RUST-1921 Sign crate on release (#1095)

Author: abr-egn

.evergreen/release-build-papertrail-vars.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+
+source ./.evergreen/env.sh
+
+set +x
+
+CRATE_VERSION=$(cargo metadata --format-version=1 --no-deps | jq --raw-output '.packages[0].version')
+
+. ${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh drivers/rust
+rm secrets-export.sh
+
+PAPERTRAIL_PRODUCT="rust-driver"
+if [[ "${DRY_RUN}" == "yes" ]]; then
+  PAPERTRAIL_PRODUCT="rust-driver-testing"
+fi
+
+cat <<EOT >release-expansion.yml
+CRATE_VERSION: "${CRATE_VERSION}"
+PAPERTRAIL_KEY_ID: "${PAPERTRAIL_KEY_ID}"
+PAPERTRAIL_SECRET_KEY: "${PAPERTRAIL_SECRET_KEY}"
+PAPERTRAIL_PRODUCT: "${PAPERTRAIL_PRODUCT}"
+ARTIFACTORY_USERNAME: "${ARTIFACTORY_USERNAME}"
+ARTIFACTORY_PASSWORD: "${ARTIFACTORY_PASSWORD}"
+GARASIGN_USERNAME: "${GARASIGN_USERNAME}"
+GARASIGN_PASSWORD: "${GARASIGN_PASSWORD}"
+EOT

.evergreen/release-build-vars.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -o errexit
+set +x
+
+echo "${ARTIFACTORY_PASSWORD}" | docker login --password-stdin --username ${ARTIFACTORY_USERNAME} artifactory.corp.mongodb.com
+
+echo "GRS_CONFIG_USER1_USERNAME=${GARASIGN_USERNAME}" >> "signing-envfile"
+echo "GRS_CONFIG_USER1_PASSWORD=${GARASIGN_PASSWORD}" >> "signing-envfile"
+
+docker run \
+  --env-file=signing-envfile \
+  --rm \
+  -v $(pwd):$(pwd) \
+  -w $(pwd) \
+  artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg \
+  /bin/bash -c "gpgloader && gpg --yes -v --armor -o mongodb-${CRATE_VERSION}.sig --detach-sign target/package/mongodb-${CRATE_VERSION}.crate"

.evergreen/release-sign.sh

@@ -90,26 +90,27 @@ functions:
         args:
           - .evergreen/fetch-drivers-tools.sh
 
-  "build papertrail vars":
+  "build vars":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+
     - command: subprocess.exec
       params:
         working_dir: src
-        include_expansions_in_env:
-          - DRIVERS_TOOLS
-          - DRY_RUN
-          - GIT_TAG
+        add_expansions_to_env: true
         binary: bash
         args:
-          - .evergreen/release-build-papertrail-vars.sh
+          - .evergreen/release-build-vars.sh
 
     - command: expansions.update
       params:
-        file: src/papertrail-expansion.yml
+        file: src/release-expansion.yml
 
     - command: shell.exec
       params:
         working_dir: "src"
-        script: rm papertrail-expansion.yml
+        script: rm release-expansion.yml
 
   "fetch tag":
     command: subprocess.exec
@@ -137,19 +138,38 @@ functions:
         key_id: ${PAPERTRAIL_KEY_ID}
         secret_key: ${PAPERTRAIL_SECRET_KEY}
         product: ${PAPERTRAIL_PRODUCT}
-        version: ${GIT_TAG}
+        version: ${CRATE_VERSION}
         filenames:
-          - src/target/package/mongodb-*.crate
+          - src/target/package/mongodb-${CRATE_VERSION}.crate
+
+  "sign release":
+    - command: subprocess.exec
+      params:
+        working_dir: "src"
+        include_expansions_in_env:
+          - ARTIFACTORY_USERNAME
+          - ARTIFACTORY_PASSWORD
+          - GARASIGN_USERNAME
+          - GARASIGN_PASSWORD
+          - CRATE_VERSION
+        binary: bash
+        args:
+          - .evergreen/release-sign.sh
+
+  "save signature":
+    command: s3.push
 
 tasks:
   - name: "publish-release"
     commands:
       - func: "fetch source"
       - func: "install dependencies"
       - func: "fetch tag"
-      - func: "build papertrail vars"
+      - func: "build vars"
       - func: "publish release"
       - func: "publish papertrail"
+      - func: "sign release"
+      - func: "save signature"
 
 axes:
   - id: "os"