VS-124: Sign Analyzer releases

evergreen/evergreen.yml

@@ -145,9 +145,15 @@ functions:
  - command: shell.exec
  params:
  working_dir: mongo-csharp-analyzer
+ env:
+ ARTIFACTORY_PASSWORD: ${ARTIFACTORY_PASSWORD}
+ ARTIFACTORY_USERNAME: ${ARTIFACTORY_USERNAME}
+ AZURE_NUGET_SIGN_TENANT_ID: ${AZURE_NUGET_SIGN_TENANT_ID}
+ AZURE_NUGET_SIGN_CLIENT_ID: ${AZURE_NUGET_SIGN_CLIENT_ID}
+ AZURE_NUGET_SIGN_CLIENT_SECRET: ${AZURE_NUGET_SIGN_CLIENT_SECRET}
+ PACKAGE_VERSION: ${PACKAGE_VERSION}
  script: |
  ${PREPARE_SHELL}
- OS=${OS} \
  PACKAGE_VERSION=${PACKAGE_VERSION} \
  evergreen/run-pack.sh
 
@@ -157,6 +163,7 @@ functions:
  shell: bash
  working_dir: mongo-csharp-analyzer
  env:
+ NUGET_SIGN_CERTIFICATE_FINGERPRINT: ${NUGET_SIGN_CERTIFICATE_FINGERPRINT}
  PACKAGES_SOURCE: ${PACKAGES_SOURCE}
  PACKAGES_SOURCE_KEY: ${PACKAGES_SOURCE_KEY}
  PACKAGE_VERSION: ${PACKAGE_VERSION}

evergreen/run-pack.sh

@@ -2,6 +2,14 @@
 set -o errexit # Exit the script with error if any of the commands fail
 set +o xtrace # Disable tracing.
 
+# Environment variables used as input:
+# ARTIFACTORY_PASSWORD
+# ARTIFACTORY_USERNAME
+# AZURE_NUGET_SIGN_TENANT_ID
+# AZURE_NUGET_SIGN_CLIENT_ID
+# AZURE_NUGET_SIGN_CLIENT_SECRET
+# PACKAGE_VERSION
+
 if [ -z "$PACKAGE_VERSION" ]; then
  echo "PACKAGE_VERSION variable should be set"
  exit 1
@@ -11,4 +19,19 @@ echo Creating nuget package...
 
 dotnet clean "./MongoDB.Analyzer.sln"
 dotnet build "./MongoDB.Analyzer.sln" -c Release
-dotnet pack ./src/MongoDB.Analyzer.Package/MongoDB.Analyzer.Package.csproj -o ./artifacts/nuget -c Release -p:Version="$PACKAGE_VERSION" -p:ContinuousIntegrationBuild=true
+dotnet pack ./src/MongoDB.Analyzer.Package/MongoDB.Analyzer.Package.csproj -o ./artifacts/nuget -c Release -p:Version="$PACKAGE_VERSION" -p:ContinuousIntegrationBuild=true
+
+echo "${ARTIFACTORY_PASSWORD}" | docker login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
+
+docker run --platform="linux/amd64" --rm -v $(pwd):/workdir -w /workdir \
+ artifactory.corp.mongodb.com/release-tools-container-registry-local/azure-keyvault-nuget \
+ NuGetKeyVaultSignTool sign "artifacts/nuget/*"."$PACKAGE_VERSION".nupkg \
+ --force \
+ --file-digest=sha256 \
+ --timestamp-rfc3161=http://timestamp.digicert.com \
+ --timestamp-digest=sha256 \
+ --azure-key-vault-url=https://mdb-authenticode.vault.azure.net \
+ --azure-key-vault-tenant-id="$AZURE_NUGET_SIGN_TENANT_ID" \
+ --azure-key-vault-client-secret="$AZURE_NUGET_SIGN_CLIENT_SECRET" \
+ --azure-key-vault-client-id="$AZURE_NUGET_SIGN_CLIENT_ID" \
+ --azure-key-vault-certificate=authenticode-2021

evergreen/run-push.sh

@@ -2,6 +2,12 @@
 set -o errexit # Exit the script with error if any of the commands fail
 set +o xtrace # Disable tracing.
 
+# Environment variables used as input:
+# NUGET_SIGN_CERTIFICATE_FINGERPRINT
+# PACKAGES_SOURCE
+# PACKAGES_SOURCE_KEY
+# PACKAGE_VERSION
+
 if [ -z "$PACKAGES_SOURCE" ]; then
  echo "PACKAGES_SOURCE variable should be set"
  exit 1
@@ -23,5 +29,8 @@ if [ "$PACKAGES_SOURCE" = "https://api.nuget.org/v3/index.json" ] && [[ ! "$PACK
  exit 1
 fi
 
+echo Verifying signature
+dotnet nuget verify ./artifacts/nuget/MongoDB.Analyzer."$PACKAGE_VERSION".nupkg --certificate-fingerprint "$NUGET_SIGN_CERTIFICATE_FINGERPRINT"
+
 echo Pushing nuget package...
-dotnet nuget push --source "$PACKAGES_SOURCE" --api-key "$PACKAGES_SOURCE_KEY" ./artifacts/nuget/MongoDB.Analyzer."$PACKAGE_VERSION".nupkg
+dotnet nuget push --source "$PACKAGES_SOURCE" --api-key "$PACKAGES_SOURCE_KEY" ./artifacts/nuget/MongoDB.Analyzer."$PACKAGE_VERSION".nupkg