From e95259919698396208fde9fa5acf55c0c1801815 Mon Sep 17 00:00:00 2001 From: Basit Date: Fri, 26 Jan 2024 17:37:06 +0100 Subject: [PATCH] sign using package --- .../actions/test-and-build/action.yaml | 9 ++- package-lock.json | 65 ++++++++++++++++++- package.json | 1 + scripts/sign-vsix.js | 13 ++++ scripts/sign-vsix.sh | 45 ------------- 5 files changed, 84 insertions(+), 49 deletions(-) create mode 100644 scripts/sign-vsix.js delete mode 100644 scripts/sign-vsix.sh diff --git a/.github/workflows/actions/test-and-build/action.yaml b/.github/workflows/actions/test-and-build/action.yaml index 07f558515..f69e43675 100644 --- a/.github/workflows/actions/test-and-build/action.yaml +++ b/.github/workflows/actions/test-and-build/action.yaml @@ -89,13 +89,18 @@ runs: - name: Sign .vsix if: runner.os == 'Linux' env: - ARTIFACTORY_HOST: ${{ inputs.ARTIFACTORY_HOST }} ARTIFACTORY_PASSWORD: ${{ inputs.ARTIFACTORY_PASSWORD }} ARTIFACTORY_USERNAME: ${{ inputs.ARTIFACTORY_USERNAME }} GARASIGN_PASSWORD: ${{ inputs.GARASIGN_PASSWORD }} GARASIGN_USERNAME: ${{ inputs.GARASIGN_USERNAME }} run: | - bash scripts/sign-vsix.sh + set -e + FILE_TO_SIGN=$(find . -maxdepth 1 -name '*.vsix' -print -quit) + if [ -z "$FILE_TO_SIGN" ]; then + echo "Error: No .vsix file found in the current directory." >&2 + exit 1 + fi + node scripts/sign-vsix.js "${FILE_TO_SIGN}" ls *.vsix.sig shell: bash diff --git a/package-lock.json b/package-lock.json index bf3007bfe..e981e8c50 100644 --- a/package-lock.json +++ b/package-lock.json @@ -50,6 +50,7 @@ "@mongodb-js/oidc-plugin": "^0.3.0", "@mongodb-js/prettier-config-devtools": "^1.0.1", "@mongodb-js/sbom-tools": "^0.5.4", + "@mongodb-js/signing-utils": "^0.3.1", "@mongosh/service-provider-core": "^2.0.2", "@testing-library/react": "^12.1.5", "@types/babel__core": "^7.20.1", 
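Review bot: The closing `ls *.vsix.sig` in the "Sign .vsix" step only shows that some signature file exists, not that the file just signed has one or that the signature is valid. If more than one `.vsix` is present, `find . -maxdepth 1 -name '*.vsix' -print -quit` takes whichever entry comes first, and a stale `.sig` from an earlier build would satisfy the glob. Check the exact output instead, for example `test -s "${FILE_TO_SIGN}.sig"` (assuming the package writes the signature next to its input, as the removed script did), and consider a `gpg --verify` against the release public key before the artifact is published. The step also no longer checks that the GARASIGN_* and ARTIFACTORY_* variables are non-empty, which the old script did; whether the package reports a missing credential clearly is not visible in this diff.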
@@ -4961,6 +4962,17 @@ "mongodb-sbom-tools": "bin/mongodb-sbom-tools.js" } }, + "node_modules/@mongodb-js/signing-utils": { + "version": "0.3.1", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.1.tgz", + "integrity": "sha512-/zAg9vdxTQstu6kNkfOPr9WvLodz88k7egetKw8c5eZyPLBQgm3JfTaH7vQe/iSCuCwvXSk0tNcgo+6AdQNbTw==", + "dev": true, + "dependencies": { + "@types/ssh2": "^1.11.19", + "debug": "^4.3.4", + "ssh2": "^1.15.0" + } + }, "node_modules/@mongodb-js/ssh-tunnel": { "version": "2.1.10", "resolved": "https://registry.npmjs.org/@mongodb-js/ssh-tunnel/-/ssh-tunnel-2.1.10.tgz", @@ -6434,6 +6446,24 @@ "resolved": "https://registry.npmjs.org/@types/sinonjs__fake-timers/-/sinonjs__fake-timers-8.1.2.tgz", "integrity": "sha512-9GcLXF0/v3t80caGs5p2rRfkB+a8VBGLJZVih6CNFkx8IZ994wiKKLSRs9nuFwk1HevWs/1mnUmkApGrSGsShA==" }, + "node_modules/@types/ssh2": { + "version": "1.11.19", + "resolved": "https://registry.npmjs.org/@types/ssh2/-/ssh2-1.11.19.tgz", + "integrity": "sha512-ydbQAqEcdNVy2t1w7dMh6eWMr+iOgtEkqM/3K9RMijMaok/ER7L8GW6PwsOypHCN++M+c8S/UR9SgMqNIFstbA==", + "dev": true, + "dependencies": { + "@types/node": "^18.11.18" + } + }, + "node_modules/@types/ssh2/node_modules/@types/node": { + "version": "18.19.10", + "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.10.tgz", + "integrity": "sha512-IZD8kAM02AW1HRDTPOlz3npFava678pr8Ie9Vp8uRhBROXAv8MXT2pCnGZZAKYdromsNQLHQcfWQ6EOatVLtqA==", + "dev": true, + "dependencies": { + "undici-types": "~5.26.4" + } + }, "node_modules/@types/stack-utils": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/@types/stack-utils/-/stack-utils-2.0.1.tgz", @@ -22322,7 +22352,7 @@ "version": "5.26.5", "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", - "optional": true + "devOptional": true }, "node_modules/union-value": { "version": "1.0.1", 
@@ -27482,6 +27512,17 @@ "spdx-satisfies": "^5.0.1" } }, + "@mongodb-js/signing-utils": { + "version": "0.3.1", + "resolved": "https://registry.npmjs.org/@mongodb-js/signing-utils/-/signing-utils-0.3.1.tgz", + "integrity": "sha512-/zAg9vdxTQstu6kNkfOPr9WvLodz88k7egetKw8c5eZyPLBQgm3JfTaH7vQe/iSCuCwvXSk0tNcgo+6AdQNbTw==", + "dev": true, + "requires": { + "@types/ssh2": "^1.11.19", + "debug": "^4.3.4", + "ssh2": "^1.15.0" + } + }, "@mongodb-js/ssh-tunnel": { "version": "2.1.10", "resolved": "https://registry.npmjs.org/@mongodb-js/ssh-tunnel/-/ssh-tunnel-2.1.10.tgz", @@ -28704,6 +28745,26 @@ "resolved": "https://registry.npmjs.org/@types/sinonjs__fake-timers/-/sinonjs__fake-timers-8.1.2.tgz", "integrity": "sha512-9GcLXF0/v3t80caGs5p2rRfkB+a8VBGLJZVih6CNFkx8IZ994wiKKLSRs9nuFwk1HevWs/1mnUmkApGrSGsShA==" }, + "@types/ssh2": { + "version": "1.11.19", + "resolved": "https://registry.npmjs.org/@types/ssh2/-/ssh2-1.11.19.tgz", + "integrity": "sha512-ydbQAqEcdNVy2t1w7dMh6eWMr+iOgtEkqM/3K9RMijMaok/ER7L8GW6PwsOypHCN++M+c8S/UR9SgMqNIFstbA==", + "dev": true, + "requires": { + "@types/node": "^18.11.18" + }, + "dependencies": { + "@types/node": { + "version": "18.19.10", + "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.10.tgz", + "integrity": "sha512-IZD8kAM02AW1HRDTPOlz3npFava678pr8Ie9Vp8uRhBROXAv8MXT2pCnGZZAKYdromsNQLHQcfWQ6EOatVLtqA==", + "dev": true, + "requires": { + "undici-types": "~5.26.4" + } + } + } + }, "@types/stack-utils": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/@types/stack-utils/-/stack-utils-2.0.1.tgz", @@ -40952,7 +41013,7 @@ "version": "5.26.5", "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", - "optional": true + "devOptional": true }, "union-value": { "version": "1.0.1", diff --git a/package.json b/package.json index e21f6cf35..38997d53e 100644 --- a/package.json +++ b/package.json 
@@ -1117,6 +1117,7 @@
 "@mongodb-js/oidc-plugin": "^0.3.0",
 "@mongodb-js/prettier-config-devtools": "^1.0.1",
 "@mongodb-js/sbom-tools": "^0.5.4",
+ "@mongodb-js/signing-utils": "^0.3.1",
 "@mongosh/service-provider-core": "^2.0.2",
 "@testing-library/react": "^12.1.5",
 "@types/babel__core": "^7.20.1",
diff --git a/scripts/sign-vsix.js b/scripts/sign-vsix.js
new file mode 100644
index 000000000..5a45f7c1f
--- /dev/null
+++ b/scripts/sign-vsix.js
@@ -0,0 +1,13 @@
+const { sign } = require('@mongodb-js/signing-utils');
+
+(async () => {
+ const file = process.argv[2];
+ if (!file) {
+ throw new Error('File is required.');
+ }
+ console.log(`Signing vsix: ${file}`);
+ await sign(file, {
+ client: 'local',
+ signingMethod: 'gpg',
+ });
+})();
diff --git a/scripts/sign-vsix.sh b/scripts/sign-vsix.sh
deleted file mode 100644
index 5cf417adb..000000000
--- a/scripts/sign-vsix.sh
+++ /dev/null
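Review bot: The async IIFE in scripts/sign-vsix.js has no rejection handler, so a failure inside `sign()` or the "File is required." error surfaces only as an unhandled rejection. On Node versions before 15 that is a warning with exit code 0, which would leave the workflow relying on the later `ls *.vsix.sig` to notice a failed signing. Make the failure explicit by ending the script with `})().catch((err) => { console.error(err); process.exit(1); });`. A short header comment naming the environment variables that the `client: 'local'` / `signingMethod: 'gpg'` path reads would also help, since nothing in this file shows how the GARASIGN and ARTIFACTORY credentials set by the workflow reach the package.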
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-FILE_TO_SIGN=$(find . -maxdepth 1 -name '*.vsix' -print -quit)
-
-if [ -z "$FILE_TO_SIGN" ]; then
- echo "Error: No .vsix file found in the current directory." >&2
- exit 1
-fi
-
-required_vars=("ARTIFACTORY_PASSWORD" "ARTIFACTORY_HOST" "ARTIFACTORY_USERNAME" "GARASIGN_USERNAME" "GARASIGN_PASSWORD")
-for var in "${required_vars[@]}"; do
- if [ -z "${!var}" ]; then
- echo "Error: Environment variable $var is not set." >&2
- exit 1
- fi
-done
-
-logout_artifactory() {
- docker logout "${ARTIFACTORY_HOST}" > /dev/null 2>&1
- echo "logged out from artifactory"
-}
-
-trap logout_artifactory EXIT
-
-
-echo "${ARTIFACTORY_PASSWORD}" | docker login "${ARTIFACTORY_HOST}" -u "${ARTIFACTORY_USERNAME}" --password-stdin > /dev/null 2>&1
-
-if [ $? -ne 0 ]; then
- echo "Docker login failed" >&2
- exit 1
-fi
-
-docker run \
- --rm \
- -e GRS_CONFIG_USER1_USERNAME="${GARASIGN_USERNAME}" \
- -e GRS_CONFIG_USER1_PASSWORD="${GARASIGN_PASSWORD}" \
- -v "$(pwd):/tmp/workdir" \
- -w /tmp/workdir \
- ${ARTIFACTORY_HOST}/release-tools-container-registry-local/garasign-gpg \
- /bin/bash -c "gpgloader && gpg --yes -v --armor -o /tmp/workdir/${FILE_TO_SIGN}.sig --detach-sign /tmp/workdir/${FILE_TO_SIGN}"
-
-if [ $? -ne 0 ]; then
- echo "Signing failed" >&2
- exit 1
-fi