diff --git a/package-lock.json b/package-lock.json index 7b21e6a4d..8a650953b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -6898,6 +6898,16 @@ "node": ">=8" } }, + "node_modules/@mongodb-js/signing-utils": { + "version": "0.3.3", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.3.tgz", + "integrity": "sha512-QX3sfkvMxYlF2pVsvU8kkce2D2jqlI5sWidCiLjHmLarZ48j6qyQzTrSErN5h4yx4+yiUp/GHEeOzCuCoeB3BA==", + "dependencies": { + "@types/ssh2": "^1.11.19", + "debug": "^4.3.4", + "ssh2": "^1.15.0" + } + }, "node_modules/@mongodb-js/tsconfig-mongosh": { "resolved": "configs/tsconfig-mongosh", "link": true @@ -10371,6 +10381,22 @@ "@types/node": "*" } }, + "node_modules/@types/ssh2": { + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/@types/ssh2/-/ssh2-1.15.0.tgz", + "integrity": "sha512-YcT8jP5F8NzWeevWvcyrrLB3zcneVjzYY9ZDSMAMboI+2zR1qYWFhwsyOFVzT7Jorn67vqxC0FRiw8YyG9P1ww==", + "dependencies": { + "@types/node": "^18.11.18" + } + }, + "node_modules/@types/ssh2/node_modules/@types/node": { + "version": "18.19.22", + "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.22.tgz", + "integrity": "sha512-p3pDIfuMg/aXBmhkyanPshdfJuX5c5+bQjYLIikPLXAUycEogij/c50n/C+8XOA5L93cU4ZRXtn+dNQGi0IZqQ==", + "dependencies": { + "undici-types": "~5.26.4" + } + }, "node_modules/@types/tar": { "version": "4.0.5", "resolved": "https://registry.npmjs.org/@types/tar/-/tar-4.0.5.tgz", @@ -11571,7 +11597,6 @@ "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", - "dev": true, "dependencies": { "safer-buffer": "~2.1.0" } 
@@ -11919,7 +11944,6 @@ "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", - "dev": true, "dependencies": { "tweetnacl": "^0.14.3" } @@ -12310,6 +12334,15 @@ "integrity": "sha1-JuYe0UIvtw3ULm42cp7VHYVf6Nk=", "dev": true }, + "node_modules/buildcheck": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/buildcheck/-/buildcheck-0.0.6.tgz", + "integrity": "sha512-8f9ZJCUXyT1M35Jx7MkBgmBMo3oHTTBIPLiY9xyL0pl3T5RwcPEY8cUHr5LBNfu/fk6c2T4DJZuVM/8ZZT2D2A==", + "optional": true, + "engines": { + "node": ">=10.0.0" + } + }, "node_modules/builtin-status-codes": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz", @@ -13441,6 +13474,20 @@ "node": ">=10" } }, + "node_modules/cpu-features": { + "version": "0.0.9", + "resolved": "https://registry.npmjs.org/cpu-features/-/cpu-features-0.0.9.tgz", + "integrity": "sha512-AKjgn2rP2yJyfbepsmLfiYcmtNn/2eUvocUyM/09yB0YDiz39HteK/5/T4Onf0pmdYDMgkBoGvRLvEguzyL7wQ==", + "hasInstallScript": true, + "optional": true, + "dependencies": { + "buildcheck": "~0.0.6", + "nan": "^2.17.0" + }, + "engines": { + "node": ">=10.0.0" + } + }, "node_modules/create-ecdh": { "version": "4.0.4", "resolved": "https://registry.npmjs.org/create-ecdh/-/create-ecdh-4.0.4.tgz", @@ -23045,6 +23092,12 @@ "integrity": "sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA==", "optional": true }, + "node_modules/nan": { + "version": "2.19.0", + "resolved": "https://registry.npmjs.org/nan/-/nan-2.19.0.tgz", + "integrity": "sha512-nO1xXxfh/RWNxfd/XPfbIfFk5vgLsAxUR9y5O0cHMJu/AW9U95JLXqthYHjEp+8gQ5p96K9jUp8nbVOxCdRbtw==", + "optional": true + }, "node_modules/nanoassert": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/nanoassert/-/nanoassert-1.1.0.tgz", 
@@ -28085,6 +28138,23 @@ "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" }, + "node_modules/ssh2": { + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/ssh2/-/ssh2-1.15.0.tgz", + "integrity": "sha512-C0PHgX4h6lBxYx7hcXwu3QWdh4tg6tZZsTfXcdvc5caW/EMxaB4H9dWsl7qk+F7LAW762hp8VbXOX7x4xUYvEw==", + "hasInstallScript": true, + "dependencies": { + "asn1": "^0.2.6", + "bcrypt-pbkdf": "^1.0.2" + }, + "engines": { + "node": ">=10.16.0" + }, + "optionalDependencies": { + "cpu-features": "~0.0.9", + "nan": "^2.18.0" + } + }, "node_modules/sshpk": { "version": "1.17.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.17.0.tgz", @@ -29156,8 +29226,7 @@ "node_modules/tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", - "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==", - "dev": true + "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "node_modules/type-check": { "version": "0.4.0", @@ -29320,6 +29389,11 @@ "ieee754": "^1.1.13" } }, + "node_modules/undici-types": { + "version": "5.26.5", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", + "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==" + }, "node_modules/unicode-canonical-property-names-ecmascript": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-2.0.0.tgz", @@ -31089,6 +31163,7 @@ "@mongodb-js/devtools-github-repo": "^1.0.1", "@mongodb-js/dl-center": "^1.1.1", "@mongodb-js/mongodb-downloader": "^0.2.7", + "@mongodb-js/signing-utils": "^0.3.3", "@octokit/rest": "^17.9.0", "aws-sdk": "^2.674.0", "boxednode": "^2.4.0", 
@@ -37440,6 +37515,16 @@ } } }, + "@mongodb-js/signing-utils": { + "version": "0.3.3", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.3.tgz", + "integrity": "sha512-QX3sfkvMxYlF2pVsvU8kkce2D2jqlI5sWidCiLjHmLarZ48j6qyQzTrSErN5h4yx4+yiUp/GHEeOzCuCoeB3BA==", + "requires": { + "@types/ssh2": "^1.11.19", + "debug": "^4.3.4", + "ssh2": "^1.15.0" + } + }, "@mongodb-js/tsconfig-mongosh": { "version": "file:configs/tsconfig-mongosh", "requires": { @@ -37724,6 +37809,7 @@ "@mongodb-js/mongodb-downloader": "^0.2.7", "@mongodb-js/monorepo-tools": "^1.1.10", "@mongodb-js/prettier-config-devtools": "^1.0.1", + "@mongodb-js/signing-utils": "^0.3.3", "@mongodb-js/tsconfig-mongosh": "^1.0.0", "@octokit/rest": "^17.9.0", "@types/command-exists": "^1.2.0", @@ -41204,6 +41290,24 @@ "@types/node": "*" } }, + "@types/ssh2": { + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/@types/ssh2/-/ssh2-1.15.0.tgz", + "integrity": "sha512-YcT8jP5F8NzWeevWvcyrrLB3zcneVjzYY9ZDSMAMboI+2zR1qYWFhwsyOFVzT7Jorn67vqxC0FRiw8YyG9P1ww==", + "requires": { + "@types/node": "^18.11.18" + }, + "dependencies": { + "@types/node": { + "version": "18.19.22", + "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.22.tgz", + "integrity": "sha512-p3pDIfuMg/aXBmhkyanPshdfJuX5c5+bQjYLIikPLXAUycEogij/c50n/C+8XOA5L93cU4ZRXtn+dNQGi0IZqQ==", + "requires": { + "undici-types": "~5.26.4" + } + } + } + }, "@types/tar": { "version": "4.0.5", "resolved": "https://registry.npmjs.org/@types/tar/-/tar-4.0.5.tgz", @@ -42134,7 +42238,6 @@ "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", - "dev": true, "requires": { "safer-buffer": "~2.1.0" } 
@@ -42406,7 +42509,6 @@ "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", - "dev": true, "requires": { "tweetnacl": "^0.14.3" } @@ -42738,6 +42840,12 @@ "integrity": "sha1-JuYe0UIvtw3ULm42cp7VHYVf6Nk=", "dev": true }, + "buildcheck": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/buildcheck/-/buildcheck-0.0.6.tgz", + "integrity": "sha512-8f9ZJCUXyT1M35Jx7MkBgmBMo3oHTTBIPLiY9xyL0pl3T5RwcPEY8cUHr5LBNfu/fk6c2T4DJZuVM/8ZZT2D2A==", + "optional": true + }, "builtin-status-codes": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz", @@ -43620,6 +43728,16 @@ "yaml": "^1.10.0" } }, + "cpu-features": { + "version": "0.0.9", + "resolved": "https://registry.npmjs.org/cpu-features/-/cpu-features-0.0.9.tgz", + "integrity": "sha512-AKjgn2rP2yJyfbepsmLfiYcmtNn/2eUvocUyM/09yB0YDiz39HteK/5/T4Onf0pmdYDMgkBoGvRLvEguzyL7wQ==", + "optional": true, + "requires": { + "buildcheck": "~0.0.6", + "nan": "^2.17.0" + } + }, "create-ecdh": { "version": "4.0.4", "resolved": "https://registry.npmjs.org/create-ecdh/-/create-ecdh-4.0.4.tgz", @@ -50960,6 +51078,12 @@ "integrity": "sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA==", "optional": true }, + "nan": { + "version": "2.19.0", + "resolved": "https://registry.npmjs.org/nan/-/nan-2.19.0.tgz", + "integrity": "sha512-nO1xXxfh/RWNxfd/XPfbIfFk5vgLsAxUR9y5O0cHMJu/AW9U95JLXqthYHjEp+8gQ5p96K9jUp8nbVOxCdRbtw==", + "optional": true + }, "nanoassert": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/nanoassert/-/nanoassert-1.1.0.tgz", 
@@ -54851,6 +54975,17 @@ "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" }, + "ssh2": { + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/ssh2/-/ssh2-1.15.0.tgz", + "integrity": "sha512-C0PHgX4h6lBxYx7hcXwu3QWdh4tg6tZZsTfXcdvc5caW/EMxaB4H9dWsl7qk+F7LAW762hp8VbXOX7x4xUYvEw==", + "requires": { + "asn1": "^0.2.6", + "bcrypt-pbkdf": "^1.0.2", + "cpu-features": "~0.0.9", + "nan": "^2.18.0" + } + }, "sshpk": { "version": "1.17.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.17.0.tgz", @@ -55674,8 +55809,7 @@ "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", - "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==", - "dev": true + "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "type-check": { "version": "0.4.0", @@ -55779,6 +55913,11 @@ } } }, + "undici-types": { + "version": "5.26.5", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", + "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==" + }, "unicode-canonical-property-names-ecmascript": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-2.0.0.tgz", diff --git a/packages/build/package.json b/packages/build/package.json index 1947d5398..29d2d4130 100644 --- a/packages/build/package.json +++ b/packages/build/package.json 
@@ -40,9 +40,9 @@ }, "devDependencies": { "@mongodb-js/eslint-config-mongosh": "^1.0.0", + "@mongodb-js/monorepo-tools": "^1.1.10", "@mongodb-js/prettier-config-devtools": "^1.0.1", "@mongodb-js/tsconfig-mongosh": "^1.0.0", - "@mongodb-js/monorepo-tools": "^1.1.10", "@types/command-exists": "^1.2.0", "@types/cross-spawn": "^6.0.2", "@types/download": "^8.0.1", @@ -61,8 +61,9 @@ }, "dependencies": { "@mongodb-js/devtools-github-repo": "^1.0.1", - "@mongodb-js/mongodb-downloader": "^0.2.7", "@mongodb-js/dl-center": "^1.1.1", + "@mongodb-js/mongodb-downloader": "^0.2.7", + "@mongodb-js/signing-utils": "^0.3.3", "@octokit/rest": "^17.9.0", "aws-sdk": "^2.674.0", "boxednode": "^2.4.0", diff --git a/packages/build/src/packaging/index.ts b/packages/build/src/packaging/index.ts index 80113653a..fc5d5d158 100644 --- a/packages/build/src/packaging/index.ts +++ b/packages/build/src/packaging/index.ts @@ -6,5 +6,3 @@ export { PackageInformation, PackageInformationProvider, } from './package'; - -export { notarizeArtifact } from './notary-service'; diff --git a/packages/build/src/packaging/notary-service.spec.ts b/packages/build/src/packaging/notary-service.spec.ts deleted file mode 100644 index a303e24c0..000000000 --- a/packages/build/src/packaging/notary-service.spec.ts +++ /dev/null 
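Review bot: The new `"@mongodb-js/signing-utils": "^0.3.3"` entry under `dependencies` in packages/build/package.json is declared as a range, although this package is now the code path that signs release artifacts. The package-lock.json hunks in this commit show what it brings in: `ssh2` and `cpu-features` are marked `hasInstallScript: true`, and `asn1`, `bcrypt-pbkdf` and `tweetnacl` lose their `"dev": true` flag. Consider pinning it exactly, `"@mongodb-js/signing-utils": "0.3.3",`, so that any change to the signing client is an explicit, reviewed bump. Release hosts should also install strictly from the lockfile so the recorded `integrity` hashes are enforced.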
@@ -1,82 +0,0 @@ -import { expect } from 'chai'; -import path from 'path'; -import sinon from 'sinon'; -import type { NotarizeOptions } from './notary-service'; -import { notarizeArtifact } from './notary-service'; - -describe('packaging artifact signing', function () { - context('with invalid options', function () { - it('fails when file is missing', async function () { - const e = await notarizeArtifact('', {} as any).catch((e) => e); - expect(e).to.not.be.undefined; - expect(e.message).to.match(/missing file/); - }); - it('fails when signingKeyName is missing', async function () { - const e = await notarizeArtifact('a file', {} as any).catch((e) => e); - expect(e).to.not.be.undefined; - expect(e.message).to.match(/missing signing key name/); - }); - it('fails when authToken is missing', async function () { - const e = await notarizeArtifact('a file', { - signingKeyName: 'keyName', - } as any).catch((e) => e); - expect(e).to.not.be.undefined; - expect(e.message).to.match(/missing auth token/); - }); - it('fails when signingComment is missing', async function () { - const e = await notarizeArtifact('a file', { - signingKeyName: 'keyName', - authToken: 'token', - } as any).catch((e) => e); - expect(e).to.not.be.undefined; - expect(e.message).to.match(/missing signing comment/); - }); - }); - - context('with correct options', function () { - let spawnSync: sinon.SinonStub; - const signingOptions: NotarizeOptions = { - signingKeyName: 'keyName', - authToken: 'authToken', - signingComment: 'A Comment', - }; - - beforeEach(function () { - spawnSync = sinon.stub(); - }); - - it('runs notary client', async function () { - await notarizeArtifact(__filename, signingOptions, spawnSync); - - const authTokenFile = spawnSync - .getCall(0) - .args[1].find((arg: string) => arg.includes('notary-mongosh-token')); - - expect(spawnSync).to.have.been.calledWith( - process.platform === 'win32' ? 'python' : '/usr/bin/python', - [ - process.platform === 'win32' - ? 
'C:\\cygwin\\usr\\local\\bin\\notary-client.py' - : '/usr/local/bin/notary-client.py', - '--key-name', - 'keyName', - '--auth-token-file', - authTokenFile, - '--comment', - 'A Comment', - '--notary-url', - 'http://notary-service.build.10gen.cc:5000/', - '--outputs', - 'sig', - '--package-file-suffix', - '', - path.basename(__filename), - ], - { - encoding: 'utf8', - cwd: path.dirname(__filename), - } - ); - }); - }); -}); diff --git a/packages/build/src/packaging/notary-service.ts b/packages/build/src/packaging/notary-service.ts deleted file mode 100644 index 327938c8f..000000000 --- a/packages/build/src/packaging/notary-service.ts +++ /dev/null 
@@ -1,97 +0,0 @@ -import { promises as fs } from 'fs'; -import os from 'os'; -import path from 'path'; -import { spawnSync as spawnSyncFn } from '../helpers'; - -const DEFAULT_OPTIONS: Partial = { - serverUrl: 'http://notary-service.build.10gen.cc:5000/', - clientPath: - process.platform === 'win32' - ? 'C:\\cygwin\\usr\\local\\bin\\notary-client.py' - : '/usr/local/bin/notary-client.py', - pythonExecutable: process.platform === 'win32' ? 'python' : '/usr/bin/python', -}; - -export interface NotarizeOptions { - signingKeyName: string; - authToken: string; - signingComment: string; - serverUrl?: string; - clientPath?: string; - pythonExecutable?: string; -} - -export async function notarizeArtifact( - file: string, - opts: NotarizeOptions, - spawnSync: typeof spawnSyncFn = spawnSyncFn -): Promise { - if (!file) { - throw new Error('notarize artifact: missing file'); - } - const options = validateOptions(opts); - - const authTokenFile = path.join( - os.homedir(), - `.notary-mongosh-token.${Date.now()}.tmp` - ); - await fs.writeFile(authTokenFile, options.authToken, { - encoding: 'utf8', - mode: 0o600, - }); - console.info( - 'Notarizing file', - options.signingKeyName, - options.signingComment, - file - ); - - try { - spawnSync( - options.pythonExecutable, - [ - options.clientPath, - '--key-name', - options.signingKeyName, - '--auth-token-file', - authTokenFile, - '--comment', - options.signingComment, - '--notary-url', - options.serverUrl, - '--outputs', - 'sig', - '--package-file-suffix', - '', - path.basename(file), - ], - { - cwd: path.dirname(file), - encoding: 'utf8', - } - ); - } finally { - try { - await fs.unlink(authTokenFile); - } catch (e: any) { - console.error('mongosh: Failed to remove auth token file', e); - } - } -} - -function validateOptions(options: NotarizeOptions): Required { - const opts = { - ...DEFAULT_OPTIONS, - ...options, - }; - if (!opts.signingKeyName) { - throw new Error('notarize artifact: missing signing key name'); - } - if 
(!opts.authToken) { - throw new Error('notarize artifact: missing auth token'); - } - if (!opts.signingComment) { - throw new Error('notarize artifact: missing signing comment'); - } - return opts as Required; -} diff --git a/packages/build/src/packaging/run-package.ts b/packages/build/src/packaging/run-package.ts index 6f2d39cb9..8f4130410 100644 --- a/packages/build/src/packaging/run-package.ts +++ b/packages/build/src/packaging/run-package.ts @@ -4,7 +4,6 @@ import type { Config } from '../config'; import { validatePackageVariant } from '../config'; import { downloadCryptLibrary } from './download-crypt-library'; import { downloadManpage } from './download-manpage'; -import { notarizeArtifact } from './notary-service'; import type { PackageFile } from './package'; import { createPackage } from './package'; @@ -39,14 +38,5 @@ export async function runPackage(config: Config): Promise { }; const packaged = await runCreatePackage(); - - if (packageVariant === 'win32msi-x64') { - await notarizeArtifact(packaged.path, { - signingKeyName: config.notarySigningKeyName || '', - authToken: config.notaryAuthToken || '', - signingComment: 'Evergreen Automatic Signing (mongosh)', - }); - } - return packaged; } diff --git a/packages/build/src/run-draft.spec.ts b/packages/build/src/run-draft.spec.ts index 485d79c9e..7f739bb25 100644 --- a/packages/build/src/run-draft.spec.ts +++ b/packages/build/src/run-draft.spec.ts 
@@ -4,7 +4,7 @@ import type { Config } from './config'; import { ALL_PACKAGE_VARIANTS } from './config'; import type { uploadArtifactToDownloadCenter as uploadArtifactToDownloadCenterFn } from './download-center'; import type { downloadArtifactFromEvergreen as downloadArtifactFromEvergreenFn } from './evergreen'; -import type { notarizeArtifact as notarizeArtifactFn } from './packaging'; +import type { sign as signArtifactFn } from '@mongodb-js/signing-utils'; import type { generateChangelog as generateChangelogFn } from './git'; import { GithubRepo } from '@mongodb-js/devtools-github-repo'; import { @@ -27,7 +27,7 @@ describe('draft', function () { let githubRepo: GithubRepo; let uploadArtifactToDownloadCenter: typeof uploadArtifactToDownloadCenterFn; let downloadArtifactFromEvergreen: typeof downloadArtifactFromEvergreenFn; - let notarizeArtifact: typeof notarizeArtifactFn; + let signArtifact: typeof signArtifactFn; beforeEach(function () { config = { ...dummyConfig }; @@ -36,7 +36,8 @@ describe('draft', function () { downloadArtifactFromEvergreen = sinon.spy(() => Promise.resolve('filename') ); - notarizeArtifact = sinon.spy(); + + signArtifact = sinon.spy(); }); describe('runDraft', function () { @@ -62,7 +63,7 @@ describe('draft', function () { uploadArtifactToDownloadCenter, downloadArtifactFromEvergreen, ensureGithubReleaseExistsAndUpdateChangelog, - notarizeArtifact + signArtifact ); }); @@ -82,8 +83,8 @@ describe('draft', function () { ); }); - it('asks the notary service to sign files', function () { - expect(notarizeArtifact).to.have.been.callCount( + it('signs files', function () { + expect(signArtifact).to.have.been.callCount( ALL_PACKAGE_VARIANTS.length ); }); @@ -113,7 +114,7 @@ describe('draft', function () { uploadArtifactToDownloadCenter, downloadArtifactFromEvergreen, ensureGithubReleaseExistsAndUpdateChangelog, - notarizeArtifact + signArtifact ); expect(ensureGithubReleaseExistsAndUpdateChangelog).to.not.have.been .called; 
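Review bot: The renamed `signs files` test in run-draft.spec.ts still only checks `callCount`, so nothing pins which `signingMethod` each artifact is signed with. A regression that signed an `.msi` or `.rpm` with the default `gpg` method would pass unnoticed. Add an argument assertion next to the count, e.g. `expect(signArtifact).to.have.been.calledWithMatch(sinon.match.string, { client: 'local', signingMethod: 'jsign' });`. This assumes the fixture yields at least one `.exe`/`.msi` artifact, which depends on code outside this hunk.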
@@ -137,7 +138,7 @@ describe('draft', function () { uploadArtifactToDownloadCenter, downloadArtifactFromEvergreen, ensureGithubReleaseExistsAndUpdateChangelog, - notarizeArtifact + signArtifact ); } catch (e: any) { expect(e.message).to.contain('Missing package information from config'); @@ -146,7 +147,7 @@ describe('draft', function () { expect(downloadArtifactFromEvergreen).to.not.have.been.called; expect(uploadArtifactToDownloadCenter).to.not.have.been.called; expect(uploadReleaseAsset).to.not.have.been.called; - expect(notarizeArtifact).to.not.have.been.called; + expect(signArtifact).to.not.have.been.called; return; } expect.fail('Expected error'); diff --git a/packages/build/src/run-draft.ts b/packages/build/src/run-draft.ts index 25fdebd95..a6f67f951 100644 --- a/packages/build/src/run-draft.ts +++ b/packages/build/src/run-draft.ts @@ -4,10 +4,10 @@ import type { Config } from './config'; import { ALL_PACKAGE_VARIANTS, getReleaseVersionFromTag } from './config'; import { uploadArtifactToDownloadCenter as uploadArtifactToDownloadCenterFn } from './download-center'; import { downloadArtifactFromEvergreen as downloadArtifactFromEvergreenFn } from './evergreen'; -import { notarizeArtifact as notarizeArtifactFn } from './packaging'; import { generateChangelog as generateChangelogFn } from './git'; import type { GithubRepo } from '@mongodb-js/devtools-github-repo'; import { getPackageFile } from './packaging'; +import { sign as signArtifactFn } from '@mongodb-js/signing-utils'; export async function runDraft( config: Config, 
@@ -15,7 +15,7 @@ export async function runDraft( uploadToDownloadCenter: typeof uploadArtifactToDownloadCenterFn = uploadArtifactToDownloadCenterFn, downloadArtifactFromEvergreen: typeof downloadArtifactFromEvergreenFn = downloadArtifactFromEvergreenFn, ensureGithubReleaseExistsAndUpdateChangelog: typeof ensureGithubReleaseExistsAndUpdateChangelogFn = ensureGithubReleaseExistsAndUpdateChangelogFn, - notarizeArtifact: typeof notarizeArtifactFn = notarizeArtifactFn + signArtifact: typeof signArtifactFn = signArtifactFn ): Promise { if ( !config.triggeringGitTag || @@ -61,13 +61,14 @@ export async function runDraft( tmpDir ); + const clientOptions = { + client: 'local' as const, + signingMethod: getSigningMethod(tarballFile.path), + }; + let signatureFile: string | undefined; try { - await notarizeArtifact(downloadedArtifact, { - signingKeyName: config.notarySigningKeyName || '', - authToken: config.notaryAuthToken || '', - signingComment: 'Evergreen Automatic Signing (mongosh)', - }); + await signArtifact(downloadedArtifact, clientOptions); signatureFile = downloadedArtifact + '.sig'; await fs.access(signatureFile, fsConstants.R_OK); } catch (err: any) { @@ -101,6 +102,18 @@ export async function runDraft( } } +function getSigningMethod(src: string) { + switch (path.extname(src)) { + case '.exe': + case '.msi': + return 'jsign' as const; + case '.rpm': + return 'rpm_gpg' as const; + default: + return 'gpg' as const; + } +} + export async function ensureGithubReleaseExistsAndUpdateChangelogFn( releaseVersion: string, releaseTag: string,
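Review bot: In the `@@ -61,13 +61,14 @@` hunk of run-draft.ts, `await signArtifact(downloadedArtifact, clientOptions)` shares one `try` with the `.sig` access check, so a failed signing run and a missing detached signature take the same path. The catch body is outside this hunk; if it only logs, an unsigned artifact would continue through the draft, and that becomes more likely if the `jsign` and `rpm_gpg` methods sign in place and write no `.sig`. Move the signing call above the `try` so its errors propagate, and look for `downloadedArtifact + '.sig'` only when `clientOptions.signingMethod === 'gpg'`. The call also no longer reads `config.notarySigningKeyName` or `config.notaryAuthToken`; if nothing else uses them, remove them from `Config` and from the CI environment so the old notary token is no longer provisioned.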
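Review bot: `getSigningMethod` in the `@@ -101,6 +102,18 @@` hunk has no doc comment or return type, and its `default` branch maps every unrecognised extension to `gpg` without saying that this is intended. Add a comment such as `/** Selects the signing-utils method from the file extension: .exe/.msi use 'jsign', .rpm uses 'rpm_gpg', everything else 'gpg'. */` and an explicit return type, `function getSigningMethod(src: string): 'jsign' | 'rpm_gpg' | 'gpg' {`. `path.extname` is case-sensitive, so `switch (path.extname(src).toLowerCase()) {` would keep an upper-case `.MSI` from falling through to `gpg`. The caller passes `tarballFile.path` while the file actually signed is `downloadedArtifact`; passing `downloadedArtifact` would tie the method to the file being signed.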