lines changed Original file line number Diff line number Diff line change 1+ # 15m timeout for all the tasks
2+ exec_timeout_secs : 900
3+
14variables :
25 - &go_env
36 XDG_CONFIG_HOME : ${go_base_path}${workdir}
47 GO111MODULE : " on"
58 GOROOT : " /opt/golang/go1.21"
6- functions :
79
10+ functions :
811 " clone " :
912 - command : subprocess.exec
1013 type : setup
@@ -14,12 +17,10 @@ functions:
1417 type : setup
1518 params :
1619 directory : src/github.com/mongodb/mongodb-enterprise-kubernetes
17-
20+
1821 " install goreleaser " :
1922 - command : shell.exec
2023 type : setup
21- include_expansions_in_env :
22- - goreleaser_pro_tar_gz
2324 params :
2425 script : |
2526 set -Eeu pipefail
@@ -42,7 +43,6 @@ functions:
4243 chmod 755 ./linux_amd64/macnotary
4344 " release " :
4445 - command : shell.exec
45- type : setup
4646 params :
4747 working_dir : src/github.com/mongodb/mongodb-enterprise-kubernetes/tools/multicluster
4848 include_expansions_in_env :
@@ -51,6 +51,13 @@ functions:
5151 - macos_notary_secret
5252 - workdir
5353 - triggered_by_git_tag
54+ - GRS_USERNAME
55+ - GRS_PASSWORD
56+ - ARTIFACTORY_URL
57+ - SIGNING_IMAGE_URI
58+ - ARTIFACTORY_USERNAME
59+ - ARTIFACTORY_PASSWORD
60+ - PKCS11_URI
5461 env :
5562 << : *go_env
5663 MACOS_NOTARY_KEY : ${macos_notary_keyid}
@@ -61,7 +68,8 @@ functions:
6168 set -Eeu pipefail
6269
6370 export PATH=$GOROOT/bin:$PATH
64- ${workdir}/goreleaser release --rm-dist
71+ # Avoid race conditions on signing and notarizing with parallelism=1
72+ ${workdir}/goreleaser release --clean --timeout 300s --parallelism 1
6573
6674tasks :
6775 - name : package_goreleaser
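Review bot: `ARTIFACTORY_USERNAME` is added to `include_expansions_in_env` of the `release` function (line 58), but the goreleaser hook introduced in this same commit sets `ARTIFACTORY_USERNAME=mongodb-enterprise-kubernetes-operator` as a literal, so this expansion is never read by sign.sh. Either drop it from this list or change the hook to `ARTIFACTORY_USERNAME={{ .Env.ARTIFACTORY_USERNAME }}` so the account name is configured in one place. The `release` function's script and the enclosing `functions` mapping continue outside the hunk.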
Original file line number Diff line number Diff line change @@ -13,16 +13,28 @@ builds:
1313 goarch :
1414 - amd64
1515 - arm64
16-
1716 hooks :
18- # This will notarize Apple binaries and replace goreleaser bins with the notarized ones
1917 post :
2018 - cmd : ./kubectl_mac_notarize.sh
2119 output : true
22-
20+ - cmd : ./sign.sh {{ .Path }}
21+ env :
22+ - GRS_USERNAME={{ .Env.GRS_USERNAME }}
23+ - GRS_PASSWORD={{ .Env.GRS_PASSWORD }}
24+ - PKCS11_URI={{ .Env.PKCS11_URI }}
25+ - ARTIFACTORY_URL={{ .Env.ARTIFACTORY_URL }}
26+ - SIGNING_IMAGE_URI={{ .Env.SIGNING_IMAGE_URI }}
27+ - ARTIFACTORY_USERNAME=mongodb-enterprise-kubernetes-operator
28+ - ARTIFACTORY_PASSWORD={{ .Env.ARTIFACTORY_PASSWORD }}
29+ - cmd : ./verify.sh {{ .Path }} && echo "VERIFIED OK"
30+
2331archives :
2432 - format : tar.gz
2533 name_template : " kubectl-mongodb_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
34+ files :
35+ # Include signature files in each archive along with the binary, strip_parent avoid nested folders
36+ - src : " ./dist/kubectl-mongodb_{{ .Os }}_{{ .Arch }}*{{ .Amd64 }}/kubectl-mongodb.sig"
37+ strip_parent : true
2638checksum :
2739 name_template : ' checksums.txt'
2840snapshot :
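Review bot: The `&&` in the verify hook (`./verify.sh {{ .Path }} && echo "VERIFIED OK"`, line 29) relies on a shell that goreleaser does not appear to provide for build hooks — it splits `cmd` into arguments and executes the program directly — so `&&`, `echo` and `VERIFIED OK` would reach verify.sh as ignored positional arguments and the message never prints; `- cmd: ./verify.sh {{ .Path }}` is sufficient because the script's `set -e` already fails the hook on a bad signature. The hook order also looks fragile: if post hooks run once per build target, kubectl_mac_notarize.sh is a no-op until both darwin binaries exist, so the darwin/amd64 binary is signed on its own pass and then replaced by the notarized copy during the arm64 pass, leaving `kubectl-mongodb.sig` over bytes that no longer match (verify.sh ran before the replacement, so it would not catch this). Signing once notarization is complete — in a later hook stage or over the final `dist/` contents — or re-running verification on the archived binaries would close that gap.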
Original file line number Diff line number Diff line change @@ -32,4 +32,4 @@ if [[ -f "./dist/kubectl-mongodb_darwin_amd64_v1/kubectl-mongodb" && -f "./dist/
3232 echo " replacing original files"
3333 unzip -oj ./dist/kubectl-mongodb_macos_signed.zip dist/kubectl-mongodb_darwin_amd64_v1/kubectl-mongodb -d ./dist/kubectl-mongodb_darwin_amd64_v1/
3434 unzip -oj ./dist/kubectl-mongodb_macos_signed.zip dist/kubectl-mongodb_darwin_arm64/kubectl-mongodb -d ./dist/kubectl-mongodb_darwin_arm64/
35- fi
35+ fi
Original file line number Diff line number Diff line change 1+ #! /bin/bash
2+
3+ set -euo pipefail
4+
5+ # Sign a binary using garasign credentials
6+ # goreleaser takes care of calling this script as a hook.
7+
8+ ARTIFACT=$1
9+ SIGNATURE=" ${ARTIFACT} .sig"
10+
11+ TMPDIR=${TMPDIR:-/ tmp}
12+ SIGNING_ENVFILE=" ${TMPDIR} /signing-envfile"
13+
14+ GRS_USERNAME=${GRS_USERNAME}
15+ GRS_PASSWORD=${GRS_PASSWORD}
16+ PKCS11_URI=${PKCS11_URI}
17+ ARTIFACTORY_URL=${ARTIFACTORY_URL}
18+ SIGNING_IMAGE_URI=${SIGNING_IMAGE_URI}
19+ ARTIFACTORY_PASSWORD=${ARTIFACTORY_PASSWORD}
20+ ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME}
21+
22+ echo " Signing artifact ${ARTIFACT} and saving signature to ${SIGNATURE} "
23+
24+ {
25+ echo " GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME} " ;
26+ echo " GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD} " ;
27+ echo " PKCS11_URI=${PKCS11_URI} " ;
28+ } > " ${SIGNING_ENVFILE} "
29+
30+ echo " Logging in artifactory.corp"
31+ echo ${ARTIFACTORY_PASSWORD} | docker login --password-stdin --username ${ARTIFACTORY_USERNAME} ${ARTIFACTORY_URL}
32+
33+ echo " Signing artifact"
34+ echo " Envfile is ${SIGNING_ENVFILE} "
35+ docker run \
36+ --env-file=" ${SIGNING_ENVFILE} " \
37+ --rm \
38+ -v $( pwd) :$( pwd) \
39+ -w $( pwd) \
40+ ${SIGNING_IMAGE_URI} \
41+ cosign sign-blob --key " ${PKCS11_URI} " --output-signature ${SIGNATURE} ${ARTIFACT} --yes
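Review bot: The env file written on lines 24-28 holds the garasign username and password in plaintext at a fixed path under `${TMPDIR}`, created with the default umask and never removed, so the credentials outlive the hook on the CI host. Creating it with a restrictive umask and cleaning it up on exit keeps them scoped to the run: `umask 077`, `SIGNING_ENVFILE="$(mktemp "${TMPDIR}/signing-envfile.XXXXXX")"`, `trap 'rm -f "${SIGNING_ENVFILE}"' EXIT`. Likewise `docker login` on line 31 stores the Artifactory credential in the Docker config store; a `docker logout "${ARTIFACTORY_URL}"` after the `docker run` (or in the same trap) avoids leaving it behind. The `docker run` on lines 35-41 also creates `${SIGNATURE}` as root, which is what verify.sh later works around with `sudo chmod 666`; adding `--user "$(id -u):$(id -g)"` to this invocation removes the need for that.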
Original file line number Diff line number Diff line change 1+ #! /bin/bash
2+
3+ set -euo pipefail
4+
5+ # Verify the signature of a binary with the operator's public key
6+ # goreleaser takes care of calling this script as a hook.
7+
8+ ARTIFACT=$1
9+ SIGNATURE=" ${ARTIFACT} .sig"
10+
11+ HOSTED_SIGN_PUBKEY=" https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem" # to complete
12+ TMPDIR=${TMPDIR:-/ tmp}
13+ KEY_FILE=" ${TMPDIR} /host-public.key"
14+ SIGNING_IMAGE_URI=${SIGNING_IMAGE_URI}
15+
16+ curl -o ${KEY_FILE} " ${HOSTED_SIGN_PUBKEY} "
17+ echo " Verifying signature ${SIGNATURE} of artifact ${ARTIFACT} "
18+ echo " Keyfile is ${KEY_FILE} "
19+
20+ # When working locally, the following command can be used instead of Docker
21+ # cosign verify-blob --key ${KEY_FILE} --signature ${SIGNATURE} ${ARTIFACT}
22+
23+ docker run \
24+ --rm \
25+ -v $( pwd) :$( pwd) \
26+ -v ${KEY_FILE} :${KEY_FILE} \
27+ -w $( pwd) \
28+ ${SIGNING_IMAGE_URI} \
29+ cosign verify-blob --key ${KEY_FILE} --signature ${SIGNATURE} ${ARTIFACT}
30+
31+ # Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.sig: permission denied
32+ sudo chmod 666 ${SIGNATURE}
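Review bot: `curl -o ${KEY_FILE} "${HOSTED_SIGN_PUBKEY}"` on line 16 has no `--fail`, so a 404 or error page from the host is written as the key file and cosign then fails with an unrelated parse error; `curl -fsSL -o "${KEY_FILE}" "${HOSTED_SIGN_PUBKEY}"` makes a bad download fail the hook directly. Because the key is fetched at run time from the URL still marked `# to complete`, a passing verify only shows that the signature matches whatever that endpoint currently serves; committing the expected public key (or its fingerprint) to the repository and comparing against the download would make the check independent of the hosting. On line 32, `sudo chmod 666` makes the signature world-writable to work around root ownership from the container; `sudo chown "$(id -u):$(id -g)" "${SIGNATURE}"`, or running the `docker run` in sign.sh with `--user "$(id -u):$(id -g)"`, addresses the cause without loosening permissions.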