omnibus 6.1.7 → 8.0.9

data/lib/omnibus/metadata.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "ffi_yajl"
+require "ffi_yajl" unless defined?(FFI_Yajl)
 
 module Omnibus
   class Metadata
@@ -83,7 +83,7 @@ module Omnibus
         data = File.read(path_for(package))
         hash = FFI_Yajl::Parser.parse(data, symbolize_names: true)
 
-         # Ensure Platform version has been truncated
+        # Ensure Platform version has been truncated
         if hash[:platform_version] && hash[:platform]
           hash[:platform_version] = truncate_platform_version(hash[:platform_version], hash[:platform])
         end

data/lib/omnibus/ohai.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "ohai"
+require "ohai" unless defined?(Ohai::System)
 
 module Omnibus
   class Ohai

data/lib/omnibus/package.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "ffi_yajl"
+require "ffi_yajl" unless defined?(FFI_Yajl)
 
 module Omnibus
   class Package

data/lib/omnibus/packager.rb

@@ -1,5 +1,5 @@
 #
-# Copyright 2014-2018 Chef Software, Inc.
+# Copyright 2014-2020, Chef Software Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -46,6 +46,7 @@ module Omnibus
       "amazon" => RPM,
       "aix" => BFF,
       "solaris" => Solaris,
+      "omnios" => IPS,
       "ips" => IPS,
       "windows" => [MSI, APPX],
       "mac_os_x" => PKG,
@@ -65,25 +66,16 @@ module Omnibus
       family = Ohai["platform_family"]
       version = Ohai["platform_version"]
 
-      if family == "solaris2" && Chef::Sugar::Constraints::Version.new(version).satisfies?(">= 5.11")
+      if family == "solaris2" && ChefUtils::VersionString.new(version).satisfies?(">= 5.11")
         family = "ips"
-      elsif family == "solaris2" && Chef::Sugar::Constraints::Version.new(version).satisfies?(">= 5.10")
+      elsif family == "solaris2" && ChefUtils::VersionString.new(version).satisfies?(">= 5.10")
         family = "solaris"
       end
       if klass = PLATFORM_PACKAGER_MAP[family]
-        package_types = klass.is_a?(Array) ? klass : [ klass ]
-
-        if package_types.include?(APPX) &&
-            !Chef::Sugar::Constraints::Version.new(version).satisfies?(">= 6.2")
-          log.warn(log_key) { "APPX generation is only supported on Windows versions 2012 and above" }
-          package_types -= [APPX]
-        end
-
-        package_types
+        klass.is_a?(Array) ? klass : [ klass ]
       else
         log.warn(log_key) do
-          "Could not determine packager for `#{family}', defaulting " \
-          "to `makeself'!"
+          "Could not determine packager for `#{family}`, defaulting to `makeself`!"
         end
         [Makeself]
       end

data/lib/omnibus/packagers/appx.rb

@@ -69,8 +69,7 @@ module Omnibus
           version: windows_package_version,
           maintainer: project.maintainer,
           certificate_subject: certificate_subject.gsub('"', """),
-        }
-      )
+        })
     end
 
     #

data/lib/omnibus/packagers/base.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "fileutils"
+require "fileutils" unless defined?(FileUtils)
 
 module Omnibus
   class Packager::Base
@@ -142,6 +142,7 @@ module Omnibus
       unless val.is_a?(TrueClass) || val.is_a?(FalseClass)
         raise InvalidValue.new(:skip_packager, "be TrueClass or FalseClass")
       end
+
       @skip_package ||= val
     end
     expose :skip_packager

data/lib/omnibus/packagers/bff.rb

@@ -153,12 +153,11 @@ module Omnibus
               destination: "#{scripts_staging_dir}/config",
               variables: {
                 name: project.name,
-              }
-            )
+              })
           end
 
           File.open(File.join(scripts_staging_dir, "config"), "a") do |file|
-            file.puts "mv '#{alt.gsub(/^#{staging_dir}/, '')}' '#{path.gsub(/^#{staging_dir}/, '')}'"
+            file.puts "mv '#{alt.gsub(/^#{staging_dir}/, "")}' '#{path.gsub(/^#{staging_dir}/, "")}'"
           end
 
           path = alt
@@ -189,8 +188,7 @@ module Omnibus
           description: project.description,
           files: files,
           scripts: scripts,
-        }
-      )
+        })
 
       # Print the full contents of the rendered template file for mkinstallp's use
       log.debug(log_key) { "Rendered Template:\n" + File.read(File.join(staging_dir, "gen.template")) }
@@ -214,19 +212,19 @@ module Omnibus
       # we will chown from 'project' on, rather than 'project/dir', which leaves
       # project owned by the build user (which is incorrect)
       # First - let's find out who we are.
-      shellout!("sudo chown -Rh 0:0 #{File.join(staging_dir, project.install_dir.match(/^\/?(\w+)/).to_s)}")
+      shellout!("sudo chown -Rh 0:0 #{File.join(staging_dir, project.install_dir.match(%r{^/?(\w+)}).to_s)}")
       log.info(log_key) { "Creating .bff file" }
 
       # Since we want the owner to be root, we need to sudo the mkinstallp
       # command, otherwise it will not have access to the previously chowned
       # directory.
-      shellout!("sudo /usr/sbin/mkinstallp -d #{staging_dir} -T #{File.join(staging_dir, 'gen.template')}")
+      shellout!("sudo /usr/sbin/mkinstallp -d #{staging_dir} -T #{File.join(staging_dir, "gen.template")}")
 
       # Print the full contents of the inventory file generated by mkinstallp
       # from within the staging_dir's .info folder (where control files for the
       # packaging process are kept.)
       log.debug(log_key) do
-        "With .inventory file of:\n" + File.read("#{File.join( staging_dir, '.info', "#{safe_base_package_name}.inventory" )}")
+        "With .inventory file of:\n" + File.read("#{File.join( staging_dir, ".info", "#{safe_base_package_name}.inventory" )}")
       end
 
       # Copy the resulting package up to the package_dir

data/lib/omnibus/packagers/deb.rb

@@ -207,7 +207,7 @@ module Omnibus
       if null?(val)
         @compression_type || :gzip
       else
-        unless val.is_a?(Symbol) && [:gzip, :xz, :none].member?(val)
+        unless val.is_a?(Symbol) && %i{gzip xz none}.member?(val)
           raise InvalidValue.new(:compression_type, "be a Symbol (:gzip, :xz, or :none)")
         end
 
@@ -261,7 +261,7 @@ module Omnibus
         @compression_strategy
       else
         unless val.is_a?(Symbol) &&
-            [:filtered, :huffman, :rle, :fixed, :extreme].member?(val)
+            %i{filtered huffman rle fixed extreme}.member?(val)
           raise InvalidValue.new(:compression_strategy, "be a Symbol (:filtered, "\
                                                         ":huffman, :rle, :fixed, or :extreme)")
         end
@@ -320,8 +320,7 @@ module Omnibus
           conflicts: project.conflicts,
           replaces: project.replaces,
           dependencies: project.runtime_dependencies,
-        }
-      )
+        })
     end
 
     #
@@ -336,8 +335,7 @@ module Omnibus
         destination: File.join(debian_dir, "conffiles"),
         variables: {
           config_files: project.config_files,
-        }
-      )
+        })
     end
 
     #
@@ -380,8 +378,7 @@ module Omnibus
         destination: File.join(debian_dir, "md5sums"),
         variables: {
           md5sums: hash,
-        }
-      )
+        })
     end
 
     #
@@ -421,7 +418,7 @@ module Omnibus
     #
     # @return [void]
     def sign_deb_file
-      if !signing_passphrase
+      unless signing_passphrase
         log.info(log_key) { "Signing not enabled for .deb file" }
         return
       end
@@ -447,7 +444,7 @@ module Omnibus
             # Create signature (as +root+)
             gpg_command =  "#{gpg} --armor --sign --detach-sign"
             gpg_command << " --local-user '#{project.maintainer}'"
-            gpg_command << " --homedir #{ENV['HOME']}/.gnupg" # TODO: Make this configurable
+            gpg_command << " --homedir #{ENV["HOME"]}/.gnupg" # TODO: Make this configurable
             ## pass the +signing_passphrase+ via +STDIN+
             gpg_command << " --batch --no-tty"
             ## Check `gpg` for the compatibility/need of pinentry-mode

data/lib/omnibus/packagers/ips.rb

@@ -209,8 +209,7 @@ module Omnibus
         destination: transform_file,
         variables: {
           pathdir: project.install_dir.split("/")[1],
-        }
-      )
+        })
     end
 
     #
@@ -242,8 +241,7 @@ module Omnibus
       render_template_content(resource_path(symlinks_file),
         {
           projectdir: project.install_dir,
-        }
-      )
+        })
     end
 
     #
@@ -262,8 +260,7 @@ module Omnibus
           description: project.description,
           summary: project.friendly_name,
           arch: safe_architecture,
-        }
-      )
+        })
 
       # Append the contents of symlinks_file if it exists
       if symlinks_file

data/lib/omnibus/packagers/makeself.rb

@@ -81,8 +81,7 @@ module Omnibus
         destination: makeselfinst_staging_path,
         variables: {
           install_dir: project.install_dir,
-        }
-      )
+        })
       FileUtils.chmod(0755, makeselfinst_staging_path)
     end
 

data/lib/omnibus/packagers/msi.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "pathname"
+require "pathname" unless defined?(Pathname)
 require "omnibus/packagers/windows_base"
 
 module Omnibus
@@ -181,10 +181,12 @@ module Omnibus
       unless val.is_a?(TrueClass) || val.is_a?(FalseClass)
         raise InvalidValue.new(:iwix_light_delay_validation, "be TrueClass or FalseClass")
       end
+
       @delay_validation ||= val
       unless @delay_validation
         return ""
       end
+
       "-sval"
     end
     expose :wix_light_delay_validation
@@ -225,6 +227,7 @@ module Omnibus
       unless val.is_a?(TrueClass) || val.is_a?(FalseClass)
         raise InvalidValue.new(:bundle_msi, "be TrueClass or FalseClass")
       end
+
       @bundle_msi ||= val
     end
     expose :bundle_msi
@@ -244,6 +247,7 @@ module Omnibus
       unless val.is_a?(TrueClass) || val.is_a?(FalseClass)
         raise InvalidValue.new(:fast_msi, "be TrueClass or FalseClass")
       end
+
       @fast_msi ||= val
     end
     expose :fast_msi
@@ -298,6 +302,7 @@ module Omnibus
 
       raise "Could not find `#{search_pattern}'!" if file_paths.none?
       raise "Multiple possible matches of `#{search_pattern}'! : #{file_paths}" if file_paths.count > 1
+
       file_paths.first.relative_path_from(install_path).to_s
     end
     expose :gem_path
@@ -340,8 +345,7 @@ module Omnibus
           name: project.package_name,
           friendly_name: project.friendly_name,
           maintainer: project.maintainer,
-        }
-      )
+        })
     end
 
     #
@@ -360,8 +364,7 @@ module Omnibus
           parameters: parameters,
           version: windows_package_version,
           display_version: msi_display_version,
-        }
-      )
+        })
     end
 
     #
@@ -408,8 +411,7 @@ module Omnibus
           hierarchy: hierarchy,
           fastmsi: fast_msi,
           wix_install_dir: wix_install_dir,
-        }
-      )
+        })
     end
 
     #
@@ -429,8 +431,7 @@ module Omnibus
           version: windows_package_version,
           display_version: msi_display_version,
           msi: windows_safe_path(Config.package_dir, msi_name),
-        }
-      )
+        })
     end
 
     #
@@ -487,7 +488,7 @@ module Omnibus
           -ext WixBalExtension
           #{wix_extension_switches(wix_candle_extensions)}
           -dOmnibusCacheDir="#{windows_safe_path(File.expand_path(Config.cache_dir))}"
-          "#{windows_safe_path(staging_dir, 'bundle.wxs')}"
+          "#{windows_safe_path(staging_dir, "bundle.wxs")}"
         EOH
       else
         <<-EOH.split.join(" ").squeeze(" ").strip
@@ -496,7 +497,7 @@ module Omnibus
             #{wix_candle_flags}
             #{wix_extension_switches(wix_candle_extensions)}
             -dProjectSourceDir="#{windows_safe_path(project.install_dir)}" "project-files.wxs"
-            "#{windows_safe_path(staging_dir, 'source.wxs')}"
+            "#{windows_safe_path(staging_dir, "source.wxs")}"
         EOH
       end
     end
@@ -588,7 +589,7 @@ module Omnibus
     # @return [String]
     #
     def wix_extension_switches(arr)
-      "#{arr.map { |e| "-ext '#{e}'" }.join(' ')}"
+      "#{arr.map { |e| "-ext '#{e}'" }.join(" ")}"
     end
   end
 end

data/lib/omnibus/packagers/pkg.rb

@@ -44,8 +44,7 @@ module Omnibus
           maintainer: project.maintainer,
           build_version: project.build_version,
           package_name: project.package_name,
-        }
-      )
+        })
 
       # Render the welcome template
       render_template(resource_path("welcome.html.erb"),
@@ -56,8 +55,7 @@ module Omnibus
           maintainer: project.maintainer,
           build_version: project.build_version,
           package_name: project.package_name,
-        }
-      )
+        })
 
       # "Render" the assets
       copy_file(resource_path("background.png"), "#{resources_dir}/background.png")
@@ -66,6 +64,8 @@ module Omnibus
     build do
       write_scripts
 
+      sign_software_libs_and_bins
+
       build_component_pkg
 
       write_distribution_file
@@ -179,6 +179,67 @@ module Omnibus
       end
     end
 
+    def sign_software_libs_and_bins
+      if signing_identity
+        log.info(log_key) { "Finding libraries and binaries that require signing." }
+
+        bin_dirs = Set[]
+        lib_dirs = Set[]
+        binaries = Set[]
+        libraries = Set[]
+
+        # Capture lib_dirs and bin_dirs from each software
+        project.softwares.each do |software|
+          lib_dirs.merge(software.lib_dirs)
+          bin_dirs.merge(software.bin_dirs)
+        end
+
+        # Find all binaries in each bind_dir
+        bin_dirs.each do |dir|
+          binaries.merge Dir["#{dir}/*"]
+        end
+        # Filter out symlinks, non-files, and non-executables
+        log.debug(log_key) { "  Filtering non-binary files:" }
+        binaries.select! { |bin| is_binary?(bin) }
+
+        # Use otool to find all libries that are used by our binaries
+        binaries.each do |bin|
+          libraries.merge find_linked_libs bin
+        end
+
+        # Find all libraries in each lib_dir and add any we missed with otool
+        lib_dirs.each do |dir|
+          libraries.merge Dir["#{dir}/*"]
+        end
+
+        # Filter Mach-O libraries and bundles
+        log.debug(log_key) { "  Filtering non-library files:" }
+        libraries.select! { |lib| is_macho?(lib) }
+
+        # Use otool to find all libries that are used by our libraries
+        otool_libs = Set[]
+        libraries.each do |lib|
+          otool_libs.merge find_linked_libs lib
+        end
+
+        # Filter Mach-O libraries and bundles
+        otool_libs.select! { |lib| is_macho?(lib) }
+        libraries.merge otool_libs
+
+        log.info(log_key) { "  Signing libraries:" } unless libraries.empty?
+        libraries.each do |library|
+          log.debug(log_key) { "    Signing: #{library}" }
+          sign_library(library)
+        end
+
+        log.info(log_key) { "  Signing binaries:" } unless binaries.empty?
+        binaries.each do |binary|
+          log.debug(log_key) { "    Signing: #{binary}" }
+          sign_binary(binary, true)
+        end
+      end
+    end
+
     #
     # Construct the intermediate build product. It can be installed with the
     # Installer.app, but doesn't contain the data needed to customize the
@@ -187,16 +248,20 @@ module Omnibus
     # @return [void]
     #
     def build_component_pkg
-      command = <<-EOH.gsub(/^ {8}/, "")
+      command = <<~EOH
         pkgbuild \\
           --identifier "#{safe_identifier}" \\
           --version "#{safe_version}" \\
           --scripts "#{scripts_dir}" \\
           --root "#{project.install_dir}" \\
           --install-location "#{project.install_dir}" \\
-          "#{component_pkg}"
+          --preserve-xattr \\
       EOH
 
+      command << %Q{  --sign "#{signing_identity}" \\\n} if signing_identity
+      command << %Q{  "#{component_pkg}"}
+      command << %Q{\n}
+
       Dir.chdir(staging_dir) do
         shellout!(command)
       end
@@ -221,8 +286,7 @@ module Omnibus
           identifier: safe_identifier,
           version: safe_version,
           component_pkg: component_pkg,
-        }
-      )
+        })
     end
 
     #
@@ -232,7 +296,7 @@ module Omnibus
     # @return [void]
     #
     def build_product_pkg
-      command = <<-EOH.gsub(/^ {8}/, "")
+      command = <<~EOH
         productbuild \\
           --distribution "#{staging_dir}/Distribution" \\
           --resources "#{resources_dir}" \\
@@ -323,5 +387,57 @@ module Omnibus
         converted
       end
     end
+
+    #
+    # Given a file path return any linked libraries.
+    #
+    # @param [String] file_path
+    #    The path to a file
+    # @return [Array<String>]
+    #    The linked libs
+    #
+    def find_linked_libs(file_path)
+      # Find all libaries for each bin
+      command = "otool -L #{file_path}"
+
+      stdout = shellout!(command).stdout
+      stdout.slice!(file_path)
+      stdout.scan(/#{install_dir}\S*/)
+    end
+
+    def sign_library(lib)
+      sign_binary(lib)
+    end
+
+    def sign_binary(bin, hardened_runtime = false)
+      command = "codesign -s '#{signing_identity}' '#{bin}'"
+      command << %q{ --options=runtime} if hardened_runtime
+      command << %Q{ --entitlements #{resource_path("entitlements.plist")}} if File.exist?(resource_path("entitlements.plist")) && hardened_runtime
+      ## Force re-signing to deal with binaries that have the same sha.
+      command << %q{ --force}
+      command << %Q{\n}
+
+      shellout!(command)
+    end
+
+    def is_binary?(bin)
+      is_binary = File.file?(bin) &&
+        File.executable?(bin) &&
+        !File.symlink?(bin)
+      log.debug(log_key) { "    removing non-binary file from signing: #{bin}" } unless is_binary
+      is_binary
+    end
+
+    def is_macho?(lib)
+      is_macho = false
+      if is_binary?(lib)
+        command = "file #{lib}"
+
+        stdout = shellout!(command).stdout
+        is_macho = stdout.match?(/Mach-O.*(library|bundle)/)
+      end
+      log.debug(log_key) { "    removing non-Mach-O library file from signing: #{lib}" } unless is_macho
+      is_macho
+    end
   end
 end