From dba1421c6f32776760e23dfe981fd528565087b5 Mon Sep 17 00:00:00 2001 From: Basit Date: Thu, 25 Jan 2024 11:04:50 +0100 Subject: [PATCH 1/3] wip rpm signing --- .evergreen/functions.yml | 7 ------- .evergreen/verify-artifacts.sh | 14 ++++++++++++-- packages/hadron-build/lib/signtool.js | 15 ++++++++++++++- packages/hadron-build/lib/target.js | 5 ----- 4 files changed, 26 insertions(+), 15 deletions(-) diff --git a/.evergreen/functions.yml b/.evergreen/functions.yml index a985f53e517..d18bac2e1ab 100644 --- a/.evergreen/functions.yml +++ b/.evergreen/functions.yml @@ -664,13 +664,6 @@ functions: remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_filename} content_type: application/x-redhat-package-manager optional: true - - command: s3.put - params: - <<: *save-artifact-params-public - local_file: src/packages/compass/dist/${linux_rpm_sign_filename} - remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_sign_filename} - content_type: application/pgp-signature - optional: true - command: s3.put params: <<: *save-artifact-params-public diff --git a/.evergreen/verify-artifacts.sh b/.evergreen/verify-artifacts.sh index c2ebb96c678..2aa7f7346d6 100755 --- a/.evergreen/verify-artifacts.sh +++ b/.evergreen/verify-artifacts.sh @@ -9,6 +9,7 @@ ls -l $ARTIFACTS_DIR # Use tmp directory for all gpg operations GPG_HOME=$(mktemp -d) TMP_FILE=$(mktemp) +COMPASS_KEY="https://pgp.mongodb.com/compass.asc" trap_handler() { local code=$? 
@@ -40,9 +41,18 @@ verify_using_codesign() { codesign -dv --verbose=4 $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1 } +verify_using_rpm() { + # RPM packages are signed using gpg and the signature is embedded in the package. + # Here, we need to import the key in `rpm` and then verify the signature. + echo "Importing key into rpm" + rpm --import $COMPASS_KEY > "$TMP_FILE" 2>&1 + echo "Verifying $1 using rpm" + rpm -K $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1 +} + setup_gpg() { echo "Importing Compass public key" - curl https://pgp.mongodb.com/compass.asc | gpg --homedir $GPG_HOME --import > "$TMP_FILE" 2>&1 + curl $COMPASS_KEY | gpg --homedir $GPG_HOME --import > "$TMP_FILE" 2>&1 } if [ "$IS_WINDOWS" = true ]; then @@ -55,7 +65,7 @@ elif [ "$IS_UBUNTU" = true ]; then verify_using_gpg $LINUX_TAR_NAME elif [ "$IS_RHEL" = true ]; then setup_gpg - verify_using_gpg $RHEL_RPM_NAME + verify_using_rpm $RHEL_RPM_NAME verify_using_gpg $RHEL_TAR_NAME elif [ "$IS_OSX" = true ]; then setup_gpg diff --git a/packages/hadron-build/lib/signtool.js b/packages/hadron-build/lib/signtool.js index 5091d4e79da..c02cc71ede3 100644 --- a/packages/hadron-build/lib/signtool.js +++ b/packages/hadron-build/lib/signtool.js @@ -36,6 +36,19 @@ function signArchive(target, cb) { sign(target.dest(app_archive_name)).then(cb).catch(cb); } +/** + * @param {string} src + */ +function getSigningMethod(src) { + const ext = path.extname(src); + if (ext === '.rpm') { + return 'rpm_gpg'; + } else if (ext === '.exe' || ext === '.msi') { + return 'jsign'; + } + return 'gpg'; +} + /** * We are signing the file using `gpg` or `jsign` depending on the * file extension. If the extension is `.exe` or `.msi`, we use `jsign` 
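Review bot: The header comment on `sign` that closes this hunk ("We are signing the file using `gpg` or `jsign` depending on the file extension. If the extension is `.exe` or `.msi`, we use `jsign`") is stale once `getSigningMethod` maps `.rpm` to a third method, `rpm_gpg`, and the new function documents its parameter but not its result. Suggested JSDoc for `getSigningMethod`: `@returns {'gpg' | 'jsign' | 'rpm_gpg'} garasign signing method selected from the extension of src`, and for the `sign` comment: `We sign the file with gpg, jsign or rpm_gpg depending on the file extension; see getSigningMethod.` The same documentation gap remains after the switch rewrite of `getSigningMethod` in the second patch of this series. The `sign` comment and function continue outside this hunk.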
@@ -58,7 +71,7 @@ async function sign(src, garasign = _garasign) { username: process.env.SIGNING_SERVER_USERNAME, port: process.env.SIGNING_SERVER_PORT, privateKey: process.env.SIGNING_SERVER_PRIVATE_KEY, - signingMethod: path.extname(src) === '.exe' || path.extname(src) === '.msi' ? 'jsign' : 'gpg' + signingMethod: getSigningMethod(src), }; return await garasign(src, clientOptions); diff --git a/packages/hadron-build/lib/target.js b/packages/hadron-build/lib/target.js index 2ecc3746e7c..c0486296306 100644 --- a/packages/hadron-build/lib/target.js +++ b/packages/hadron-build/lib/target.js @@ -639,7 +639,6 @@ class Target { this.linux_rpm_filename = `${this.slug}-${this.version}.${rhelArch}.rpm`; this.rhel_tar_filename = `${this.slug}-${this.version}-rhel-${this.arch}.tar.gz`; - this.linux_rpm_sign_filename = getSignedFilename(this.linux_rpm_filename); this.rhel_tar_sign_filename = getSignedFilename(this.rhel_tar_filename); this.assets = [ @@ -657,10 +656,6 @@ class Target { path: this.dest(this.linux_rpm_filename), downloadCenter: true }, - { - name: this.linux_rpm_sign_filename, - path: this.dest(this.linux_rpm_sign_filename), - }, { name: this.linux_tar_filename, path: this.dest(this.linux_tar_filename) From 1d16e45bbede97f9d04a47fc99b07241920fb6ce Mon Sep 17 00:00:00 2001 From: Basit Date: Thu, 25 Jan 2024 11:56:12 +0100 Subject: [PATCH 2/3] update package --- package-lock.json | 38 +++++++++++++-------------- packages/hadron-build/lib/signtool.js | 14 +++++----- packages/hadron-build/package.json | 2 +- 3 files changed, 27 insertions(+), 27 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7390dd3195e..44b8c39b3b0 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -8634,10 +8634,11 @@ } }, "node_modules/@mongodb-js/signing-utils": { - "version": "0.2.3", - "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.2.3.tgz", - "integrity": "sha512-9JofubOY8B2I9+SoQCkDV3DC4xNU0Vevb6L/7FC3OmLz/5jzrmLkJ5B6VmLOi1nlIV+q0leEopIZUvJZ9BIPrQ==", + "version": "0.3.0", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.0.tgz", + "integrity": "sha512-1tpbe6dDeXDL4pS1Ir2asNi9u4E92DrQwuDNpWXKVfnVXIXsi2hc8GGBx8Kdm/YJ6v7IFMnp8uKRyitoB8LHag==", "dependencies": { + "@types/ssh2": "^1.11.19", "debug": "^4.3.4", "ssh2": "^1.15.0" } @@ -13981,10 +13982,9 @@ "dev": true }, "node_modules/@types/ssh2": { - "version": "1.11.8", - "resolved": "https://registry.npmjs.org/@types/ssh2/-/ssh2-1.11.8.tgz", - "integrity": "sha512-BsD9yrKmD8avjbR+N5tvv0jxYHzizcrC156YkPbNjqbu81tCm4ZdS7D6KtXbZfz+CFHgFrTC7j046Lr39W5eig==", - "dev": true, + "version": "1.11.19", + "resolved": "https://registry.npmjs.org/@types/ssh2/-/ssh2-1.11.19.tgz", + "integrity": "sha512-ydbQAqEcdNVy2t1w7dMh6eWMr+iOgtEkqM/3K9RMijMaok/ER7L8GW6PwsOypHCN++M+c8S/UR9SgMqNIFstbA==", "dependencies": { "@types/node": "^18.11.18" } @@ -13992,8 +13992,7 @@ "node_modules/@types/ssh2/node_modules/@types/node": { "version": "18.15.11", "resolved": "https://registry.npmjs.org/@types/node/-/node-18.15.11.tgz", - "integrity": "sha512-E5Kwq2n4SbMzQOn6wnmBjuK9ouqlURrcZDVfbo9ftDDTFt3nk7ZKK4GMOzoYgnpQJKcxwQw+lGaBvvlMo0qN/Q==", - "dev": true + "integrity": "sha512-E5Kwq2n4SbMzQOn6wnmBjuK9ouqlURrcZDVfbo9ftDDTFt3nk7ZKK4GMOzoYgnpQJKcxwQw+lGaBvvlMo0qN/Q==" }, "node_modules/@types/stream-chain": { "version": "2.0.1", @@ -48939,7 +48938,7 @@ "@mongodb-js/devtools-github-repo": "^1.4.1", "@mongodb-js/dl-center": "^1.0.1", "@mongodb-js/electron-wix-msi": "^3.0.0", - "@mongodb-js/signing-utils": "^0.2.3", + "@mongodb-js/signing-utils": "^0.3.0", "@npmcli/arborist": "^6.2.0", "@octokit/rest": "^18.6.2", "asar": "^3.0.3", 
@@ -62326,10 +62325,11 @@ } }, "@mongodb-js/signing-utils": { - "version": "0.2.3", - "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.2.3.tgz", - "integrity": "sha512-9JofubOY8B2I9+SoQCkDV3DC4xNU0Vevb6L/7FC3OmLz/5jzrmLkJ5B6VmLOi1nlIV+q0leEopIZUvJZ9BIPrQ==", + "version": "0.3.0", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.0.tgz", + "integrity": "sha512-1tpbe6dDeXDL4pS1Ir2asNi9u4E92DrQwuDNpWXKVfnVXIXsi2hc8GGBx8Kdm/YJ6v7IFMnp8uKRyitoB8LHag==", "requires": { + "@types/ssh2": "^1.11.19", "debug": "^4.3.4", "ssh2": "^1.15.0" }, @@ -67133,10 +67133,9 @@ "dev": true }, "@types/ssh2": { - "version": "1.11.8", - "resolved": "https://registry.npmjs.org/@types/ssh2/-/ssh2-1.11.8.tgz", - "integrity": "sha512-BsD9yrKmD8avjbR+N5tvv0jxYHzizcrC156YkPbNjqbu81tCm4ZdS7D6KtXbZfz+CFHgFrTC7j046Lr39W5eig==", - "dev": true, + "version": "1.11.19", + "resolved": "https://registry.npmjs.org/@types/ssh2/-/ssh2-1.11.19.tgz", + "integrity": "sha512-ydbQAqEcdNVy2t1w7dMh6eWMr+iOgtEkqM/3K9RMijMaok/ER7L8GW6PwsOypHCN++M+c8S/UR9SgMqNIFstbA==", "requires": { "@types/node": "^18.11.18" }, @@ -67144,8 +67143,7 @@ "@types/node": { "version": "18.15.11", "resolved": "https://registry.npmjs.org/@types/node/-/node-18.15.11.tgz", - "integrity": "sha512-E5Kwq2n4SbMzQOn6wnmBjuK9ouqlURrcZDVfbo9ftDDTFt3nk7ZKK4GMOzoYgnpQJKcxwQw+lGaBvvlMo0qN/Q==", - "dev": true + "integrity": "sha512-E5Kwq2n4SbMzQOn6wnmBjuK9ouqlURrcZDVfbo9ftDDTFt3nk7ZKK4GMOzoYgnpQJKcxwQw+lGaBvvlMo0qN/Q==" } } }, @@ -77550,7 +77548,7 @@ "@mongodb-js/devtools-github-repo": "^1.4.1", "@mongodb-js/dl-center": "^1.0.1", "@mongodb-js/electron-wix-msi": "^3.0.0", - "@mongodb-js/signing-utils": "^0.2.3", + "@mongodb-js/signing-utils": "^0.3.0", "@npmcli/arborist": "^6.2.0", "@octokit/rest": "^18.6.2", "asar": "^3.0.3", diff --git a/packages/hadron-build/lib/signtool.js b/packages/hadron-build/lib/signtool.js index c02cc71ede3..2ed30323880 100644 
--- a/packages/hadron-build/lib/signtool.js +++ b/packages/hadron-build/lib/signtool.js @@ -40,13 +40,15 @@ function signArchive(target, cb) { * @param {string} src */ function getSigningMethod(src) { - const ext = path.extname(src); - if (ext === '.rpm') { - return 'rpm_gpg'; - } else if (ext === '.exe' || ext === '.msi') { - return 'jsign'; + switch (path.extname(src)) { + case '.exe': + case '.msi': + return 'jsign'; + case '.rpm': + return 'rpm_gpg'; + default: + return 'gpg'; } - return 'gpg'; } /** diff --git a/packages/hadron-build/package.json b/packages/hadron-build/package.json index 9a1f79778bc..d2d432e25af 100644 --- a/packages/hadron-build/package.json +++ b/packages/hadron-build/package.json @@ -23,7 +23,7 @@ "@mongodb-js/devtools-github-repo": "^1.4.1", "@mongodb-js/dl-center": "^1.0.1", "@mongodb-js/electron-wix-msi": "^3.0.0", - "@mongodb-js/signing-utils": "^0.2.3", + "@mongodb-js/signing-utils": "^0.3.0", "@npmcli/arborist": "^6.2.0", "@octokit/rest": "^18.6.2", "asar": "^3.0.3", From 51c1c362ad38b08cde55d85d9ec815f874e57672 Mon Sep 17 00:00:00 2001 From: Basit Date: Thu, 25 Jan 2024 15:58:30 +0100 Subject: [PATCH 3/3] verify correctly --- .evergreen/verify-artifacts.sh | 12 +++++++++++- package-lock.json | 16 ++++++++-------- packages/hadron-build/package.json | 2 +- 3 files changed, 20 insertions(+), 10 deletions(-) diff --git a/.evergreen/verify-artifacts.sh b/.evergreen/verify-artifacts.sh index 2aa7f7346d6..007e300843e 100755 --- a/.evergreen/verify-artifacts.sh +++ b/.evergreen/verify-artifacts.sh 
@@ -46,8 +46,18 @@ verify_using_rpm() { # Here, we need to import the key in `rpm` and then verify the signature. echo "Importing key into rpm" rpm --import $COMPASS_KEY > "$TMP_FILE" 2>&1 + # Even if the file is not signed, the command below will exit with 0 and output something like: sha1 md5 OK + # So we need to check the output of the command to see if the file is signed successfully. echo "Verifying $1 using rpm" - rpm -K $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1 + output=$(rpm -K $ARTIFACTS_DIR/$1) + # Remove the imported key from rpm + rpm -e $(rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}:%{summary}\n' | grep compass | awk -F: '{print $1}') + + # Check if the output contains the string "pgp md5 OK" + if [[ $output != *"pgp md5 OK"* ]]; then + echo "File $1 is not signed" + exit 1 + fi } setup_gpg() { diff --git a/package-lock.json b/package-lock.json index 44b8c39b3b0..8f88ee35f79 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8634,9 +8634,9 @@ } }, "node_modules/@mongodb-js/signing-utils": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.0.tgz", - "integrity": "sha512-1tpbe6dDeXDL4pS1Ir2asNi9u4E92DrQwuDNpWXKVfnVXIXsi2hc8GGBx8Kdm/YJ6v7IFMnp8uKRyitoB8LHag==", + "version": "0.3.1", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.1.tgz", + "integrity": "sha512-/zAg9vdxTQstu6kNkfOPr9WvLodz88k7egetKw8c5eZyPLBQgm3JfTaH7vQe/iSCuCwvXSk0tNcgo+6AdQNbTw==", "dependencies": { "@types/ssh2": "^1.11.19", "debug": "^4.3.4", @@ -48938,7 +48938,7 @@ "@mongodb-js/devtools-github-repo": "^1.4.1", "@mongodb-js/dl-center": "^1.0.1", "@mongodb-js/electron-wix-msi": "^3.0.0", - "@mongodb-js/signing-utils": "^0.3.0", + "@mongodb-js/signing-utils": "^0.3.1", "@npmcli/arborist": "^6.2.0", "@octokit/rest": "^18.6.2", "asar": "^3.0.3", 
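Review bot: The new `if [[ $output != *"pgp md5 OK"* ]]` check only proves that the package signature verified against some key present in the host's rpm database, not that it was made by the Compass key imported a few lines earlier, and the summary wording is tied to the rpm release on the verifier host (newer rpm releases print a different summary such as `digests signatures OK`, which this check would reject even for a correctly signed package — confirm against the image used for the RHEL job). Matching the verbose output on the expected key ID pins both points, since `rpm -Kv` prints one `... Signature, key ID <id>: OK` line per signature; the expected ID would live next to `COMPASS_KEY` at the top of the script. The `output=$(rpm -K ...)` assignment also drops the command's exit status, so an unreadable or missing file only surfaces as a pattern mismatch. The `rpm -e $(... | grep compass | ...)` cleanup is unquoted and runs `rpm -e` with no argument when the query matches nothing, so a failed cleanup can obscure the verification result; guarding it on a non-empty query result would keep the two outcomes apart. The `verify_using_rpm() {` opening line is outside this hunk.
```shell
  # … unchanged: key import and echo …
  # `rpm -K` reports OK for a signature by *any* key in the rpm db, so match the
  # verbose output against the expected Compass key ID instead of the summary text.
  # COMPASS_KEY_ID is defined next to COMPASS_KEY: the key ID as printed by `rpm -Kv`.
  output=$(rpm -Kv "$ARTIFACTS_DIR/$1") || { echo "rpm -K failed for $1"; exit 1; }
  # … unchanged: remove the imported key from rpm …
  if [[ $output != *"key ID ${COMPASS_KEY_ID}: OK"* ]]; then
    echo "File $1 is not signed with the Compass key"
    exit 1
  fi
```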
@@ -62325,9 +62325,9 @@ } }, "@mongodb-js/signing-utils": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.0.tgz", - "integrity": "sha512-1tpbe6dDeXDL4pS1Ir2asNi9u4E92DrQwuDNpWXKVfnVXIXsi2hc8GGBx8Kdm/YJ6v7IFMnp8uKRyitoB8LHag==", + "version": "0.3.1", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.1.tgz", + "integrity": "sha512-/zAg9vdxTQstu6kNkfOPr9WvLodz88k7egetKw8c5eZyPLBQgm3JfTaH7vQe/iSCuCwvXSk0tNcgo+6AdQNbTw==", "requires": { "@types/ssh2": "^1.11.19", "debug": "^4.3.4", @@ -77548,7 +77548,7 @@ "@mongodb-js/devtools-github-repo": "^1.4.1", "@mongodb-js/dl-center": "^1.0.1", "@mongodb-js/electron-wix-msi": "^3.0.0", - "@mongodb-js/signing-utils": "^0.3.0", + "@mongodb-js/signing-utils": "^0.3.1", "@npmcli/arborist": "^6.2.0", "@octokit/rest": "^18.6.2", "asar": "^3.0.3", diff --git a/packages/hadron-build/package.json b/packages/hadron-build/package.json index d2d432e25af..ee9b434968e 100644 --- a/packages/hadron-build/package.json +++ b/packages/hadron-build/package.json @@ -23,7 +23,7 @@ "@mongodb-js/devtools-github-repo": "^1.4.1", "@mongodb-js/dl-center": "^1.0.1", "@mongodb-js/electron-wix-msi": "^3.0.0", - "@mongodb-js/signing-utils": "^0.3.0", + "@mongodb-js/signing-utils": "^0.3.1", "@npmcli/arborist": "^6.2.0", "@octokit/rest": "^18.6.2", "asar": "^3.0.3",