From a7f7c145ff41d3b16602428d958edae1eb510ed1 Mon Sep 17 00:00:00 2001
From: Melanija Cvetic
Date: Tue, 28 Jan 2025 14:26:08 +0000
Subject: [PATCH] Initial binary signing implementation

---
 build/ci/release.yml | 21 +++++++++++++----
 build/package/.goreleaser.yml | 10 ++++++++
 build/package/mac_notarize.sh | 35 +++++++++++++++++++++++++++
 build/package/windows_notarize.sh | 39 +++++++++++++++++++++++++++++++
 4 files changed, 101 insertions(+), 4 deletions(-)
 create mode 100755 build/package/mac_notarize.sh
 create mode 100755 build/package/windows_notarize.sh

diff --git a/build/ci/release.yml b/build/ci/release.yml
index 0c2a3bf..70cb123 100644
--- a/build/ci/release.yml
+++ b/build/ci/release.yml
@@ -53,6 +53,18 @@ functions:
 set -Eeou pipefail
 curl -sfL ${goreleaser_pro_tar_gz} | tar zx
+ "install macos notarization service":
+ - command: shell.exec
+ type: setup
+ params:
+ working_dir: src/github.com/mongodb/mongodb-atlas-cli
+ include_expansions_in_env:
+ - notary_service_url
+ script: |
+ set -Eeou pipefail
+ curl "${notary_service_url}" --output macos-notary.zip
+ unzip -u macos-notary.zip
+ chmod 755 ./linux_amd64/macnotary
 "generate notices":
 - command: subprocess.exec
 type: test
@@ -121,12 +133,13 @@ functions:
 tasks:
 - name: package_goreleaser
 tags: ["packaging"]
- depends_on:
- - name: compile
- variant: "code_health"
+ # depends_on:
+ # - name: compile
+ # variant: "code_health"
 commands:
 - func: "generate notices"
 - func: "install goreleaser"
+ - func: "install macos notarization service"
 - func: "install gh-token"
 - func: "package"
 - name: copybara
@@ -156,7 +169,7 @@ tasks:
 buildvariants:
 - name: release
 display_name: "Release AtlasCLI Plugin Kubernetes (goreleaser)"
- git_tag_only: true
+ # git_tag_only: true
 run_on:
 - rhel90-small
 expansions:
diff --git a/build/package/.goreleaser.yml b/build/package/.goreleaser.yml
index ab2c967..42b702e 100644
--- a/build/package/.goreleaser.yml
+++ b/build/package/.goreleaser.yml
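Review bot: The notary tool is downloaded with `curl "${notary_service_url}" --output macos-notary.zip`, made executable and later used to sign release binaries, yet nothing verifies what was fetched: there is no `--fail`, so an HTTP error body would be saved and unpacked, and there is no digest check against a pinned value. Because this binary produces the signatures the release ships with, I would use `curl -fsSL "${notary_service_url}" --output macos-notary.zip` and verify it before the `chmod`, e.g. `echo "${notary_service_sha256}  macos-notary.zip" | sha256sum -c -`, with the expected digest added to `include_expansions_in_env` next to `notary_service_url`. `unzip -u` also keeps a newer file already present on the host, so `unzip -o` states the intent more plainly. The `functions:` map this entry belongs to continues outside the hunk.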
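Review bot: `package_goreleaser` no longer waits on `compile` in the `code_health` variant, but the dependency is commented out rather than removed, so a reader cannot tell whether the gate was dropped deliberately or only disabled to try the new hooks. If it is temporary, say so on the spot, `# TODO: restore depends_on on compile/code_health before merging`, and restore it before this lands; if it is permanent, delete the three lines instead of keeping dead configuration. The `tasks:` list continues outside the hunk.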
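Review bot: With `git_tag_only: true` commented out, the `release` variant — which after this patch installs the notary tool and runs the signing hooks — is no longer restricted to tag builds, so the signing and notarization credentials get exercised on arbitrary commits. The `.goreleaser.yml` comment in this same patch notes that verifiable builds are only effective against a tag, which makes signed artifacts from untagged commits doubly undesirable. If this is only to test the pipeline, mark it `# TEMP: re-enable git_tag_only before merge` and restore `git_tag_only: true` before the change lands. The `buildvariants:` list continues outside the hunk.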
@@ -23,11 +23,21 @@ builds:
 id: macos
 goos: [darwin]
 goarch: [amd64,arm64]
+ hooks:
+ # This will notarize Apple binaries and replace goreleaser bins with the notarized ones
+ post:
+ - cmd: ./build/package/mac_notarize.sh
+ output: true
 - <<: *build_defaults
 id: windows
 goos: [windows]
 goarch: [amd64]
 goamd64: [v1]
+ hooks:
+ # This will notarize the Windows binary and replace goreleaser bin with the notarized one
+ post:
+ - cmd: ./build/package/windows_notarize.sh
+ output: true
 gomod:
 # https://goreleaser.com/customization/verifiable_builds/
 # Proxy a module from proxy.golang.org, making the builds verifiable.
 # This will only be effective if running against a tag. Snapshots will ignore
diff --git a/build/package/mac_notarize.sh b/build/package/mac_notarize.sh
new file mode 100755
index 0000000..3698b4c
--- /dev/null
+++ b/build/package/mac_notarize.sh
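Review bot: Nothing here records that a `builds.hooks.post` entry runs once per build target, so `mac_notarize.sh` is invoked for both the amd64 and the arm64 darwin builds and, as far as I can tell from the script, relies on its own file-existence guard to do the work only once both binaries are present. That contract is easy to break when a target is added or renamed, so I would state it above the hook: `# runs once per darwin target; mac_notarize.sh is a no-op until both amd64 and arm64 binaries exist, then notarizes both in one request`. The same hooks fire on snapshot and local builds, where the notary tool and the Artifactory credentials are presumably absent, so a note on how to skip them locally (or a guard in the scripts) would save the next developer a failed `goreleaser build`. The `builds:` list continues outside the hunk.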
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+# mac_notarize generated binaries with Apple and replace the original binary with the notarized one
+# This depends on binaries being generated in a goreleaser manner and gon being set up.
+# goreleaser should already take care of calling this script as a hook.
+
+if [[ -f "./dist/macos_darwin_amd64_v1/bin/atlas-cli-plugin-kubernetes" && -f "./dist/macos_darwin_arm64/bin/atlas-cli-plugin-kubernetes" && ! -f "./dist/atlas-cli-plugin-kubernetes_macos_signed.zip" ]]; then
+ echo "notarizing macOs binaries"
+ zip -r ./dist/atlas-cli-plugin-kubernetes_amd64_arm64_bin.zip ./dist/macos_darwin_amd64_v1/bin/atlas-cli-plugin-kubernetes ./dist/macos_darwin_arm64/bin/atlas-cli-plugin-kubernetes # The Notarization Service takes an archive as input
+ ./linux_amd64/macnotary \
+ -f ./dist/atlas-cli-plugin-kubernetes_amd64_arm64_bin.zip \
+ -m notarizeAndSign -u https://dev.macos-notary.build.10gen.cc/api \
+ -b com.mongodb.atlas-cli-plugin-kubernetes \
+ -o ./dist/atlas-cli-plugin-kubernetes_macos_signed.zip
+
+ echo "replacing original files"
+ unzip -oj ./dist/atlas-cli-plugin-kubernetes_macos_signed.zip dist/macos_darwin_amd64_v1/bin/atlas-cli-plugin-kubernetes -d ./dist/macos_darwin_amd64_v1/bin/
+ unzip -oj ./dist/atlas-cli-plugin-kubernetes_macos_signed.zip dist/macos_darwin_arm64/bin/atlas-cli-plugin-kubernetes -d ./dist/macos_darwin_arm64/bin/
+fi
diff --git a/build/package/windows_notarize.sh b/build/package/windows_notarize.sh
new file mode 100755
index 0000000..7affbf2
--- /dev/null
+++ b/build/package/windows_notarize.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+VERSION_GIT="$(git tag --list "v*" --sort=taggerdate | tail -1 | cut -d "v" -f 2)"
+
+EXE_FILE="./dist/windows_windows_amd64_v1/atlas-cli-plugin-kubernetes.exe"
+
+if [[ -f "$EXE_FILE"]]; then
+ echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
+
+ echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" > .env
+ echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}" >> .env
+
+ echo "signing $EXE_FILE"
+ podman run \
+ --env-file=.env \
+ --rm \
+ -v "$(pwd):$(pwd)" \
+ -w "$(pwd)" \
+ artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-jsign \
+ /bin/bash -c "jsign --tsaurl http://timestamp.digicert.com -a ${AUTHENTICODE_KEY_NAME} \"$EXE_FILE\""
+
+ rm .env
+fi
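Review bot: `if [[ -f "$EXE_FILE"]]; then` is missing the space before `]]`, so bash reads `"$EXE_FILE"]]` as a single word and the script fails with a syntax error before signing anything; it should be `if [[ -f "$EXE_FILE" ]]; then`. The `.env` file holding `GRS_CONFIG_USER1_PASSWORD` is only removed on the success path, so under `set -e` any failure in `podman login` or `podman run` leaves the signing credentials in the working tree; add `trap 'rm -f .env' EXIT` right after writing it, or avoid the file altogether by passing `-e GRS_CONFIG_USER1_USERNAME="${GRS_USERNAME}" -e GRS_CONFIG_USER1_PASSWORD="${GRS_PASSWORD}"` to `podman run`. `VERSION_GIT` is computed from `git tag` but never used and can be dropped.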