omnibus 6.1.9 → 8.0.15

data/lib/omnibus/file_syncer.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "fileutils"
+require "fileutils" unless defined?(FileUtils)
 
 module Omnibus
   module FileSyncer

data/lib/omnibus/generator.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "thor"
+require "thor" unless defined?(Thor)
 
 module Omnibus
   class Generator < Thor::Group
@@ -73,7 +73,7 @@ module Omnibus
     class << self
       # Set the source root for Thor
       def source_root
-        File.expand_path("../generator_files", __FILE__)
+        File.expand_path("generator_files", __dir__)
       end
     end
 

data/lib/omnibus/generator_files/README.md.erb

@@ -47,8 +47,8 @@ $ bin/omnibus clean <%= config[:name] %> --purge
 ### Publish
 
 Omnibus has a built-in mechanism for releasing to a variety of "backends", such
-as Amazon S3. You must set the proper credentials in your `omnibus.rb` config
-file or specify them via the command line.
+as Amazon S3. You must set the proper credentials in your
+[`omnibus.rb`](omnibus.rb) config file or specify them via the command line.
 
 ```shell
 $ bin/omnibus publish path/to/*.deb --backend s3
@@ -82,37 +82,41 @@ version of every software definition.
 
 Kitchen-based Build Environment
 -------------------------------
-Every Omnibus project ships will a project-specific
-[Berksfile](https://docs.chef.io/berkshelf.html) that will allow you to build your omnibus projects on all of the projects listed
-in the `.kitchen.yml`. You can add/remove additional platforms as needed by
-changing the list found in the `.kitchen.yml` `platforms` YAML stanza.
+Every Omnibus project ships with a project-specific
+[Berksfile](https://docs.chef.io/berkshelf.html) that will allow you to build
+your omnibus projects on all of the platforms listed in the
+[`.kitchen.yml`](.kitchen.yml). You can add/remove additional platforms as
+needed by changing the list found in the [`.kitchen.yml`](.kitchen.yml)
+`platforms` YAML stanza.
 
 This build environment is designed to get you up-and-running quickly. However,
-there is nothing that restricts you to building on other platforms. Simply use
-the [omnibus cookbook](https://github.com/chef-cookbooks/omnibus) to setup
-your desired platform and execute the build steps listed above.
+there is nothing that restricts you from building on other platforms. Simply use
+the [omnibus cookbook](https://github.com/chef-cookbooks/omnibus) to setup your
+desired platform and execute the build steps listed above.
 
 The default build environment requires Test Kitchen and VirtualBox for local
 development. Test Kitchen also exposes the ability to provision instances using
 various cloud providers like AWS, DigitalOcean, or OpenStack. For more
 information, please see the [Test Kitchen documentation](https://kitchen.ci/).
 
-Once you have tweaked your `.kitchen.yml` (or `.kitchen.local.yml`) to your
-liking, you can bring up an individual build environment using the `kitchen`
-command.
+Once you have tweaked your [`.kitchen.yml`](.kitchen.yml) (or
+[`.kitchen.local.yml`](.kitchen.local.yml)) to your liking, you can bring up an
+individual build environment using the `kitchen` command.
+
 
 ```shell
-$ bin/kitchen converge ubuntu-1204
+$ bin/kitchen converge ubuntu-1804
 ```
 
 Then login to the instance and build the project as described in the Usage
 section:
 
 ```shell
-$ bundle exec kitchen login ubuntu-1204
-[vagrant@ubuntu...] $ cd <%= config[:name] %>
+$ bin/kitchen login ubuntu-1804
+[vagrant@ubuntu...] $ .  load-omnibus-toolchain.sh
+[vagrant@ubuntu...] $ [ -e .bundle ] && sudo chown -R vagrant:vagrant .bundle
+[vagrant@ubuntu...] $ cd <%= config[:name] %>   # or 'cd <%= config[:name] %>/omnibus' if your omnibus project is embedded in your main project
 [vagrant@ubuntu...] $ bundle install
-[vagrant@ubuntu...] $ ...
 [vagrant@ubuntu...] $ bin/omnibus build <%= config[:name] %>
 ```
 

data/lib/omnibus/generator_files/config/software/preparation.rb.erb

@@ -15,7 +15,7 @@
 #
 
 name "preparation"
-description "the steps required to preprare the build"
+description "the steps required to prepare the build"
 default_version "1.0.0"
 
 license :project_license

data/lib/omnibus/generator_files/omnibus.rb.erb

@@ -31,10 +31,11 @@
 # Enable S3 asset caching
 # ------------------------------
 # use_s3_caching true
-# s3_access_key  ENV['AWS_ACCESS_KEY_ID']
-# s3_secret_key  ENV['AWS_SECRET_ACCESS_KEY']
-# s3_profile     ENV['AWS_S3_PROFILE']
-# s3_bucket      ENV['AWS_S3_BUCKET']
+# s3_access_key    ENV['AWS_ACCESS_KEY_ID']
+# s3_secret_key    ENV['AWS_SECRET_ACCESS_KEY']
+# s3_profile       ENV['AWS_S3_PROFILE']
+# s3_iam_role_arn  ENV['S3_IAM_ROLE_ARN']
+# s3_bucket        ENV['AWS_S3_BUCKET']
 
 # Customize compiler bits
 # ------------------------------

data/lib/omnibus/git_cache.rb

@@ -14,8 +14,8 @@
 # limitations under the License.
 #
 
-require "digest"
-require "fileutils"
+require "digest" unless defined?(Digest)
+require "fileutils" unless defined?(FileUtils)
 
 module Omnibus
   class GitCache

data/lib/omnibus/health_check.rb

@@ -428,6 +428,8 @@ module Omnibus
                          ARCH_WHITELIST_LIBS
                        when "mac_os_x"
                          MAC_WHITELIST_LIBS
+                       when "omnios"
+                         OMNIOS_WHITELIST_LIBS
                        when "solaris2"
                          SOLARIS_WHITELIST_LIBS
                        when "smartos"

data/lib/omnibus/licensing.rb

@@ -14,8 +14,8 @@
 # limitations under the License.
 #
 
-require "uri"
-require "fileutils"
+require "uri" unless defined?(URI)
+require "fileutils" unless defined?(FileUtils)
 require "omnibus/download_helpers"
 require "license_scout/collector"
 require "license_scout/reporter"
@@ -439,7 +439,7 @@ module Omnibus
 
       if Config.fatal_transitive_dependency_licensing_warnings && !transitive_dependency_licensing_warnings.empty?
         warnings_to_raise << transitive_dependency_licensing_warnings
-        warnings_to_raise << "If you are encountering missing license or missing license file errors for **transitive** dependencies, you can provide overrides for the missing information at https://github.com/chef/license_scout/blob/master/lib/license_scout/overrides.rb#L93"
+        warnings_to_raise << "If you are encountering missing license or missing license file errors for **transitive** dependencies, you can provide overrides for the missing information at https://github.com/chef/license_scout/blob/1-stable/lib/license_scout/overrides.rb#L93. \n Promote license_scout to Rubygems with `/expeditor promote chef/license_scout:1-stable X.Y.Z` in slack."
       end
 
       warnings_to_raise.flatten!

data/lib/omnibus/logger.rb

@@ -17,7 +17,7 @@
 module Omnibus
   class Logger
 
-    require "time"
+    require "time" unless defined?(Time.zone_offset)
 
     #
     # The amount of padding on the left column.

data/lib/omnibus/manifest.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "ffi_yajl"
+require "ffi_yajl" unless defined?(FFI_Yajl)
 
 module Omnibus
   class Manifest

data/lib/omnibus/metadata.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "ffi_yajl"
+require "ffi_yajl" unless defined?(FFI_Yajl)
 
 module Omnibus
   class Metadata
@@ -83,7 +83,7 @@ module Omnibus
         data = File.read(path_for(package))
         hash = FFI_Yajl::Parser.parse(data, symbolize_names: true)
 
-         # Ensure Platform version has been truncated
+        # Ensure Platform version has been truncated
         if hash[:platform_version] && hash[:platform]
           hash[:platform_version] = truncate_platform_version(hash[:platform_version], hash[:platform])
         end
@@ -170,7 +170,7 @@ module Omnibus
       # rubocop:disable Lint/DuplicateCaseCondition
       def truncate_platform_version(platform_version, platform)
         case platform
-        when "centos", "debian", "el", "fedora", "freebsd", "omnios", "pidora", "raspbian", "rhel", "sles", "suse", "smartos"
+        when "centos", "cumulus", "debian", "el", "fedora", "freebsd", "omnios", "pidora", "raspbian", "rhel", "sles", "suse", "smartos"
           # Only want MAJOR (e.g. Debian 7, OmniOS r151006, SmartOS 20120809T221258Z)
           platform_version.split(".").first
         when "aix", "alpine", "mac_os_x", "openbsd", "slackware", "solaris2", "opensuse", "opensuseleap", "ubuntu", "amazon"

data/lib/omnibus/ohai.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "ohai"
+require "ohai" unless defined?(Ohai::System)
 
 module Omnibus
   class Ohai

data/lib/omnibus/package.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "ffi_yajl"
+require "ffi_yajl" unless defined?(FFI_Yajl)
 
 module Omnibus
   class Package

data/lib/omnibus/packager.rb

@@ -1,5 +1,5 @@
 #
-# Copyright 2014-2018 Chef Software, Inc.
+# Copyright 2014-2020, Chef Software Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -46,6 +46,7 @@ module Omnibus
       "amazon" => RPM,
       "aix" => BFF,
       "solaris" => Solaris,
+      "omnios" => IPS,
       "ips" => IPS,
       "windows" => [MSI, APPX],
       "mac_os_x" => PKG,
@@ -65,25 +66,16 @@ module Omnibus
       family = Ohai["platform_family"]
       version = Ohai["platform_version"]
 
-      if family == "solaris2" && Chef::Sugar::Constraints::Version.new(version).satisfies?(">= 5.11")
+      if family == "solaris2" && ChefUtils::VersionString.new(version).satisfies?(">= 5.11")
         family = "ips"
-      elsif family == "solaris2" && Chef::Sugar::Constraints::Version.new(version).satisfies?(">= 5.10")
+      elsif family == "solaris2" && ChefUtils::VersionString.new(version).satisfies?(">= 5.10")
         family = "solaris"
       end
       if klass = PLATFORM_PACKAGER_MAP[family]
-        package_types = klass.is_a?(Array) ? klass : [ klass ]
-
-        if package_types.include?(APPX) &&
-            !Chef::Sugar::Constraints::Version.new(version).satisfies?(">= 6.2")
-          log.warn(log_key) { "APPX generation is only supported on Windows versions 2012 and above" }
-          package_types -= [APPX]
-        end
-
-        package_types
+        klass.is_a?(Array) ? klass : [ klass ]
       else
         log.warn(log_key) do
-          "Could not determine packager for `#{family}', defaulting " \
-          "to `makeself'!"
+          "Could not determine packager for `#{family}`, defaulting to `makeself`!"
         end
         [Makeself]
       end

data/lib/omnibus/packagers/base.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "fileutils"
+require "fileutils" unless defined?(FileUtils)
 
 module Omnibus
   class Packager::Base

data/lib/omnibus/packagers/msi.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-require "pathname"
+require "pathname" unless defined?(Pathname)
 require "omnibus/packagers/windows_base"
 
 module Omnibus

data/lib/omnibus/packagers/pkg.rb

@@ -64,6 +64,8 @@ module Omnibus
     build do
       write_scripts
 
+      sign_software_libs_and_bins
+
       build_component_pkg
 
       write_distribution_file
@@ -177,6 +179,67 @@ module Omnibus
       end
     end
 
+    def sign_software_libs_and_bins
+      if signing_identity
+        log.info(log_key) { "Finding libraries and binaries that require signing." }
+
+        bin_dirs = Set[]
+        lib_dirs = Set[]
+        binaries = Set[]
+        libraries = Set[]
+
+        # Capture lib_dirs and bin_dirs from each software
+        project.softwares.each do |software|
+          lib_dirs.merge(software.lib_dirs)
+          bin_dirs.merge(software.bin_dirs)
+        end
+
+        # Find all binaries in each bind_dir
+        bin_dirs.each do |dir|
+          binaries.merge Dir["#{dir}/*"]
+        end
+        # Filter out symlinks, non-files, and non-executables
+        log.debug(log_key) { "  Filtering non-binary files:" }
+        binaries.select! { |bin| is_binary?(bin) }
+
+        # Use otool to find all libries that are used by our binaries
+        binaries.each do |bin|
+          libraries.merge find_linked_libs bin
+        end
+
+        # Find all libraries in each lib_dir and add any we missed with otool
+        lib_dirs.each do |dir|
+          libraries.merge Dir["#{dir}/*"]
+        end
+
+        # Filter Mach-O libraries and bundles
+        log.debug(log_key) { "  Filtering non-library files:" }
+        libraries.select! { |lib| is_macho?(lib) }
+
+        # Use otool to find all libries that are used by our libraries
+        otool_libs = Set[]
+        libraries.each do |lib|
+          otool_libs.merge find_linked_libs lib
+        end
+
+        # Filter Mach-O libraries and bundles
+        otool_libs.select! { |lib| is_macho?(lib) }
+        libraries.merge otool_libs
+
+        log.info(log_key) { "  Signing libraries:" } unless libraries.empty?
+        libraries.each do |library|
+          log.debug(log_key) { "    Signing: #{library}" }
+          sign_library(library)
+        end
+
+        log.info(log_key) { "  Signing binaries:" } unless binaries.empty?
+        binaries.each do |binary|
+          log.debug(log_key) { "    Signing: #{binary}" }
+          sign_binary(binary, true)
+        end
+      end
+    end
+
     #
     # Construct the intermediate build product. It can be installed with the
     # Installer.app, but doesn't contain the data needed to customize the
@@ -185,16 +248,20 @@ module Omnibus
     # @return [void]
     #
     def build_component_pkg
-      command = <<-EOH.gsub(/^ {8}/, "")
+      command = <<~EOH
         pkgbuild \\
           --identifier "#{safe_identifier}" \\
           --version "#{safe_version}" \\
           --scripts "#{scripts_dir}" \\
           --root "#{project.install_dir}" \\
           --install-location "#{project.install_dir}" \\
-          "#{component_pkg}"
+          --preserve-xattr \\
       EOH
 
+      command << %Q{  --sign "#{signing_identity}" \\\n} if signing_identity
+      command << %Q{  "#{component_pkg}"}
+      command << %Q{\n}
+
       Dir.chdir(staging_dir) do
         shellout!(command)
       end
@@ -229,7 +296,7 @@ module Omnibus
     # @return [void]
     #
     def build_product_pkg
-      command = <<-EOH.gsub(/^ {8}/, "")
+      command = <<~EOH
         productbuild \\
           --distribution "#{staging_dir}/Distribution" \\
           --resources "#{resources_dir}" \\
@@ -320,5 +387,57 @@ module Omnibus
         converted
       end
     end
+
+    #
+    # Given a file path return any linked libraries.
+    #
+    # @param [String] file_path
+    #    The path to a file
+    # @return [Array<String>]
+    #    The linked libs
+    #
+    def find_linked_libs(file_path)
+      # Find all libaries for each bin
+      command = "otool -L #{file_path}"
+
+      stdout = shellout!(command).stdout
+      stdout.slice!(file_path)
+      stdout.scan(/#{install_dir}\S*/)
+    end
+
+    def sign_library(lib)
+      sign_binary(lib)
+    end
+
+    def sign_binary(bin, hardened_runtime = false)
+      command = "codesign -s '#{signing_identity}' '#{bin}'"
+      command << %q{ --options=runtime} if hardened_runtime
+      command << %Q{ --entitlements #{resource_path("entitlements.plist")}} if File.exist?(resource_path("entitlements.plist")) && hardened_runtime
+      ## Force re-signing to deal with binaries that have the same sha.
+      command << %q{ --force}
+      command << %Q{\n}
+
+      shellout!(command)
+    end
+
+    def is_binary?(bin)
+      is_binary = File.file?(bin) &&
+        File.executable?(bin) &&
+        !File.symlink?(bin)
+      log.debug(log_key) { "    removing non-binary file from signing: #{bin}" } unless is_binary
+      is_binary
+    end
+
+    def is_macho?(lib)
+      is_macho = false
+      if is_binary?(lib)
+        command = "file #{lib}"
+
+        stdout = shellout!(command).stdout
+        is_macho = stdout.match?(/Mach-O.*(library|bundle)/)
+      end
+      log.debug(log_key) { "    removing non-Mach-O library file from signing: #{lib}" } unless is_macho
+      is_macho
+    end
   end
 end