ci: Setup signing packages (#25)

* Initial package sig

* Clean-up

* Adds to readme and releasing markdowns

* Renumber list

Author: cveticm

README.md

@@ -0,0 +1,3 @@
+# Atlas CLI Kubernetes Plugin
+
+The Atlas CLI Kubernetes Plugin is a first class plugin, providing kubernetes commands for the MongoDB Atlas CLI.

RELEASING.md

@@ -15,5 +15,6 @@ git push origin "v1.0.0"
 
 This will do the following things:
 1. The [evergreen](build/ci/release.yml) release task will run after a tag event from main.
-2. If everything goes smoothly, the release will be published in the [releases page](https://github.com/mongodb/atlas-cli-plugin-kubernetes/releases).
-3. The [evergreen](build/ci/release.yml) copybara task will automatically open a PR on docs repositories with any document changes for the docs team to review and merge. 
+2. This task signs all packages and includes both them and the public key in the release.
+3. If everything goes smoothly, the release will be published in the [releases page](https://github.com/mongodb/atlas-cli-plugin-kubernetes/releases).
+4. The [evergreen](build/ci/release.yml) copybara task will automatically open a PR on docs repositories with any document changes for the docs team to review and merge. 

build/ci/release.yml

@@ -69,10 +69,17 @@ functions:
         <<: *go_options
         env:
           <<: *go_env
+          ARTIFACTORY_USERNAME: ${artifactory_username}
+          ARTIFACTORY_PASSWORD: ${artifactory_password}
+          GRS_USERNAME: ${garasign_username}
+          GRS_PASSWORD: ${garasign_password}
           GITHUB_TOKEN: ${github_token}
         include_expansions_in_env:
           - go_base_path
           - workdir
+          - notary_service_key_id
+          - notary_service_secret
+          - notary_service_url
           - goreleaser_key
           - version
         binary: build/package/package.sh

build/package/.goreleaser.yml

@@ -3,6 +3,11 @@ project_name: atlas-cli-plugin-kubernetes
 
 version: 2
 
+before:
+  hooks:
+    - go mod tidy
+    - curl https://pgp.mongodb.com/atlas-cli.asc -o atlas-cli.asc
+
 builds:
   - <<: &build_defaults
       env:
@@ -35,7 +40,7 @@ gomod: # https://goreleaser.com/customization/verifiable_builds/
   mod: mod
 
 archives:
-- id: linux_archives
+- id: linux
   name_template: atlas-cli-plugin-kubernetes_{{ .Version }}_{{ .Os }}_{{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end }}
   builds: [linux]
   <<: &archive_defaults
@@ -61,6 +66,18 @@ archives:
   format: zip
 checksum:
   name_template: checksums.txt
+signs:
+  - id: all_artifacts
+    signature: "${artifact}.sig"
+    cmd: "./build/package/notarize.sh"
+    ids:
+      - linux
+      - macos
+      - windows
+    artifacts: all
+    output: true
 release:
   prerelease: auto
   name_template: "Atlas CLI Plugin Kubernetes v{{.Version}}"
+  extra_files:
+    - glob: ./*.asc

build/package/notarize.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+# notarize generates the detached sign of all packages via garasign-gpg.
+# This depends on binaries being generated in a goreleaser manner and gon being set up.
+# goreleaser should already take care of calling this script as a part of a custom publisher.
+
+echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" >> "signing-envfile"
+echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}" >> "signing-envfile"
+
+if [[ -f "${artifact:?}" ]]; then
+  echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
+
+  echo "notarizing package ${artifact}"
+
+  podman run \
+    --env-file=signing-envfile \
+    --rm \
+    -v "$(pwd)":"$(pwd)" \
+    -w "$(pwd)" \
+    artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg \
+    /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${artifact}.sig --detach-sign ${artifact}"
+fi
+
+echo "Signing of ${artifact} completed."
+

build/package/package.sh

@@ -17,6 +17,10 @@
 set -Eeou pipefail
 
 export GOROOT="${GOROOT:?}"
+
+export NOTARY_SERVICE_URL=${notary_service_url:?}
+export MACOS_NOTARY_KEY=${notary_service_key_id:?}
+export MACOS_NOTARY_SECRET=${notary_service_secret:?}
 export GORELEASER_KEY=${goreleaser_key:?}
 export VERSION_GIT=${version:?}
 VERSION=$(git tag --list 'v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)