omnibus 6.1.9 → 8.0.15

data/resources/rpm/signing.erb

@@ -11,25 +11,22 @@ require 'pty'
 
 puts rpm_cmd
 PTY.spawn(rpm_cmd) do |r, w, pid|
+  # Older versions of rpmsign will prompt right away for the passphrase
   prompt = r.read(19)
 
-  # match the expected prompt exactly, since that's the only way we know if
-  # something went wrong.
-  unless prompt == 'Enter pass phrase: '
-    STDERR.puts "unexpected output from `#{rpm_cmd}`: '#{prompt}'"
-    Process.kill(:KILL, pid)
-    exit 1
+  if prompt == 'Enter pass phrase: '
+    STDOUT.puts prompt
+    w.write("#{password}\n")
   end
 
-  STDOUT.puts prompt
-  w.write("#{password}\n")
-
   # Keep printing output unti the command exits
   loop do
     begin
       line = r.gets
       puts line
-      if (line =~ /failed/) && !(line =~ /warning:/)
+      if line =~ /Please enter the passphrase to unlock the OpenPGP secret key:/
+        w.write("#{password}\n")
+      elsif (line =~ /failed/) && !(line =~ /warning:/)
         STDERR.puts 'RPM signing failure'
         exit 1
       end

data/spec/support/path_helpers.rb

@@ -6,13 +6,13 @@ module Omnibus
       end
 
       def tmp_path
-        File.expand_path("../../tmp", __FILE__)
+        File.expand_path("../tmp", __dir__)
       end
 
       private
 
       def fixtures_path
-        File.expand_path("../../fixtures", __FILE__)
+        File.expand_path("../fixtures", __dir__)
       end
     end
   end

data/spec/unit/compressor_spec.rb

@@ -4,7 +4,7 @@ module Omnibus
   describe Compressor do
     describe ".for_current_system" do
       context "on Mac OS X" do
-        before { stub_ohai(platform: "mac_os_x", version: "10.12") }
+        before { stub_ohai(platform: "mac_os_x", version: "10.15") }
 
         context "when :dmg is activated" do
           it "prefers dmg" do

data/spec/unit/compressors/dmg_spec.rb

@@ -219,8 +219,11 @@ module Omnibus
             sync
             hdiutil unmount "#{device}"
             # Give some time to the system so unmount dmg
-            sleep 5
-            hdiutil detach "#{device}" &&\
+            ATTEMPTS=1
+            until [ $ATTEMPTS -eq 6 ] || hdiutil detach "/dev/sda1"; do
+              sleep 10
+              echo Attempt number $(( ATTEMPTS++ ))
+            done
             hdiutil convert \\
               "#{staging_dir}/project-writable.dmg" \\
               -format UDZO \\

data/spec/unit/metadata_spec.rb

@@ -177,17 +177,17 @@ module Omnibus
 
     describe ".platform_shortname" do
       it "returns el on rhel" do
-        stub_ohai(platform: "redhat", version: "6.9")
+        stub_ohai(platform: "redhat", version: "6")
         expect(described_class.platform_shortname).to eq("el")
       end
 
       it "returns sles on suse" do
-        stub_ohai(platform: "suse", version: "12.2")
+        stub_ohai(platform: "suse", version: "12")
         expect(described_class.platform_shortname).to eq("sles")
       end
 
       it "returns .platform on all other systems" do
-        stub_ohai(platform: "ubuntu", version: "16.04")
+        stub_ohai(platform: "ubuntu", version: "20.04")
         expect(described_class.platform_shortname).to eq("ubuntu")
       end
     end
@@ -196,7 +196,7 @@ module Omnibus
       shared_examples "a version manipulator" do |platform_shortname, version, expected|
         context "on #{platform_shortname}-#{version}" do
           it "returns the correct value" do
-            stub_ohai(platform: "ubuntu", version: "16.04") do |data|
+            stub_ohai(platform: "ubuntu", version: "20.04") do |data|
               data["platform"] = platform_shortname
               data["platform_version"] = version
             end
@@ -245,7 +245,7 @@ module Omnibus
 
       context "given an unknown platform" do
         before do
-          stub_ohai(platform: "ubuntu", version: "16.04") do |data|
+          stub_ohai(platform: "ubuntu", version: "20.04") do |data|
             data["platform"] = "bacon"
             data["platform_version"] = "1.crispy"
           end
@@ -259,7 +259,7 @@ module Omnibus
 
       context "given an unknown windows platform version" do
         before do
-          stub_ohai(platform: "ubuntu", version: "16.04") do |data|
+          stub_ohai(platform: "ubuntu", version: "20.04") do |data|
             data["platform"] = "windows"
             data["platform_version"] = "1.2.3"
           end

data/spec/unit/packager_spec.rb

@@ -4,26 +4,19 @@ module Omnibus
   describe Packager do
     describe ".for_current_system" do
       context "on Mac OS X" do
-        before { stub_ohai(platform: "mac_os_x", version: "10.13") }
+        before { stub_ohai(platform: "mac_os_x", version: "10.15") }
         it "prefers PKG" do
           expect(described_class.for_current_system).to eq([Packager::PKG])
         end
       end
 
-      context "on Windows 2012 R2" do
+      context "on Windows" do
         before { stub_ohai(platform: "windows", version: "2012R2") }
         it "prefers MSI and APPX" do
           expect(described_class.for_current_system).to eq([Packager::MSI, Packager::APPX])
         end
       end
 
-      context "on Windows 2008 R2" do
-        before { stub_ohai(platform: "windows", version: "2008R2") }
-        it "prefers MSI only" do
-          expect(described_class.for_current_system).to eq([Packager::MSI])
-        end
-      end
-
       context "on Solaris 11" do
         before { stub_ohai(platform: "solaris2", version: "5.11") }
         it "prefers IPS" do
@@ -32,14 +25,14 @@ module Omnibus
       end
 
       context "on AIX" do
-        before { stub_ohai(platform: "aix", version: "7.1") }
+        before { stub_ohai(platform: "aix", version: "7") }
         it "prefers BFF" do
           expect(described_class.for_current_system).to eq([Packager::BFF])
         end
       end
 
       context "on Fedora" do
-        before { stub_ohai(platform: "fedora", version: "28") }
+        before { stub_ohai(platform: "fedora", version: "31") }
         it "prefers RPM" do
           expect(described_class.for_current_system).to eq([Packager::RPM])
         end
@@ -53,14 +46,14 @@ module Omnibus
       end
 
       context "on Debian" do
-        before { stub_ohai(platform: "debian", version: "8.11") }
+        before { stub_ohai(platform: "debian", version: "10") }
         it "prefers RPM" do
           expect(described_class.for_current_system).to eq([Packager::DEB])
         end
       end
 
       context "on SLES" do
-        before { stub_ohai(platform: "suse", version: "12.3") }
+        before { stub_ohai(platform: "suse", version: "15") }
         it "prefers RPM" do
           expect(described_class.for_current_system).to eq([Packager::RPM])
         end

data/spec/unit/packagers/ips_spec.rb

@@ -155,6 +155,7 @@ module Omnibus
         expect(transform_file_contents).to include("<transform file depend -> edit pkg.debug.depend.file ruby env>")
         expect(transform_file_contents).to include("<transform file depend -> edit pkg.debug.depend.file make env>")
         expect(transform_file_contents).to include("<transform file depend -> edit pkg.debug.depend.file perl env>")
+        expect(transform_file_contents).to include("<transform file depend -> edit pkg.debug.depend.path usr/local/bin usr/bin>")
       end
     end
 

data/spec/unit/packagers/pkg_spec.rb

@@ -109,6 +109,158 @@ module Omnibus
       end
     end
 
+    describe "#sign_software_libs_and_bins" do
+      context "when pkg signing is disabled" do
+        it "does not sign anything" do
+          expect(subject).not_to receive(:sign_binary)
+          expect(subject).not_to receive(:sign_library)
+          subject.sign_software_libs_and_bins
+        end
+
+        it "returns an empty set" do
+          expect(subject.sign_software_libs_and_bins).to be_nil
+        end
+      end
+
+      context "when pkg signing is enabled" do
+        before do
+          subject.signing_identity("My Special Identity")
+        end
+
+        context "without software" do
+          it "does not sign anything" do
+            expect(subject).not_to receive(:sign_binary)
+            expect(subject).not_to receive(:sign_library)
+            subject.sign_software_libs_and_bins
+          end
+
+          it "returns an empty set" do
+            expect(subject.sign_software_libs_and_bins).to eq(Set.new)
+          end
+        end
+
+        context "project with software" do
+          let(:software) do
+            Software.new(project).tap do |software|
+              software.name("software-full-name")
+            end
+          end
+
+          before do
+            allow(project).to receive(:softwares).and_return([software])
+          end
+
+          context "with empty bin_dirs and lib_dirs" do
+            before do
+              allow(software).to receive(:lib_dirs).and_return([])
+              allow(software).to receive(:bin_dirs).and_return([])
+            end
+
+            it "does not sign anything" do
+              expect(subject).not_to receive(:sign_binary)
+              expect(subject).not_to receive(:sign_library)
+              subject.sign_software_libs_and_bins
+            end
+
+            it "returns an empty set" do
+              expect(subject.sign_software_libs_and_bins).to eq(Set.new)
+            end
+          end
+
+          context "with default bin_dirs and lib_dirs" do
+            context "with binaries" do
+              let(:bin) { "/opt/#{project.name}/bin/test_bin" }
+              let(:embedded_bin) { "/opt/#{project.name}/embedded/bin/test_bin" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([embedded_bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([])
+                allow(subject).to receive(:is_binary?).with(bin).and_return(true)
+                allow(subject).to receive(:is_binary?).with(embedded_bin).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(bin).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(embedded_bin).and_return([])
+                allow(subject).to receive(:sign_binary).with(bin, true)
+                allow(subject).to receive(:sign_binary).with(embedded_bin, true)
+              end
+
+              it "signs the binaries" do
+                expect(subject).to receive(:sign_binary).with(bin, true)
+                expect(subject).to receive(:sign_binary).with(embedded_bin, true)
+                subject.sign_software_libs_and_bins
+              end
+
+              it "returns a set with the signed binaries" do
+                expect(subject.sign_software_libs_and_bins).to eq(Set.new [bin, embedded_bin])
+              end
+            end
+
+            context "with library" do
+              let(:lib) { "/opt/#{project.name}/embedded/lib/test_lib" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([lib])
+                allow(subject).to receive(:is_macho?).with(lib).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(lib).and_return([])
+                allow(subject).to receive(:sign_library).with(lib)
+              end
+
+              it "signs the library" do
+                expect(subject).to receive(:sign_library).with(lib)
+                subject.sign_software_libs_and_bins
+              end
+            end
+
+            context "with binaries and libraries with linked libs" do
+              let(:bin) { "/opt/#{project.name}/bin/test_bin" }
+              let(:bin2) { "/opt/#{project.name}/bin/test_bin2" }
+              let(:embedded_bin) { "/opt/#{project.name}/embedded/bin/test_bin" }
+              let(:lib) { "/opt/#{project.name}/embedded/lib/test_lib" }
+              let(:lib2) { "/opt/#{project.name}/embedded/lib/test_lib2" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([bin, bin2])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([embedded_bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([lib])
+                allow(subject).to receive(:is_binary?).with(bin).and_return(true)
+                allow(subject).to receive(:is_binary?).with(bin2).and_return(true)
+                allow(subject).to receive(:is_binary?).with(embedded_bin).and_return(true)
+                allow(subject).to receive(:is_macho?).with(lib).and_return(true)
+                allow(subject).to receive(:is_macho?).with(lib2).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(bin).and_return([lib2])
+                allow(subject).to receive(:find_linked_libs).with(bin2).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(embedded_bin).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(lib).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(lib2).and_return([])
+                allow(subject).to receive(:sign_binary).with(bin, true)
+                allow(subject).to receive(:sign_binary).with(bin2, true)
+                allow(subject).to receive(:sign_binary).with(embedded_bin, true)
+                allow(subject).to receive(:sign_library).with(lib)
+                allow(subject).to receive(:sign_library).with(lib2)
+                allow(Digest::SHA256).to receive(:file).with(bin).and_return(Digest::SHA256.new.update(bin))
+                allow(Digest::SHA256).to receive(:file).with(bin2).and_return(Digest::SHA256.new.update(bin2))
+                allow(Digest::SHA256).to receive(:file).with(embedded_bin).and_return(Digest::SHA256.new.update(embedded_bin))
+                allow(Digest::SHA256).to receive(:file).with(lib).and_return(Digest::SHA256.new.update(lib))
+                allow(Digest::SHA256).to receive(:file).with(lib2).and_return(Digest::SHA256.new.update(lib2))
+              end
+
+              it "signs the binaries" do
+                expect(subject).to receive(:sign_binary).with(bin, true)
+                expect(subject).to receive(:sign_binary).with(bin2, true)
+                expect(subject).to receive(:sign_binary).with(embedded_bin, true)
+                subject.sign_software_libs_and_bins
+              end
+
+              it "signs the libraries" do
+                expect(subject).to receive(:sign_library).with(lib)
+                expect(subject).to receive(:sign_library).with(lib2)
+                subject.sign_software_libs_and_bins
+              end
+            end
+          end
+        end
+      end
+    end
+
     describe "#build_component_pkg" do
       it "executes the pkgbuild command" do
         expect(subject).to receive(:shellout!).with <<-EOH.gsub(/^ {10}/, "")
@@ -118,6 +270,7 @@ module Omnibus
             --scripts "#{staging_dir}/Scripts" \\
             --root "/opt/project-full-name" \\
             --install-location "/opt/project-full-name" \\
+            --preserve-xattr \\
             "project-full-name-core.pkg"
         EOH
 
@@ -267,5 +420,206 @@ module Omnibus
         end
       end
     end
+
+    describe "#find_linked_libs" do
+      context "with linked libs" do
+        let(:file) { "/opt/#{project.name}/embedded/bin/test_bin" }
+        let(:stdout) do
+          <<~EOH
+            /opt/#{project.name}/embedded/bin/test_bin:
+                      /opt/#{project.name}/embedded/lib/lib.dylib (compatibility version 7.0.0, current version 7.4.0)
+                      /opt/#{project.name}/embedded/lib/lib.6.dylib (compatibility version 7.0.0, current version 7.4.0)
+                      /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
+          EOH
+        end
+        let(:shellout) { Mixlib::ShellOut.new }
+
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return(stdout)
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([
+            "/opt/#{project.name}/embedded/lib/lib.dylib",
+            "/opt/#{project.name}/embedded/lib/lib.6.dylib",
+          ])
+        end
+      end
+
+      context "with only system linked libs" do
+        let(:file) { "/opt/#{project.name}/embedded/lib/lib.dylib" }
+        let(:stdout) do
+          <<~EOH
+            /opt/#{project.name}/embedded/lib/lib.dylib:
+                      /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
+          EOH
+        end
+        let(:shellout) { Mixlib::ShellOut.new }
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return(stdout)
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([])
+        end
+      end
+
+      context "file is just a file" do
+        let(:file) { "/opt/#{project.name}/embedded/lib/file.rb" }
+        let(:shellout) { Mixlib::ShellOut.new }
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return("#{file}: is not an object file")
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([])
+        end
+      end
+    end
+
+    describe "#is_binary?" do
+      context "when is a file, executable, and not a symlink" do
+        before do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+        end
+
+        it "returns true" do
+          expect(subject.is_binary?("file")).to be true
+        end
+      end
+
+      context "when not a file" do
+        before do
+          allow(File).to receive(:file?).with("file").and_return(false)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+        end
+
+        it "returns false" do
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+
+      context "when not an executable" do
+        it "returns false" do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(false)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+
+      context "when is symlink" do
+        it "returns false" do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(true)
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+    end
+
+    describe "#is_macho?" do
+      let(:shellout) { Mixlib::ShellOut.new }
+
+      context "when is a Mach-O library" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: Mach-O 64-bit dynamically linked shared library x86_64")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be true
+        end
+      end
+
+      context "when is a Mach-O Bundle" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: Mach-O 64-bit bundle x86_64")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be true
+        end
+      end
+
+      context "when is not a Mach-O Bundle or Mach-O library" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: ASCII text")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be false
+        end
+      end
+    end
+
+    describe "#sign_library" do
+      before do
+        subject.signing_identity("My Special Identity")
+      end
+
+      it "calls sign_binary without hardened runtime" do
+        expect(subject).to receive(:sign_binary).with("file")
+        subject.sign_library("file")
+      end
+    end
+
+    describe "#sign_binary" do
+      before do
+        subject.signing_identity("My Special Identity")
+      end
+
+      it "it signs the binary without hardened runtime" do
+        expect(subject).to receive(:shellout!)
+          .with("codesign -s '#{subject.signing_identity}' 'file' --force\n")
+        subject.sign_binary("file")
+      end
+
+      context "with hardened runtime" do
+        it "it signs the binary with hardened runtime" do
+          expect(subject).to receive(:shellout!)
+            .with("codesign -s '#{subject.signing_identity}' 'file' --options=runtime --force\n")
+          subject.sign_binary("file", true)
+        end
+
+        context "with entitlements" do
+          let(:entitlements_file) { File.join(tmp_path, "project-full-name/resources/project-full-name/pkg/entitlements.plist") }
+
+          it "it signs the binary with the entitlements" do
+            allow(subject).to receive(:resource_path).with("entitlements.plist").and_return(entitlements_file)
+            allow(File).to receive(:exist?).with(entitlements_file).and_return(true)
+            expect(subject).to receive(:shellout!)
+              .with("codesign -s '#{subject.signing_identity}' 'file' --options=runtime --entitlements #{entitlements_file} --force\n")
+            subject.sign_binary("file", true)
+          end
+        end
+      end
+    end
   end
 end