + +gomod: # https://goreleaser.com/customization/verifiable_builds/ + # Proxy a module from proxy.golang.org, making the builds verifiable. + # This will only be effective if running against a tag. Snapshots will ignore + # this setting. + # Notice: for this to work your `build.main` must be a package, not a `.go` file. + proxy: false + # Sets the `-mod` flag value. + # + # Since: v1.7 + mod: mod diff --git a/scripts/.goreleaser.yml b/scripts/.goreleaser.yml new file mode 100644 index 0000000..42b702e --- /dev/null +++ b/scripts/.goreleaser.yml 
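Review bot: The `before` hook fetches the public key with a bare `curl … -o signature.asc`, which on an HTTP error writes the server's error body to `signature.asc` and still exits 0, so a failed download would be published through `release.extra_files` (`./*.asc`) as if it were the key; use `- curl -fsSL https://pgp.mongodb.com/atlas-cli.asc -o signature.asc` so the hook fails the release instead. The `gomod` comment block was copied from the GoReleaser docs and describes proxying as enabled, but `proxy: false` disables it; trim it to something like `# Module proxying disabled; builds are not verified through proxy.golang.org` so the comment matches the setting. Also, only the `windows` build gets a post-build signing hook; if the darwin binaries are meant to stay unsigned at the binary level (the archives are still signed via `signs`), a one-line comment on the `macos` build would save the next reader from looking for a missing hook.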
@@ -0,0 +1,93 @@ +# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json +project_name: atlas-cli-plugin-kubernetes + +version: 2 + +before: + hooks: + - go mod tidy + - curl https://pgp.mongodb.com/atlas-cli.asc -o atlas-cli.asc + +builds: + - <<: &build_defaults + env: + - CGO_ENABLED=0 + binary: atlas-cli-plugin-kubernetes + main: ./cmd/plugin + ldflags: + - -s -w -X github.com/mongodb/atlas-cli-plugin-kubernetes/internal/version.Version={{.Version}} -X github.com/mongodb/atlas-cli-plugin-kubernetes/internal/version.GitCommit={{.FullCommit}} + id: linux + goos: [linux] + goarch: [amd64,arm64] + - <<: *build_defaults + id: macos + goos: [darwin] + goarch: [amd64,arm64] + hooks: + # This will notarize Apple binaries and replace goreleaser bins with the notarized ones + post: + - cmd: ./build/package/mac_notarize.sh + output: true + - <<: *build_defaults + id: windows + goos: [windows] + goarch: [amd64] + goamd64: [v1] + hooks: + # This will notarize the Windows binary and replace goreleaser bin with the notarized one + post: + - cmd: ./build/package/windows_notarize.sh + output: true +gomod: # https://goreleaser.com/customization/verifiable_builds/ + # Proxy a module from proxy.golang.org, making the builds verifiable. + # This will only be effective if running against a tag. Snapshots will ignore + # this setting. + # Notice: for this to work your `build.main` must be a package, not a `.go` file. + proxy: false + # Sets the `-mod` flag value. 
+ # + # Since: v1.7 + mod: mod + +archives: +- id: linux + name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }} + builds: [linux] + <<: &archive_defaults + files: + - README.md + - LICENSE + - third_party_notices/**/* + - src: "./manifest{{ if eq .Os \"windows\" }}.windows{{end}}.yml" + dst: ./manifest.yml + wrap_in_directory: true + format: tar.gz +- id: macos + name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }} + builds: [macos] + <<: *archive_defaults + format: zip + wrap_in_directory: false +- id: windows + name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }} + builds: [windows] + <<: *archive_defaults + wrap_in_directory: false + format: zip +checksum: + name_template: checksums.txt +signs: + - id: all_artifacts + signature: "${artifact}.sig" + cmd: "./build/package/notarize.sh" + ids: + - linux + - macos + - windows + artifacts: all + output: true +release: + prerelease: auto + name_template: "Atlas CLI Plugin Kubernetes v{{.Version}}" + extra_files: + - glob: ./*.asc diff --git a/scripts/notarize.sh b/scripts/notarize.sh new file mode 100755 index 0000000..7b12362 --- /dev/null +++ b/scripts/notarize.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +set -Eeou pipefail + +if [[ -f "${artifact:?}" ]]; then + echo "notarizing package ${artifact}" + + docker run \ + -e GRS_CONFIG_USER1_USERNAME="${ARTIFACTORY_SIGN_USER}" \ + -e GRS_CONFIG_USER1_PASSWORD="${ARTIFACTORY_SIGN_PASSWORD}" \ + --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \ + "${ARTIFACTORY_REGISTRY}/release-tools-container-registry-local/garasign-gpg" \ + /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${artifact}.sig --detach-sign ${artifact}" +fi + +echo "Signing of ${artifact} completed." 
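Review bot: When `${artifact}` does not exist the `if` guard skips signing silently and the script still prints `Signing of … completed.` and exits 0, so a missing artifact never fails the `signs` step on its own; `scripts/windows_notarize.sh` has the same pattern. I would make the missing-file case an error, as below. Two smaller points in the `docker run`: `${artifact}` is interpolated unquoted into the `bash -c` string (the Windows script quotes its path, so quote here for consistency), and `-e NAME="${VALUE}"` puts the signing credentials on the `docker` command line where anything reading the runner's process list can see them, whereas exporting them and passing `-e NAME` with no value makes docker read them from the script's own environment.
```bash
if [[ ! -f "${artifact:?}" ]]; then
  echo "artifact ${artifact} not found, cannot sign" >&2
  exit 1
fi

echo "notarizing package ${artifact}"

# Values come from the environment, not the command line.
export GRS_CONFIG_USER1_USERNAME="${ARTIFACTORY_SIGN_USER:?}"
export GRS_CONFIG_USER1_PASSWORD="${ARTIFACTORY_SIGN_PASSWORD:?}"

docker run \
  -e GRS_CONFIG_USER1_USERNAME \
  -e GRS_CONFIG_USER1_PASSWORD \
  --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \
  "${ARTIFACTORY_REGISTRY}/release-tools-container-registry-local/garasign-gpg" \
  /bin/bash -c "gpgloader && gpg --yes -v --armor -o \"${artifact}.sig\" --detach-sign \"${artifact}\""
# … unchanged: completion message …
```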
diff --git a/scripts/windows_notarize.sh b/scripts/windows_notarize.sh
new file mode 100755
index 0000000..ca1156f
--- /dev/null
+++ b/scripts/windows_notarize.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -Eeou pipefail
+
+EXE_FILE="./dist/windows_windows_amd64_v1/binary.exe"
+
+if [[ -f "$EXE_FILE" ]]; then
+ echo "signing Windows binary: ${EXE_FILE}"
+
+ docker run \
+ -e GRS_CONFIG_USER1_USERNAME="${ARTIFACTORY_SIGN_USER}" \
+ -e GRS_CONFIG_USER1_PASSWORD="${ARTIFACTORY_SIGN_PASSWORD}" \
+ --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \
+ "${ARTIFACTORY_REGISTRY}/release-tools-container-registry-local/garasign-jsign" \
+ /bin/bash -c "jsign --tsaurl http://timestamp.digicert.com -a ${AUTHENTICODE_KEY_NAME} \"${EXE_FILE}\""
+fi
From 4bf19690ac08cec254349bfbdbd6e5f5741644ab Mon Sep 17 00:00:00 2001
From: Leo Antoli <430982+lantoli@users.noreply.github.com>
Date: Wed, 19 Feb 2025 17:43:05 +0100
Subject: [PATCH 2/2] leftover
---
 scripts/.goreleaser.yml | 93 -----------------------------------------
 1 file changed, 93 deletions(-)
 delete mode 100644 scripts/.goreleaser.yml
diff --git a/scripts/.goreleaser.yml b/scripts/.goreleaser.yml
deleted file mode 100644
index 42b702e..0000000
--- a/scripts/.goreleaser.yml
+++ /dev/null
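Review bot: `EXE_FILE` hard-codes `./dist/windows_windows_amd64_v1/binary.exe`, a path that is derived from the build id `windows`, `goamd64: [v1]` and `binary: ./binary` in `.goreleaser.yaml`; if any of those change, the `if [[ -f … ]]` guard skips signing and the script exits 0, so the release would ship an unsigned `.exe` without anything failing. Since this runs as a GoReleaser build post hook, the built path can be passed in instead (hook `cmd` supports the `{{ .Path }}` template) and the script can read it as `$1`, e.g. `EXE_FILE="${1:-./dist/windows_windows_amd64_v1/binary.exe}"`, with the missing-file case turned into an error as noted for `scripts/notarize.sh`. The credential and quoting remarks on that script apply here as well: the `-e NAME="${VALUE}"` arguments put `ARTIFACTORY_SIGN_*` on the `docker` command line, and exporting them and passing `-e NAME` keeps them in the environment only.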
@@ -1,93 +0,0 @@ -# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json -project_name: atlas-cli-plugin-kubernetes - -version: 2 - -before: - hooks: - - go mod tidy - - curl https://pgp.mongodb.com/atlas-cli.asc -o atlas-cli.asc - -builds: - - <<: &build_defaults - env: - - CGO_ENABLED=0 - binary: atlas-cli-plugin-kubernetes - main: ./cmd/plugin - ldflags: - - -s -w -X github.com/mongodb/atlas-cli-plugin-kubernetes/internal/version.Version={{.Version}} -X github.com/mongodb/atlas-cli-plugin-kubernetes/internal/version.GitCommit={{.FullCommit}} - id: linux - goos: [linux] - goarch: [amd64,arm64] - - <<: *build_defaults - id: macos - goos: [darwin] - goarch: [amd64,arm64] - hooks: - # This will notarize Apple binaries and replace goreleaser bins with the notarized ones - post: - - cmd: ./build/package/mac_notarize.sh - output: true - - <<: *build_defaults - id: windows - goos: [windows] - goarch: [amd64] - goamd64: [v1] - hooks: - # This will notarize the Windows binary and replace goreleaser bin with the notarized one - post: - - cmd: ./build/package/windows_notarize.sh - output: true -gomod: # https://goreleaser.com/customization/verifiable_builds/ - # Proxy a module from proxy.golang.org, making the builds verifiable. - # This will only be effective if running against a tag. Snapshots will ignore - # this setting. - # Notice: for this to work your `build.main` must be a package, not a `.go` file. - proxy: false - # Sets the `-mod` flag value. 
- # - # Since: v1.7 - mod: mod - -archives: -- id: linux - name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }} - builds: [linux] - <<: &archive_defaults - files: - - README.md - - LICENSE - - third_party_notices/**/* - - src: "./manifest{{ if eq .Os \"windows\" }}.windows{{end}}.yml" - dst: ./manifest.yml - wrap_in_directory: true - format: tar.gz -- id: macos - name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }} - builds: [macos] - <<: *archive_defaults - format: zip - wrap_in_directory: false -- id: windows - name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }} - builds: [windows] - <<: *archive_defaults - wrap_in_directory: false - format: zip -checksum: - name_template: checksums.txt -signs: - - id: all_artifacts - signature: "${artifact}.sig" - cmd: "./build/package/notarize.sh" - ids: - - linux - - macos - - windows - artifacts: all - output: true -release: - prerelease: auto - name_template: "Atlas CLI Plugin Kubernetes v{{.Version}}" - extra_files: - - glob: ./*.asc