MONGOCRYPT-837 sign libmongocrypt-all.tar.gz (#1143)

kevinAlbs · web-flow · commit 2b1ea0b7a895 · 2026-03-31T14:48:25.000-04:00
Add a separate non-patchable `sign-all` task. The Garasign credentials are (by request) marked "Admin only" to reduce exposure during patches.

* upload to same locations as libmongocrypt-all.tar.gz
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -947,6 +947,97 @@ tasks:
         filenames:
           - libmongocrypt-all-${tag_upload_location!|*revision}.tar.gz
 
+- name: sign-all
+  patchable: false # Garasign credentials are marked as "Admin only" in Evergreen project. "Admin only" variables are not included in patch builds. To test a patch: temporarily unselect "Admin only".
+  depends_on: upload-all
+  commands:
+  - func: "fetch source" # To get Earthfile.
+  - command: s3.get
+    params:
+      role_arn: '${upload_arn}'
+      remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.tar.gz'
+      bucket: ${upload_bucket}
+      local_file: 'libmongocrypt/libmongocrypt-all.tar.gz'
+  - func: "earthly" # Sign tarball.
+    vars:
+      args: --secret garasign_username=${garasign_username} --secret garasign_password=${garasign_password} +sign --file_to_sign=libmongocrypt-all.tar.gz --output_file=libmongocrypt-all.asc --is_patch="${is_patch}"
+  # Upload to same locations as libmongocrypt-all.tar.gz
+  - command: shell.exec
+    params:
+      script: |-
+        set -o errexit
+        cd libmongocrypt
+        if [ -n "${tag_upload_location}" ]; then
+          # the "fetch source" step detected a release tag on HEAD, so we
+          # prepare a local file for upload to a location based on the tag
+          cp -a libmongocrypt-all.asc libmongocrypt-all-${tag_upload_location}.asc
+
+          if [[ "$tag_upload_location" = *-* ]]; then
+            # Unstable release, like 1.1.0-beta1 or 1.0.1-rc0.
+            mkdir unstable
+            cp -a libmongocrypt-all.asc unstable/libmongocrypt-all-${tag_upload_location}.asc
+          else
+            mkdir stable
+            cp -a libmongocrypt-all.asc stable/libmongocrypt-all-${tag_upload_location}.asc
+          fi
+        fi
+  - command: s3.put
+    params:
+      role_arn: ${upload_arn}
+      skip_existing: true
+      remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.asc'
+      bucket: ${upload_bucket}
+      permissions: ${upload_permissions}
+      visibility: ${upload_visibility}
+      local_file: 'libmongocrypt/libmongocrypt-all.asc'
+      content_type: 'application/pgp-signature'
+  - command: s3.put
+    params:
+      role_arn: ${upload_arn}
+      skip_existing: true
+      remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt-all.asc'
+      bucket: ${upload_bucket}
+      permissions: ${upload_permissions}
+      visibility: ${upload_visibility}
+      local_file: 'libmongocrypt/libmongocrypt-all.asc'
+      content_type: 'application/pgp-signature'
+  - command: s3.put
+    params:
+      role_arn: ${upload_arn}
+      skip_existing: true
+      remote_file: 'libmongocrypt/all/${tag_upload_location}/libmongocrypt-all.asc'
+      bucket: ${upload_bucket}
+      permissions: ${upload_permissions}
+      visibility: ${upload_visibility}
+      optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for tagged release.
+      display_name: 'libmongocrypt-all-${tag_upload_location}.asc'
+      local_file: 'libmongocrypt/libmongocrypt-all-${tag_upload_location}.asc'
+      content_type: 'application/pgp-signature'
+  - command: s3.put
+    params:
+      role_arn: ${upload_arn}
+      skip_existing: true
+      remote_file: 'libmongocrypt/all/latest/stable/libmongocrypt-all.asc'
+      bucket: ${upload_bucket}
+      permissions: ${upload_permissions}
+      visibility: ${upload_visibility}
+      optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for stable release.
+      display_name: 'stable/libmongocrypt-all-${tag_upload_location}.asc'
+      local_file: 'libmongocrypt/stable/libmongocrypt-all-${tag_upload_location}.asc'
+      content_type: 'application/pgp-signature'
+  - command: s3.put
+    params:
+      role_arn: ${upload_arn}
+      skip_existing: true
+      remote_file: 'libmongocrypt/all/latest/unstable/libmongocrypt-all.asc'
+      bucket: ${upload_bucket}
+      permissions: ${upload_permissions}
+      visibility: ${upload_visibility}
+      optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for unstable release.
+      display_name: 'unstable/libmongocrypt-all-${tag_upload_location}.asc'
+      local_file: 'libmongocrypt/unstable/libmongocrypt-all-${tag_upload_location}.asc'
+      content_type: 'application/pgp-signature'
+
 - name: publish-packages
   depends_on: build-packages
   commands:
@@ -1775,10 +1866,11 @@ buildvariants:
     - ubuntu2004-small
 - name: publish
   display_name: "Publish"
-  run_on: ubuntu1804-test
+  run_on: ubuntu2404-latest-small
   tasks:
     - name: "upload-java"
     - name: "upload-all"
+    - name: "sign-all"
 - name: packaging
   display_name: "Linux Distro Packaging"
   tasks: [.packaging]
