@mongodb-js/signing-utils 0.2.0

package/dist/signing-clients/index.js

@@ -0,0 +1,59 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSigningClient = exports.RemoteSigningClient = exports.LocalSigningClient = void 0;
+const path = __importStar(require("path"));
+const ssh_client_1 = require("../ssh-client");
+const local_signing_client_1 = require("./local-signing-client");
+const remote_signing_client_1 = require("./remote-signing-client");
+var local_signing_client_2 = require("./local-signing-client");
+Object.defineProperty(exports, "LocalSigningClient", { enumerable: true, get: function () { return local_signing_client_2.LocalSigningClient; } });
+var remote_signing_client_2 = require("./remote-signing-client");
+Object.defineProperty(exports, "RemoteSigningClient", { enumerable: true, get: function () { return remote_signing_client_2.RemoteSigningClient; } });
+async function getSigningClient(options) {
+    async function getSshClient(sshOptions) {
+        const sshClient = new ssh_client_1.SSHClient(sshOptions);
+        await sshClient.connect();
+        return sshClient;
+    }
+    const signingScript = path.join(__dirname, '../..', 'src', './garasign.sh');
+    if (options.client === 'remote') {
+        const sshClient = await getSshClient(options);
+        return new remote_signing_client_1.RemoteSigningClient(sshClient, {
+            workingDirectory: options.workingDirectory ?? '/home/ubuntu/garasign',
+            signingScript,
+            signingMethod: options.signingMethod,
+        });
+    }
+    if (options.client === 'local') {
+        return new local_signing_client_1.LocalSigningClient({
+            signingScript,
+            signingMethod: options.signingMethod,
+        });
+    }
+    throw new Error(`Unknown client type: ${options.client}`);
+}
+exports.getSigningClient = getSigningClient;
+//# sourceMappingURL=index.js.map

package/dist/signing-clients/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/signing-clients/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAEA,2CAA6B;AAC7B,8CAA0C;AAC1C,iEAA4D;AAC5D,mEAA8D;AAE9D,+DAA4D;AAAnD,0HAAA,kBAAkB,OAAA;AAC3B,iEAA8D;AAArD,4HAAA,mBAAmB,OAAA;AA4CrB,KAAK,UAAU,gBAAgB,CACpC,OAAsB;IAEtB,KAAK,UAAU,YAAY,CAAC,UAAyB;QACnD,MAAM,SAAS,GAAG,IAAI,sBAAS,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;IAE5E,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE9C,OAAO,IAAI,2CAAmB,CAAC,SAAS,EAAE;YACxC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,IAAI,uBAAuB;YACrE,aAAa;YACb,aAAa,EAAE,OAAO,CAAC,aAAa;SACrC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC/B,OAAO,IAAI,yCAAkB,CAAC;YAC5B,aAAa;YACb,aAAa,EAAE,OAAO,CAAC,aAAa;SACrC,CAAC,CAAC;IACL,CAAC;IAGD,MAAM,IAAI,KAAK,CAAC,wBAAwB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAC5D,CAAC;AA7BD,4CA6BC"}

package/dist/signing-clients/local-signing-client.d.ts

@@ -0,0 +1,7 @@
+import type { SigningClient, SigningClientOptions } from '.';
+export declare class LocalSigningClient implements SigningClient {
+    private options;
+    constructor(options: Omit<SigningClientOptions, 'workingDirectory'>);
+    sign(file: string): Promise<void>;
+}
+//# sourceMappingURL=local-signing-client.d.ts.map

package/dist/signing-clients/local-signing-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-signing-client.d.ts","sourceRoot":"","sources":["../../src/signing-clients/local-signing-client.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,GAAG,CAAC;AAU7D,qBAAa,kBAAmB,YAAW,aAAa;IAEpD,OAAO,CAAC,OAAO;gBAAP,OAAO,EAAE,IAAI,CAAC,oBAAoB,EAAE,kBAAkB,CAAC;IAGjE,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAyBlC"}

package/dist/signing-clients/local-signing-client.js

@@ -0,0 +1,38 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LocalSigningClient = void 0;
+const path_1 = __importDefault(require("path"));
+const child_process_1 = require("child_process");
+const utils_1 = require("../utils");
+const localClientDebug = utils_1.debug.extend('LocalSigningClient');
+class LocalSigningClient {
+    constructor(options) {
+        this.options = options;
+    }
+    sign(file) {
+        localClientDebug(`Signing ${file}`);
+        const directoryOfFileToSign = path_1.default.dirname(file);
+        try {
+            const env = {
+                ...(0, utils_1.getEnv)(),
+                method: this.options.signingMethod,
+            };
+            (0, child_process_1.spawnSync)('bash', [this.options.signingScript, path_1.default.basename(file)], {
+                cwd: directoryOfFileToSign,
+                env,
+                encoding: 'utf-8',
+            });
+            localClientDebug(`Signed file ${file}`);
+            return Promise.resolve();
+        }
+        catch (error) {
+            localClientDebug({ error });
+            throw error;
+        }
+    }
+}
+exports.LocalSigningClient = LocalSigningClient;
+//# sourceMappingURL=local-signing-client.js.map

package/dist/signing-clients/local-signing-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-signing-client.js","sourceRoot":"","sources":["../../src/signing-clients/local-signing-client.ts"],"names":[],"mappings":";;;;;;AAAA,gDAAwB;AACxB,iDAA0C;AAC1C,oCAAyC;AAGzC,MAAM,gBAAgB,GAAG,aAAK,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;AAQ5D,MAAa,kBAAkB;IAC7B,YACU,OAAuD;QAAvD,YAAO,GAAP,OAAO,CAAgD;IAC9D,CAAC;IAEJ,IAAI,CAAC,IAAY;QACf,gBAAgB,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAEpC,MAAM,qBAAqB,GAAG,cAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEjD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG;gBACV,GAAG,IAAA,cAAM,GAAE;gBACX,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,aAAa;aACnC,CAAC;YAEF,IAAA,yBAAS,EAAC,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,cAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE;gBACnE,GAAG,EAAE,qBAAqB;gBAC1B,GAAG;gBACH,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;YAEH,gBAAgB,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;YAExC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gBAAgB,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YAC5B,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF;AA9BD,gDA8BC"}

package/dist/signing-clients/remote-signing-client.d.ts

@@ -0,0 +1,16 @@
+import type { SSHClient } from '../ssh-client';
+import type { SigningClient, SigningClientOptions } from '.';
+export declare class RemoteSigningClient implements SigningClient {
+    private sshClient;
+    private options;
+    private sftpConnection;
+    constructor(sshClient: SSHClient, options: SigningClientOptions);
+    private init;
+    private getRemoteFilePath;
+    private copyFile;
+    private downloadFile;
+    private removeFile;
+    private signRemoteFile;
+    sign(file: string): Promise<void>;
+}
+//# sourceMappingURL=remote-signing-client.d.ts.map

package/dist/signing-clients/remote-signing-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-signing-client.d.ts","sourceRoot":"","sources":["../../src/signing-clients/remote-signing-client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE/C,OAAO,KAAK,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,GAAG,CAAC;AAE7D,qBAAa,mBAAoB,YAAW,aAAa;IAIrD,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,OAAO;IAJjB,OAAO,CAAC,cAAc,CAAe;gBAG3B,SAAS,EAAE,SAAS,EACpB,OAAO,EAAE,oBAAoB;YASzB,IAAI;IAYlB,OAAO,CAAC,iBAAiB;YAMX,QAAQ;YAWR,YAAY;YAWZ,UAAU;YAWV,cAAc;IAyBtB,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAsBxC"}

package/dist/signing-clients/remote-signing-client.js

@@ -0,0 +1,93 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RemoteSigningClient = void 0;
+const path_1 = __importDefault(require("path"));
+const utils_1 = require("../utils");
+class RemoteSigningClient {
+    constructor(sshClient, options) {
+        this.sshClient = sshClient;
+        this.options = options;
+    }
+    async init() {
+        this.sftpConnection = await this.sshClient.getSftpConnection();
+        await this.sshClient.exec(`mkdir -p ${this.options.workingDirectory}`);
+        {
+            const remoteScript = `${this.options.workingDirectory}/garasign.sh`;
+            await this.copyFile(this.options.signingScript, remoteScript);
+            await this.sshClient.exec(`chmod +x ${remoteScript}`);
+        }
+    }
+    getRemoteFilePath(file) {
+        return `${this.options.workingDirectory}/temp-${Date.now()}-${path_1.default.basename(file)}`;
+    }
+    async copyFile(file, remotePath) {
+        return new Promise((resolve, reject) => {
+            this.sftpConnection.fastPut(file, remotePath, (err) => {
+                if (err) {
+                    return reject(err);
+                }
+                return resolve();
+            });
+        });
+    }
+    async downloadFile(remotePath, file) {
+        return new Promise((resolve, reject) => {
+            this.sftpConnection.fastGet(remotePath, file, (err) => {
+                if (err) {
+                    return reject(err);
+                }
+                return resolve();
+            });
+        });
+    }
+    async removeFile(remotePath) {
+        return new Promise((resolve, reject) => {
+            this.sftpConnection.unlink(remotePath, (err) => {
+                if (err) {
+                    return reject(err);
+                }
+                return resolve();
+            });
+        });
+    }
+    async signRemoteFile(file) {
+        const env = (0, utils_1.getEnv)();
+        const cmds = [
+            `cd '${this.options.workingDirectory}'`,
+            `export garasign_username=${env.garasign_username}`,
+            `export garasign_password=${env.garasign_password}`,
+            `export artifactory_username=${env.artifactory_username}`,
+            `export artifactory_password=${env.artifactory_password}`,
+            `export method=${this.options.signingMethod}`,
+            `./garasign.sh '${file}'`,
+        ];
+        const command = cmds.join(' && ');
+        const res = await this.sshClient.exec(command);
+        (0, utils_1.debug)('Sign remote file response\n', res.trim());
+    }
+    async sign(file) {
+        const remotePath = this.getRemoteFilePath(file);
+        try {
+            await this.init();
+            await this.copyFile(file, remotePath);
+            (0, utils_1.debug)(`SFTP: Copied file ${file} to ${remotePath}`);
+            await this.signRemoteFile(path_1.default.basename(remotePath));
+            (0, utils_1.debug)(`SFTP: Signed file ${file}`);
+            await this.downloadFile(remotePath, file);
+            (0, utils_1.debug)(`SFTP: Downloaded signed file to ${file}`);
+        }
+        catch (error) {
+            (0, utils_1.debug)({ error });
+        }
+        finally {
+            await this.removeFile(remotePath);
+            (0, utils_1.debug)(`SFTP: Removed remote file ${remotePath}`);
+            this.sshClient.disconnect();
+        }
+    }
+}
+exports.RemoteSigningClient = RemoteSigningClient;
+//# sourceMappingURL=remote-signing-client.js.map

package/dist/signing-clients/remote-signing-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-signing-client.js","sourceRoot":"","sources":["../../src/signing-clients/remote-signing-client.ts"],"names":[],"mappings":";;;;;;AAAA,gDAAwB;AAGxB,oCAAyC;AAGzC,MAAa,mBAAmB;IAG9B,YACU,SAAoB,EACpB,OAA6B;QAD7B,cAAS,GAAT,SAAS,CAAW;QACpB,YAAO,GAAP,OAAO,CAAsB;IACpC,CAAC;IAQI,KAAK,CAAC,IAAI;QAChB,IAAI,CAAC,cAAc,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;QAC/D,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAAC;QAGvE,CAAC;YACC,MAAM,YAAY,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,cAAc,CAAC;YACpE,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;YAC9D,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,YAAY,YAAY,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,IAAY;QACpC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,SAAS,IAAI,CAAC,GAAG,EAAE,IAAI,cAAI,CAAC,QAAQ,CACzE,IAAI,CACL,EAAE,CAAC;IACN,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,IAAY,EAAE,UAAkB;QACrD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE;gBACpD,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBACrB,CAAC;gBACD,OAAO,OAAO,EAAE,CAAC;YACnB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,UAAkB,EAAE,IAAY;QACzD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE;gBACpD,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBACrB,CAAC;gBACD,OAAO,OAAO,EAAE,CAAC;YACnB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,UAAkB;QACzC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC7C,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBACrB,CAAC;gBACD,OAAO,OAAO,EAAE,CAAC;YACnB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,IAAY;QACvC,MAAM,GAAG,GAAG,IAAA,cAAM,GAAE,CAAC;QAMrB,MAAM,IAAI,GAAG;YACX,OAAO,IAAI,CAAC,OAAO,CAAC,gBAAgB,GAAG;YAEvC,4BAA4B,GAAG,CAAC,iBAAiB,EAAE;YAEnD,4BAA4B,GAAG,CAAC,iBAAiB,EAAE;YAEnD,+BAA+B,GAAG,CAAC,oBAAoB,EAAE;YAEzD,+BAA+B,GAAG,CAAC,oBAAoB,EAAE;YACzD,iBAAiB,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE;YAC7C,kBAAkB,IAAI,GAAG;SAC1B,CAAC;QACF,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/C,IAAA,aAAK,EAAC,6BAA6B,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAY;QACrB,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,CAAC;YAEH,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAElB,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YACtC,IAAA,aAAK,EAAC,qBAAqB,IAAI,OAAO,UAAU,EAAE,CAAC,CAAC;YAEpD,MAAM,IAAI,CAAC,cAAc,CAAC,cAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;YACrD,IAAA,aAAK,EAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC;YAEnC,MAAM,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YAC1C,IAAA,aAAK,EAAC,mCAAmC,IAAI,EAAE,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAA,aAAK,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACnB,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;YAClC,IAAA,aAAK,EAAC,6BAA6B,UAAU,EAAE,CAAC,CAAC;YACjD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;QAC9B,CAAC;IACH,CAAC;CACF;AAhHD,kDAgHC"}

package/dist/ssh-client.d.ts

@@ -0,0 +1,14 @@
+import type { ConnectConfig, SFTPWrapper } from 'ssh2';
+export declare class SSHClient {
+    private sshClientOptions;
+    private sshConnection;
+    private sftpConnection?;
+    private connected;
+    constructor(sshClientOptions: ConnectConfig);
+    setupEventListeners(): void;
+    connect(): Promise<void>;
+    disconnect(): void;
+    exec(command: string): Promise<string>;
+    getSftpConnection(): Promise<SFTPWrapper>;
+}
+//# sourceMappingURL=ssh-client.d.ts.map

package/dist/ssh-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-client.d.ts","sourceRoot":"","sources":["../src/ssh-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAiB,aAAa,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AAOtE,qBAAa,SAAS;IAMR,OAAO,CAAC,gBAAgB;IALpC,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,cAAc,CAAC,CAAc;IAErC,OAAO,CAAC,SAAS,CAAS;gBAEN,gBAAgB,EAAE,aAAa;IAKnD,mBAAmB;IAgBb,OAAO;IAgBb,UAAU;IAKJ,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA0BtC,iBAAiB,IAAI,OAAO,CAAC,WAAW,CAAC;CAUhD"}

package/dist/ssh-client.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SSHClient = void 0;
+const ssh2_1 = require("ssh2");
+const promises_1 = require("fs/promises");
+const utils_1 = require("./utils");
+const util_1 = require("util");
+const events_1 = require("events");
+class SSHClient {
+    constructor(sshClientOptions) {
+        this.sshClientOptions = sshClientOptions;
+        this.connected = false;
+        this.sshConnection = new ssh2_1.Client();
+        this.setupEventListeners();
+    }
+    setupEventListeners() {
+        this.sshConnection.on('ready', () => {
+            (0, utils_1.debug)('SSH: Connection established');
+            this.connected = true;
+        });
+        this.sshConnection.on('error', (err) => {
+            (0, utils_1.debug)('SSH: Connection error', err);
+            this.connected = false;
+        });
+        this.sshConnection.on('close', () => {
+            (0, utils_1.debug)('SSH: Connection closed');
+            this.connected = false;
+            this.sshConnection.destroy();
+        });
+    }
+    async connect() {
+        if (this.connected) {
+            return;
+        }
+        const privateKey = this.sshClientOptions.privateKey
+            ? await (0, promises_1.readFile)(this.sshClientOptions.privateKey)
+            : undefined;
+        const ready = (0, events_1.once)(this.sshConnection, 'ready');
+        this.sshConnection.connect({
+            ...this.sshClientOptions,
+            privateKey,
+        });
+        await ready;
+    }
+    disconnect() {
+        this.sshConnection.end();
+        this.connected = false;
+    }
+    async exec(command) {
+        if (!this.connected) {
+            throw new Error('Not connected to ssh server');
+        }
+        const stream = await (0, util_1.promisify)(this.sshConnection.exec.bind(this.sshConnection))(command);
+        let data = '';
+        stream.setEncoding('utf-8');
+        stream.stderr.setEncoding('utf-8');
+        stream.on('data', (chunk) => {
+            data += chunk;
+        });
+        stream.stderr.on('data', (chunk) => {
+            data += chunk;
+        });
+        const [code] = await (0, events_1.once)(stream, 'close');
+        if (code !== 0) {
+            throw new Error(`Command failed with code ${code}. Error: ${data}`);
+        }
+        return data;
+    }
+    async getSftpConnection() {
+        if (!this.connected) {
+            throw new Error('Not connected to ssh server');
+        }
+        this.sftpConnection =
+            this.sftpConnection ??
+                (await (0, util_1.promisify)(this.sshConnection.sftp.bind(this.sshConnection))());
+        return this.sftpConnection;
+    }
+}
+exports.SSHClient = SSHClient;
+//# sourceMappingURL=ssh-client.js.map

package/dist/ssh-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-client.js","sourceRoot":"","sources":["../src/ssh-client.ts"],"names":[],"mappings":";;;AACA,+BAA8B;AAC9B,0CAAuC;AACvC,mCAAgC;AAChC,+BAAiC;AACjC,mCAA8B;AAE9B,MAAa,SAAS;IAMpB,YAAoB,gBAA+B;QAA/B,qBAAgB,GAAhB,gBAAgB,CAAe;QAF3C,cAAS,GAAG,KAAK,CAAC;QAGxB,IAAI,CAAC,aAAa,GAAG,IAAI,aAAM,EAAE,CAAC;QAClC,IAAI,CAAC,mBAAmB,EAAE,CAAC;IAC7B,CAAC;IAED,mBAAmB;QACjB,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClC,IAAA,aAAK,EAAC,6BAA6B,CAAC,CAAC;YACrC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACrC,IAAA,aAAK,EAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;YACpC,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;QACzB,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClC,IAAA,aAAK,EAAC,wBAAwB,CAAC,CAAC;YAChC,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;YACvB,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;QAC/B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QACD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,UAAU;YACjD,CAAC,CAAC,MAAM,IAAA,mBAAQ,EAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC;YAClD,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,KAAK,GAAG,IAAA,aAAI,EAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QAChD,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC;YACzB,GAAG,IAAI,CAAC,gBAAgB;YACxB,UAAU;SACX,CAAC,CAAC;QACH,MAAM,KAAK,CAAC;IACd,CAAC;IAED,UAAU;QACR,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;QACzB,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe;QACxB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,MAAM,MAAM,GAAkB,MAAM,IAAA,gBAAS,EAC3C,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CACjD,CAAC,OAAO,CAAC,CAAC;QACX,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAClC,IAAI,IAAI,KAAK,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,IAAI,IAAI,KAAK,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,IAAA,aAAI,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC3C,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,4BAA4B,IAAc,YAAY,IAAI,EAAE,CAC7D,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QAED,IAAI,CAAC,cAAc;YACjB,IAAI,CAAC,cAAc;gBACnB,CAAC,MAAM,IAAA,gBAAS,EAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;CACF;AApFD,8BAoFC"}

package/dist/utils.d.ts

@@ -0,0 +1,9 @@
+/// <reference types="debug" />
+export declare const debug: import("debug").Debugger;
+export declare function getEnv(): {
+    garasign_username: string | undefined;
+    garasign_password: string | undefined;
+    artifactory_username: string | undefined;
+    artifactory_password: string | undefined;
+};
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":";AAEA,eAAO,MAAM,KAAK,0BAA2B,CAAC;AAE9C,wBAAgB,MAAM;;;;;EAgBrB"}

package/dist/utils.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getEnv = exports.debug = void 0;
+const debug_1 = require("debug");
+exports.debug = (0, debug_1.debug)('signing-utils');
+function getEnv() {
+    const garasign_username = process.env['GARASIGN_USERNAME'] ?? process.env['garasign_username'];
+    const garasign_password = process.env['GARASIGN_PASSWORD'] ?? process.env['garasign_password'];
+    const artifactory_username = process.env['ARTIFACTORY_USERNAME'] ?? process.env['artifactory_username'];
+    const artifactory_password = process.env['ARTIFACTORY_PASSWORD'] ?? process.env['artifactory_password'];
+    return {
+        garasign_username,
+        garasign_password,
+        artifactory_username,
+        artifactory_password,
+    };
+}
+exports.getEnv = getEnv;
+//# sourceMappingURL=utils.js.map

package/dist/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":";;;AAAA,iCAAyC;AAE5B,QAAA,KAAK,GAAG,IAAA,aAAO,EAAC,eAAe,CAAC,CAAC;AAE9C,SAAgB,MAAM;IACpB,MAAM,iBAAiB,GACrB,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACvE,MAAM,iBAAiB,GACrB,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACvE,MAAM,oBAAoB,GACxB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAC7E,MAAM,oBAAoB,GACxB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAE7E,OAAO;QACL,iBAAiB;QACjB,iBAAiB;QACjB,oBAAoB;QACpB,oBAAoB;KACrB,CAAC;AACJ,CAAC;AAhBD,wBAgBC"}

package/package.json

@@ -0,0 +1,74 @@
+{
+  "name": "@mongodb-js/signing-utils",
+  "description": "Utilities for signing packages in CI with Garasign.",
+  "author": {
+    "name": "MongoDB Inc",
+    "email": "compass@mongodb.com"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "bugs": {
+    "url": "https://jira.mongodb.org/projects/COMPASS/issues",
+    "email": "compass@mongodb.com"
+  },
+  "homepage": "https://github.com/mongodb-js/devtools-shared",
+  "version": "0.2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mongodb-js/devtools-shared.git"
+  },
+  "files": [
+    "dist",
+    "src"
+  ],
+  "license": "SSPL",
+  "main": "dist/index.js",
+  "exports": {
+    "require": "./dist/index.js",
+    "import": "./dist/.esm-wrapper.mjs"
+  },
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "bootstrap": "npm run compile",
+    "prepublishOnly": "npm run compile",
+    "compile": "tsc -p tsconfig.json && gen-esm-wrapper . ./dist/.esm-wrapper.mjs",
+    "typecheck": "tsc --noEmit",
+    "eslint": "eslint",
+    "prettier": "prettier",
+    "lint": "npm run eslint . && npm run prettier -- --check .",
+    "depcheck": "depcheck",
+    "check": "npm run typecheck && npm run lint && npm run depcheck",
+    "check-ci": "npm run check",
+    "test": "mocha",
+    "test-cov": "nyc -x \"**/*.spec.*\" --reporter=lcov --reporter=text --reporter=html npm run test",
+    "test-watch": "npm run test -- --watch",
+    "test-ci": "npm run test-cov",
+    "reformat": "npm run prettier -- --write ."
+  },
+  "devDependencies": {
+    "@mongodb-js/eslint-config-devtools": "0.9.10",
+    "@mongodb-js/mocha-config-devtools": "^1.0.2",
+    "@mongodb-js/prettier-config-devtools": "^1.0.1",
+    "@mongodb-js/tsconfig-devtools": "^1.0.1",
+    "@types/chai": "^4.2.21",
+    "@types/mocha": "^9.1.1",
+    "@types/node": "^17.0.35",
+    "@types/sinon-chai": "^3.2.5",
+    "@types/ssh2": "^1.11.18",
+    "chai": "^4.3.6",
+    "depcheck": "^1.4.1",
+    "eslint": "^7.25.0",
+    "gen-esm-wrapper": "^1.1.0",
+    "mocha": "^8.4.0",
+    "nyc": "^15.1.0",
+    "prettier": "^2.3.2",
+    "sinon": "^9.2.3",
+    "typescript": "^5.0.4"
+  },
+  "dependencies": {
+    "debug": "^4.3.4",
+    "ssh2": "^1.15.0"
+  },
+  "gitHead": "ad497d997a5164646475261232687c8d0ace8722"
+}

package/src/garasign.sh

@@ -0,0 +1,62 @@
+#! /usr/bin/env bash
+
+if [ -z "$1" ]; then
+  echo "Usage: garasign.sh <file>"
+  exit 1
+fi
+
+if [ -z ${garasign_username+omitted} ]; then echo "garasign_username is unset" && exit 1; fi
+if [ -z ${garasign_password+omitted} ]; then echo "garasign_password is unset" && exit 1; fi
+if [ -z ${artifactory_username+omitted} ]; then echo "artifactory_username is unset" && exit 1; fi
+if [ -z ${artifactory_password+omitted} ]; then echo "artifactory_password is unset" && exit 1; fi
+if [ -z ${method+omitted} ]; then echo "method must either be gpg or jsign" && exit 1; fi
+
+ARTIFACTORY_HOST="artifactory.corp.mongodb.com"
+
+logout_artifactory() {
+  docker logout "${ARTIFACTORY_HOST}" > /dev/null 2>&1
+  echo "Logged out from artifactory"
+}
+trap logout_artifactory EXIT
+
+echo "Logging into docker artifactory"
+echo "${artifactory_password}" | docker login --password-stdin --username ${artifactory_username} ${ARTIFACTORY_HOST} > /dev/null 2>&1
+
+# If the docker login failed, exit
+[ $? -ne 0 ] && exit $?
+
+directory=$(pwd)
+file=$1
+
+echo "File to be signed: $file"
+echo "Working directory: $directory"
+
+gpg_sign() {
+  docker run \
+    -e GRS_CONFIG_USER1_USERNAME="${garasign_username}" \
+    -e GRS_CONFIG_USER1_PASSWORD="${garasign_password}" \
+    --rm \
+    -v $directory:$directory \
+    -w $directory \
+    ${ARTIFACTORY_HOST}/release-tools-container-registry-local/garasign-gpg \
+    /bin/bash -c "gpgloader && gpg --yes -v --armor -o '$file.sig' --detach-sign '$file'"
+}
+
+jsign_sign() {
+  docker run \
+    -e GRS_CONFIG_USER1_USERNAME="${garasign_username}" \
+    -e GRS_CONFIG_USER1_PASSWORD="${garasign_password}" \
+    --rm \
+    -v $directory:$directory \
+    -w $directory \
+    artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-jsign \
+    /bin/bash -c "jsign --tsaurl "timestamp.url" -a mongo-authenticode-2021 '$file'"
+}
+
+if [[ "$method" -eq "gpg" ]]; then 
+  gpg_sign 
+elif [[ "$method" -eq "jsign" ]]; then 
+  jsign_sign
+fi
+
+echo "Finished signing $file"

package/src/index.ts

@@ -0,0 +1,27 @@
+import type { ClientOptions } from './signing-clients';
+
+import { getSigningClient } from './signing-clients';
+import { debug } from './utils';
+
+/**
+ * Signs a file using Garasign.
+ *
+ * @param file the name of the file to sign
+ * @param options options to sign with - see the docs for `SigningOptions`
+ */
+export async function sign(
+  file: string,
+  options: ClientOptions
+): Promise<void> {
+  debug(
+    `Signing file: ${file} with client ${options.client} and options:`,
+    options
+  );
+  try {
+    const signingClient = await getSigningClient(options);
+    await signingClient.sign(file);
+  } catch (err) {
+    debug(`Error signing file: ${file}`, err);
+    throw err;
+  }
+}

package/src/signing-clients/index.ts

@@ -0,0 +1,82 @@
+import type { ConnectConfig } from 'ssh2';
+
+import * as path from 'path';
+import { SSHClient } from '../ssh-client';
+import { LocalSigningClient } from './local-signing-client';
+import { RemoteSigningClient } from './remote-signing-client';
+
+export { LocalSigningClient } from './local-signing-client';
+export { RemoteSigningClient } from './remote-signing-client';
+
+export type SigningMethod = 'gpg' | 'jsign';
+
+export type SigningClientOptions = {
+  workingDirectory: string;
+  signingScript: string;
+  signingMethod: SigningMethod;
+};
+
+/** Options for signing a file remotely over an SSH connection. */
+export type RemoteSigningOptions = {
+  /** Username for authentication. */
+  username?: string;
+  /** Password for password-based user authentication. */
+  password?: string;
+  /** Port number of the ssh server. */
+  port?: number;
+  /** Buffer or string that contains a private key for either key-based or hostbased user authentication (OpenSSH format). */
+  privateKey?: Buffer | string;
+  /** The method to sign with.  Use gpg on linux and jsign on windows. */
+  signingMethod: SigningMethod;
+
+  /**
+   * The path of the working directory in which to sign files **on the remote ssh server**.  Defaults to `/home/ubuntu/garasign`.
+   */
+  workingDirectory?: string;
+  client: 'remote';
+};
+
+/** Options for signing a file locally. */
+export type LocalSigningOptions = {
+  /** The method to sign with.  Use gpg on linux and jsign on windows. */
+  signingMethod: SigningMethod;
+
+  client: 'local';
+};
+
+export type ClientOptions = RemoteSigningOptions | LocalSigningOptions;
+
+export interface SigningClient {
+  sign(file: string): Promise<void>;
+}
+
+export async function getSigningClient(
+  options: ClientOptions
+): Promise<SigningClient> {
+  async function getSshClient(sshOptions: ConnectConfig) {
+    const sshClient = new SSHClient(sshOptions);
+    await sshClient.connect();
+    return sshClient;
+  }
+
+  const signingScript = path.join(__dirname, '../..', 'src', './garasign.sh');
+
+  if (options.client === 'remote') {
+    const sshClient = await getSshClient(options);
+    // Currently only linux remote is supported to sign the artifacts
+    return new RemoteSigningClient(sshClient, {
+      workingDirectory: options.workingDirectory ?? '/home/ubuntu/garasign',
+      signingScript,
+      signingMethod: options.signingMethod,
+    });
+  }
+  if (options.client === 'local') {
+    return new LocalSigningClient({
+      signingScript,
+      signingMethod: options.signingMethod,
+    });
+  }
+  // @ts-expect-error `client` is a discriminated union - we should never reach here but we throw on the off-chance we do.
+  // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+  throw new Error(`Unknown client type: ${options.client}`);
+}