omnibus 6.0.30 → 7.0.13

data/lib/omnibus/packagers/pkg.rb

@@ -44,8 +44,7 @@ module Omnibus
           maintainer: project.maintainer,
           build_version: project.build_version,
           package_name: project.package_name,
-        }
-      )
+        })
 
       # Render the welcome template
       render_template(resource_path("welcome.html.erb"),
@@ -56,8 +55,7 @@ module Omnibus
           maintainer: project.maintainer,
           build_version: project.build_version,
           package_name: project.package_name,
-        }
-      )
+        })
 
       # "Render" the assets
       copy_file(resource_path("background.png"), "#{resources_dir}/background.png")
@@ -66,6 +64,8 @@ module Omnibus
     build do
       write_scripts
 
+      sign_software_libs_and_bins
+
       build_component_pkg
 
       write_distribution_file
@@ -179,6 +179,67 @@ module Omnibus
       end
     end
 
+    def sign_software_libs_and_bins
+      if signing_identity
+        log.info(log_key) { "Finding libraries and binaries that require signing." }
+
+        bin_dirs = Set[]
+        lib_dirs = Set[]
+        binaries = Set[]
+        libraries = Set[]
+
+        # Capture lib_dirs and bin_dirs from each software
+        project.softwares.each do |software|
+          lib_dirs.merge(software.lib_dirs)
+          bin_dirs.merge(software.bin_dirs)
+        end
+
+        # Find all binaries in each bind_dir
+        bin_dirs.each do |dir|
+          binaries.merge Dir["#{dir}/*"]
+        end
+        # Filter out symlinks, non-files, and non-executables
+        log.debug(log_key) { "  Filtering non-binary files:" }
+        binaries.select! { |bin| is_binary?(bin) }
+
+        # Use otool to find all libries that are used by our binaries
+        binaries.each do |bin|
+          libraries.merge find_linked_libs bin
+        end
+
+        # Find all libraries in each lib_dir and add any we missed with otool
+        lib_dirs.each do |dir|
+          libraries.merge Dir["#{dir}/*"]
+        end
+
+        # Filter Mach-O libraries and bundles
+        log.debug(log_key) { "  Filtering non-library files:" }
+        libraries.select! { |lib| is_macho?(lib) }
+
+        # Use otool to find all libries that are used by our libraries
+        otool_libs = Set[]
+        libraries.each do |lib|
+          otool_libs.merge find_linked_libs lib
+        end
+
+        # Filter Mach-O libraries and bundles
+        otool_libs.select! { |lib| is_macho?(lib) }
+        libraries.merge otool_libs
+
+        log.info(log_key) { "  Signing libraries:" } unless libraries.empty?
+        libraries.each do |library|
+          log.debug(log_key) { "    Signing: #{library}" }
+          sign_library(library)
+        end
+
+        log.info(log_key) { "  Signing binaries:" } unless binaries.empty?
+        binaries.each do |binary|
+          log.debug(log_key) { "    Signing: #{binary}" }
+          sign_binary(binary, true)
+        end
+      end
+    end
+
     #
     # Construct the intermediate build product. It can be installed with the
     # Installer.app, but doesn't contain the data needed to customize the
@@ -187,16 +248,20 @@ module Omnibus
     # @return [void]
     #
     def build_component_pkg
-      command = <<-EOH.gsub(/^ {8}/, "")
+      command = <<~EOH
         pkgbuild \\
           --identifier "#{safe_identifier}" \\
           --version "#{safe_version}" \\
           --scripts "#{scripts_dir}" \\
           --root "#{project.install_dir}" \\
           --install-location "#{project.install_dir}" \\
-          "#{component_pkg}"
+          --preserve-xattr \\
       EOH
 
+      command << %Q{  --sign "#{signing_identity}" \\\n} if signing_identity
+      command << %Q{  "#{component_pkg}"}
+      command << %Q{\n}
+
       Dir.chdir(staging_dir) do
         shellout!(command)
       end
@@ -221,8 +286,7 @@ module Omnibus
           identifier: safe_identifier,
           version: safe_version,
           component_pkg: component_pkg,
-        }
-      )
+        })
     end
 
     #
@@ -232,7 +296,7 @@ module Omnibus
     # @return [void]
     #
     def build_product_pkg
-      command = <<-EOH.gsub(/^ {8}/, "")
+      command = <<~EOH
         productbuild \\
           --distribution "#{staging_dir}/Distribution" \\
           --resources "#{resources_dir}" \\
@@ -323,5 +387,57 @@ module Omnibus
         converted
       end
     end
+
+    #
+    # Given a file path return any linked libraries.
+    #
+    # @param [String] file_path
+    #    The path to a file
+    # @return [Array<String>]
+    #    The linked libs
+    #
+    def find_linked_libs(file_path)
+      # Find all libaries for each bin
+      command = "otool -L #{file_path}"
+
+      stdout = shellout!(command).stdout
+      stdout.slice!(file_path)
+      stdout.scan(/#{install_dir}\S*/)
+    end
+
+    def sign_library(lib)
+      sign_binary(lib)
+    end
+
+    def sign_binary(bin, hardened_runtime = false)
+      command = "codesign -s '#{signing_identity}' '#{bin}'"
+      command << %q{ --options=runtime} if hardened_runtime
+      command << %Q{ --entitlements #{resource_path("entitlements.plist")}} if File.exist?(resource_path("entitlements.plist")) && hardened_runtime
+      ## Force re-signing to deal with binaries that have the same sha.
+      command << %q{ --force}
+      command << %Q{\n}
+
+      shellout!(command)
+    end
+
+    def is_binary?(bin)
+      is_binary = File.file?(bin) &&
+        File.executable?(bin) &&
+        !File.symlink?(bin)
+      log.debug(log_key) { "    removing from signing: #{bin}" } unless is_binary
+      is_binary
+    end
+
+    def is_macho?(lib)
+      is_macho = false
+      if is_binary?(lib)
+        command = "file #{lib}"
+
+        stdout = shellout!(command).stdout
+        is_macho = stdout.match?(/Mach-O.*library/) || stdout.match?(/Mach-O.*bundle/)
+      end
+      log.debug(log_key) { "    removing from signing: #{lib}" } unless is_macho
+      is_macho
+    end
   end
 end

data/lib/omnibus/packagers/rpm.rb

@@ -243,7 +243,7 @@ module Omnibus
       if null?(val)
         @compression_type || :gzip
       else
-        unless val.is_a?(Symbol) && [:gzip, :bzip2, :xz].member?(val)
+        unless val.is_a?(Symbol) && %i{gzip bzip2 xz}.member?(val)
           raise InvalidValue.new(:compression_type, "be a Symbol (:gzip, :bzip2, or :xz)")
         end
 
@@ -317,7 +317,7 @@ module Omnibus
     # @return [Array]
     #
     def filesystem_directories
-      @filesystem_directories ||= IO.readlines(resource_path("filesystem_list")).map { |f| f.chomp }
+      @filesystem_directories ||= IO.readlines(resource_path("filesystem_list")).map(&:chomp)
     end
 
     #
@@ -356,7 +356,7 @@ module Omnibus
 
       # Get a list of all files
       files = FileSyncer.glob("#{build_dir}/**/*")
-                .map { |path| build_filepath(path) }
+        .map { |path| build_filepath(path) }
 
       render_template(resource_path("spec.erb"),
         destination: spec_file,
@@ -383,8 +383,7 @@ module Omnibus
           build_dir: build_dir,
           platform_family: Ohai["platform_family"],
           compression: compression,
-        }
-      )
+        })
     end
 
     #
@@ -422,8 +421,8 @@ module Omnibus
       if signing_passphrase
         log.info(log_key) { "Signing enabled for .rpm file" }
 
-        if File.exist?("#{ENV['HOME']}/.rpmmacros")
-          log.info(log_key) { "Detected .rpmmacros file at `#{ENV['HOME']}'" }
+        if File.exist?("#{ENV["HOME"]}/.rpmmacros")
+          log.info(log_key) { "Detected .rpmmacros file at `#{ENV["HOME"]}'" }
           home = ENV["HOME"]
         else
           log.info(log_key) { "Using default .rpmmacros file from Omnibus" }
@@ -435,9 +434,8 @@ module Omnibus
             destination: "#{home}/.rpmmacros",
             variables: {
               gpg_name: project.maintainer,
-              gpg_path: "#{ENV['HOME']}/.gnupg", # TODO: Make this configurable
-            }
-          )
+              gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable
+            })
         end
 
         command << " --sign"
@@ -466,11 +464,13 @@ module Omnibus
     def build_filepath(path)
       filepath = rpm_safe("/" + path.gsub("#{build_dir}/", ""))
       return if config_files.include?(filepath)
+
       full_path = build_dir + filepath.gsub("[%]", "%")
       # FileSyncer.glob quotes pathnames that contain spaces, which is a problem on el7
       full_path.delete!('"')
       # Mark directories with the %dir directive to prevent rpmbuild from counting their contents twice.
       return mark_filesystem_directories(filepath) if !File.symlink?(full_path) && File.directory?(full_path)
+
       filepath
     end
 
@@ -502,8 +502,7 @@ module Omnibus
         mode: 0700,
         variables: {
           passphrase: signing_passphrase,
-        }
-      )
+        })
 
       # Yield the destination to the block
       yield(destination)

data/lib/omnibus/packagers/solaris.rb

@@ -76,7 +76,7 @@ module Omnibus
     # Generate a Prototype file for solaris build
     #
     def write_prototype_file
-      shellout! "cd #{install_dirname} && find #{install_basename} -print > #{staging_dir_path('files')}"
+      shellout! "cd #{install_dirname} && find #{install_basename} -print > #{staging_dir_path("files")}"
 
       File.open staging_dir_path("files.clean"), "w+" do |fout|
         File.open staging_dir_path("files") do |fin|
@@ -100,10 +100,10 @@ module Omnibus
       end
 
       # generate the prototype's file list
-      shellout! "cd #{install_dirname} && pkgproto < #{staging_dir_path('files.clean')} > #{staging_dir_path('Prototype.files')}"
+      shellout! "cd #{install_dirname} && pkgproto < #{staging_dir_path("files.clean")} > #{staging_dir_path("Prototype.files")}"
 
       # fix up the user and group in the file list to root
-      shellout! "awk '{ $5 = \"root\"; $6 = \"root\"; print }' < #{staging_dir_path('Prototype.files')} >> #{staging_dir_path('Prototype')}"
+      shellout! "awk '{ $5 = \"root\"; $6 = \"root\"; print }' < #{staging_dir_path("Prototype.files")} >> #{staging_dir_path("Prototype")}"
     end
 
     #
@@ -139,7 +139,7 @@ module Omnibus
     # @return [void]
     #
     def create_solaris_file
-      shellout! "pkgmk -o -r #{install_dirname} -d #{staging_dir} -f #{staging_dir_path('Prototype')}"
+      shellout! "pkgmk -o -r #{install_dirname} -d #{staging_dir} -f #{staging_dir_path("Prototype")}"
       shellout! "pkgchk -vd #{staging_dir} #{project.package_name}"
       shellout! "pkgtrans #{staging_dir} #{package_path} #{project.package_name}"
     end

data/lib/omnibus/packagers/windows_base.rb

@@ -59,11 +59,11 @@ module Omnibus
             raise InvalidValue.new(:params, "be a Hash")
           end
 
-          valid_keys = [:store, :timestamp_servers, :machine_store, :algorithm]
+          valid_keys = %i{store timestamp_servers machine_store algorithm}
           invalid_keys = params.keys - valid_keys
           unless invalid_keys.empty?
-            raise InvalidValue.new(:params, "contain keys from [#{valid_keys.join(', ')}]. "\
-                                   "Found invalid keys [#{invalid_keys.join(', ')}]")
+            raise InvalidValue.new(:params, "contain keys from [#{valid_keys.join(", ")}]. "\
+                                   "Found invalid keys [#{invalid_keys.join(", ")}]")
           end
 
           if !params[:machine_store].nil? && !(
@@ -117,11 +117,11 @@ module Omnibus
         success = try_sign(package_file, ts)
         break if success
       end
-      raise FailedToSignWindowsPackage.new if !success
+      raise FailedToSignWindowsPackage.new unless success
     end
 
     def try_sign(package_file, url)
-      cmd = Array.new.tap do |arr|
+      cmd = [].tap do |arr|
         arr << "signtool.exe"
         arr << "sign /v"
         arr << "/t #{url}"
@@ -158,8 +158,9 @@ module Omnibus
     #
     def certificate_subject
       return "CN=#{project.package_name}" unless signing_identity
+
       store = machine_store? ? "LocalMachine" : "CurrentUser"
-      cmd = Array.new.tap do |arr|
+      cmd = [].tap do |arr|
         arr << "powershell.exe"
         arr << "-ExecutionPolicy Bypass"
         arr << "-NoProfile"

data/lib/omnibus/project.rb

@@ -1007,6 +1007,7 @@ module Omnibus
     #
     def dirty!(software)
       raise ProjectAlreadyDirty.new(self) if culprit
+
       @culprit = software
     end
 

data/lib/omnibus/publisher.rb

@@ -44,10 +44,10 @@ module Omnibus
     #   mapping of build to publish platform(s)
     # @example
     #   {
-    #     'ubuntu-10.04' => [
-    #       'ubuntu-10.04',
-    #       'ubuntu-12.04',
-    #       'ubuntu-14.04',
+    #     'ubuntu-10.04-x86_64' => [
+    #       'ubuntu-10.04-x86_64',
+    #       'ubuntu-12.04-x86_64',
+    #       'ubuntu-14.04-x86_64',
     #     ],
     #   }
     #
@@ -69,39 +69,41 @@ module Omnibus
     #
     def packages
       @packages ||= begin
-        publish_packages = Array.new
+        publish_packages = []
         build_packages   = FileSyncer.glob(@pattern).map { |path| Package.new(path) }
 
         if @options[:platform_mappings]
           # the platform map is a simple hash with publish to build platform mappings
           @options[:platform_mappings].each_pair do |build_platform, publish_platforms|
-            # Splits `ubuntu-12.04` into `ubuntu` and `12.04`
-            build_platform, build_platform_version = build_platform.rpartition("-") - %w{ - }
+            # Splits `ubuntu-12.04-x86_64` into `ubuntu`, `12.04` and `x86_64`
+            build_platform, build_platform_version, build_architecture = build_platform.split("-")
 
             # locate the package for the build platform
             packages = build_packages.select do |p|
               p.metadata[:platform] == build_platform &&
-                p.metadata[:platform_version] == build_platform_version
+                p.metadata[:platform_version] == build_platform_version &&
+                p.metadata[:arch] == build_architecture
             end
 
             if packages.empty?
               log.warn(log_key) do
-                "Could not locate a package for build platform #{build_platform}-#{build_platform_version}. " \
-                "Publishing will be skipped for: #{publish_platforms.join(', ')}"
+                "Could not locate a package for build platform #{build_platform}-#{build_platform_version}-#{build_architecture}. " \
+                "Publishing will be skipped for: #{publish_platforms.join(", ")}"
               end
             end
 
             publish_platforms.each do |publish_platform|
-              publish_platform, publish_platform_version = publish_platform.rpartition("-") - %w{ - }
+              publish_platform, publish_platform_version, publish_architecture = publish_platform.split("-")
 
               packages.each do |p|
                 # create a copy of our package before mucking with its metadata
                 publish_package  = p.dup
                 publish_metadata = p.metadata.dup.to_hash
 
-                # override the platform and platform version in the metadata
+                # override the platform, platform version and architecture in the metadata
                 publish_metadata[:platform]         = publish_platform
                 publish_metadata[:platform_version] = publish_platform_version
+                publish_metadata[:arch]             = publish_architecture
 
                 # Set the updated metadata on the package object
                 publish_package.metadata = Metadata.new(publish_package, publish_metadata)

data/lib/omnibus/publishers/s3_publisher.rb

@@ -65,11 +65,13 @@ module Omnibus
         bucket_name: @options[:bucket],
       }
 
-      if Config.publish_s3_profile
-        config[:profile]            = Config.publish_s3_profile
+      if Config.publish_s3_iam_role_arn
+        config[:publish_s3_iam_role_arn] = Config.publish_s3_iam_role_arn
+      elsif Config.publish_s3_profile
+        config[:profile] = Config.publish_s3_profile
       else
-        config[:access_key_id]      = Config.publish_s3_access_key
-        config[:secret_access_key]  = Config.publish_s3_secret_key
+        config[:access_key_id] = Config.publish_s3_access_key
+        config[:secret_access_key] = Config.publish_s3_secret_key
       end
 
       config

data/lib/omnibus/s3_cache.rb

@@ -147,7 +147,9 @@ module Omnibus
           force_path_style: Config.s3_force_path_style,
         }
 
-        if Config.s3_profile
+        if Config.s3_iam_role_arn
+          config[:iam_role_arn] = Config.s3_iam_role_arn
+        elsif Config.s3_profile
           config[:profile] = Config.s3_profile
         else
           config[:access_key_id] = Config.s3_access_key

data/lib/omnibus/s3_helpers.rb

@@ -53,10 +53,7 @@ module Omnibus
       # @return [Aws::S3::Resource]
       #
       def client
-        Aws.config.update(
-          region: s3_configuration[:region],
-          credentials: get_credentials
-        )
+        Aws.config.update(region: s3_configuration[:region])
 
         @s3_client ||= Aws::S3::Resource.new(resource_params)
       end
@@ -70,6 +67,7 @@ module Omnibus
         params = {
           use_accelerate_endpoint: s3_configuration[:use_accelerate_endpoint],
           force_path_style: s3_configuration[:force_path_style],
+          credentials: get_credentials,
         }
 
         if s3_configuration[:use_accelerate_endpoint]
@@ -84,12 +82,14 @@ module Omnibus
       end
 
       #
-      # Create credentials object based on credential profile or access key
+      # Create credentials object based on AWS IAM role arn, credential profile or access key
       # parameters for use by the client object.
       #
       # @return [Aws::SharedCredentials, Aws::Credentials]
       def get_credentials
-        if s3_configuration[:profile]
+        if s3_configuration[:iam_role_arn]
+          Aws::AssumeRoleCredentials.new(role_arn: s3_configuration[:iam_role_arn], role_session_name: "omnibus-assume-role-s3-access")
+        elsif s3_configuration[:profile]
           Aws::SharedCredentials.new(profile_name: s3_configuration[:profile])
         elsif s3_configuration[:access_key_id] && s3_configuration[:secret_access_key]
           Aws::Credentials.new(s3_configuration[:access_key_id], s3_configuration[:secret_access_key])