ci: Setup signing for binaries (#27)

* Initial binary signing implementation

* fixes install macos notarization service

* fixes windows_notarize.sh

* fix window notarization

* fixes mac signing

* mac fix

* fixes post check

* Shellcheck fix and disable release on patch

Author: cveticm

build/ci/release.yml

@@ -53,6 +53,18 @@ functions:
           set -Eeou pipefail
 
           curl -sfL ${goreleaser_pro_tar_gz} | tar zx
+  "install macos notarization service":
+    - command: shell.exec
+      type: setup
+      params:
+        working_dir: src/github.com/mongodb/atlas-cli-plugin-kubernetes
+        include_expansions_in_env:
+          - notary_service_url
+        script: |
+          set -Eeou pipefail
+          curl "${notary_service_url}" --output macos-notary.zip
+          unzip -u macos-notary.zip
+          chmod 755 ./linux_amd64/macnotary
   "generate notices":
     - command: subprocess.exec
       type: test
@@ -73,6 +85,7 @@ functions:
           ARTIFACTORY_PASSWORD: ${artifactory_password}
           GRS_USERNAME: ${garasign_username}
           GRS_PASSWORD: ${garasign_password}
+          AUTHENTICODE_KEY_NAME: ${authenticode_key_name}
           GITHUB_TOKEN: ${github_token}
         include_expansions_in_env:
           - go_base_path
@@ -127,6 +140,7 @@ tasks:
     commands:
       - func: "generate notices"
       - func: "install goreleaser"
+      - func: "install macos notarization service"
       - func: "install gh-token"
       - func: "package"
   - name: copybara

build/package/.goreleaser.yml

@@ -23,11 +23,21 @@ builds:
     id: macos
     goos: [darwin]
     goarch: [amd64,arm64]
+    hooks:
+      # This will notarize Apple binaries and replace goreleaser bins with the notarized ones
+      post:
+        - cmd: ./build/package/mac_notarize.sh
+          output: true
   - <<: *build_defaults
     id: windows
     goos: [windows]
     goarch: [amd64]
     goamd64: [v1]
+    hooks:
+      # This will notarize the Windows binary and replace goreleaser bin with the notarized one
+      post:
+        - cmd: ./build/package/windows_notarize.sh
+          output: true
 gomod: # https://goreleaser.com/customization/verifiable_builds/
   # Proxy a module from proxy.golang.org, making the builds verifiable.
   # This will only be effective if running against a tag. Snapshots will ignore

build/package/mac_notarize.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+# mac_notarize generated binaries with Apple and replace the original binary with the notarized one
+# This depends on binaries being generated in a goreleaser manner and gon being set up.
+# goreleaser should already take care of calling this script as a hook.
+
+if [[ -f "./dist/macos_darwin_amd64_v1/atlas-cli-plugin-kubernetes" && -f "./dist/macos_darwin_arm64/atlas-cli-plugin-kubernetes" && ! -f "./dist/atlas-cli-plugin-kubernetes_macos_signed.zip" ]]; then
+	echo "notarizing macOs binaries"
+	zip -r ./dist/atlas-cli-plugin-kubernetes_amd64_arm64_bin.zip ./dist/macos_darwin_amd64_v1/atlas-cli-plugin-kubernetes ./dist/macos_darwin_arm64/atlas-cli-plugin-kubernetes # The Notarization Service takes an archive as input
+	./linux_amd64/macnotary \
+		-f ./dist/atlas-cli-plugin-kubernetes_amd64_arm64_bin.zip \
+		-m notarizeAndSign -u https://dev.macos-notary.build.10gen.cc/api \
+		-b com.mongodb.atlas-cli-plugin-kubernetes \
+		-o ./dist/atlas-cli-plugin-kubernetes_macos_signed.zip
+
+	echo "replacing original files"
+	unzip -oj ./dist/atlas-cli-plugin-kubernetes_macos_signed.zip dist/macos_darwin_amd64_v1/atlas-cli-plugin-kubernetes -d ./dist/macos_darwin_amd64_v1/
+	unzip -oj ./dist/atlas-cli-plugin-kubernetes_macos_signed.zip dist/macos_darwin_arm64/atlas-cli-plugin-kubernetes -d ./dist/macos_darwin_arm64/
+fi

build/package/package.sh

@@ -32,3 +32,12 @@ make generate-all-manifests
 
 # avoid race conditions on the notarization step by using `-p 1`
 ./bin/goreleaser release --config "build/package/.goreleaser.yml" --clean -p 1
+
+# check that the notarization service signed the mac binaries
+SIGNED_FILE_NAME=atlas-cli-plugin-kubernetes_macos_signed.zip
+if [[ -f "dist/$SIGNED_FILE_NAME" ]]; then
+	echo "$SIGNED_FILE_NAME exists. The Mac notarization service has run."
+else
+	echo "ERROR: $SIGNED_FILE_NAME does not exist. The Mac notarization service has not run."
+	exit 1 # ERROR
+fi

build/package/windows_notarize.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+EXE_FILE="./dist/windows_windows_amd64_v1/atlas-cli-plugin-kubernetes.exe"
+
+if [[ -f "$EXE_FILE" ]]; then
+	echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
+
+	echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" > .env
+	echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}" >> .env
+
+	echo "signing $EXE_FILE"
+	podman run \
+		--env-file=.env \
+		--rm \
+		-v "$(pwd):$(pwd)" \
+		-w "$(pwd)" \
+		artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-jsign \
+		/bin/bash -c "jsign --tsaurl http://timestamp.digicert.com -a ${AUTHENTICODE_KEY_NAME} \"$EXE_FILE\""
+	
+	rm .env
+fi