From 68738eb00c6b9c8dad159329336a79e17ee20627 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Fri, 27 Mar 2026 10:25:14 -0400 Subject: [PATCH 1/4] MONGOCYRPT-837 sign libmongocrypt-all.tar.gz Add a sign-all task. Use a separate task that can be marked not patchable. The Garasign credentials are (by request) marked "Admin only" to reduce exposure during patches. --- .evergreen/config.yml | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 3c7b7b1f2..ff35e4c45 100755 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
@@ -899,6 +899,31 @@ tasks: local_file: 'unstable/libmongocrypt-all-${tag_upload_location}.tar.gz' content_type: '${content_type|application/x-gzip}' +- name: sign-all + patchable: false # Garasign credentials are marked as "Admin only" in Evergreen project. "Admin only" variables are not included in patch builds. To test a patch: temporarily unselect "Admin only". + depends_on: upload-all + commands: + - func: "fetch source" # To get Earthfile. + - command: s3.get + params: + role_arn: '${upload_arn}' + remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.tar.gz' + bucket: ${upload_bucket} + local_file: 'libmongocrypt/libmongocrypt-all.tar.gz' + - func: "earthly" # Sign tarball. + vars: + args: --secret garasign_username=${garasign_username} --secret garasign_password=${garasign_password} +sign --file_to_sign=libmongocrypt-all.tar.gz --output_file=libmongocrypt-all.asc --is_patch="${is_patch}" + - command: s3.put # Upload signature. + params: + role_arn: '${upload_arn}' + skip_existing: true + remote_file: 'libmongocrypt/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-all.asc' + bucket: ${upload_bucket} + permissions: ${upload_permissions} + visibility: ${upload_visibility} + local_file: 'libmongocrypt/libmongocrypt-all.asc' + content_type: 'application/pgp-signature' + - name: publish-packages depends_on: build-packages commands: @@ -1694,10 +1719,11 @@ buildvariants: - ubuntu2004-small - name: publish display_name: "Publish" - run_on: ubuntu1804-test + run_on: ubuntu2404-latest-small tasks: - name: "upload-java" - name: "upload-all" + - name: "sign-all" - name: packaging display_name: "Linux Distro Packaging" tasks: [.packaging] From cc9322dcee3e952f0689f4efe5b383440ff2263b Mon Sep 17 00:00:00 2001 
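Review bot: The `s3.get` in sign-all signs whatever object is at `libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.tar.gz` at signing time rather than the artifact this build produced, so the signature attests only to the bucket contents; if that key can hold an older object (upload-all's overwrite behaviour is not visible here), a checksum comparison against the build's own tarball, or signing the local artifact upload-all already has, would tie the signature to the build. The Earthly `--secret garasign_username=${garasign_username} --secret garasign_password=${garasign_password}` arguments put the credentials on the command line; worth confirming the `earthly` func does not echo its `args` and that Evergreen redacts these expansions in task logs, since `patchable: false` only keeps the task out of patch builds, not out of logs. Minor style: `role_arn` and `local_file` are quoted while `bucket: ${upload_bucket}` is not; quote the expansions consistently.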
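Review bot: The `run_on` change from `ubuntu1804-test` to `ubuntu2404-latest-small` on the publish variant is not explained by the commit message, which only describes adding sign-all; if the new Earthly sign step needs the newer distro, say so in the message, otherwise split the distro move into its own commit so it can be reverted independently. The added `- name: "sign-all"` entry is consistent with its siblings.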
From: Kevin Albertson Date: Tue, 31 Mar 2026 09:01:41 -0400 Subject: [PATCH 2/4] upload to same locations as libmongocrypt-all.tar.gz --- .evergreen/config.yml | 72 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 69 insertions(+), 3 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index ff35e4c45..64e8c4838 100755 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
@@ -913,16 +913,82 @@ tasks: - func: "earthly" # Sign tarball. vars: args: --secret garasign_username=${garasign_username} --secret garasign_password=${garasign_password} +sign --file_to_sign=libmongocrypt-all.tar.gz --output_file=libmongocrypt-all.asc --is_patch="${is_patch}" - - command: s3.put # Upload signature. + # Upload to same locations as libmongocrypt-all.tar.gz + - command: shell.exec params: - role_arn: '${upload_arn}' + script: |- + set -o errexit + cd libmongocrypt + if [ -n "${tag_upload_location}" ]; then + # the "fetch source" step detected a release tag on HEAD, so we + # prepare a local file for upload to a location based on the tag + cp -a libmongocrypt-all.asc libmongocrypt-all-${tag_upload_location}.asc + + if [[ "$tag_upload_location" = *-* ]]; then + # Unstable release, like 1.1.0-beta1 or 1.0.1-rc0. + mkdir unstable + cp -a libmongocrypt-all.asc unstable/libmongocrypt-all-${tag_upload_location}.asc + else + mkdir stable + cp -a libmongocrypt-all.asc stable/libmongocrypt-all-${tag_upload_location}.asc + fi + fi + - command: s3.put + params: + role_arn: ${upload_arn} + skip_existing: true + remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.asc' + bucket: ${upload_bucket} + permissions: ${upload_permissions} + visibility: ${upload_visibility} + local_file: 'libmongocrypt/libmongocrypt-all.asc' + content_type: 'application/pgp-signature' + - command: s3.put + params: + role_arn: ${upload_arn} skip_existing: true - remote_file: 'libmongocrypt/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-all.asc' + remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt-all.asc' bucket: ${upload_bucket} permissions: ${upload_permissions} visibility: ${upload_visibility} local_file: 'libmongocrypt/libmongocrypt-all.asc' content_type: 'application/pgp-signature' + - command: s3.put + params: + role_arn: ${upload_arn} + skip_existing: true + remote_file: 
'libmongocrypt/all/${tag_upload_location}/libmongocrypt-all.asc' + bucket: ${upload_bucket} + permissions: ${upload_permissions} + visibility: ${upload_visibility} + optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for tagged release. + display_name: 'libmongocrypt-all-${tag_upload_location}.asc' + local_file: 'libmongocrypt/libmongocrypt-all-${tag_upload_location}.asc' + content_type: 'application/pgp-signature' + - command: s3.put + params: + role_arn: ${upload_arn} + skip_existing: true + remote_file: 'libmongocrypt/all/latest/stable/libmongocrypt-all.asc' + bucket: ${upload_bucket} + permissions: ${upload_permissions} + visibility: ${upload_visibility} + optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for stable release. + display_name: 'stable/libmongocrypt-all-${tag_upload_location}.asc' + local_file: 'libmongocrypt/stable/libmongocrypt-all-${tag_upload_location}.asc' + content_type: 'application/pgp-signature' + - command: s3.put + params: + role_arn: ${upload_arn} + skip_existing: true + remote_file: 'libmongocrypt/all/latest/unstable/libmongocrypt-all.asc' + bucket: ${upload_bucket} + permissions: ${upload_permissions} + visibility: ${upload_visibility} + optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for unstable release. + display_name: 'unstable/libmongocrypt-all-${tag_upload_location}.asc' + local_file: 'libmongocrypt/unstable/libmongocrypt-all-${tag_upload_location}.asc' + content_type: 'application/pgp-signature' - name: publish-packages depends_on: build-packages From ec9ba4967d43d983e101541b43d09d9e4d1f5531 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Tue, 31 Mar 2026 09:02:04 -0400 Subject: [PATCH 3/4] temp: make patchable --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 64e8c4838..427011dbb 100755 
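Review bot: The single signature produced over the tarball fetched from `${libmongocrypt_s3_suffix}` is re-uploaded to the `${libmongocrypt_s3_suffix_copy}`, `${tag_upload_location}`, `latest/stable` and `latest/unstable` keys, which is only sound if the tarball at each of those keys is byte-identical to the signed one; with `skip_existing: true` on every put, an `.asc` left behind by an earlier run could also stay pinned to an older tarball if the corresponding tarball upload does overwrite (not visible here). Consider a verification step that fetches each target tarball and compares it to the signed bytes before the puts, or at least mirror upload-all's `skip_existing` setting exactly. In the shell.exec script the outer test uses the Evergreen expansion `${tag_upload_location}` but the inner `[[ "$tag_upload_location" = *-* ]]` reads a plain shell variable that is only set if expansions are exported into the environment, and `[[` needs bash rather than the default `sh`; if this was copied from upload-all's script the same applies there, but `if [[ "${tag_upload_location}" = *-* ]]; then` together with `shell: bash` removes the dependency. Style: `role_arn: ${upload_arn}` is unquoted here where patch 1 wrote `'${upload_arn}'`.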
--- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -900,7 +900,7 @@ tasks: content_type: '${content_type|application/x-gzip}' - name: sign-all - patchable: false # Garasign credentials are marked as "Admin only" in Evergreen project. "Admin only" variables are not included in patch builds. To test a patch: temporarily unselect "Admin only". + # patchable: false # Garasign credentials are marked as "Admin only" in Evergreen project. "Admin only" variables are not included in patch builds. To test a patch: temporarily unselect "Admin only". depends_on: upload-all commands: - func: "fetch source" # To get Earthfile. From 5ea36b53ee35c7af3dc7cc9f31944d437e6d93b7 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Tue, 31 Mar 2026 09:03:38 -0400 Subject: [PATCH 4/4] Revert "temp: make patchable" This reverts commit ad8669c3fd9de47cd1388b5cb37b1a3eab3e72c6. --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 427011dbb..64e8c4838 100755 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -900,7 +900,7 @@ tasks: content_type: '${content_type|application/x-gzip}' - name: sign-all - # patchable: false # Garasign credentials are marked as "Admin only" in Evergreen project. "Admin only" variables are not included in patch builds. To test a patch: temporarily unselect "Admin only". + patchable: false # Garasign credentials are marked as "Admin only" in Evergreen project. "Admin only" variables are not included in patch builds. To test a patch: temporarily unselect "Admin only". depends_on: upload-all commands: - func: "fetch source" # To get Earthfile.
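Review bot: Commenting out `patchable: false` here is undone by the next patch in the series, so the two commits cancel out and leave an intermediate revision where sign-all is patchable and would presumably fail in patch builds for lack of the Admin-only Garasign expansions; drop both from the series before merge. The revert message also names commit `ad8669c3fd9de47cd1388b5cb37b1a3eab3e72c6`, which is not the hash of this patch, suggesting the series was rebased after the revert was written. If the intent is to document how to test in a patch, the existing inline comment on the `patchable` line already covers it.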