Type: Improvement
Resolution: Unresolved
Priority: Unknown
Affects Version/s: None
Component/s: None
Proposal
Ship signed release binaries for libmongocrypt on supported platforms.
Background & Motivation
Providing signed binaries may better conform to SSDLC Best Practices:
Sign artifacts generated during the release process to enable verification.
The GitHub release only includes the signed Windows binary, since it is the only binary download listed in the install instructions. For example in 1.15.1:
- libmongocrypt-windows-x86_64-1.15.1.asc
- libmongocrypt-windows-x86_64-1.15.1.tar.gz
However, drivers get libmongocrypt binaries from an S3 bucket to repackage. See Which drivers package libmongocrypt. MONGOCRYPT-838 proposes further restricting access to the S3 bucket containing binaries. But I expect this is not a full solution.
Though the Java package containing libmongocrypt binaries is signed, Node downloads libmongocrypt builds as part of install. So I expect its signature does not cover the libmongocrypt binaries.
pymongocrypt documentation links to the unsigned libmongocrypt-all.tar.gz. Though MONGOCRYPT-837 proposes signing, providing platform-specific release binaries seems better than the large (3.6GB!) libmongocrypt-all.tar.gz.
The current binaries uploaded to S3 likely have many unneeded files. For example:
% tree -L 2
├── include
│   ├── kms_message
│   └── mongocrypt
├── lib64
│   ├── cmake
│   ├── libbson-static-for-libmongocrypt.a
│   ├── libkms_message-static.a
│   ├── libkms_message.so
│   ├── libkms_message.so.0
│   ├── libkms_message.so.0.0.0
│   ├── libmongocrypt-static.a
│   ├── libmongocrypt.so
│   ├── libmongocrypt.so.0
│   ├── libmongocrypt.so.0.0.0
│   └── pkgconfig
├── nocrypto
│   ├── include
│   └── lib64
└── sharedbson
    ├── include
    └── lib64
I expect only the shared libmongocrypt libraries and headers (for cgo) are needed. The nocrypto variant may be better uploaded as a separate tarball.
Consider using the restricted S3 bucket created in DEVPROD-20712 for releases.
- related to: MONGOCRYPT-837 Sign libmongocrypt-all.tar.gz
- Backlog