CLOUDP-177522 Move cli signing to garasign (#2558)

Author: fmenezes

build/ci/evergreen.yml

@@ -204,7 +204,7 @@ functions:
         working_dir: src/github.com/mongodb/mongodb-atlas-cli/bin
         shell: bash
         script: |
-          set -Eeou pipefail        
+          set -Eeou pipefail
           if [ -n "$(which yum 2>/dev/null)" ]; then
             sudo yum install -y podman
           elif [ -n "$(which apt-get 2>/dev/null)" ]; then

build/ci/release.yml

@@ -73,6 +73,10 @@ functions:
           NOTARY_SIGNING_COMMENT: "Evergreen Automatic Signing (${tool_name})"
           NOTARY_AUTH_TOKEN: ${signing_auth_token_50}
           NOTARY_URL: ${notary_service_notary_url}
+          ARTIFACTORY_USERNAME: ${artifactory_username}
+          ARTIFACTORY_PASSWORD: ${artifactory_password}
+          GRS_USERNAME: ${garasign_username}
+          GRS_PASSWORD: ${garasign_password}
         include_expansions_in_env:
           - go_base_path
           - workdir
@@ -112,12 +116,12 @@ functions:
         env:
           <<: *go_env
           TOOL_NAME: ${TOOL_NAME}
-          NOTARY_SIGNING_KEY_MONGOCLI: ${notary_service_signing_key_mongocli}
-          NOTARY_SIGNING_KEY_ATLASCLI: ${notary_service_signing_key_atlascli}
-          NOTARY_SIGNING_COMMENT: "Evergreen Automatic Signing (${TOOL_NAME})"
-          NOTARY_AUTH_TOKEN: ${signing_auth_token_50}
-          NOTARY_URL: ${notary_service_notary_url}
           SECRET_API_KEY: ${chocolatey_api_key}
+          ARTIFACTORY_USERNAME: ${artifactory_username}
+          ARTIFACTORY_PASSWORD: ${artifactory_password}
+          GRS_USERNAME: ${garasign_username}
+          GRS_PASSWORD: ${garasign_password}
+          unstable: ${unstable}
         command: bash.exe -c build/package/generate-msi.sh
   "update choco":
     - command: subprocess.exec
@@ -282,6 +286,7 @@ tasks:
       - func: "generate msi"
         vars:
           TOOL_NAME: ${tool_name}
+          unstable: -unstable
       - func: "uninstall go-msi"
       - command: s3.put
         params:
@@ -323,12 +328,27 @@ tasks:
     commands:
       - func: "generate notices"
       - func: "install goreleaser"
+      - func: "install podman"
       - func: "install macos notarization service"
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src/github.com/mongodb/mongodb-atlas-cli
+          include_expansions_in_env:
+            - project
+            - revision
+            - created_at
+          env:
+            TOOL_NAME: ${tool_name}
+            BUCKET: mongodb-mongocli-build
+            unstable: -unstable
+          binary: build/package/download-msi.sh
       - func: "package"
         vars:
           unstable: -unstable
           tool_name: ${tool_name}
           goreleaser_config: ${goreleaser_file}
+          changelog_file: ${changelog_file}
       - func: "rename pkg"
         vars:
           unstable: -unstable
@@ -424,13 +444,19 @@ tasks:
     commands:
       - func: "generate notices"
       - func: "install goreleaser"
+      - func: "install podman"
       - func: "install macos notarization service"
       - command: subprocess.exec
         type: test
         params:
           working_dir: src/github.com/mongodb/mongodb-atlas-cli
+          include_expansions_in_env:
+            - project
+            - revision
+            - created_at
           env:
             TOOL_NAME: mongocli
+            BUCKET: mongodb-mongocli-build
           binary: build/package/download-msi.sh
       - func: "package"
         vars:
@@ -481,6 +507,7 @@ tasks:
             - src/github.com/mongodb/mongodb-atlas-cli/dist/*.rpm
             - src/github.com/mongodb/mongodb-atlas-cli/dist/*.tgz
             - src/github.com/mongodb/mongodb-atlas-cli/dist/*.json
+            - src/github.com/mongodb/mongodb-atlas-cli/dist/*.msi
           remote_file: mongocli/
           bucket: downloads.mongodb.org
           permissions: public-read
@@ -500,13 +527,19 @@ tasks:
     commands:
       - func: "generate notices"
       - func: "install goreleaser"
+      - func: "install podman"
       - func: "install macos notarization service"
       - command: subprocess.exec
         type: test
         params:
           working_dir: src/github.com/mongodb/mongodb-atlas-cli
+          include_expansions_in_env:
+            - project
+            - revision
+            - created_at
           env:
             TOOL_NAME: atlascli
+            BUCKET: mongodb-mongocli-build
           binary: build/package/download-msi.sh
       - func: "package"
         vars:
@@ -558,6 +591,7 @@ tasks:
             - src/github.com/mongodb/mongodb-atlas-cli/dist/*.rpm
             - src/github.com/mongodb/mongodb-atlas-cli/dist/*.tgz
             - src/github.com/mongodb/mongodb-atlas-cli/dist/*.json
+            - src/github.com/mongodb/mongodb-atlas-cli/dist/*.msi
           remote_file: mongocli/
           bucket: downloads.mongodb.org
           permissions: public-read
@@ -612,17 +646,6 @@ tasks:
           bucket: mongodb-mongocli-build
           permissions: public-read
           content_type: ${content_type|text/plain}
-      - command: s3.put
-        params:
-          aws_key: ${download_center_aws_key}
-          aws_secret: ${download_center_aws_secret}
-          local_files_include_filter:
-            - src/github.com/mongodb/mongodb-atlas-cli/dist/*.msi
-          remote_file: mongocli/
-          bucket: downloads.mongodb.org
-          permissions: public-read
-          content_type: ${content_type|application/octet-stream}
-          display_name: downloads-center-
   - name: pkg_test_repo_atlascli
     patchable: false
     git_tag_only: true
@@ -684,10 +707,14 @@ buildvariants:
       <<: *go_linux_version
       server_version: "4.4.0-rc3"
       goreleaser_file: "build/package/.mongocli.goreleaser.yml"
+      changelog_file: CHANGELOG_MONGOCLI.md
       package_name: "mongocli"
       tool_name: "mongocli"
     tasks:
       - name: package_goreleaser
+        depends_on:
+          - name: package_msi
+            variant: "go_mongocli_msi_snapshot"
   - name: goreleaser_atlascli_snapshot
     display_name: "Packaging AtlasCLI (goreleaser)"
     run_on:
@@ -696,11 +723,15 @@ buildvariants:
       <<: *go_linux_version
       server_version: "4.4.0-rc3"
       goreleaser_file: "build/package/.atlascli.goreleaser.yml"
+      changelog_file: CHANGELOG_ATLASCLI.md
       package_name: "mongodb-atlas-cli"
       meta_package_name: "mongodb-atlas"
       tool_name: "atlascli"
     tasks:
       - name: package_goreleaser
+        depends_on:
+          - name: package_msi
+            variant: "go_atlascli_msi_snapshot"
   - name: publish_mongocli_snapshot
     display_name: "Publish MongoCLI Snapshot"
     run_on:

build/package/.atlascli.goreleaser.yml

@@ -32,7 +32,12 @@ builds:
     goos: [windows]
     goarch: [amd64]
     hooks:
-      post: ./build/package/atlascli_windows_notarize.sh
+      post:
+        - cmd: ./build/package/windows_notarize.sh
+          env:
+            - TOOL_NAME=atlascli
+            - VERSION={{ .Version }}
+          output: true
 archives:
 - id: linux
   name_template: "mongodb-atlas-cli_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
@@ -114,4 +119,4 @@ release:
   prerelease: auto
   name_template: "MongoDB Atlas CLI {{.Version}}"
   extra_files:
-    - glob: ./bin/*.msi
+    - glob: ./dist/*.msi

build/package/.mongocli.goreleaser.yml

@@ -25,14 +25,19 @@ builds:
     hooks:
       # This will notarize Apple binaries and replace goreleaser bins with the notarized ones
       post:
-      - cmd: ./build/package/mongocli_mac_notarize.sh
-        output: true
+        - cmd: ./build/package/mongocli_mac_notarize.sh
+          output: true
   - <<: *build_defaults
     id: windows
     goos: [windows]
     goarch: [amd64]
     hooks:
-      post: ./build/package/mongocli_windows_notarize.sh
+      post:
+        - cmd: ./build/package/windows_notarize.sh
+          env:
+            - TOOL_NAME=mongocli
+            - VERSION={{ .Version }}
+          output: true
 archives:
 - id: linux
   builds: [linux]
@@ -85,4 +90,4 @@ release:
   prerelease: auto
   name_template: "MongoDB CLI {{.Version}}"
   extra_files:
-    - glob: ./bin/*.msi
+    - glob: ./dist/*.msi

build/package/atlascli_windows_notarize.sh

@@ -15,13 +15,22 @@
 
 set -Eeou pipefail
 
-VERSION="$(git tag --list "${TOOL_NAME:?}/v*" --sort=taggerdate | tail -1 | cut -d "v" -f 2)"
+export project
+export revision
+export created_at
 
-PACKAGE_NAME=mongocli_"${VERSION}"_windows_x86_64.msi
+VERSION_GIT="$(git tag --list "${TOOL_NAME:?}/v*" --sort=taggerdate | tail -1 | cut -d "v" -f 2)"
+VERSION_NAME="$VERSION_GIT"
+if [[ "${unstable-}" == "-unstable" ]]; then
+	VERSION_NAME="$VERSION_GIT-next"
+fi
+
+PACKAGE_NAME="mongocli_${VERSION_NAME}_windows_x86_64.msi"
 if [[ "${TOOL_NAME:?}" == atlascli ]]; then
-	PACKAGE_NAME=mongodb-atlas-cli_${VERSION}_windows_x86_64.msi
+	PACKAGE_NAME="mongodb-atlas-cli_${VERSION_NAME}_windows_x86_64.msi"
 fi
 
 pushd bin
 
-curl https://fastdl.mongodb.org/mongocli/"${PACKAGE_NAME}" --output "${PACKAGE_NAME}"
+echo "downloading https://${BUCKET}.s3.amazonaws.com/${project}/dist/${revision}_${created_at}/${PACKAGE_NAME} into $PWD"
+curl "https://${BUCKET}.s3.amazonaws.com/${project}/dist/${revision}_${created_at}/${PACKAGE_NAME}" --output "${PACKAGE_NAME}"

build/package/download-msi.sh

@@ -19,24 +19,26 @@ GOCACHE="$(cygpath --mixed "${workdir:?}\.gocache")"
 CGO_ENABLED=0
 export GOCACHE
 export CGO_ENABLED
-export NOTARY_SIGNING_KEY
 
 go-msi check-env
 
-VERSION_GIT="$(git describe --match "${TOOL_NAME:?}/v*" | cut -d "v" -f 2)"
+VERSION_GIT="$(git tag --list "${TOOL_NAME:?}/v*" --sort=taggerdate | tail -1 | cut -d "v" -f 2)"
+VERSION_NAME="$VERSION_GIT"
+if [[ "${unstable-}" == "-unstable" ]]; then
+	VERSION_NAME="$VERSION_GIT-next"
+fi
+
 COMMIT=$(git log -n1 --format=format:"%H")
 
 SOURCE_FILES=./cmd/mongocli
-PACKAGE_NAME=mongocli_${VERSION_GIT}_windows_x86_64.msi
+PACKAGE_NAME=mongocli_${VERSION_NAME}_windows_x86_64.msi
 OUTPUT=./bin/mongocli.exe
 LINKER_FLAGS="-s -w -X github.com/mongodb/mongodb-atlas-cli/internal/version.Version=${VERSION_GIT} -X github.com/mongodb/mongodb-atlas-cli/internal/version.GitCommit=${COMMIT} -X github.com/mongodb/mongodb-atlas-cli/internal/config.ToolName=${TOOL_NAME:?}"
 WIX_MANIFEST_FILE="./build/package/wix/${TOOL_NAME:?}.json"
-NOTARY_SIGNING_KEY=${NOTARY_SIGNING_KEY_MONGOCLI:?}
 
 if [[ "${TOOL_NAME:?}" == atlascli ]]; then
-	NOTARY_SIGNING_KEY=${NOTARY_SIGNING_KEY_ATLASCLI:?}
 	SOURCE_FILES=./cmd/atlas
-	PACKAGE_NAME=mongodb-atlas-cli_${VERSION_GIT}_windows_x86_64.msi
+	PACKAGE_NAME=mongodb-atlas-cli_${VERSION_NAME}_windows_x86_64.msi
 	OUTPUT=./bin/atlas.exe
 fi
 
@@ -45,9 +47,7 @@ env GOOS=windows GOARCH=amd64 go build \
 
 go-msi make --path "${WIX_MANIFEST_FILE}" --msi "dist/${PACKAGE_NAME}" --version "${VERSION_GIT}"
 
-go run ./tools/sign -file "dist/${PACKAGE_NAME}"
-
 if [[ "${TOOL_NAME:?}" == atlascli ]]; then
-	go run ./tools/chocolateypkg/chocolateypkg.go -version "${VERSION_GIT}"
+	go run ./tools/chocolateypkg/chocolateypkg.go -version "${VERSION_NAME}"
 	choco pack dist/mongodb-atlas.nuspec --outputdirectory dist -dv
 fi

build/package/generate-msi.sh

@@ -28,7 +28,7 @@ VERSION_GIT="$(git tag --list "${tool_name:?}/v*" --sort=taggerdate | tail -1 |
 
 if [[ "${unstable-}" == "-unstable" ]]; then
 	# avoid race conditions on the notarization step by using `-p 1`
-	./bin/goreleaser --config "${goreleaser_config:?}" --rm-dist --snapshot -p 1
+	./bin/goreleaser --config "${goreleaser_config:?}" --rm-dist --release-notes "${changelog_file:?}" --snapshot -p 1
 else
 	# avoid race conditions on the notarization step by using `-p 1`
 	./bin/goreleaser --config "${goreleaser_config:?}" --rm-dist --release-notes "${changelog_file:?}" -p 1

build/package/mongocli_windows_notarize.sh

@@ -29,6 +29,8 @@ META_FILENAME_ARM="${meta_package_name-}_${VERSION}_linux_arm64"
 
 pushd dist
 
+mv ../bin/*.msi . # move msi
+
 mkdir -p yum/x86_64 yum/arm64 apt/x86_64 apt/arm64
 
 function rename {