inspec 2.2.102 → 2.2.112

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6a09a7de457b9f4594e294d9e4718f7f0e310af828ce5dde58204e44767160f7
-  data.tar.gz: 42e21f6831ee20c1e133ba0d1113fb4cff14d9661d7232d03a5f48121f5bc481
+  metadata.gz: ed479c2bc17fad9ab4aefa69f119d6448332b4e2f5befac16f427fa589a8cef8
+  data.tar.gz: 6e055c297017f08684d15780060e2a9bf528f1f1579e0f8224a35202aad73c66
 SHA512:
-  metadata.gz: 8912827bfa520e5d11a837541d51355804997eb1ef1898cf4605d69a8eaa65c02d20c8416865a47b8190661c9f4f445ab86e921ea8cae4ba7901ffaafc4ca0f1
-  data.tar.gz: b6ca37fa419e180e2f6bb535f646af152618ac57a6a4d8c7c6e9ca353e337c456291834f05c3ff5dc51ffa2631af38f8802785244345aa336a5fefb1de87e052
+  metadata.gz: b3be7a2eb3219f1ceabad6ce163ae24f644475a67a3825f9163c7a572be3a54db5dad11dc5765d28f5330fa5fea5ce7b535e887e56aa86749dcf3c6453c8b9e2
+  data.tar.gz: bab90ce890a5973fc24d8d02be94c88673553a0164dd0d6f5675247223244d232fd6f6a253ff0d3141549fb0f5f4857bdd984ab60ab03d2a5620f5325927f818

data/.rubocop.yml

@@ -7,6 +7,7 @@ AllCops:
   - 'test/**/*'
   - 'examples/**/*'
   - 'vendor/**/*'
+  - 'lib/plugins/inspec-*/test/**/*'
   - 'lib/bundles/inspec-init/templates/**/*'
   - 'www/demo/**/*'
 AlignParameters:

data/CHANGELOG.md

@@ -1,20 +1,39 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.2.102 -->
-## [v2.2.102](https://github.com/inspec/inspec/tree/v2.2.102) (2018-09-17)
+<!-- latest_release 2.2.112 -->
+## [v2.2.112](https://github.com/inspec/inspec/tree/v2.2.112) (2018-09-19)
 
 #### Merged Pull Requests
-- Add json-automate to the report method [#3401](https://github.com/inspec/inspec/pull/3401) ([jquick](https://github.com/jquick))
+- Move artifact to v2 plugin  [#3406](https://github.com/inspec/inspec/pull/3406) ([jquick](https://github.com/jquick))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.2.101 -->
-### Changes since 2.2.101 release
+<!-- release_rollup since=2.2.102 -->
+### Changes since 2.2.102 release
+
+#### Enhancements
+- adding `versions` to the `gem` resource [#3398](https://github.com/inspec/inspec/pull/3398) ([majormoses](https://github.com/majormoses)) <!-- 2.2.107 -->
+- Plugins: Add support for &#39;bundles&#39; migration [#3384](https://github.com/inspec/inspec/pull/3384) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.105 -->
+
+#### New Features
+- Update AWS Security Group to work with IPV6 rules. [#3394](https://github.com/inspec/inspec/pull/3394) ([MartinLogan](https://github.com/MartinLogan)) <!-- 2.2.111 -->
+- Added db_name flag [#3383](https://github.com/inspec/inspec/pull/3383) ([kdoores](https://github.com/kdoores)) <!-- 2.2.104 -->
 
 #### Merged Pull Requests
-- Add json-automate to the report method [#3401](https://github.com/inspec/inspec/pull/3401) ([jquick](https://github.com/jquick)) <!-- 2.2.102 -->
+- Move artifact to v2 plugin  [#3406](https://github.com/inspec/inspec/pull/3406) ([jquick](https://github.com/jquick)) <!-- 2.2.112 -->
+- Move inspec init to v2 plugins [#3407](https://github.com/inspec/inspec/pull/3407) ([jquick](https://github.com/jquick)) <!-- 2.2.110 -->
+- Fix gem tests from recent merge [#3409](https://github.com/inspec/inspec/pull/3409) ([jquick](https://github.com/jquick)) <!-- 2.2.109 -->
+- Fix json automate tests and render call [#3408](https://github.com/inspec/inspec/pull/3408) ([jquick](https://github.com/jquick)) <!-- 2.2.108 -->
+- Move habitat to v2 plugin [#3404](https://github.com/inspec/inspec/pull/3404) ([jquick](https://github.com/jquick)) <!-- 2.2.106 -->
+- Fix rendering of profiles docs [#3393](https://github.com/inspec/inspec/pull/3393) ([jquick](https://github.com/jquick)) <!-- 2.2.103 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.2.102](https://github.com/inspec/inspec/tree/v2.2.102) (2018-09-17)
+
+#### Merged Pull Requests
+- Add json-automate to the report method [#3401](https://github.com/inspec/inspec/pull/3401) ([jquick](https://github.com/jquick))
+<!-- latest_stable_release -->
+
 ## [v2.2.101](https://github.com/inspec/inspec/tree/v2.2.101) (2018-09-14)
 
 #### New Features
@@ -44,7 +63,6 @@
 - Bump omnibus ruby to 2.5.1 [#3390](https://github.com/inspec/inspec/pull/3390) ([jquick](https://github.com/jquick))
 - Add platforms schema command [#3346](https://github.com/inspec/inspec/pull/3346) ([jquick](https://github.com/jquick))
 - Fix profile vendoring on Windows [#3378](https://github.com/inspec/inspec/pull/3378) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
-<!-- latest_stable_release -->
 
 ## [v2.2.78](https://github.com/inspec/inspec/tree/v2.2.78) (2018-08-30)
 

data/Rakefile

@@ -54,7 +54,10 @@ task default: [:lint, :test]
 
 Rake::TestTask.new do |t|
   t.libs << 'test'
-  t.pattern = 'test/unit/**/*_test.rb'
+  t.test_files = Dir.glob([
+    'test/unit/**/*_test.rb',
+    'lib/plugins/inspec-*/test/unit/**/*_test.rb',
+  ])
   t.warning = true
   t.verbose = true
   t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)
@@ -69,7 +72,10 @@ namespace :test do
 
   Rake::TestTask.new(:functional) do |t|
     t.libs << 'test'
-    t.pattern = 'test/functional/**/*_test.rb'
+    t.test_files = Dir.glob([
+      'test/functional/**/*_test.rb',
+      'lib/plugins/inspec-*/test/functional/**/*_test.rb',
+    ])
     t.warning = true
     t.verbose = true
     t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)

data/docs/profiles.md

@@ -348,6 +348,7 @@ Attributes may contain the following options:
 
 
 You can specify attributes in your `inspec.yml` using the `attributes` setting. For example, to add a `user` attribute for your profile:
+
 ```YAML
 attributes:
   - name: user
@@ -356,6 +357,7 @@ attributes:
 ```
 
 Example of adding a array object of servers:
+
 ```YAML
 attributes:
   - name: servers
@@ -369,6 +371,7 @@ attributes:
 To access an attribute you will use the `attribute` keyword. You can use this anywhere in your control code.
 
 For example:
+
 ```Ruby
 current_user = attribute('user')
 
@@ -386,6 +389,7 @@ end
 For sensitive data it is recomended to use a secrets YAML file located on the local machine to populate the values of attributes. A secrets file will always overwrite a attributes default value. To use the secrets file run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.
 
 For example, a inspec.yml:
+
 ```YAML
 attributes:
   - name: username
@@ -432,6 +436,7 @@ $ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
 To change your attributes for platform specific cases you can setup multiple `--attrs` files.
 
 For example, a inspec.yml:
+
 ```YAML
 attributes:
   - name: users
@@ -440,6 +445,7 @@ attributes:
 ```
 
 A YAML file named `windows.yml`
+
 ```YAML
 users:
   - Administrator
@@ -448,6 +454,7 @@ users:
 ```
 
 A YAML file named `linux.yml`
+
 ```YAML
 users:
   - root
@@ -456,6 +463,7 @@ users:
 ```
 
 The control file:
+
 ```RUBY
 control 'system-users' do
   impact 0.8
@@ -468,6 +476,7 @@ end
 ```
 
 The following command runs the tests and applies the attributes specified:
+
 ```bash
 $ inspec exec examples/profile-attribute --attrs examples/windows.yml
 $ inspec exec examples/profile-attribute --attrs examples/linux.yml

data/docs/resources/aws_security_group.md.erb

@@ -12,7 +12,6 @@ SGs are a networking construct which contain ingress and egress rules for networ
 
 While this resource provides facilities for searching inbound and outbound rules on a variety of criteria, there is currently no support for performing matches based on:
 
- * IPv6 ranges
  * References to other Security Groups
  * References to VPC peers or other AWS services (that is, no support for searches based on 'prefix lists').
 
@@ -143,7 +142,7 @@ A string identifying the VPC that contains the Security Group. Since VPCs common
 <br>
 ## Properties
 
-* [`description`](#description), [`group_id`](#group_id), [`group_name`](#group_name), [`inbound_rules`](#inbound_rules), [`outbound_rules`](#outbound_rules), [`vpc_id`](#vpc_id)
+* [`description`](#description), [`group_id`](#group_id), [`group_name`](#group_name), [`inbound_rules`](#inbound_rules), [`inbound_rules_count`](#inbound_rules_count), [`outbound_rules`](#outbound_rules), [`outbound_rules_count`](#outbound_rules_count), [`vpc_id`](#vpc_id)
 
 <br>
 
@@ -191,6 +190,14 @@ If the Security Group could not be found (that is, `exists` is false), `inbound_
       its('inbound_rules.first') { should include(from_port: '22', ip_ranges: ['10.2.17.0/24']) }
     end
 
+### inbound\_rules\_count
+
+A Number totalling the number of individual rules defined - It is a sum of the combinations of port, protocol, ipv4 rules, ipv6 rules and security group rules.
+
+    describe aws_security_group(group_name: linux_servers) do
+      its('inbound_rules_count'){ should eq 10 }
+    end
+
 ### outbound\_rules
 
 A list of the rules that the Security Group applies to outgoing network traffic initiated by the AWS resource in the Security Group. This is a low-level property that is used by the [`allow_out`](#allow_out) matcher; see it for detailed examples. `outbound_rules` is provided here for those wishing to use Ruby code to inspect the rules directly, instead of using higher-level matchers.
@@ -203,6 +210,14 @@ If the Security Group could not be found (that is, `exists` is false), `outbound
       its('outbound_rules.last') { should_not include(ip_ranges:['0.0.0.0/0']) }
     end
 
+### outbound\_rules\_count
+
+A Number totalling the number of individual rules defined - It is a sum of the combinations of port, protocol, ipv4 rules, ipv6 rules and security group rules.
+
+    describe aws_security_group(group_name: linux_servers) do
+      its('outbound_rules_count'){ should eq 2 }
+    end
+
 ### vpc\_id
 
 A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VPC that contains the Security Group.
@@ -240,6 +255,7 @@ The matchers accept a key-value list of search criteria.  For a rule to match, i
 
   * from_port - Determines if a rule exists whose port range begins at the specified number. The word 'from_' does *not* relate to inbound/outbound directionality; it relates to the port range ("counting _from_"). `from_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `from_port` of 1001, it does not match.
   * ipv4_range - Specifies an IPv4 address or subnet as a CIDR, or a list of them, to be checked as a permissible origin (for `allow_in`) or destination (for `allow_out`) for traffic.  Each AWS Security Group rule may have multiple allowed source IP ranges.
+  * ipv6_range - Specifies an IPv6 address or subnet as a CIDR, or a list of them, to be checked as a permissible origin (for `allow_in`) or destination (for `allow_out`) for traffic.  Each AWS Security Group rule may have multiple allowed source IP ranges.
   * port - Determines if a particular TCP/IP port is reachable. allow_in and allow_out examine whether the specified port is included in the port range of a rule, while allow_in. You may specify the port as a string (`'22'`) or as a number.
   * position - A one-based index into the list of rules. If provided, this restricts the evaluation to the rule at that position. You may also use the special values `:first` and `:last`. `position` may also be used to enable `allow_in_only` and `allow_out_only` to work with multi-rule Security Groups.
   * protocol - Specifies the IP protocol. 'tcp', 'udp', and 'icmp' are some typical values. The string "-1" or 'any' is used to indicate any protocol.
@@ -248,6 +264,7 @@ The matchers accept a key-value list of search criteria.  For a rule to match, i
     describe aws_security_group(group_name: 'mixed-functionality-group') do
       # Allow RDP from defined range
       it { should allow_in(port: 3389, ipv4_range: '10.5.0.0/16') }
+      it { should allow_in(port: 3389, ipv6_range: '2001:db8::/122') }
 
       # Allow SSH from two ranges
       it { should allow_in(port: 22, ipv4_range: ['10.5.0.0/16', '10.2.3.0/24']) }

data/docs/resources/gem.md.erb

@@ -46,6 +46,15 @@ The following examples show how to use this InSpec audit resource.
       its('version') { should eq '0.33.0' }
     end
 
+### Verify that a particular version is installed when there are multiple versions installed
+
+    describe gem('rubocop') do
+      it { should be_installed }
+      its('versions') { should include /0.51.0/ }
+      its('versions.count') { should_not be > 3 }
+    end
+
+
 ### Verify that a gem package is not installed
 
     describe gem('rubocop') do
@@ -72,6 +81,21 @@ The following examples show how to use this InSpec audit resource.
 
 <br>
 
+## Properties
+
+### version (String)
+
+The `version` property returns a string of the default version on the system:
+
+    its('version') { should eq '0.33.0' }
+
+### versions
+
+The `versions` property returns an array of strings of all the versions of the gem installed on the system:
+
+    its('versions') { should include /0.33/ }
+
+
 ## Matchers
 
 For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
@@ -82,8 +106,3 @@ The `be_installed` matcher tests if the named Gem package is installed:
 
     it { should be_installed }
 
-### version
-
-The `version` matcher tests if the named package version is on the system:
-
-    its('version') { should eq '0.33.0' }

data/docs/resources/mssql_session.md.erb

@@ -62,6 +62,14 @@ The following examples show how to use this InSpec audit resource.
     describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
       its("value") { should cmp > '12.00.4457' }
     end
+  
+### Test a specific database
+
+    sql = mssql_session(user: 'my_user', password: 'password', db_name: 'test')
+
+    describe sql.query("SELECT Name AS result FROM Product WHERE ProductID == 1").row(0).column('result') do
+      its("value") { should eq 'foo' }
+    end
 
 <br>
 

data/lib/inspec/plugin/v2/loader.rb

@@ -17,7 +17,14 @@ module Inspec::Plugin::V2
       determine_plugin_conf_file
       read_conf_file
       unpack_conf_file
+
+      # Old-style (v0, v1) co-distributed plugins were called 'bundles'
+      # and were located in lib/bundles
       detect_bundled_plugins unless options[:omit_bundles]
+
+      # New-style (v2) co-distributed plugins are in lib/plugins,
+      # and may be safely loaded
+      detect_core_plugins unless options[:omit_core_plugins]
     end
 
     def load_all
@@ -26,17 +33,20 @@ module Inspec::Plugin::V2
         # rubocop: disable Lint/RescueException
         begin
           # We could use require, but under testing, we need to repeatedly reload the same
-          # plugin.
-          if plugin_details.entry_point.include?('test/unit/mock/plugins')
-            load plugin_details.entry_point + '.rb'
-          else
+          # plugin.  However, gems only work with require (rubygems dooes not overload `load`)
+          if plugin_details.installation_type == :gem
+            activate_managed_gems_for_plugin(plugin_name)
             require plugin_details.entry_point
+          else
+            load_path = plugin_details.entry_point
+            load_path += '.rb' unless plugin_details.entry_point.end_with?('.rb')
+            load load_path
           end
           plugin_details.loaded = true
           annotate_status_after_loading(plugin_name)
         rescue ::Exception => ex
           plugin_details.load_exception = ex
-          Inspec::Log.error "Could not load plugin #{plugin_name}"
+          Inspec::Log.error "Could not load plugin #{plugin_name}: #{ex.message}"
         end
         # rubocop: enable Lint/RescueException
       end
@@ -60,7 +70,7 @@ module Inspec::Plugin::V2
     end
 
     def activate(plugin_type, hook_name)
-      activator = registry.find_activators(plugin_type: plugin_type, activation_name: hook_name).first
+      activator = registry.find_activators(plugin_type: plugin_type, activator_name: hook_name).first
       # We want to capture literally any possible exception here, since we are storing them.
       # rubocop: disable Lint/RescueException
       begin
@@ -80,7 +90,7 @@ module Inspec::Plugin::V2
         next if act.activated
         # If there is anything in the CLI args with the same name, activate it
         # If the word 'help' appears in the first position, load all CLI plugins
-        if cli_args.include?(act.activator_name.to_s) || cli_args[0] == 'help'
+        if cli_args.include?(act.activator_name.to_s) || cli_args[0] == 'help' || cli_args.size.zero?
           activate(:cli_command, act.activator_name)
           act.implementation_class.register_with_thor
         end
@@ -138,6 +148,22 @@ module Inspec::Plugin::V2
       @plugin_conf_file_path = File.join(@plugin_conf_file_path, 'plugins.json')
     end
 
+    def detect_core_plugins
+      core_plugins_dir = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..', 'plugins'))
+      # These are expected to be organized as proper separate projects,
+      # with lib/ dirs, etc.
+      Dir.glob(File.join(core_plugins_dir, 'inspec-*')).each do |plugin_dir|
+        status = Inspec::Plugin::V2::Status.new
+        status.name = File.basename(plugin_dir)
+        status.entry_point = File.join(plugin_dir, 'lib', status.name + '.rb')
+        status.installation_type = :path
+        status.loaded = false
+        registry[status.name.to_sym] = status
+      end
+    end
+
+    # TODO: DRY up re: Installer read_or_init_config_file
+    # TODO: refactor the plugin.json file to have its own class, which Loader consumes
     def read_conf_file
       if File.exist?(@plugin_conf_file_path)
         @plugin_file_contents = JSON.parse(File.read(@plugin_conf_file_path))

data/lib/inspec/reporters/json_automate.rb

@@ -10,7 +10,7 @@ module Inspec::Reporters
     end
 
     def render
-      output(report_merged.to_json, false)
+      output(report.to_json, false)
     end
 
     def report

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.2.102'
+  VERSION = '2.2.112'
 end

data/lib/plugins/README.md

@@ -0,0 +1,16 @@
+# Core Plugins of InSpec
+
+This area contains the plugins that ship with InSpec.  They are automatically detected by the plugin loader.
+
+## inspec-* directories
+
+Each subdirectory here that begins with `inspec-` is intended to be a self-contained plugin project,
+with code, docs, and tests.
+
+## shared directory
+
+This directory contains material that is reusable for core plugins, such as a test helper tuned to assisting
+core plugin testing.
+
+
+

data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb

@@ -0,0 +1,12 @@
+module InspecPlugins
+  module Artifact
+    class Plugin < Inspec.plugin(2)
+      plugin_name :'inspec-artifact'
+
+      cli_command :artifact do
+        require_relative 'inspec-artifact/cli'
+        InspecPlugins::Artifact::CLI
+      end
+    end
+  end
+end

data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb

@@ -0,0 +1,162 @@
+require 'base64'
+require 'openssl'
+require 'pathname'
+require 'set'
+require 'tempfile'
+require 'yaml'
+
+module InspecPlugins
+  module Artifact
+    class Base
+      KEY_BITS=2048
+      KEY_ALG=OpenSSL::PKey::RSA
+
+      INSPEC_PROFILE_VERSION_1='INSPEC-PROFILE-1'.freeze
+      INSPEC_REPORT_VERSION_1='INSPEC-REPORT-1'.freeze
+
+      ARTIFACT_DIGEST=OpenSSL::Digest::SHA512
+      ARTIFACT_DIGEST_NAME='SHA512'.freeze
+
+      VALID_PROFILE_VERSIONS=Set.new [INSPEC_PROFILE_VERSION_1]
+      VALID_PROFILE_DIGESTS=Set.new [ARTIFACT_DIGEST_NAME]
+
+      SIGNED_PROFILE_SUFFIX='iaf'.freeze
+      SIGNED_REPORT_SUFFIX='iar'.freeze
+
+      def self.keygen(options)
+        key = KEY_ALG.new KEY_BITS
+        puts 'Generating private key'
+        open "#{options['keyname']}.pem.key", 'w' do |io| io.write key.to_pem end
+        puts 'Generating public key'
+        open "#{options['keyname']}.pem.pub", 'w' do |io| io.write key.public_key.to_pem end
+      end
+
+      def self.profile_sign(options)
+        artifact = new
+        Dir.mktmpdir do |workdir|
+          puts "Signing #{options['profile']} with key #{options['keyname']}"
+          path_to_profile = options['profile']
+          profile_md = artifact.read_profile_metadata(path_to_profile)
+          artifact_filename = "#{profile_md['name']}-#{profile_md['version']}.#{SIGNED_PROFILE_SUFFIX}"
+          tarfile = artifact.profile_compress(path_to_profile, profile_md, workdir)
+          content = IO.binread(tarfile)
+          signing_key = KEY_ALG.new File.read "#{options['keyname']}.pem.key"
+          sha = ARTIFACT_DIGEST.new
+          signature = signing_key.sign sha, content
+          # convert the signature to Base64
+          signature_base64 = Base64.encode64(signature)
+          tar_content = IO.binread(tarfile)
+          File.open(artifact_filename, 'wb') do |f|
+            f.puts(INSPEC_PROFILE_VERSION_1)
+            f.puts(options['keyname'])
+            f.puts(ARTIFACT_DIGEST_NAME)
+            f.puts(signature_base64)
+            f.puts('') # newline separates artifact header with body
+            f.write(tar_content)
+          end
+          puts "Successfully generated #{artifact_filename}"
+        end
+      end
+
+      def self.profile_verify(options)
+        artifact = new
+        file_to_verifiy = options['infile']
+        puts "Verifying #{file_to_verifiy}"
+        artifact.verify(file_to_verifiy) do ||
+          puts 'Artifact is valid'
+        end
+      end
+
+      def self.profile_install(options)
+        artifact = new
+        puts 'Installing profile'
+        file_to_verifiy = options['infile']
+        dest_dir = options['destdir']
+        artifact.verify(file_to_verifiy) do |content|
+          Dir.mktmpdir do |workdir|
+            tmpfile = Pathname.new(workdir).join('artifact_to_install.tar.gz')
+            File.write(tmpfile, content)
+            puts "Installing to #{dest_dir}"
+            `tar xzf #{tmpfile} -C #{dest_dir}`
+          end
+        end
+      end
+
+      def read_profile_metadata(path_to_profile)
+        begin
+          p = Pathname.new(path_to_profile)
+          p = p.join('inspec.yml')
+          if not p.exist?
+            raise "#{path_to_profile} doesn't appear to be a valid Inspec profile"
+          end
+          yaml = YAML.load_file(p.to_s)
+          yaml = yaml.to_hash
+
+          if not yaml.key? 'name'
+            raise 'Profile is invalid, name is not defined'
+          end
+
+          if not yaml.key? 'version'
+            raise 'Profile is invalid, version is not defined'
+          end
+        rescue => e
+          # rewrap it and pass it up to the CLI
+          raise "Error reading Inspec profile metadata: #{e}"
+        end
+
+        yaml
+      end
+
+      def profile_compress(path_to_profile, profile_md, workdir)
+        profile_name = profile_md['name']
+        profile_version = profile_md['version']
+        outfile_name = "#{workdir}/#{profile_name}-#{profile_version}.tar.gz"
+        `tar czf #{outfile_name} -C #{path_to_profile} .`
+        outfile_name
+      end
+
+      def valid_header?(file_alg, file_version, file_keyname)
+        public_keyfile = "#{file_keyname}.pem.pub"
+        puts "Looking for #{public_keyfile} to verify artifact"
+        if !File.exist? public_keyfile
+          raise "Can't find #{public_keyfile}"
+        end
+
+        raise 'Invalid artifact digest algorithm detected' if !VALID_PROFILE_DIGESTS.member?(file_alg)
+        raise 'Invalid artifact version detected' if !VALID_PROFILE_VERSIONS.member?(file_version)
+      end
+
+      def verify(file_to_verifiy, &content_block)
+        f = File.open(file_to_verifiy, 'r')
+        file_version = f.readline.strip!
+        file_keyname = f.readline.strip!
+        file_alg = f.readline.strip!
+
+        file_sig = ''
+        # the signature is multi-line
+        while (line = f.readline) != "\n"
+          file_sig += line
+        end
+        file_sig.strip!
+        f.close
+
+        valid_header?(file_alg, file_version, file_keyname)
+
+        public_keyfile = "#{file_keyname}.pem.pub"
+        verification_key = KEY_ALG.new File.read public_keyfile
+
+        f = File.open(file_to_verifiy, 'r')
+        while f.readline != "\n" do end
+        content = f.read
+
+        signature = Base64.decode64(file_sig)
+        digest = ARTIFACT_DIGEST.new
+        if verification_key.verify digest, signature, content
+          content_block.yield(content)
+        else
+          puts 'Artifact is invalid'
+        end
+      end
+    end
+  end
+end