chore(build): sign all artifacts COMPASS-7549 (#5349)
* sign all artifacts * fix and tests * sign archive at one place * sign back linux where its build * use abs path * fix tests and sign linux correctly * use abs path to sign archive * use tasks instead of task_group * rewrite function * use remote signing server for everything
Showing
11 changed files
with
369 additions
and
225 deletions.
@@ -1,22 +1,67 @@ | ||
const debug = require('debug')('hadron-build:signtool'); | ||
const { execFileSync } = require('child_process'); | ||
const path = require('path'); | ||
const debug = require('debug')('hadron-build:target'); | ||
const { sign: _garasign } = require('@mongodb-js/signing-utils'); | ||
|
||
async function signtool(fileToSign) { | ||
const signtoolPath = path.resolve(__dirname, '..', 'signtool/signtool.exe'); | ||
|
||
const execArgs = [signtoolPath, [path.resolve(fileToSign)], { stdio: 'inherit' }]; | ||
debug(`Running signtool.exe to sign '${signtoolPath}'`, { | ||
execArgs: execArgs, | ||
env: { | ||
NOTARY_SIGNING_COMMENT: process.env.NOTARY_SIGNING_COMMENT, | ||
NOTARY_URL: process.env.NOTARY_URL, | ||
NOTARY_SIGNING_KEY: process.env.NOTARY_SIGNING_KEY, | ||
} | ||
}); | ||
|
||
// eslint-disable-next-line no-sync | ||
await execFileSync(...execArgs); | ||
const canSign = () => ( | ||
process.env.GARASIGN_USERNAME && | ||
process.env.GARASIGN_PASSWORD && | ||
process.env.ARTIFACTORY_USERNAME && | ||
process.env.ARTIFACTORY_PASSWORD | ||
); | ||
|
||
/** | ||
* When using gpg to sign a file, it creates a signature file | ||
* with same name as the original file and adds `.sig` to it. | ||
* | ||
* @param {string} filename | ||
* @returns string | ||
*/ | ||
function getSignedFilename(filename) { | ||
return `$(unknown).sig`; | ||
} | ||
|
||
/** | ||
* Currently, windows and macos zip are created from `zip` step | ||
* of the release process and we sign them here. For linux, we | ||
* create and sign the archive when creating corresponding deb/rpm file. | ||
* | ||
* @param {import('./Target')} target | ||
*/ | ||
function signArchive(target, cb) { | ||
const { app_archive_name, platform } = target; | ||
if (platform === 'linux') { | ||
debug('linux archive is signed when creating deb/rpm'); | ||
return cb(); | ||
} | ||
sign(target.dest(app_archive_name)).then(cb).catch(cb); | ||
} | ||
|
||
/** | ||
* We are signing the file using `gpg` or `jsign` depending on the | ||
* file extension. If the extension is `.exe` or `.msi`, we use `jsign` | ||
* otherwise we use `gpg`. | ||
* | ||
* @param {string} src | ||
* @returns {Promise<void>} | ||
*/ | ||
async function sign(src, garasign = _garasign) { | ||
debug('Signing %s ...', src); | ||
|
||
if (!canSign()) { | ||
debug('Skipping signing. Missing credentials.'); | ||
return; | ||
} | ||
|
||
const clientOptions = { | ||
client: 'remote', | ||
host: process.env.SIGNING_SERVER_HOSTNAME, | ||
username: process.env.SIGNING_SERVER_USERNAME, | ||
port: process.env.SIGNING_SERVER_PORT, | ||
privateKey: process.env.SIGNING_SERVER_PRIVATE_KEY, | ||
signingMethod: path.extname(src) === '.exe' || path.extname(src) === '.msi' ? 'jsign' : 'gpg' | ||
}; | ||
|
||
return await garasign(src, clientOptions); | ||
} | ||
|
||
module.exports = { signtool }; | ||
module.exports = { sign, signArchive, getSignedFilename }; |
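Review bot: The new `canSign` helper checks only the GARASIGN_* and ARTIFACTORY_* variables, but the `clientOptions` object built in `sign` reads `SIGNING_SERVER_HOSTNAME`, `SIGNING_SERVER_USERNAME`, `SIGNING_SERVER_PORT` and `SIGNING_SERVER_PRIVATE_KEY`, none of which are validated, so with any of those unset the remote call is attempted with `undefined` fields instead of being skipped up front (unless signing-utils rejects them itself, which is not visible here). The skip branch also reports only through `debug`, so a release build that ends up with unsigned archives leaves no trace in normal CI output; a `console.warn` naming the missing variables would make an unsigned artifact hard to overlook. Separately, `signArchive`'s `.then(cb).catch(cb)` invokes `cb` a second time if `cb` itself throws, and passes whatever `garasign` resolves with to `cb` as its first (error) argument; `.then(() => cb(), cb)` avoids both. Listing the required variables once and checking them all keeps the two sets from drifting apart again.
```javascript
const REQUIRED_SIGNING_ENV = [
  'GARASIGN_USERNAME',
  'GARASIGN_PASSWORD',
  'ARTIFACTORY_USERNAME',
  'ARTIFACTORY_PASSWORD',
  'SIGNING_SERVER_HOSTNAME',
  'SIGNING_SERVER_USERNAME',
  'SIGNING_SERVER_PORT',
  'SIGNING_SERVER_PRIVATE_KEY',
];

// Names of the required variables that are unset or empty in this process.
const missingSigningEnv = () =>
  REQUIRED_SIGNING_ENV.filter((name) => !process.env[name]);

const canSign = () => missingSigningEnv().length === 0;

// … unchanged: getSignedFilename, signArchive …

async function sign(src, garasign = _garasign) {
  debug('Signing %s ...', src);

  if (!canSign()) {
    // Visible in CI logs, not only under DEBUG=hadron-build:*
    console.warn(`Skipping signing of ${src}: missing ${missingSigningEnv().join(', ')}`);
    return;
  }
  // … unchanged: clientOptions and garasign call …
}
```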