- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Query Integration
- Fully Compatible
The purpose of this ticket is to produce an associated .sig file for each .so extension file via the bazel build system. This section of the design document is relevant.
The mongo_cc_extension_shared_library will need to be modified to not just generate the .so file for an extension, but also sign it after it's produced (dropping it in the same place as the .so file).
We will need a test PGP key pair to sign with. This will be generated dynamically at extensions build time. So, choose a sensible path (and key name) under the bazel-bin directory where the key pair is expected to live once it is generated. Each extension that's being built will first have to check this location to see if the key pair exists, and if not, generate it. This is because it's possible to run extensions build commands multiple times, and all extensions need to be signed with the same key. When the key pair is generated, it should also be added to the gpg key ring at that time (so it is only added once).
To sign the extension after the .so file has been generated, we will use gpg. There is a Python library that could be useful, if it's compatible with bazel. If not, it should be possible to call gpg directly on the command line via a subprocess.
After this ticket you should be able to build any extension, either individually or via the 'bazel build install-extensions', and see its associated .sig file living side-by-side with its .so file wherever it has been deposited.
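The check-then-generate-then-sign flow described above, sketched as an added example that calls gpg through a subprocess; it is not the project's build code. The key user ID, file names, the dedicated GnuPG home directory, the `.so.sig` naming and the file lock for parallel builds are all assumptions, since the ticket leaves them open.

```python
import fcntl
import os
import subprocess
from pathlib import Path

# Assumed names: the ticket leaves the key name and location open.
KEY_UID = "extensions-test-signer@example.invalid"
PUB_NAME = "extensions_test_signing_key.pub.asc"


def ensure_test_key(key_dir, run=subprocess.run):
    """Generate the test key pair once; later callers reuse it."""
    key_dir = Path(key_dir)
    key_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(key_dir, 0o700)  # gpg warns about a group/world-accessible homedir
    pub = key_dir / PUB_NAME
    gpg = ["gpg", "--batch", "--homedir", str(key_dir)]
    with open(key_dir / ".keygen.lock", "w") as lock:
        # Extensions may build in parallel: only one process generates the key.
        fcntl.flock(lock, fcntl.LOCK_EX)
        if not pub.exists():
            # Unprotected, signing-only test key; generation places it in the
            # keyring under key_dir, so it is added exactly once.
            run(gpg + ["--pinentry-mode", "loopback", "--passphrase", "",
                       "--quick-generate-key", KEY_UID, "ed25519", "sign", "never"],
                check=True)
            tmp = pub.with_suffix(".tmp")
            run(gpg + ["--yes", "--armor", "--output", str(tmp), "--export", KEY_UID],
                check=True)
            os.replace(tmp, pub)  # publish the exported public key atomically
    return pub


def sign_extension(so_path, key_dir, run=subprocess.run):
    """Write a detached signature next to the .so and return its path."""
    so_path = Path(so_path)
    ensure_test_key(key_dir, run)
    sig = so_path.with_name(so_path.name + ".sig")  # assumed naming: libfoo.so.sig
    run(["gpg", "--batch", "--yes", "--homedir", str(key_dir),
         "--local-user", KEY_UID, "--output", str(sig),
         "--detach-sign", str(so_path)], check=True)
    return sig
```

A signature produced this way can be checked with `gpg --homedir <key_dir> --verify libfoo.so.sig libfoo.so`; the exported public key file is what a consumer of the signatures would be pointed at.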
- is depended on by: SERVER-115286 Pass --extensionsSignaturePubKeyPath on resmoke startup (In Progress)
- related to: SERVER-117504 silence extension signing logs (Closed)