MONGOCRYPT-837 sign libmongocrypt-all.tar.gz #1143
Merged
kevinAlbs merged 4 commits into mongodb:master from  Mar 31, 2026
Conversation
Add a sign-all task. Use a separate task that can be marked not patchable. The Garasign credentials are (by request) marked "Admin only" to reduce exposure during patches.
This reverts commit ad8669c.
rcsanchez97
approved these changes
Mar 31, 2026
Summary

Add `sign-all` task to sign `libmongocrypt-all.tar.gz`.

Background & Motivation

See MONGOCRYPT-837 for motivation. I would like to eventually remove `libmongocrypt-all.tar.gz`. But providing a signature seemed like a low-effort way to address this concern in the short-term.

Tested in an Evergreen patch including the upload-all task listing `libmongocrypt-all.tar.gz` and a new sign-all task listing `libmongocrypt-all.asc`.

To verify the signature:

Signing credentials are stored in the Evergreen repo settings as "Admin Only". I think "Admin Only" was requested by the Server Security team to limit exposure, but I did not find a reference.

The new `sign-all` task is marked with `patchable: false`. Quoting Evergreen docs:

To test in a patch, I temporarily unselected "Admin Only".

The Publish variant is migrated to use `ubuntu2404-latest`. This was motivated by an observed error on `docker login`:
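The PR description says the new task publishes a detached signature `libmongocrypt-all.asc` next to `libmongocrypt-all.tar.gz`, but the verification command itself is not on this page. The script below is an added example, not code from the PR or from libmongocrypt, showing what a consumer-side check of such a detached, ASCII-armored signature looks like and why a bare `gpg --verify` exit code is the thing to gate on. It assumes GnuPG 2.1 or newer is installed. Because the project's signing key is not given here, the script generates a throwaway key in a temporary `GNUPGHOME` and signs a constructed stand-in file so it runs offline; `verify_detached` is the part you would reuse, after importing the project's published public key into your keyring instead of generating one.

```shell
#!/bin/sh
# Added example (not from the PR): verify a detached ASCII-armored signature
# (<artifact>.asc) over an artifact such as libmongocrypt-all.tar.gz.
# Assumptions: gpg (GnuPG >= 2.1) is on PATH; a throwaway key is generated in a
# temporary GNUPGHOME so the script runs offline. The key, the user ID and the
# tarball contents are constructed for the demo only.
set -u

# verify_detached <artifact> <signature>
# Returns 0 only when gpg accepts the signature against a key in the current
# keyring. gpg output is suppressed on purpose: callers must rely on the exit
# code, not on grepping "Good signature" out of localized text.
verify_detached() {
    gpg --batch --verify "$2" "$1" >/dev/null 2>&1
}

# demo_sign_and_verify
# Create a temporary keyring and key, sign a constructed stand-in for the
# tarball, then check that the untouched file verifies and a tampered copy
# (one byte appended) does not. Prints "good:0 tampered:1" and returns 0 when
# both expectations hold; returns 1 otherwise.
demo_sign_and_verify() {
    tmp=$(mktemp -d) || return 1
    GNUPGHOME="$tmp/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1

    # Throwaway, passphrase-less signing key: fine for a demo, never for releases.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "demo@example.invalid" default default never \
        >/dev/null 2>&1 || return 1

    artifact="$tmp/libmongocrypt-all.tar.gz"   # constructed stand-in, not a real tarball
    sig="$tmp/libmongocrypt-all.asc"
    printf 'constructed stand-in for libmongocrypt-all.tar.gz\n' > "$artifact"

    # Detached, ASCII-armored signature: the same shape as a published .asc file.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$sig" "$artifact" \
        >/dev/null 2>&1 || return 1

    good=1
    tampered=0
    verify_detached "$artifact" "$sig" && good=0          # expect success
    printf 'x' >> "$artifact"                              # tamper: append one byte
    verify_detached "$artifact" "$sig" || tampered=1       # expect failure

    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$tmp"
    echo "good:$good tampered:$tampered"
    [ "$good" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```

The order of arguments matters: `gpg --verify SIGNATURE ARTIFACT`. Passing them the other way round, or verifying against a keyring that has never imported the signer's key, both yield a non-zero exit and should be treated as failed verification, not as "unknown".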