chore(ci): rpm signing COMPASS-7588 #5379

Merged 5 commits on Jan 26, 2024 (showing changes from 1 commit)
wip rpm signing
mabaasit committed Jan 25, 2024
commit dba1421c6f32776760e23dfe981fd528565087b5
7 changes: 0 additions & 7 deletions .evergreen/functions.yml
@@ -664,13 +664,6 @@ functions:
remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_filename}
content_type: application/x-redhat-package-manager
optional: true
- command: s3.put
params:
<<: *save-artifact-params-public
local_file: src/packages/compass/dist/${linux_rpm_sign_filename}
remote_file: ${project}/${revision}_${revision_order_id}/${linux_rpm_sign_filename}
content_type: application/pgp-signature
optional: true
- command: s3.put
params:
<<: *save-artifact-params-public
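Review bot: dropping the `linux_rpm_sign_filename` upload means consumers that fetched `<rpm>.asc` from this S3 path will no longer find it; confirm that nothing downstream (download center, release notes, verify scripts on other branches) still requests the detached signature before this lands, since the only signature on the RPM after this change is the embedded one.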
14 changes: 12 additions & 2 deletions .evergreen/verify-artifacts.sh
@@ -9,6 +9,7 @@ ls -l $ARTIFACTS_DIR
# Use tmp directory for all gpg operations
GPG_HOME=$(mktemp -d)
TMP_FILE=$(mktemp)
COMPASS_KEY="https://pgp.mongodb.com/compass.asc"

trap_handler() {
local code=$?
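Review bot: `COMPASS_KEY` centralizes the key URL, which is good; consider pinning the expected key fingerprint beside it so the functions that import the key can check what was actually imported rather than trusting whatever the URL serves at verification time.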
@@ -40,9 +41,18 @@ verify_using_codesign() {
codesign -dv --verbose=4 $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
}

verify_using_rpm() {
# RPM packages are signed using gpg and the signature is embedded in the package.
# Here, we need to import the key in `rpm` and then verify the signature.
echo "Importing key into rpm"
rpm --import $COMPASS_KEY > "$TMP_FILE" 2>&1
echo "Verifying $1 using rpm"
rpm -K $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
}

setup_gpg() {
echo "Importing Compass public key"
curl https://pgp.mongodb.com/compass.asc | gpg --homedir $GPG_HOME --import > "$TMP_FILE" 2>&1
curl $COMPASS_KEY | gpg --homedir $GPG_HOME --import > "$TMP_FILE" 2>&1
}

if [ "$IS_WINDOWS" = true ]; then
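Review bot: `verify_using_rpm` does not fail on an unsigned package: `rpm -K` reports `digests OK` and exits 0 when the package carries no PGP signature, so as written it proves integrity, not origin. Inspect the captured output for `signatures OK` (or query `rpm -qp --qf '%{SIGPGP:pgpsig}'` and require a non-empty value) and exit non-zero otherwise. Also, `curl $COMPASS_KEY | gpg --homedir $GPG_HOME --import` in `setup_gpg` has no `-f`/`-sS` flags, so a failed download is not surfaced by the pipeline and only shows up as an import error buried in `$TMP_FILE`.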
@@ -55,7 +65,7 @@ elif [ "$IS_UBUNTU" = true ]; then
verify_using_gpg $LINUX_TAR_NAME
elif [ "$IS_RHEL" = true ]; then
setup_gpg
verify_using_gpg $RHEL_RPM_NAME
verify_using_rpm $RHEL_RPM_NAME
verify_using_gpg $RHEL_TAR_NAME
elif [ "$IS_OSX" = true ]; then
setup_gpg
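Review bot: swapping `verify_using_gpg` for `verify_using_rpm` makes the `rpm -K` call the sole check on the RHEL RPM, so its exit status must be what fails the job; `rpm -K ... > "$TMP_FILE" 2>&1` only propagates if `set -e` is in effect or an explicit `|| exit 1` follows it, and it is not visible in this hunk which of those holds.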
15 changes: 14 additions & 1 deletion packages/hadron-build/lib/signtool.js
@@ -36,6 +36,19 @@ function signArchive(target, cb) {
sign(target.dest(app_archive_name)).then(cb).catch(cb);
}

/**
* @param {string} src
*/
function getSigningMethod(src) {
const ext = path.extname(src);
if (ext === '.rpm') {
return 'rpm_gpg';
} else if (ext === '.exe' || ext === '.msi') {
return 'jsign';
}
return 'gpg';
}

/**
* We are signing the file using `gpg` or `jsign` depending on the
* file extension. If the extension is `.exe` or `.msi`, we use `jsign`
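Review bot: the JSDoc on `getSigningMethod` has no return type; add `@returns {'rpm_gpg' | 'jsign' | 'gpg'}` so callers see the closed set of values sent to the signing server. The comment right below ("We are signing the file using `gpg` or `jsign` depending on the file extension") is now stale since `.rpm` maps to `rpm_gpg`. Also, `path.extname` preserves case, so an artifact named `FOO.RPM` would fall through to plain `gpg`; lower-casing `ext` before comparing avoids that if upper-case names are ever possible.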
@@ -58,7 +71,7 @@ async function sign(src, garasign = _garasign) {
username: process.env.SIGNING_SERVER_USERNAME,
port: process.env.SIGNING_SERVER_PORT,
privateKey: process.env.SIGNING_SERVER_PRIVATE_KEY,
signingMethod: path.extname(src) === '.exe' || path.extname(src) === '.msi' ? 'jsign' : 'gpg'
signingMethod: getSigningMethod(src),
};

return await garasign(src, clientOptions);
5 changes: 0 additions & 5 deletions packages/hadron-build/lib/target.js
@@ -639,7 +639,6 @@ class Target {
this.linux_rpm_filename = `${this.slug}-${this.version}.${rhelArch}.rpm`;
this.rhel_tar_filename = `${this.slug}-${this.version}-rhel-${this.arch}.tar.gz`;

this.linux_rpm_sign_filename = getSignedFilename(this.linux_rpm_filename);
this.rhel_tar_sign_filename = getSignedFilename(this.rhel_tar_filename);

this.assets = [
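Review bot: with `linux_rpm_sign_filename` removed here and its `s3.put` removed in `functions.yml`, grep for remaining readers of the field (other `getSignedFilename` callers, download-center or manifest code, tests) so nothing still dereferences a now-undefined property at runtime.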
@@ -657,10 +656,6 @@ class Target {
path: this.dest(this.linux_rpm_filename),
downloadCenter: true
},
{
name: this.linux_rpm_sign_filename,
path: this.dest(this.linux_rpm_sign_filename),
},
{
name: this.linux_tar_filename,
path: this.dest(this.linux_tar_filename)