From 26939a6233fc1fd5b206d8ee860d2b5169f652d9 Mon Sep 17 00:00:00 2001 From: Basit <1305718+mabaasit@users.noreply.github.com> Date: Thu, 2 May 2024 09:05:50 +0200 Subject: [PATCH] chore(ci): verify artifacts MONGOSH-1695 (#1961) * setup artifact verification * correct path * indent 2 * release depends on verify artifacts * skip mac zip check * correct darwin check * pr feedback --- .evergreen.yml | 356 +++++++++++++++++++++++++ .evergreen/evergreen.yml.in | 50 ++++ .evergreen/verify-packaged-artifact.sh | 94 +++++++ 3 files changed, 500 insertions(+) create mode 100755 .evergreen/verify-packaged-artifact.sh diff --git a/.evergreen.yml b/.evergreen.yml index b464b1208..0b7e6a256 100644 --- a/.evergreen.yml +++ b/.evergreen.yml @@ -52,6 +52,7 @@ post: # compile_artifact - Compile the release binary. # package_artifact - Upload the release binary together with other files to S3. # sign_artifact - Get a package file from S3, sign it, put it back into S3. +# verify_artifact - Verify if the package was successfully signed using Garasign. # test_linux_artifact - Test that the built artifact works where we expect it to. # We use this to verify that e.g. the Ubuntu-built release # binary also works on RHEL and Debian. @@ -6631,6 +6632,19 @@ functions: PACKAGE_VARIANT: ${package_variant} MACOS_NOTARY_KEY: ${macos_notary_key} MACOS_NOTARY_SECRET: ${macos_notary_secret} + verify_artifact: + - command: expansions.write + type: setup + params: + file: tmp/expansions.yaml + redacted: true + - command: shell.exec + params: + working_dir: src + shell: bash + script: | + set -e + .evergreen/verify-packaged-artifact.sh put_artifact_url: - command: s3.put params: 
@@ -11841,6 +11855,18 @@ tasks: vars: package_variant: darwin-x64 signature_tag: signed + - name: verify_artifact_darwin_x64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_darwin_x64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: darwin-x64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_darwin_arm64 depends_on: - name: compile_artifact @@ -11886,6 +11912,18 @@ tasks: vars: package_variant: darwin-arm64 signature_tag: signed + - name: verify_artifact_darwin_arm64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_darwin_arm64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: darwin-arm64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_linux_x64 depends_on: - name: compile_artifact @@ -11931,6 +11969,18 @@ tasks: vars: package_variant: linux-x64 signature_tag: signed + - name: verify_artifact_linux_x64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_linux_x64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: linux-x64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_deb_x64 depends_on: - name: compile_artifact @@ -11976,6 +12026,18 @@ tasks: vars: package_variant: deb-x64 signature_tag: signed + - name: verify_artifact_deb_x64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_deb_x64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: deb-x64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_rpm_x64 depends_on: - name: compile_artifact 
@@ -12021,6 +12083,18 @@ tasks: vars: package_variant: rpm-x64 signature_tag: signed + - name: verify_artifact_rpm_x64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_rpm_x64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: rpm-x64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_linux_x64_openssl11 depends_on: - name: compile_artifact @@ -12066,6 +12140,18 @@ tasks: vars: package_variant: linux-x64-openssl11 signature_tag: signed + - name: verify_artifact_linux_x64_openssl11 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_linux_x64_openssl11 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: linux-x64-openssl11 + signature_tag: signed + - func: verify_artifact - name: package_artifact_deb_x64_openssl11 depends_on: - name: compile_artifact @@ -12111,6 +12197,18 @@ tasks: vars: package_variant: deb-x64-openssl11 signature_tag: signed + - name: verify_artifact_deb_x64_openssl11 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_deb_x64_openssl11 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: deb-x64-openssl11 + signature_tag: signed + - func: verify_artifact - name: package_artifact_rpm_x64_openssl11 depends_on: - name: compile_artifact @@ -12156,6 +12254,18 @@ tasks: vars: package_variant: rpm-x64-openssl11 signature_tag: signed + - name: verify_artifact_rpm_x64_openssl11 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_rpm_x64_openssl11 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: rpm-x64-openssl11 + signature_tag: signed + - func: verify_artifact - name: package_artifact_linux_x64_openssl3 depends_on: - name: compile_artifact 
@@ -12201,6 +12311,18 @@ tasks: vars: package_variant: linux-x64-openssl3 signature_tag: signed + - name: verify_artifact_linux_x64_openssl3 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_linux_x64_openssl3 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: linux-x64-openssl3 + signature_tag: signed + - func: verify_artifact - name: package_artifact_deb_x64_openssl3 depends_on: - name: compile_artifact @@ -12246,6 +12368,18 @@ tasks: vars: package_variant: deb-x64-openssl3 signature_tag: signed + - name: verify_artifact_deb_x64_openssl3 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_deb_x64_openssl3 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: deb-x64-openssl3 + signature_tag: signed + - func: verify_artifact - name: package_artifact_rpm_x64_openssl3 depends_on: - name: compile_artifact @@ -12291,6 +12425,18 @@ tasks: vars: package_variant: rpm-x64-openssl3 signature_tag: signed + - name: verify_artifact_rpm_x64_openssl3 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_rpm_x64_openssl3 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: rpm-x64-openssl3 + signature_tag: signed + - func: verify_artifact - name: package_artifact_linux_arm64 depends_on: - name: compile_artifact @@ -12336,6 +12482,18 @@ tasks: vars: package_variant: linux-arm64 signature_tag: signed + - name: verify_artifact_linux_arm64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_linux_arm64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: linux-arm64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_deb_arm64 depends_on: - name: compile_artifact 
@@ -12381,6 +12539,18 @@ tasks: vars: package_variant: deb-arm64 signature_tag: signed + - name: verify_artifact_deb_arm64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_deb_arm64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: deb-arm64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_rpm_arm64 depends_on: - name: compile_artifact @@ -12426,6 +12596,18 @@ tasks: vars: package_variant: rpm-arm64 signature_tag: signed + - name: verify_artifact_rpm_arm64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_rpm_arm64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: rpm-arm64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_linux_arm64_openssl11 depends_on: - name: compile_artifact @@ -12471,6 +12653,18 @@ tasks: vars: package_variant: linux-arm64-openssl11 signature_tag: signed + - name: verify_artifact_linux_arm64_openssl11 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_linux_arm64_openssl11 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: linux-arm64-openssl11 + signature_tag: signed + - func: verify_artifact - name: package_artifact_deb_arm64_openssl11 depends_on: - name: compile_artifact @@ -12516,6 +12710,18 @@ tasks: vars: package_variant: deb-arm64-openssl11 signature_tag: signed + - name: verify_artifact_deb_arm64_openssl11 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_deb_arm64_openssl11 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: deb-arm64-openssl11 + signature_tag: signed + - func: verify_artifact - name: package_artifact_rpm_arm64_openssl11 depends_on: - name: compile_artifact 
@@ -12561,6 +12767,18 @@ tasks: vars: package_variant: rpm-arm64-openssl11 signature_tag: signed + - name: verify_artifact_rpm_arm64_openssl11 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_rpm_arm64_openssl11 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: rpm-arm64-openssl11 + signature_tag: signed + - func: verify_artifact - name: package_artifact_linux_arm64_openssl3 depends_on: - name: compile_artifact @@ -12606,6 +12824,18 @@ tasks: vars: package_variant: linux-arm64-openssl3 signature_tag: signed + - name: verify_artifact_linux_arm64_openssl3 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_linux_arm64_openssl3 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: linux-arm64-openssl3 + signature_tag: signed + - func: verify_artifact - name: package_artifact_deb_arm64_openssl3 depends_on: - name: compile_artifact @@ -12651,6 +12881,18 @@ tasks: vars: package_variant: deb-arm64-openssl3 signature_tag: signed + - name: verify_artifact_deb_arm64_openssl3 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_deb_arm64_openssl3 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: deb-arm64-openssl3 + signature_tag: signed + - func: verify_artifact - name: package_artifact_rpm_arm64_openssl3 depends_on: - name: compile_artifact @@ -12696,6 +12938,18 @@ tasks: vars: package_variant: rpm-arm64-openssl3 signature_tag: signed + - name: verify_artifact_rpm_arm64_openssl3 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_rpm_arm64_openssl3 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: rpm-arm64-openssl3 + signature_tag: signed + - func: verify_artifact - name: package_artifact_linux_ppc64le depends_on: - name: compile_artifact 
@@ -12741,6 +12995,18 @@ tasks: vars: package_variant: linux-ppc64le signature_tag: signed + - name: verify_artifact_linux_ppc64le + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_linux_ppc64le + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: linux-ppc64le + signature_tag: signed + - func: verify_artifact - name: package_artifact_rpm_ppc64le depends_on: - name: compile_artifact @@ -12786,6 +13052,18 @@ tasks: vars: package_variant: rpm-ppc64le signature_tag: signed + - name: verify_artifact_rpm_ppc64le + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_rpm_ppc64le + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: rpm-ppc64le + signature_tag: signed + - func: verify_artifact - name: package_artifact_linux_s390x depends_on: - name: compile_artifact @@ -12831,6 +13109,18 @@ tasks: vars: package_variant: linux-s390x signature_tag: signed + - name: verify_artifact_linux_s390x + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_linux_s390x + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: linux-s390x + signature_tag: signed + - func: verify_artifact - name: package_artifact_rpm_s390x depends_on: - name: compile_artifact @@ -12876,6 +13166,18 @@ tasks: vars: package_variant: rpm-s390x signature_tag: signed + - name: verify_artifact_rpm_s390x + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_rpm_s390x + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: rpm-s390x + signature_tag: signed + - func: verify_artifact - name: package_artifact_win32_x64 depends_on: - name: compile_artifact 
@@ -12921,6 +13223,18 @@ tasks: vars: package_variant: win32-x64 signature_tag: signed + - name: verify_artifact_win32_x64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_win32_x64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: win32-x64 + signature_tag: signed + - func: verify_artifact - name: package_artifact_win32msi_x64 depends_on: - name: compile_artifact @@ -12966,6 +13280,18 @@ tasks: vars: package_variant: win32msi-x64 signature_tag: signed + - name: verify_artifact_win32msi_x64 + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_win32msi_x64 + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: win32msi-x64 + signature_tag: signed + - func: verify_artifact ### # SMOKE TESTS 
@@ -14624,36 +14950,42 @@ buildvariants: - name: sign_artifact_linux_x64 - name: package_artifact_deb_x64 - name: sign_artifact_deb_x64 + - name: verify_artifact_deb_x64 - name: package_artifact_rpm_x64 - name: sign_artifact_rpm_x64 - name: package_artifact_linux_x64_openssl11 - name: sign_artifact_linux_x64_openssl11 - name: package_artifact_deb_x64_openssl11 - name: sign_artifact_deb_x64_openssl11 + - name: verify_artifact_deb_x64_openssl11 - name: package_artifact_rpm_x64_openssl11 - name: sign_artifact_rpm_x64_openssl11 - name: package_artifact_linux_x64_openssl3 - name: sign_artifact_linux_x64_openssl3 - name: package_artifact_deb_x64_openssl3 - name: sign_artifact_deb_x64_openssl3 + - name: verify_artifact_deb_x64_openssl3 - name: package_artifact_rpm_x64_openssl3 - name: sign_artifact_rpm_x64_openssl3 - name: package_artifact_linux_arm64 - name: sign_artifact_linux_arm64 - name: package_artifact_deb_arm64 - name: sign_artifact_deb_arm64 + - name: verify_artifact_deb_arm64 - name: package_artifact_rpm_arm64 - name: sign_artifact_rpm_arm64 - name: package_artifact_linux_arm64_openssl11 - name: sign_artifact_linux_arm64_openssl11 - name: package_artifact_deb_arm64_openssl11 - name: sign_artifact_deb_arm64_openssl11 + - name: verify_artifact_deb_arm64_openssl11 - name: package_artifact_rpm_arm64_openssl11 - name: sign_artifact_rpm_arm64_openssl11 - name: package_artifact_linux_arm64_openssl3 - name: sign_artifact_linux_arm64_openssl3 - name: package_artifact_deb_arm64_openssl3 - name: sign_artifact_deb_arm64_openssl3 + - name: verify_artifact_deb_arm64_openssl3 - name: package_artifact_rpm_arm64_openssl3 - name: sign_artifact_rpm_arm64_openssl3 - name: package_artifact_linux_ppc64le 
@@ -14666,6 +14998,30 @@ buildvariants: - name: sign_artifact_rpm_s390x - name: sign_artifact_win32_x64 - name: sign_artifact_win32msi_x64 + - name: verify_rhel_artifact + display_name: "RHEL (Signature Verification)" + run_on: rhel80-small + tasks: + - name: verify_artifact_rpm_x64 + - name: verify_artifact_rpm_x64_openssl11 + - name: verify_artifact_rpm_x64_openssl3 + - name: verify_artifact_rpm_arm64 + - name: verify_artifact_rpm_arm64_openssl11 + - name: verify_artifact_rpm_arm64_openssl3 + - name: verify_artifact_rpm_ppc64le + - name: verify_artifact_rpm_s390x + - name: verify_windows_artifact + display_name: "Windows (Signature Verification)" + run_on: windows-vsCurrent-small + tasks: + - name: verify_artifact_win32_x64 + - name: verify_artifact_win32msi_x64 + - name: verify_mac_artifact + display_name: "MacOS (Signature Verification)" + run_on: macos-1100 + tasks: + - name: verify_artifact_darwin_arm64 + - name: verify_artifact_darwin_x64 - name: linux_x64_build display_name: "RHEL 7.0 x64 (build)" run_on: rhel70-build diff --git a/.evergreen/evergreen.yml.in b/.evergreen/evergreen.yml.in index 38e9fcdf6..55408b2a7 100644 --- a/.evergreen/evergreen.yml.in +++ b/.evergreen/evergreen.yml.in @@ -117,6 +117,7 @@ post: # compile_artifact - Compile the release binary. # package_artifact - Upload the release binary together with other files to S3. # sign_artifact - Get a package file from S3, sign it, put it back into S3. +# verify_artifact - Verify if the package was successfully signed using Garasign. # test_linux_artifact - Test that the built artifact works where we expect it to. # We use this to verify that e.g. the Ubuntu-built release # binary also works on RHEL and Debian. 
@@ -497,6 +498,19 @@ functions: PACKAGE_VARIANT: ${package_variant} MACOS_NOTARY_KEY: ${macos_notary_key} MACOS_NOTARY_SECRET: ${macos_notary_secret} + verify_artifact: + - command: expansions.write + type: setup + params: + file: tmp/expansions.yaml + redacted: true + - command: shell.exec + params: + working_dir: src + shell: bash + script: | + set -e + .evergreen/verify-packaged-artifact.sh put_artifact_url: - command: s3.put params: @@ -1178,6 +1192,18 @@ tasks: vars: package_variant: <% out(packageVariant) %> signature_tag: signed + - name: verify_artifact_<% out(packageVariant.replace(/-/g, '_')) %> + tags: ["smoke-test"] + depends_on: + - name: sign_artifact_<% out(packageVariant.replace(/-/g, '_')) %> + variant: "*" + commands: + - func: checkout + - func: get_artifact_url + vars: + package_variant: <% out(packageVariant) %> + signature_tag: signed + - func: verify_artifact <% } } %> ### 
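Review bot: The `expansions.write` step in `verify_artifact` sets `redacted: true`, which, as I read the Evergreen option, writes the project's redacted expansions into `tmp/expansions.yaml` on the verification host. Nothing in `verify-packaged-artifact.sh` as added by this patch reads that file. Signature verification needs only the public key and the artifact URL, so the step looks removable. If `retry-with-backoff.sh` (not shown) or a later step does need the file, a comment such as `# expansions.yaml is read by <consumer>` would record why. The generated `.evergreen.yml` carries the same block.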
@@ -1362,9 +1388,33 @@ buildvariants: if (executableOsId.startsWith('linux')) { %> - name: package_artifact_<% out(packageVariant.replace(/-/g, '_')) %> - name: sign_artifact_<% out(packageVariant.replace(/-/g, '_')) %> + <% if (packageVariant.startsWith('deb')) { %> + - name: verify_artifact_<% out(packageVariant.replace(/-/g, '_')) %> + <% } %> <% } } } %> - name: sign_artifact_win32_x64 - name: sign_artifact_win32msi_x64 + - name: verify_rhel_artifact + display_name: "RHEL (Signature Verification)" + run_on: rhel80-small + tasks: + <% for (const { packages } of RELEASE_PACKAGE_MATRIX) { + for (const { name: packageVariant } of packages) { + if (packageVariant.startsWith('rpm')) { %> + - name: verify_artifact_<% out(packageVariant.replace(/-/g, '_')) %> + <% } } } %> + - name: verify_windows_artifact + display_name: "Windows (Signature Verification)" + run_on: windows-vsCurrent-small + tasks: + - name: verify_artifact_win32_x64 + - name: verify_artifact_win32msi_x64 + - name: verify_mac_artifact + display_name: "MacOS (Signature Verification)" + run_on: macos-1100 + tasks: + - name: verify_artifact_darwin_arm64 + - name: verify_artifact_darwin_x64 - name: linux_x64_build display_name: "RHEL 7.0 x64 (build)" run_on: rhel70-build diff --git a/.evergreen/verify-packaged-artifact.sh b/.evergreen/verify-packaged-artifact.sh new file mode 100755 index 000000000..0fdbadf79 --- /dev/null +++ b/.evergreen/verify-packaged-artifact.sh 
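Review bot: The `verify_artifact_linux_*` tasks are not scheduled by any build variant in the hunks shown, so the tarball signatures appear never to be checked. The new `if (packageVariant.startsWith('deb'))` guard schedules only the deb tasks in the Linux package variant, and `verify_rhel_artifact` lists only rpm tasks. Yet a `verify_artifact_<variant>` task is generated for every package, and the script's gpg path would cover the tarballs. If they are meant to be verified, the guard could read `<% if (packageVariant.startsWith('deb') || packageVariant.startsWith('linux')) { %>`; otherwise a comment should say why they are excluded. The enclosing `for` loop starts outside this hunk, so the host this variant runs on should be confirmed to have gpg available.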
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+set -e
+set -x
+
+# Use tmp directory for all gpg operations/the rpm database
+GPG_HOME=$(mktemp -d)
+TMP_FILE=$(mktemp)
+MONGOSH_KEY="https://pgp.mongodb.com/mongosh.asc"
+ARTIFACTS_DIR="dist"
+
+trap_handler() {
+ local code=$?
+ if [ $code -eq 0 ]; then
+ echo "Verification successful"
+ else
+ echo "Verification failed with exit code $code"
+ cat "$TMP_FILE"
+ fi
+ rm -f "$TMP_FILE"
+ rm -rf "$GPG_HOME"
+ exit $code
+}
+
+trap trap_handler ERR EXIT
+
+verify_using_gpg() {
+ echo "Verifying $1 using gpg"
+ gpg --homedir $GPG_HOME --verify $ARTIFACTS_DIR/$1.sig $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
+}
+
+verify_using_powershell() {
+ echo "Verifying $1 using powershell"
+ powershell Get-AuthenticodeSignature -FilePath $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
+}
+
+verify_using_codesign() {
+ echo "Verifying $1 using codesign"
+ codesign -dv --verbose=4 $ARTIFACTS_DIR/$1 > "$TMP_FILE" 2>&1
+}
+
+verify_using_rpm() {
+ # RPM packages are signed using gpg and the signature is embedded in the package.
+ # Here, we need to import the key in `rpm` and then verify the signature.
+ echo "Importing key into rpm"
+ rpm --dbpath "$GPG_HOME" --import $MONGOSH_KEY > "$TMP_FILE" 2>&1
+ # Even if the file is not signed, the command below will exit with 0 and output something like: digests OK
+ # So we need to check the output of the command to see if the file is signed successfully.
+ echo "Verifying $1 using rpm"
+ output=$(rpm --dbpath "$GPG_HOME" -K $ARTIFACTS_DIR/$1)
+
+ # Check if the output contains the string "digests signatures OK"
+ if [[ $output != *"digests signatures OK"* ]]; then
+ echo "File $1 is not signed"
+ exit 1
+ fi
+}
+
+setup_gpg() {
+ echo "Importing mongosh public key"
+ curl $MONGOSH_KEY | gpg --homedir $GPG_HOME --import > "$TMP_FILE" 2>&1
+}
+
+BASEDIR="$PWD/.evergreen"
+ARTIFACT_URL_FILE="$PWD/../artifact-url.txt"
+
+echo "Downloading artifact from URL: $(cat $ARTIFACT_URL_FILE)"
+(mkdir -p "$ARTIFACTS_DIR" && cd "$ARTIFACTS_DIR" && bash "$BASEDIR/retry-with-backoff.sh" curl -sSfLO --url "$(cat "$ARTIFACT_URL_FILE")")
+ls -lh "$ARTIFACTS_DIR"
+
+ARTIFACT_FILE_NAME=$(basename $(cat "$ARTIFACT_URL_FILE"))
+
+if [[ $ARTIFACT_FILE_NAME == *.dmg ]]; then
+ verify_using_codesign $ARTIFACT_FILE_NAME
+elif [[ $ARTIFACT_FILE_NAME == *.msi ]] || [[ $ARTIFACT_FILE_NAME == *.exe ]]; then
+ verify_using_powershell $ARTIFACT_FILE_NAME
+else
+ # If we are on windows or mac, we skip the gpg verification
+ # 1. Windows because it requires gpg setup
+ # 2. MacOS as the archives are not signed but the contents of the zip are signed
+ # (check './sign-packaged-artifact.sh') and hence we don't have any .sig file.
+ if [[ $OSTYPE == "cygwin" ]] || [[ $OSTYPE == "darwin"* ]]; then
+ echo "Skipping GPG verification on {$OSTYPE}"
+ exit 0
+ fi
+
+ setup_gpg
+ if [[ $ARTIFACT_FILE_NAME == *.rpm ]]; then
+ verify_using_rpm $ARTIFACT_FILE_NAME
+ else
+ echo "Downloading the GPG signature file"
+ (cd "$ARTIFACTS_DIR" && bash "$BASEDIR/retry-with-backoff.sh" curl -sSfLO --url "$(cat "$ARTIFACT_URL_FILE").sig")
+ verify_using_gpg $ARTIFACT_FILE_NAME
+ fi
+fi
\ No newline at end of file
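Review bot: `verify_using_powershell` cannot fail on an unsigned or tampered file. `Get-AuthenticodeSignature` reports the outcome in the `Status` property of the object it returns rather than through its exit status, and the output only goes to `$TMP_FILE`, which is printed on failure alone. The call should test the status, e.g. `powershell -Command "if ((Get-AuthenticodeSignature -FilePath '$ARTIFACTS_DIR/$1').Status -ne 'Valid') { exit 1 }"`. `verify_using_codesign` has a related gap: `codesign -dv` displays signing information, whereas `codesign --verify --strict` is the form that checks the signature against the file contents. A comment next to `MONGOSH_KEY` should also note that the key is downloaded at run time with no fingerprint pinned, so the gpg and rpm checks trust whatever that URL serves.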