Type: Task
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
Component/s: None
Developer Tools
See https://github.com/mongodb-js/compass/blob/main/.evergreen/verify-artifacts.sh
I noticed that verify_using_powershell didn't fail the script, and therefore the CI task, when the Windows setup exe wasn't signed. I fixed that, but I don't know if verify_using_gpg, verify_using_codesign or verify_using_rpm would fail the task if the artifact isn't signed.
One way to do this would be to refactor that code to be easily callable from JavaScript.
Then during the signing process we can essentially do:
// this is pseudo-code:
assert(isSigned(unsignedFile) === false);
signTheFile();
assert(isSigned(signedFile) === true);
This would then test both true/false paths of isSigned() and we can be sure that it can correctly tell signed files apart from unsigned parts. And the package task would fail if signing fails as expected.
We can then remove that check from verify_artifacts.sh, but do keep in mind that I'm probably adding more things to that file so if that holds we can't just remove the file. See https://github.com/mongodb-js/compass/pull/6702.
Actually, thinking about it some more, the specific bug that caused me to find it was because signing never executed for that one file in the first place, so tying the two together too tightly will miss that sort of thing. So it is probably a good idea to also keep verify-artifacts.sh. Then the two sets of checks can work together - the one makes sure that isSigned() works at all and the other one checks that every package is signed.
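The two checks described above, sketched as an added example that is not code from the Compass repository: Ed25519 detached signatures from node:crypto stand in for the gpg, codesign, rpm and PowerShell verifiers, and signAndAssert, findUnsigned, demo and the artifact names are hypothetical.

```javascript
// Added example; Ed25519 detached signatures stand in for the platform signing tools.
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Constructed key pair, generated in-process so the example runs offline.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// True only if <file>.sig exists and verifies against the file's current bytes.
function isSigned(file) {
  const sigPath = `${file}.sig`;
  if (!fs.existsSync(sigPath)) return false;
  return crypto.verify(null, fs.readFileSync(file), publicKey, fs.readFileSync(sigPath));
}

function signTheFile(file) {
  fs.writeFileSync(`${file}.sig`, crypto.sign(null, fs.readFileSync(file), privateKey));
}

// Package-time check: exercise both outcomes of isSigned() around the signing step.
function signAndAssert(file) {
  if (isSigned(file)) throw new Error(`${file}: reported signed before signing`);
  signTheFile(file);
  if (!isSigned(file)) throw new Error(`${file}: not signed after signing`);
}

// Independent sweep (the role verify-artifacts.sh keeps): list every artifact that
// is not validly signed. A CI caller must exit non-zero when the list is not empty.
function findUnsigned(dir) {
  return fs.readdirSync(dir)
    .filter((name) => !name.endsWith('.sig'))
    .filter((name) => !isSigned(path.join(dir, name)))
    .sort();
}

// Constructed scenario: the signing loop never visits the .exe, so signAndAssert
// cannot notice it; only the sweep over all artifacts does.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'artifacts-'));
  const names = ['app.deb', 'app.rpm', 'app-setup.exe'];
  for (const n of names) fs.writeFileSync(path.join(dir, n), `constructed payload ${n}`);
  for (const n of ['app.deb', 'app.rpm']) signAndAssert(path.join(dir, n));
  const missed = findUnsigned(dir);
  fs.appendFileSync(path.join(dir, 'app.deb'), 'modified after signing');
  const afterTamper = findUnsigned(dir); // a stale signature must also count as unsigned
  fs.rmSync(dir, { recursive: true, force: true });
  return { missed, afterTamper };
}
```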
is related to
- COMPASS-8965 Update electron-winstaller, remove our signtool.exe hack (Needs Triage)
related to
- COMPASS-8945 Compass .exe on Windows is not signed (Closed)
- COMPASS-8950 verify_artifacts.sh does not fail if the windows .exe is not signed (Closed)