author | Tural Farhadov <tural.ferhadov@gmail.com> | 2023-04-26 03:05:36 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2023-04-26 15:17:33 +0000 |
commit | 0e750ce3d22c41640100295d71e9e452db835212 (patch) | |
tree | 1a6ffa67bcdad22bf678709e7218f904484d6ea5 | |
parent | 943e6718cd7c1dc17e8f0abea4c81678921db677 (diff) | |
download | mongo-0e750ce3d22c41640100295d71e9e452db835212.tar.gz |
SERVER-76519: migrate crypt push task to Garasign
-rw-r--r-- | etc/evergreen_yml_components/definitions.yml | 13 | ||||
-rw-r--r-- | evergreen/garasign_gpg_crypt_sign.sh | 31 | ||||
-rw-r--r-- | evergreen/notary_client_crypt_run.sh | 20 | ||||
-rw-r--r-- | evergreen/notary_client_run.sh | 23 |
4 files changed, 40 insertions, 47 deletions
diff --git a/etc/evergreen_yml_components/definitions.yml b/etc/evergreen_yml_components/definitions.yml index 5d944aa558d..dc86e7b1462 100644 --- a/etc/evergreen_yml_components/definitions.yml +++ b/etc/evergreen_yml_components/definitions.yml @@ -7279,7 +7279,7 @@ tasks: 'destination': {'path': '${push_path}/mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext|tgz}.md5', 'bucket': '${push_bucket}'}} - name: crypt_push - run_on: rhel80-small + run_on: rhel8.7-small tags: ["publish_crypt"] patchable: false stepback: false @@ -7316,13 +7316,18 @@ tasks: aws_key_remote: ${repo_aws_key} aws_secret_remote: ${repo_aws_secret} - func: "f_expansions_write" - - func: "set up notary client credentials" + # login to container registry + - command: shell.exec + params: + shell: bash + script: | + set -oe + podman login --username ${release_tools_container_registry_username} --password ${release_tools_container_registry_password} ${release_tools_container_registry} - command: subprocess.exec - type: test params: binary: bash args: - - "./src/evergreen/notary_client_crypt_run.sh" + - "./src/evergreen/garasign_gpg_crypt_sign.sh" # Put the crypt tarball/zipfile - command: s3.put params: diff --git a/evergreen/garasign_gpg_crypt_sign.sh b/evergreen/garasign_gpg_crypt_sign.sh new file mode 100644 index 00000000000..233a598ce56 --- /dev/null +++ b/evergreen/garasign_gpg_crypt_sign.sh 
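Review bot: The registry password is passed on the command line in the new `podman login` step (`--password ${release_tools_container_registry_password}`), so it sits in the process arguments on the build host while the command runs. Feeding it on stdin keeps it out of argv: `printf '%s' "${release_tools_container_registry_password}" | podman login --username "${release_tools_container_registry_username}" --password-stdin "${release_tools_container_registry}"`. The same applies to `-e GRS_CONFIG_USER1_PASSWORD=${garasign_gpg_password_60}` in evergreen/garasign_gpg_crypt_sign.sh, where exporting the variable and passing `-e GRS_CONFIG_USER1_PASSWORD` without a value would achieve the same. Separately, `set -oe` looks like it was meant to be `set -o errexit`, since `-o` expects an option name.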
@@ -0,0 +1,31 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+cd src
+
+set -o errexit
+set -o verbose
+
+ext="${ext:-tgz}"
+
+crypt_file_name=mongo_crypt_shared_v1-${push_name}-${push_arch}-${suffix}.${ext}
+mv "mongo_crypt_shared_v1.$ext" $crypt_file_name
+
+# generating checksums
+shasum -a 1 $crypt_file_name | tee $crypt_file_name.sha1
+shasum -a 256 $crypt_file_name | tee $crypt_file_name.sha256
+md5sum $crypt_file_name | tee $crypt_file_name.md5
+
+# signing crypt linux artifact with gpg
+cat << EOF >> gpg_signing_commands.sh
+gpgloader # loading gpg keys.
+gpg --yes -v --armor -o $crypt_file_name.sig --detach-sign $crypt_file_name
+EOF
+
+podman run \
+ -e GRS_CONFIG_USER1_USERNAME=${garasign_gpg_username_60} \
+ -e GRS_CONFIG_USER1_PASSWORD=${garasign_gpg_password_60} \
+ --rm \
+ -v $(pwd):$(pwd) -w $(pwd) \
+ ${garasign_gpg_image} \
+ /bin/bash -c "$(cat ./gpg_signing_commands.sh)"
diff --git a/evergreen/notary_client_crypt_run.sh b/evergreen/notary_client_crypt_run.sh
deleted file mode 100644
index 2d9b6b3d689..00000000000
--- a/evergreen/notary_client_crypt_run.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
-. "$DIR/prelude.sh"
-
-cd src
-
-. ./notary_env.sh
-
-set -o errexit
-set -o verbose
-
-ext="${ext:-tgz}"
-
-mv "mongo_crypt_shared_v1.$ext" mongo_crypt_shared_v1-${push_name}-${push_arch}-${suffix}.${ext}
-
-/usr/local/bin/notary-client.py \
- --key-name "server-6.0" \
- --auth-token-file ${workdir}/src/signing_auth_token \
- --comment "Evergreen Automatic Signing ${revision} - ${build_variant} - ${branch_name}" \
- --notary-url http://notary-service.build.10gen.cc:5000 \
- mongo_crypt_shared_v1-${push_name}-${push_arch}-${suffix}.${ext}
diff --git a/evergreen/notary_client_run.sh b/evergreen/notary_client_run.sh
deleted file mode 100644
index 82526660d96..00000000000
--- a/evergreen/notary_client_run.sh
+++ /dev/null
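Review bot: The command file is built with `cat << EOF >> gpg_signing_commands.sh`, which appends rather than truncates and expands `$crypt_file_name` unquoted before the text is handed to `/bin/bash -c` inside the signing container. If the file is left over from an earlier run in the same directory, its previous commands run again, and a name containing whitespace or shell metacharacters would be parsed as shell syntax next to the loaded signing key. I would write it with `cat << EOF > gpg_signing_commands.sh` and quote the operands, `gpg --yes -v --armor -o "$crypt_file_name.sig" --detach-sign "$crypt_file_name"`, and quote `"$crypt_file_name"` in the `mv`, `shasum` and `md5sum` lines as well.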
@@ -1,23 +0,0 @@
-DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
-. "$DIR/prelude.sh"
-
-cd src
-
-. ./notary_env.sh
-
-set -o errexit
-set -o verbose
-
-long_ext=${ext}
-if [ "$long_ext" == "tgz" ]; then
- long_ext="tar.gz"
-fi
-
-mv mongo-binaries.tgz mongodb-${push_name}-${push_arch}-${suffix}.${ext}
-mv mongo-cryptd.tgz mongodb-cryptd-${push_name}-${push_arch}-${suffix}.${ext} || true
-mv mh.tgz mh-${push_name}-${push_arch}-${suffix}.${ext} || true
-mv mongo-debugsymbols.tgz mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext} || true
-mv distsrc.${ext} mongodb-src-${src_suffix}.${long_ext} || true
-/usr/bin/find build/ -type f | grep msi$ | xargs -I original_filename cp original_filename mongodb-${push_name}-${push_arch}-${suffix}.msi || true
-
-/usr/local/bin/notary-client.py --key-name "server-6.0" --auth-token-file ${workdir}/src/signing_auth_token --comment "Evergreen Automatic Signing ${revision} - ${build_variant} - ${branch_name}" --notary-url http://notary-service.build.10gen.cc:5000 --skip-missing mongodb-${push_name}-${push_arch}-${suffix}.${ext} mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext} mongodb-${push_name}-${push_arch}-${suffix}.msi mongodb-src-${src_suffix}.${long_ext} mongodb-cryptd-${push_name}-${push_arch}-${suffix}.${ext} |