omnibus 6.1.9 → 7.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13c799a70980298bd1b9a949570129950948678e848013b5cc45e9c16163eed4
-  data.tar.gz: f674f27153dd215d6718e988b6d4bc7b8c30e3b3b00e3b89aaffbab1c14a7bdd
+  metadata.gz: 426773f2a6ca96d0f7b36b5df60e01fb17b52bf747c2a19b040499e03737b20e
+  data.tar.gz: 8045d8e96683fafa5fcc1357d83701515ebbcd160d16743e1903c5fcb964284c
 SHA512:
-  metadata.gz: 7bd5732c6df36ef63dff1bf783117fe40eb49934209e41fe4f5b9f03e64998a3f69e30d86183b4b70d9f9780682a8641bb1bde8c229213be53b69f30d6267259
-  data.tar.gz: 74bbdef1a133d657e75853a0a44ee3eea4dc461bc8fda2a52c5623656e0a289f1c40ba9906da8179686e3998354a088d5e2410dfe6b2519c41f45823613317c6
+  metadata.gz: 427f1194c4141ff9ebd69a7bce99c2fb2f136a836e2fa3b99c842b3ae6d271698113027cf29ea25f7ac8a38a81b6448dd44a29faf2895e69f16ec537c0d789de
+  data.tar.gz: 7ae973fddc3895fc2bad09fa17316e5bc58aefb7cfa19efb4630fb44dd6a0d1e479715bde34b4d3195b560f704f5d1f47fe8543efe140913694e9723b20cd187

data/Gemfile

@@ -11,7 +11,7 @@ end
 group :debug do
   gem "pry"
   gem "pry-byebug"
-  gem "pry-stack_explorer"
+  gem "pry-stack_explorer", "~> 0.4.0" # 0.4 allows us to still test Ruby 2.5
 end
 
 if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5")

data/README.md

@@ -84,11 +84,19 @@ use_git_caching false
 # Enable S3 asset caching
 # ------------------------------
 use_s3_caching true
+s3_bucket      ENV['S3_BUCKET']
+
+# There are three ways to authenticate to the S3 bucket
+
+# 1. set `s3_access_key` and `s3_secret_key`
 s3_access_key  ENV['S3_ACCESS_KEY']
 s3_secret_key  ENV['S3_SECRET_KEY']
-# You can use the Shared Credentials files in place of the s3_access_key and s3_secret_key.
+
+# 2. set `s3_profile` to use an AWS profile in the Shared Credentials files
 #s3_profile    ENV['S3_PROFILE']
-s3_bucket      ENV['S3_BUCKET']
+
+# 3. set `s3_iam_role_arn` to use an AWS IAM role
+#s3_iam_role_arn    ENV['S3_IAM_ROLE_ARN']
 ```
 
 For more information, please see the [`Config` documentation](http://www.rubydoc.info/github/chef/omnibus/Omnibus/Config).
@@ -253,7 +261,7 @@ For all of these paths, **order matters**, so it is possible to depend on local
 $PWD/config/software/foo.rb
 /path/to/software/config/software/foo.rb
 /other/path/to/software/config/software/foo.rb
-/Users/sethvargo/.gems/.../my-comany-omnibus-software/config/software/foo.rb
+/Users/sethvargo/.gems/.../my-company-omnibus-software/config/software/foo.rb
 /Users/sethvargo/.gems/.../omnibus-software/config/software/foo.rb
 ```
 
@@ -273,7 +281,7 @@ This will output a JSON-formatted manifest containing the resolved version of ev
 
 Sometimes a platform has libraries that need to be whitelisted so the healthcheck can pass. The whitelist found in the [healthcheck](https://github.com/chef/omnibus/blob/master/lib/omnibus/health_check.rb) code comprises the minimal required for successful builds on supported platforms.
 
-To add your own whitelisted library, simply add the a regex to your software definition in your omnibus project as follows:
+To add your own whitelisted library, simply add a regex to your software definition in your omnibus project as follows:
 
 ```
 whitelist_file /libpcrecpp\.so\..+/
@@ -289,11 +297,11 @@ STATUS: _EXPERIMENTAL_
 
 `omnibus changelog generate` will generate a changelog for an omnibus project. This command currently assumes:
 
-- version-manifest.json is checked into the project root
-- the project is a git repository
-- each version is tagged with a SemVer compliant annotated tag
+- A version-manifest.json file is checked into the project root
+- The project is a git repository
+- Each version is tagged with a SemVer compliant annotated tag
 - Any git-based sources are checked out at ../COMPONENT_NAME
-- Any commit message line prepended with ChangeLog-Entry: should be added to the changelog.
+- Any commit message line prepended with ChangeLog-Entry: should be added to the changelog
 
 These assumptions _will_ change as we determine what works best for a number of our projects.
 

data/lib/omnibus/compressor.rb

@@ -49,10 +49,10 @@ module Omnibus
       end
 
       if compressors.include?(:tgz)
-        return TGZ
+        TGZ
       else
         log.info(log_key) { "No compressor defined for `#{family}'." }
-        return Null
+        Null
       end
     end
     module_function :for_current_system

data/lib/omnibus/compressors/base.rb

@@ -30,7 +30,7 @@ module Omnibus
     # @param [Project] project
     #
     def initialize(project)
-      @project  = project
+      @project = project
 
       # There can now be multiple packagers per platform
       # but windows is the only platform that uses multiple

data/lib/omnibus/config.rb

@@ -285,7 +285,7 @@ module Omnibus
     #
     # @return [String, nil]
     default(:s3_access_key) do
-      if s3_profile
+      if s3_profile || s3_iam_role_arn
         nil
       else
         raise MissingRequiredAttribute.new(self, :s3_access_key, "'ABCD1234'")
@@ -296,7 +296,7 @@ module Omnibus
     #
     # @return [String, nil]
     default(:s3_secret_key) do
-      if s3_profile
+      if s3_profile || s3_iam_role_arn
         nil
       else
         raise MissingRequiredAttribute.new(self, :s3_secret_key, "'EFGH5678'")
@@ -308,6 +308,11 @@ module Omnibus
     # @return [String, nil]
     default(:s3_profile, nil)
 
+    # The AWS IAM role arn to use with S3 caching.
+    #
+    # @return [String, nil]
+    default(:s3_iam_role_arn, nil)
+
     # The region of the S3 bucket you want to cache software artifacts in.
     # Defaults to 'us-east-1'
     #
@@ -455,6 +460,11 @@ module Omnibus
     # @return [String, nil]
     default(:publish_s3_profile, nil)
 
+    # The AWS IAM role arn to use with S3 publisher.
+    #
+    # @return [String, nil]
+    default(:publish_s3_iam_role_arn, nil)
+
     # Directory pattern for the S3 publisher.
     # Interpolation of metadata keys is supported.
     #

data/lib/omnibus/generator_files/README.md.erb

@@ -47,8 +47,8 @@ $ bin/omnibus clean <%= config[:name] %> --purge
 ### Publish
 
 Omnibus has a built-in mechanism for releasing to a variety of "backends", such
-as Amazon S3. You must set the proper credentials in your `omnibus.rb` config
-file or specify them via the command line.
+as Amazon S3. You must set the proper credentials in your
+[`omnibus.rb`](omnibus.rb) config file or specify them via the command line.
 
 ```shell
 $ bin/omnibus publish path/to/*.deb --backend s3
@@ -82,37 +82,40 @@ version of every software definition.
 
 Kitchen-based Build Environment
 -------------------------------
-Every Omnibus project ships will a project-specific
-[Berksfile](https://docs.chef.io/berkshelf.html) that will allow you to build your omnibus projects on all of the projects listed
-in the `.kitchen.yml`. You can add/remove additional platforms as needed by
-changing the list found in the `.kitchen.yml` `platforms` YAML stanza.
+Every Omnibus project ships with a project-specific
+[Berksfile](https://docs.chef.io/berkshelf.html) that will allow you to build
+your omnibus projects on all of the platforms listed in the
+[`.kitchen.yml`](.kitchen.yml). You can add/remove additional platforms as
+needed by changing the list found in the [`.kitchen.yml`](.kitchen.yml)
+`platforms` YAML stanza.
 
 This build environment is designed to get you up-and-running quickly. However,
-there is nothing that restricts you to building on other platforms. Simply use
-the [omnibus cookbook](https://github.com/chef-cookbooks/omnibus) to setup
-your desired platform and execute the build steps listed above.
+there is nothing that restricts you from building on other platforms. Simply use
+the [omnibus cookbook](https://github.com/chef-cookbooks/omnibus) to setup your
+desired platform and execute the build steps listed above.
 
 The default build environment requires Test Kitchen and VirtualBox for local
 development. Test Kitchen also exposes the ability to provision instances using
 various cloud providers like AWS, DigitalOcean, or OpenStack. For more
 information, please see the [Test Kitchen documentation](https://kitchen.ci/).
 
-Once you have tweaked your `.kitchen.yml` (or `.kitchen.local.yml`) to your
-liking, you can bring up an individual build environment using the `kitchen`
-command.
+Once you have tweaked your [`.kitchen.yml`](.kitchen.yml) (or
+[`.kitchen.local.yml`](.kitchen.local.yml)) to your liking, you can bring up an
+individual build environment using the `kitchen` command.
+
 
 ```shell
-$ bin/kitchen converge ubuntu-1204
+$ bin/kitchen converge ubuntu-1804
 ```
 
 Then login to the instance and build the project as described in the Usage
 section:
 
 ```shell
-$ bundle exec kitchen login ubuntu-1204
+$ bin/kitchen login ubuntu-1804
+[vagrant@ubuntu...] $ .  load-omnibus-toolchain.sh
 [vagrant@ubuntu...] $ cd <%= config[:name] %>
 [vagrant@ubuntu...] $ bundle install
-[vagrant@ubuntu...] $ ...
 [vagrant@ubuntu...] $ bin/omnibus build <%= config[:name] %>
 ```
 

data/lib/omnibus/generator_files/config/software/preparation.rb.erb

@@ -15,7 +15,7 @@
 #
 
 name "preparation"
-description "the steps required to preprare the build"
+description "the steps required to prepare the build"
 default_version "1.0.0"
 
 license :project_license

data/lib/omnibus/generator_files/omnibus.rb.erb

@@ -31,10 +31,11 @@
 # Enable S3 asset caching
 # ------------------------------
 # use_s3_caching true
-# s3_access_key  ENV['AWS_ACCESS_KEY_ID']
-# s3_secret_key  ENV['AWS_SECRET_ACCESS_KEY']
-# s3_profile     ENV['AWS_S3_PROFILE']
-# s3_bucket      ENV['AWS_S3_BUCKET']
+# s3_access_key    ENV['AWS_ACCESS_KEY_ID']
+# s3_secret_key    ENV['AWS_SECRET_ACCESS_KEY']
+# s3_profile       ENV['AWS_S3_PROFILE']
+# s3_iam_role_arn  ENV['S3_IAM_ROLE_ARN']
+# s3_bucket        ENV['AWS_S3_BUCKET']
 
 # Customize compiler bits
 # ------------------------------

data/lib/omnibus/licensing.rb

@@ -439,7 +439,7 @@ module Omnibus
 
       if Config.fatal_transitive_dependency_licensing_warnings && !transitive_dependency_licensing_warnings.empty?
         warnings_to_raise << transitive_dependency_licensing_warnings
-        warnings_to_raise << "If you are encountering missing license or missing license file errors for **transitive** dependencies, you can provide overrides for the missing information at https://github.com/chef/license_scout/blob/master/lib/license_scout/overrides.rb#L93"
+        warnings_to_raise << "If you are encountering missing license or missing license file errors for **transitive** dependencies, you can provide overrides for the missing information at https://github.com/chef/license_scout/blob/1-stable/lib/license_scout/overrides.rb#L93. \n Promote license_scout to Rubygems with `/expeditor promote chef/license_scout:1-stable X.Y.Z` in slack."
       end
 
       warnings_to_raise.flatten!

data/lib/omnibus/metadata.rb

@@ -83,7 +83,7 @@ module Omnibus
         data = File.read(path_for(package))
         hash = FFI_Yajl::Parser.parse(data, symbolize_names: true)
 
-         # Ensure Platform version has been truncated
+        # Ensure Platform version has been truncated
         if hash[:platform_version] && hash[:platform]
           hash[:platform_version] = truncate_platform_version(hash[:platform_version], hash[:platform])
         end

data/lib/omnibus/packagers/pkg.rb

@@ -64,6 +64,8 @@ module Omnibus
     build do
       write_scripts
 
+      sign_software_libs_and_bins
+
       build_component_pkg
 
       write_distribution_file
@@ -177,6 +179,67 @@ module Omnibus
       end
     end
 
+    def sign_software_libs_and_bins
+      if signing_identity
+        log.info(log_key) { "Finding libraries and binaries that require signing." }
+
+        bin_dirs = Set[]
+        lib_dirs = Set[]
+        binaries = Set[]
+        libraries = Set[]
+
+        # Capture lib_dirs and bin_dirs from each software
+        project.softwares.each do |software|
+          lib_dirs.merge(software.lib_dirs)
+          bin_dirs.merge(software.bin_dirs)
+        end
+
+        # Find all binaries in each bind_dir
+        bin_dirs.each do |dir|
+          binaries.merge Dir["#{dir}/*"]
+        end
+        # Filter out symlinks, non-files, and non-executables
+        log.debug(log_key) { "  Filtering non-binary files:" }
+        binaries.select! { |bin| is_binary?(bin) }
+
+        # Use otool to find all libries that are used by our binaries
+        binaries.each do |bin|
+          libraries.merge find_linked_libs bin
+        end
+
+        # Find all libraries in each lib_dir and add any we missed with otool
+        lib_dirs.each do |dir|
+          libraries.merge Dir["#{dir}/*"]
+        end
+
+        # Filter Mach-O libraries and bundles
+        log.debug(log_key) { "  Filtering non-library files:" }
+        libraries.select! { |lib| is_macho?(lib) }
+
+        # Use otool to find all libries that are used by our libraries
+        otool_libs = Set[]
+        libraries.each do |lib|
+          otool_libs.merge find_linked_libs lib
+        end
+
+        # Filter Mach-O libraries and bundles
+        otool_libs.select! { |lib| is_macho?(lib) }
+        libraries.merge otool_libs
+
+        log.info(log_key) { "  Signing libraries:" } unless libraries.empty?
+        libraries.each do |library|
+          log.debug(log_key) { "    Signing: #{library}" }
+          sign_library(library)
+        end
+
+        log.info(log_key) { "  Signing binaries:" } unless binaries.empty?
+        binaries.each do |binary|
+          log.debug(log_key) { "    Signing: #{binary}" }
+          sign_binary(binary, true)
+        end
+      end
+    end
+
     #
     # Construct the intermediate build product. It can be installed with the
     # Installer.app, but doesn't contain the data needed to customize the
@@ -185,16 +248,20 @@ module Omnibus
     # @return [void]
     #
     def build_component_pkg
-      command = <<-EOH.gsub(/^ {8}/, "")
+      command = <<~EOH
         pkgbuild \\
           --identifier "#{safe_identifier}" \\
           --version "#{safe_version}" \\
           --scripts "#{scripts_dir}" \\
           --root "#{project.install_dir}" \\
           --install-location "#{project.install_dir}" \\
-          "#{component_pkg}"
+          --preserve-xattr \\
       EOH
 
+      command << %Q{  --sign "#{signing_identity}" \\\n} if signing_identity
+      command << %Q{  "#{component_pkg}"}
+      command << %Q{\n}
+
       Dir.chdir(staging_dir) do
         shellout!(command)
       end
@@ -229,7 +296,7 @@ module Omnibus
     # @return [void]
     #
     def build_product_pkg
-      command = <<-EOH.gsub(/^ {8}/, "")
+      command = <<~EOH
         productbuild \\
           --distribution "#{staging_dir}/Distribution" \\
           --resources "#{resources_dir}" \\
@@ -320,5 +387,57 @@ module Omnibus
         converted
       end
     end
+
+    #
+    # Given a file path return any linked libraries.
+    #
+    # @param [String] file_path
+    #    The path to a file
+    # @return [Array<String>]
+    #    The linked libs
+    #
+    def find_linked_libs(file_path)
+      # Find all libaries for each bin
+      command = "otool -L #{file_path}"
+
+      stdout = shellout!(command).stdout
+      stdout.slice!(file_path)
+      stdout.scan(/#{install_dir}\S*/)
+    end
+
+    def sign_library(lib)
+      sign_binary(lib)
+    end
+
+    def sign_binary(bin, hardened_runtime = false)
+      command = "codesign -s '#{signing_identity}' '#{bin}'"
+      command << %q{ --options=runtime} if hardened_runtime
+      command << %Q{ --entitlements #{resource_path("entitlements.plist")}} if File.exist?(resource_path("entitlements.plist")) && hardened_runtime
+      ## Force re-signing to deal with binaries that have the same sha.
+      command << %q{ --force}
+      command << %Q{\n}
+
+      shellout!(command)
+    end
+
+    def is_binary?(bin)
+      is_binary = File.file?(bin) &&
+        File.executable?(bin) &&
+        !File.symlink?(bin)
+      log.debug(log_key) { "    removing from signing: #{bin}" } unless is_binary
+      is_binary
+    end
+
+    def is_macho?(lib)
+      is_macho = false
+      if is_binary?(lib)
+        command = "file #{lib}"
+
+        stdout = shellout!(command).stdout
+        is_macho = stdout.match?(/Mach-O.*library/) || stdout.match?(/Mach-O.*bundle/)
+      end
+      log.debug(log_key) { "    removing from signing: #{lib}" } unless is_macho
+      is_macho
+    end
   end
 end

data/lib/omnibus/publishers/s3_publisher.rb

@@ -65,11 +65,13 @@ module Omnibus
         bucket_name: @options[:bucket],
       }
 
-      if Config.publish_s3_profile
-        config[:profile]            = Config.publish_s3_profile
+      if Config.publish_s3_iam_role_arn
+        config[:publish_s3_iam_role_arn] = Config.publish_s3_iam_role_arn
+      elsif Config.publish_s3_profile
+        config[:profile] = Config.publish_s3_profile
       else
-        config[:access_key_id]      = Config.publish_s3_access_key
-        config[:secret_access_key]  = Config.publish_s3_secret_key
+        config[:access_key_id] = Config.publish_s3_access_key
+        config[:secret_access_key] = Config.publish_s3_secret_key
       end
 
       config

data/lib/omnibus/s3_cache.rb

@@ -147,7 +147,9 @@ module Omnibus
           force_path_style: Config.s3_force_path_style,
         }
 
-        if Config.s3_profile
+        if Config.s3_iam_role_arn
+          config[:iam_role_arn] = Config.s3_iam_role_arn
+        elsif Config.s3_profile
           config[:profile] = Config.s3_profile
         else
           config[:access_key_id] = Config.s3_access_key