VS-144: Add signing info to ssdlc report

evergreen/evergreen.yml

@@ -209,6 +209,7 @@ functions:
  params:
  working_dir: "mongo-csharp-analyzer"
  env:
+ NUGET_SIGN_CERTIFICATE_FINGERPRINT: ${NUGET_SIGN_CERTIFICATE_FINGERPRINT}
  PRODUCT_NAME: "mongo-csharp-analyzer"
  github_commit: ${github_commit}
  script: |

evergreen/generate-ssdlc-report.sh

@@ -2,6 +2,7 @@
 set -o errexit # Exit the script with error if any of the commands fail
 
 # Environment variables used as input:
+# NUGET_SIGN_CERTIFICATE_FINGERPRINT
 # PRODUCT_NAME
 # PACKAGE_VERSION
 # github_commit
@@ -31,5 +32,6 @@ sed "${SED_EDIT_IN_PLACE_OPTION[@]}" \
  -e "s/\${PACKAGE_VERSION}/$PACKAGE_VERSION/g" \
  -e "s/\${github_commit}/$github_commit/g" \
  -e "s/\${REPORT_DATE_UTC}/$(date -u +%Y-%m-%d)/g" \
+ -e "s/\${NUGET_SIGN_CERTIFICATE_FINGERPRINT}/${NUGET_SIGN_CERTIFICATE_FINGERPRINT}/g" \
  "${SSDLC_REPORT_PATH}"
 ls "${SSDLC_REPORT_PATH}"

evergreen/template_ssdlc_compliance_report.md

@@ -53,4 +53,10 @@ Coverity static analysis report is available <a href="https://us-west-2.console.
 
 ## Signature information
 
-Blocked on <https://jira.mongodb.org/browse/VS-124>.
+Packages are signed with certificate with fingerprint: ${NUGET_SIGN_CERTIFICATE_FINGERPRINT}.
+Signature can be validated by running ```dotnet nuget verify``` command.
+
+For example signature of ```MongoDB.Analyzer."${PACKAGE_VERSION}".nupkg``` package can be verified by running:
+```
+dotnet nuget verify MongoDB.Analyzer."${PACKAGE_VERSION}".nupkg --certificate-fingerprint ${NUGET_SIGN_CERTIFICATE_FINGERPRINT}
+```