authorTural Farhadov <tural.ferhadov@gmail.com>2023-04-18 19:58:02 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-04-18 20:21:21 +0000
commit3385e421ad50bb726436b1a6a482ee29d1630b36 (patch)
treeec0ced8ae67cca8d4fb9c62f555706a0961e99fb
parentb286b30653fccd7bc4ab491843abbd966fcb839a (diff)
downloadmongo-3385e421ad50bb726436b1a6a482ee29d1630b36.tar.gz
SERVER-75652: migrate from notary_client to garasign for push task v5.0
-rw-r--r--etc/evergreen.yml28
-rw-r--r--evergreen/garasign_gpg_sign.sh66
-rw-r--r--evergreen/garasign_jsign_sign.sh42
-rw-r--r--evergreen/garasign_setup.sh7
4 files changed, 136 insertions, 7 deletions
diff --git a/etc/evergreen.yml b/etc/evergreen.yml
index a8a768cff49..99224c4f9f6 100644
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -6316,13 +6316,27 @@ tasks:
aws_key_remote: ${repo_aws_key}
aws_secret_remote: ${repo_aws_secret}
- func: "f_expansions_write"
- - func: "set up notary client credentials"
+
+ # setup garasign: login to container registry
+ - command: subprocess.exec
+ params:
+ binary: bash
+ args:
+ - "./src/evergreen/garasign_setup.sh"
+
+ # signing windows artifacts
+ - command: subprocess.exec
+ params:
+ binary: bash
+ args:
+ - "./src/evergreen/garasign_jsign_sign.sh"
+
+ # signing linux artifacts
- command: subprocess.exec
- type: test
params:
binary: bash
args:
- - "./src/evergreen/notary_client_run.sh"
+ - "./src/evergreen/garasign_gpg_sign.sh"
# Put the binaries tarball/zipfile
- command: s3.put
@@ -6456,7 +6470,7 @@ tasks:
aws_secret: ${aws_secret}
permissions: public-read
build_variants: ["enterprise-windows", "windows"]
- local_file: src/mongodb-${push_name}-${push_arch}-${suffix}-signed.msi
+ local_file: src/mongodb-${push_name}-${push_arch}-${suffix}.msi
bucket: build-push-testing
content_type: application/x-msi
remote_file: ${push_path}-STAGE/${push_name}/mongodb-${push_name}-${push_arch}-${suffix}-${task_id}-signed.msi
@@ -6526,7 +6540,7 @@ tasks:
aws_secret: ${aws_secret}
permissions: public-read
build_variants: ["enterprise-windows", "windows"]
- local_file: src/mongodb-${push_name}-${push_arch}-${suffix}-signed.msi.sha1
+ local_file: src/mongodb-${push_name}-${push_arch}-${suffix}.msi.sha1
bucket: build-push-testing
content_type: text/plain
remote_file: ${push_path}-STAGE/${push_name}/mongodb-${push_name}-${push_arch}-${suffix}-${task_id}-signed.msi.sha1
@@ -6595,7 +6609,7 @@ tasks:
aws_key: ${aws_key}
aws_secret: ${aws_secret}
build_variants: ["enterprise-windows", "windows"]
- local_file: src/mongodb-${push_name}-${push_arch}-${suffix}-signed.msi.sha256
+ local_file: src/mongodb-${push_name}-${push_arch}-${suffix}.msi.sha256
bucket: build-push-testing
permissions: public-read
remote_file: ${push_path}-STAGE/${push_name}/mongodb-${push_name}-${push_arch}-${suffix}-${task_id}-signed.msi.sha256
@@ -6665,7 +6679,7 @@ tasks:
aws_key: ${aws_key}
aws_secret: ${aws_secret}
build_variants: ["enterprise-windows", "windows"]
- local_file: src/mongodb-${push_name}-${push_arch}-${suffix}-signed.msi.md5
+ local_file: src/mongodb-${push_name}-${push_arch}-${suffix}.msi.md5
bucket: build-push-testing
permissions: public-read
content_type: text/plain
diff --git a/evergreen/garasign_gpg_sign.sh b/evergreen/garasign_gpg_sign.sh
new file mode 100644
index 00000000000..14423e5d2ea
--- /dev/null
+++ b/evergreen/garasign_gpg_sign.sh
@@ -0,0 +1,66 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+set -o errexit
+set -o verbose
+
+cd src
+
+long_ext=${ext}
+if [ "$long_ext" == "tgz" ]; then
+ long_ext="tar.gz"
+fi
+
+mv mongo-binaries.tgz mongodb-${push_name}-${push_arch}-${suffix}.${ext}
+mv mongo-shell.tgz mongodb-shell-${push_name}-${push_arch}-${suffix}.${ext}
+mv mongo-cryptd.tgz mongodb-cryptd-${push_name}-${push_arch}-${suffix}.${ext} || true
+mv mh.tgz mh-${push_name}-${push_arch}-${suffix}.${ext} || true
+mv mongo-debugsymbols.tgz mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext} || true
+mv distsrc.${ext} mongodb-src-${src_suffix}.${long_ext} || true
+
+# generating checksums
+function gen_checksums() {
+ if [ -e $1 ]; then
+ shasum -a 1 $1 | tee $1.sha1
+ shasum -a 256 $1 | tee $1.sha256
+ md5sum $1 | tee $1.md5
+ else
+ echo "$1 does not exist. Skipping checksum generation"
+ fi
+}
+
+gen_checksums mongodb-$push_name-$push_arch-$suffix.$ext
+gen_checksums mongodb-shell-$push_name-$push_arch-$suffix.$ext
+gen_checksums mongodb-$push_name-$push_arch-debugsymbols-$suffix.$ext
+gen_checksums mongodb-src-$src_suffix.$long_ext
+gen_checksums mongodb-cryptd-$push_name-$push_arch-$suffix.$ext
+
+# signing linux artifacts with gpg
+cat << 'EOF' > gpg_signing_commands.sh
+gpgloader # loading gpg keys.
+function sign(){
+ if [ -e $1 ]
+ then
+ gpg --yes -v --armor -o $1.sig --detach-sign $1
+ else
+ echo "$1 does not exist. Skipping signing"
+ fi
+}
+
+EOF
+
+cat << EOF >> gpg_signing_commands.sh
+sign mongodb-$push_name-$push_arch-$suffix.$ext
+sign mongodb-shell-$push_name-$push_arch-$suffix.$ext
+sign mongodb-$push_name-$push_arch-debugsymbols-$suffix.$ext
+sign mongodb-src-$src_suffix.$long_ext
+sign mongodb-cryptd-$push_name-$push_arch-$suffix.$ext
+EOF
+
+podman run \
+ -e GRS_CONFIG_USER1_USERNAME=${garasign_gpg_username_50} \
+ -e GRS_CONFIG_USER1_PASSWORD=${garasign_gpg_password_50} \
+ --rm \
+ -v $(pwd):$(pwd) -w $(pwd) \
+ ${garasign_gpg_image} \
+ /bin/bash -c "$(cat ./gpg_signing_commands.sh)"
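Review bot: The generated gpg_signing_commands.sh never enables errexit, so inside the container a failing `gpgloader` or `gpg --detach-sign` does not stop the run, and the exit status podman returns is that of the last `sign` call, which is a successful `echo` when the cryptd tarball is absent. A release artifact can therefore go unsigned while this step still succeeds; adding `set -o errexit` as the first line of the quoted heredoc makes any signing failure fail the step. Separately, `-e GRS_CONFIG_USER1_PASSWORD=${garasign_gpg_password_50}` puts the signing credential in the podman argument list, where it is readable from the host process table. Using `export GRS_CONFIG_USER1_PASSWORD="${garasign_gpg_password_50}"` and passing `-e GRS_CONFIG_USER1_PASSWORD` by name avoids that; the same applies to the `podman run` call in garasign_jsign_sign.sh.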
diff --git a/evergreen/garasign_jsign_sign.sh b/evergreen/garasign_jsign_sign.sh
new file mode 100644
index 00000000000..3ae3176cae9
--- /dev/null
+++ b/evergreen/garasign_jsign_sign.sh
@@ -0,0 +1,42 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+set -o errexit
+set -o verbose
+
+cd src
+
+msi_filename=mongodb-${push_name}-${push_arch}-${suffix}.msi
+/usr/bin/find build/ -type f | grep msi$ | xargs -I original_filename cp original_filename $msi_filename || true
+
+# generating checksums
+if [ -e $msi_filename ]; then
+ shasum -a 1 $msi_filename | tee $msi_filename.sha1
+ shasum -a 256 $msi_filename | tee $msi_filename.sha256
+ md5sum $msi_filename | tee $msi_filename.md5
+else
+ echo "$msi_filename does not exist. Skipping checksum generation"
+fi
+
+# signing windows artifacts with jsign
+cat << 'EOF' > jsign_signing_commands.sh
+function sign(){
+ if [ -e $1 ]
+ then
+ jsign -a mongo-authenticode-2021 --replace --tsaurl http://timestamp.digicert.com -d SHA-256 $1
+ else
+ echo "$1 does not exist. Skipping signing"
+ fi
+}
+EOF
+cat << EOF >> jsign_signing_commands.sh
+sign $msi_filename
+EOF
+
+podman run \
+ -e GRS_CONFIG_USER1_USERNAME=${garasign_jsign_username} \
+ -e GRS_CONFIG_USER1_PASSWORD=${garasign_jsign_password} \
+ --rm \
+ -v $(pwd):$(pwd) -w $(pwd) \
+ ${garasign_jsign_image} \
+ /bin/bash -c "$(cat ./jsign_signing_commands.sh)"
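Review bot: The checksum files are written before the MSI is signed, and jsign embeds the Authenticode signature in the file itself, so the `.sha1`, `.sha256` and `.md5` files describe the unsigned MSI rather than the one that is uploaded. The evergreen.yml hunks in this commit publish those files under names such as `-signed.msi.sha1` and `-signed.msi.sha256`, so the published digests would not verify against the signed download. Moving the checksum block after the `podman run` call fixes this. The `find … | xargs … cp … || true` line also hides copy errors and, if more than one MSI exists under build/, silently keeps whichever was copied last; failing when the match count is not exactly one would be safer.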
diff --git a/evergreen/garasign_setup.sh b/evergreen/garasign_setup.sh
new file mode 100644
index 00000000000..2cc115ef3c4
--- /dev/null
+++ b/evergreen/garasign_setup.sh
@@ -0,0 +1,7 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+set -o errexit
+set -o verbose
+
+podman login --username ${release_tools_container_registry_username} --password ${release_tools_container_registry_password} ${release_tools_container_registry}
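Review bot: `podman login --password ${release_tools_container_registry_password}` passes the registry password as a command-line argument, which exposes it in the host process list for the duration of the call. Feeding it on standard input avoids that: `printf '%s' "${release_tools_container_registry_password}" | podman login --username "${release_tools_container_registry_username}" --password-stdin "${release_tools_container_registry}"`. The expansions are also unquoted, so a value containing whitespace or glob characters would be split into extra arguments. Nothing visible in this commit logs out again, so the stored registry credential presumably stays on the host after the task unless cleanup happens elsewhere.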