CXX-3010 sign and upload dist tarball during release (#1136)

eramongodb · web-flow · commit 4b1d8c2193b4 · 2024-05-14T16:03:30.000-05:00
diff --git a/etc/garasign_dist_file.sh b/etc/garasign_dist_file.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# Used by make_release.py.
+# See: https://docs.devprod.prod.corp.mongodb.com/release-tools-container-images/garasign/garasign_signing/
+
+set -o errexit
+set -o pipefail
+
+: "${1:?"missing dist_file as first argument"}"
+
+# Allow customization point to use docker in place of podman.
+launcher="${GARASIGN_LAUNCHER:-"podman"}"
+
+if ! command -v "${launcher:?}" >/dev/null; then
+  echo "${launcher:?} is required to sign distribution tarball" 1>&2
+fi
+
+if ! command -v gpg >/dev/null; then
+  echo "gpg is required to verify distribution tarball signature" 1>&2
+fi
+
+creds=~/.secrets/garasign-creds.txt
+
+if [[ ! -f "${creds:?}" ]]; then
+  echo "missing file ${creds:?}" 1>&2
+  exit 1
+fi
+
+# Avoid conflict/use of creds defined in the environment.
+unset ARTIFACTORY_USER
+unset ARTIFACTORY_PASSWORD
+unset GRS_CONFIG_USER1_USERNAME
+unset GRS_CONFIG_USER1_PASSWORD
+
+. "${creds:?}"
+
+: "${ARTIFACTORY_USER:?"missing ARTIFACTORY_USER in ${creds:?}"}"
+: "${ARTIFACTORY_PASSWORD:?"missing ARTIFACTORY_PASSWORD in ${creds:?}"}"
+: "${GRS_CONFIG_USER1_USERNAME:?"missing GRS_CONFIG_USER1_USERNAME in ${creds:?}"}"
+: "${GRS_CONFIG_USER1_PASSWORD:?"missing GRS_CONFIG_USER1_PASSWORD in ${creds:?}"}"
+
+dist_file="${1:?}"
+dist_file_signed="${dist_file:?}.asc"
+
+"${launcher:?}" login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+plugin_commands=(
+  gpg --yes -v --armor -o "${dist_file_signed:?}" --detach-sign "${dist_file:?}"
+)
+"${launcher:?}" run \
+  --env-file="${creds:?}" \
+  -e "PLUGIN_COMMANDS=${plugin_commands[*]:?}" \
+  --rm \
+  -v "$(pwd):$(pwd)" \
+  -w "$(pwd)" \
+  artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg
+
+# Validate the signature file works as intended.
+keyring="$(mktemp)"
+curl -sS https://pgp.mongodb.com/cpp-driver.pub | gpg -q --no-default-keyring --keyring "${keyring:?}" --import -
+gpgv --keyring "${keyring:?}" "${dist_file_signed:?}" "${dist_file:?}"
diff --git a/etc/make_release.py b/etc/make_release.py
@@ -187,6 +187,10 @@ def release(jira_creds_file,
             click.echo('C++ driver distribution not built or not found...exiting!', err=True)
             sys.exit(1)
 
+    click.echo('Signing distribution...')
+    run_shell_script(f'./.evergreen/garasign_dist_file.sh {dist_file}')
+    click.echo('Signing distribution... done.')
+
     jira_vers_dict = get_jira_project_versions(auth_jira)
 
     if release_version not in jira_vers_dict.keys():
@@ -573,6 +577,9 @@ def generate_release_notes(release_version: str, changelog_contents: str) -> str
     - [Create an account](https://jira.mongodb.org) and login.
     - Navigate to the [CXX project](https://jira.mongodb.org/browse/CXX)
     - Click `Create`.
+
+    ## Signature Verification
+    Release artifacts may be verified by using the accompanying detached signature (.asc) and the cpp-driver public key obtained from https://pgp.mongodb.com.
     """).lstrip()
 
     release_notes = "".join(lines) + "\n"
@@ -650,7 +657,9 @@ def create_github_release_draft(gh_repo,
     gh_release = gh_repo.create_git_release(tag=release_tag, name=release_name,
                                             message=release_notes_text, draft=True,
                                             prerelease=is_pre_release)
+
     gh_release.upload_asset(dist_file)
+    gh_release.upload_asset(dist_file + ".asc")
 
     click.echo('Github release has been created.  Review and publish here: {}'
                .format(gh_release.html_url))
diff --git a/etc/releasing.md b/etc/releasing.md
@@ -136,22 +136,31 @@ git tag r1.2.3
 ## Run make_release.py
 
 `make_release.py` creates the distribution tarball
-(e.g. mongo-cxx-driver-r1.2.3.tar.gz), interacts with Jira, and drafts the
-release on GitHub.
+(e.g. mongo-cxx-driver-r1.2.3.tar.gz) and corresponding signature file (e.g.
+mongo-cxx-driver-r1.2.3.tar.gz.asc), interacts with Jira, and drafts the release
+on GitHub.
 
 To see all available options, run with `--help`
 
 ```
 python ./etc/make_release.py --help
 ```
 
-It requires the following:
+It requires the following (note: avoid typing secrets as command-line arguments):
 
 - A GitHub token. Go to the GitHub settings page
   [Personal Access Tokens](https://github.com/settings/tokens) and create a
   token.  Save the token secret to `~/.secrets/github_token.txt`.
 - Jira OAuth credentials. Ask for these from a team member.
   Save it to `~/.secrets/jira_creds.txt`.
+- Artifactory and Garasign credentials. Save these to `~/.secrets/garasign-creds.txt` in the form:
+  ```
+  ARTIFACTORY_USER=<username>
+  ARTIFACTORY_PASSWORD=<password>
+  GRS_CONFIG_USER1_USERNAME=<username>
+  GRS_CONFIG_USER1_PASSWORD=<password>
+  ```
+  Ask for these from a team member.
 
 Run the release script with the git tag created above as an argument and
 `--dry-run` to test for unexpected errors.
