CSHARP-5050: Sign release artifacts or tags with MongoDB-managed keys

Author: BorisDog

evergreen/build-packages.sh

@@ -1,6 +1,9 @@
 #!/usr/bin/env bash
 set -o errexit  # Exit the script with error if any of the commands fail
 
+# Environment variables used as input:
+# PACKAGE_VERSION
+
 if [ -z "$PACKAGE_VERSION" ]; then
   PACKAGE_VERSION=$(bash ./evergreen/get-version.sh)
   echo Calculated PACKAGE_VERSION value: "$PACKAGE_VERSION"
@@ -9,4 +12,4 @@ fi
 echo Creating nuget package...
 
 dotnet clean ./CSharpDriver.sln
-dotnet pack ./CSharpDriver.sln -o ./artifacts/nuget -c Release -p:Version="$PACKAGE_VERSION" --include-symbols -p:SymbolPackageFormat=snupkg -p:ContinuousIntegrationBuild=true
+dotnet pack ./CSharpDriver.sln -o ./artifacts/nuget -c Release -p:Version="$PACKAGE_VERSION" --include-symbols -p:SymbolPackageFormat=snupkg -p:ContinuousIntegrationBuild=true

evergreen/evergreen.yml

@@ -1008,12 +1008,29 @@ functions:
           ${PREPARE_SHELL}
           . ./evergreen/build-packages.sh
 
+  sign-packages:
+    - command: shell.exec
+      params:
+        shell: bash
+        working_dir: mongo-csharp-driver
+        env:
+          ARTIFACTORY_PASSWORD: ${ARTIFACTORY_PASSWORD}
+          ARTIFACTORY_USERNAME: ${ARTIFACTORY_USERNAME}
+          AZURE_NUGET_SIGN_TENANT_ID: ${AZURE_NUGET_SIGN_TENANT_ID}
+          AZURE_NUGET_SIGN_CLIENT_ID: ${AZURE_NUGET_SIGN_CLIENT_ID}
+          AZURE_NUGET_SIGN_CLIENT_SECRET: ${AZURE_NUGET_SIGN_CLIENT_SECRET}
+          PACKAGE_VERSION: "$PACKAGE_VERSION"
+        script: |
+          ${PREPARE_SHELL}
+          . ./evergreen/sign-packages.sh
+
   push-packages:
     - command: shell.exec
       params:
         shell: bash
         working_dir: mongo-csharp-driver
         env:
+          NUGET_SIGN_CERTIFICATE_FINGERPRINT: ${NUGET_SIGN_CERTIFICATE_FINGERPRINT}
           PACKAGES_SOURCE: ${PACKAGES_SOURCE}
           PACKAGES_SOURCE_KEY: ${PACKAGES_SOURCE_KEY}
         script: |
@@ -1857,6 +1874,7 @@ tasks:
       commands:
         - func: install-dotnet
         - func: download-packages
+        - func: sign-packages
         - func: push-packages
           vars:
             PACKAGES_SOURCE: "https://api.nuget.org/v3/index.json"
@@ -1866,6 +1884,7 @@ tasks:
       commands:
         - func: install-dotnet
         - func: download-packages
+        - func: sign-packages
         - func: push-packages
           vars:
             PACKAGES_SOURCE: "https://www.myget.org/F/mongodb/api/v3/index.json"
@@ -2690,7 +2709,7 @@ buildvariants:
 # Package release variants
 - matrix_name: build-packages
   matrix_spec:
-    os: "windows-64" # should produce package on Windows to make sure full framework binaries created.
+    os: "windows-64" # should produce package on Windows to build .NET framework (net472) packages.
   display_name: "Packages Pack"
   tags: ["build-packages", "release-tag"]
   tasks:

evergreen/push-packages.sh

@@ -2,6 +2,12 @@
 set -o errexit # Exit the script with error if any of the commands fail
 set +o xtrace  # Disable tracing.
 
+# Environment variables used as inpu
+# NUGET_SIGN_CERTIFICATE_FINGERPRINT
+# PACKAGES_SOURCE
+# PACKAGES_SOURCE_KEY
+# PACKAGE_VERSION
+
 # querying nuget source to find search base url
 packages_search_url=$(curl -X GET -s "${PACKAGES_SOURCE}" | jq -r 'first(.resources[] | select(."@type"=="SearchQueryService") | ."@id")')
 
@@ -50,6 +56,11 @@ if [ "$PACKAGES_SOURCE" = "https://api.nuget.org/v3/index.json" ] && [[ ! "$PACK
 fi
 
 PACKAGES=("MongoDB.Bson" "MongoDB.Driver.Core" "MongoDB.Driver" "MongoDB.Driver.GridFS" "mongocsharpdriver")
+
+for package in ${PACKAGES[*]}; do
+  dotnet nuget verify ./artifacts/nuget/"$package"."$PACKAGE_VERSION".nupkg --certificate-fingerprint "$NUGET_SIGN_CERTIFICATE_FINGERPRINT"
+done
+
 for package in ${PACKAGES[*]}; do
   dotnet nuget push --source "$PACKAGES_SOURCE" --api-key "$PACKAGES_SOURCE_KEY" ./artifacts/nuget/"$package"."$PACKAGE_VERSION".nupkg
 done

evergreen/sign-packages.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -o errexit  # Exit the script with error if any of the commands fail
+
+# Environment variables used as input:
+# ARTIFACTORY_PASSWORD
+# ARTIFACTORY_USERNAME
+# AZURE_NUGET_SIGN_TENANT_ID
+# AZURE_NUGET_SIGN_CLIENT_ID
+# AZURE_NUGET_SIGN_CLIENT_SECRET
+# PACKAGE_VERSION
+
+echo "${ARTIFACTORY_PASSWORD}" | docker login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
+
+docker run --platform="linux/amd64" --rm -v $(pwd):/workdir -w /workdir \
+  artifactory.corp.mongodb.com/release-tools-container-registry-local/azure-keyvault-nuget \
+  NuGetKeyVaultSignTool sign "artifacts/nuget/*.$PACKAGE_VERSION.nupkg" \
+    --force \
+    --file-digest=sha256 \
+    --timestamp-rfc3161=http://timestamp.digicert.com \
+    --timestamp-digest=sha256 \
+    --azure-key-vault-url=https://mdb-authenticode.vault.azure.net \
+    --azure-key-vault-tenant-id="$AZURE_NUGET_SIGN_TENANT_ID" \
+    --azure-key-vault-client-secret="$AZURE_NUGET_SIGN_CLIENT_SECRET" \
+    --azure-key-vault-client-id="$AZURE_NUGET_SIGN_CLIENT_ID" \
+    --azure-key-vault-certificate=authenticode-2021