Tidy sign_artifacts.sh (#749)

FGasper · web-flow · commit 8ece9ae5e596 · 2025-03-12T15:02:05.000-04:00
This applies 3 changes:
- Teach `macos_notarize_and_sign()` to fetch architecture-specific
`macnotary` binaries. (Thus, if Rosetta breaks again, we won’t lose our
ability to push builds.)
- Fix shellcheck warnings.
- Switch to long-form CLI args for `podman`.
diff --git a/scripts/sign_artifacts.sh b/scripts/sign_artifacts.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 set -o errexit
 
 pgp_sign() {
@@ -7,8 +9,8 @@ pgp_sign() {
   podman run \
     --env-file=signing-envfile \
     --rm \
-    -v $PWD:$PWD \
-    -w $PWD \
+    --volume "$PWD:$PWD" \
+    --workdir "$PWD" \
     artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg \
     /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${signature_name} --detach-sign ${file_name}"
 }
@@ -19,16 +21,16 @@ authenticode_sign() {
   podman run \
   --env-file=signing-envfile \
   --rm \
-  -v $PWD:$PWD \
-  -w $PWD \
+  --volume "$PWD:$PWD" \
+  --workdir "$PWD" \
   artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-jsign \
   /bin/bash -c "jsign -a ${AUTHENTICODE_KEY_NAME} --replace --tsaurl http://timestamp.digicert.com -d SHA-256 ${file_name}"
 }
 
 setup_garasign_authentication() {
   set +x
 
-  echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username ${ARTIFACTORY_USERNAME} artifactory.corp.mongodb.com
+  echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
 
   echo "GRS_CONFIG_USER1_USERNAME=${GARASIGN_USERNAME}" >> "signing-envfile"
   echo "GRS_CONFIG_USER1_PASSWORD=${GARASIGN_PASSWORD}" >> "signing-envfile"
@@ -50,15 +52,32 @@ macos_notarize_and_sign() {
   # turn the untarred package into a zip
   zip -r unsigned.zip "$pkgname"
 
-  curl -LO https://macos-notary-1628249594.s3.amazonaws.com/releases/client/v3.3.3/darwin_amd64.zip
-  unzip darwin_amd64.zip
-  chmod 0755 ./darwin_amd64/macnotary
-  ./darwin_amd64/macnotary -v
+  uname_arch=$(uname -m)
+
+  case "$uname_arch" in
+    arm64)
+      myarch=arm64
+      ;;
+    x86_64)
+      myarch=amd64
+      ;;
+    *)
+      echo "Unknown architecture: $uname_arch"
+      exit 1
+  esac
+
+  macnotary_dir=darwin_${myarch}
+  zip_filename=${macnotary_dir}.zip
+
+  curl -LO "https://macos-notary-1628249594.s3.amazonaws.com/releases/client/v3.3.3/$zip_filename"
+  unzip "$zip_filename"
+  chmod 0755 "./$macnotary_dir/macnotary"
+  "./$macnotary_dir/macnotary" -v
 
   # The key id and secret were set as MACOS_NOTARY_KEY and MACOS_NOTARY_SECRET
   # env vars from the expansions. The macnotary client will look for these env
   # vars so we don't need to pass the credentials as CLI options.
-  ./darwin_amd64/macnotary \
+  "./$macnotary_dir/macnotary" \
       --task-comment "signing the mongo-database-tools release" \
       --task-id "$TASK_ID" \
       --file "$PWD/unsigned.zip" \
@@ -83,7 +102,9 @@ case $MONGO_OS in
 
   *)
     setup_garasign_authentication
-    for file in $(ls mongodb-database-tools*.{tgz,deb,rpm}); do
+    for file in mongodb-database-tools*.{tgz,deb,rpm}; do
+        [ -e "$file" ] || continue
+        
         pgp_sign "$file" "$file.sig"
     done
     ;;
