added support to sign linux artifacts

[abhinavGupta16]

Signed-off-by: Abhinav Gupta abhng@amazon.com

Description

Automate linux signing to sign any artifact or all artifacts in a directory

Issues Resolved

#1351
#1382

Check List

• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #1352 (eed9b7f) into main (ea5a964) will increase coverage by 0.06%.
The diff coverage is 97.05%.

@@             Coverage Diff              @@
##               main    #1352      +/-   ##
============================================
+ Coverage     94.02%   94.08%   +0.06%     
  Complexity       11       11              
============================================
  Files           136      139       +3     
  Lines          3011     3061      +50     
  Branches          8        8              
============================================
+ Hits           2831     2880      +49     
- Misses          172      173       +1     
  Partials          8        8              

Impacted Files	Coverage Δ
src/sign_workflow/signer.py	94.11% <90.00%> (-2.66%)	⬇️
src/sign_workflow/sign_artifacts.py	98.03% <98.03%> (ø)
src/run_sign.py	95.23% <100.00%> (+2.64%)	⬆️
tests/jenkins/jobs/PromoteArtifacts_Jenkinsfile	100.00% <0.00%> (ø)
.../jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile	100.00% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ea5a964...eed9b7f. Read the comment docs.

[dblock]

Close!

[dblock]

Isn't this already Signer.ACCEPTED_FILE_TYPES? Use that.

[abhinavGupta16]

No, this is accepted Signature types, different from accepted file types

[dblock]

These variables aren't reused, just pass the arguments as is below.

Add __sign_artifact__ that takes one artifact.

[abhinavGupta16]

Variables just make it clear as to what is being passed to the function. I think we can leave it like this

[dblock]

Split up in separate tests.

[abhinavGupta16]

I think it should be one method, since it just verifies multiple if conditions with no workflow. It would just increase verbosity and complexity. This is clear too.

[dblock]

It's not a must have, but my reasoning is that these tests can fail independently, and methods are cheap.

[dblock]

Same as above, split up into individual tests for each type.

[abhinavGupta16]

Same reason as before.

[dblock]

It's not a must have, but my reasoning is that these tests can fail independently, and methods are cheap.

[peternied]

Thanks for addressing my comments, great work enhancing this flow.

[abhinavGupta16]

Thanks @dblock for helping out with the test cases

[dblock]

Works for me.

I would also remove all the passing around of Signer() which is always the same class, and create an instance of it at the lowest level.

[dblock]

Use os.path.splitext to get the extension from the file name, then in to check ether it’s one of the accepted types.

[abhinavGupta16]

That does not work since we have artifacts with names like opensearch-1.0.0.tar.gz. That is why I changed it to endswith

[dblock]

We could just change .tar.gz into .gz. Technically the extension of that file is not .tar.gz, it’s .gz.

@dblock approved the changes on behalf of opensearch-project/engineering-effectiveness