omnibus 9.0.22 → 9.0.23

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 425eba24bbd4c8de03b075dea1255fa5bedd3a8ae2299e277e7353d4b172553a
-  data.tar.gz: 61c80839060c2418ee56e831bbfa2c4e712d4c5d5287a005b5af51ada7e81002
+  metadata.gz: 60f5a801d094e92cffa5e8bebd7dc8d1fd1a7b427c6d476b7b33b629415641d4
+  data.tar.gz: c0d7fa53dbf57e5c84c356855547e69c9cf315fe53156aeddefd60c94bf88f5d
 SHA512:
-  metadata.gz: cb33e1a53677ea828fd163285dd40429792896cb9e1e06f3724225c6eeb99b82a40aacb9b4357ee80022a9fa827093061218dfb620cf3651b7445c74205a9c00
-  data.tar.gz: 1ca8cc40f6e4de6158384dda0c22fa43c528bc8c89778118716e4e4876de313636f5216a2a180a930c4f07c90dd49489b40c5bce1f839f92eec037bb17c72696
+  metadata.gz: 5525e63803dbad441fec851faf2cbd00f4463bbde7e39477517f0f9801c9f821023d787103b6eea0e0339ad39b4b89dcc6a975401587b3fbb9cab2d7e6812f50
+  data.tar.gz: 44c9a32996dc5ecbe4a7a666148236f2eeaace9e4c37f86e8ddcc9549c8265b4251956a55131f10c3ec9b6c15b9ff959075b8048da9397af8a13ffd00c945b5c

data/lib/omnibus/build_version.rb

@@ -87,13 +87,18 @@ module Omnibus
     #   and can be influenced by users.
     def semver
       build_tag = version_tag
+      log.debug(log_key) { "#{self.class}##{__method__} - build tag: #{build_tag}" }
 
       # PRERELEASE VERSION
+      log.debug(log_key) { "#{self.class}##{__method__} - prerelease_version?: #{prerelease_version?}" }
+
       if prerelease_version?
         # ensure all dashes are dots per precedence rules (#12) in Semver
         # 2.0.0-rc.1
+        log.debug(log_key) { "#{self.class}##{__method__} - prerelease_tag: #{prerelease_tag}" }
         prerelease = prerelease_tag.tr("-", ".")
         build_tag << "-" << prerelease
+        log.debug(log_key) { "#{self.class}##{__method__} - build_tag after prerelease: #{build_tag}" }
       end
 
       # BUILD VERSION
@@ -106,6 +111,7 @@ module Omnibus
       #
       # format: YYYYMMDDHHMMSS example: 20130131123345
       if Config.append_timestamp
+        log.debug(log_key) { "#{self.class}##{__method__} - build_start_time: #{build_start_time}" }
         build_version_items << build_start_time
       end
 
@@ -114,13 +120,18 @@ module Omnibus
       #
       # format: git.COMMITS_SINCE_TAG.GIT_SHA example: git.207.694b062
       unless commits_since_tag == 0
+        log.debug(log_key) { "#{self.class}##{__method__} - commits_since_tag: #{commits_since_tag}" }
+        log.debug(log_key) { "#{self.class}##{__method__} - git_sha_tag: #{git_sha_tag}" }
         build_version_items << ["git", commits_since_tag, git_sha_tag].join(".")
       end
 
       unless build_version_items.empty?
-        build_tag << "+" << build_version_items.join(".")
+        log.debug(log_key) { "#{self.class}##{__method__} - build_version_items: #{build_version_items}" }
+        build_tag << "-" << build_version_items.join(".")
       end
 
+      log.debug(log_key) { "#{self.class}##{__method__} - final build_tag returned: #{build_tag}" }
+
       build_tag
     end
 

data/lib/omnibus/build_version_dsl.rb

@@ -117,8 +117,11 @@ module Omnibus
     # @param [String] version
     # @return [String]
     def maybe_append_timestamp(version)
+      log.debug(log_key) { "#{self.class}##{__method__} - Config.append_timestamp: #{Config.append_timestamp}" }
+      log.debug(log_key) { "#{self.class}##{__method__} -  version: #{version}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - has_timestamp?(version): #{has_timestamp?(version)}" }
       if Config.append_timestamp && !has_timestamp?(version)
-        [version, Omnibus::BuildVersion.build_start_time].join("+")
+        [version, Omnibus::BuildVersion.build_start_time].join("-")
       else
         version
       end
@@ -132,7 +135,7 @@ module Omnibus
     # @param [String] version
     # @return [Boolean]
     def has_timestamp?(version)
-      _ver, build_info = version.split("+")
+      _ver, build_info = version.split("-")
       return false if build_info.nil?
 
       build_info.split(".").any? do |part|

data/lib/omnibus/packagers/appx.rb

@@ -52,6 +52,11 @@ module Omnibus
 
     # @see Base#package_name
     def package_name
+      log.debug(log_key) { "#{self.class}##{__method__} - package_name: #{project.package_name}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - build_version: #{project.build_version}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - build_iteration: #{project.build_iteration}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - Config.windows_arch: #{Config.windows_arch}" }
+
       "#{project.package_name}-#{project.build_version}-#{project.build_iteration}-#{Config.windows_arch}.appx"
     end
 

data/lib/omnibus/packagers/windows_base.rb

@@ -16,9 +16,6 @@
 
 module Omnibus
   class Packager::WindowsBase < Packager::Base
-    DEFAULT_TIMESTAMP_SERVERS = ["http://timestamp.digicert.com",
-                                 "http://timestamp.verisign.com/scripts/timestamp.dll"].freeze
-
     #
     # Set the signing certificate name
     #
@@ -59,9 +56,18 @@ module Omnibus
             raise InvalidValue.new(:params, "be a Hash")
           end
 
-          valid_keys = %i{store timestamp_servers machine_store algorithm}
+          valid_keys = %i{store machine_store algorithm keypair_alias}
           invalid_keys = params.keys - valid_keys
           unless invalid_keys.empty?
+
+            # log a deprecated warning if timestamp_server is used
+            if invalid_keys.include?(:timestamp_servers)
+              log.deprecated(log_key) do
+                "The signing_identity is updated to use smctl.exe. which does not require timestamp_servers" \
+                "Please remove timestamp_servers from your signing_identity"
+              end
+            end
+
             raise InvalidValue.new(:params, "contain keys from [#{valid_keys.join(", ")}]. "\
                                    "Found invalid keys [#{invalid_keys.join(", ")}]")
           end
@@ -77,9 +83,8 @@ module Omnibus
 
         @signing_identity[:store] = params[:store] || "My"
         @signing_identity[:algorithm] = params[:algorithm] || "SHA256"
-        servers = params[:timestamp_servers] || DEFAULT_TIMESTAMP_SERVERS
-        @signing_identity[:timestamp_servers] = [servers].flatten
         @signing_identity[:machine_store] = params[:machine_store] || false
+        @signing_identity[:keypair_alias] = params[:keypair_alias]
       end
 
       @signing_identity
@@ -102,41 +107,41 @@ module Omnibus
       signing_identity[:timestamp_servers]
     end
 
+    def keypair_alias
+      signing_identity[:keypair_alias]
+    end
+
     def machine_store?
       signing_identity[:machine_store]
     end
 
-    #
-    # Iterates through available timestamp servers and tries to sign
-    # the file with with each server, stopping after the first to succeed.
-    # If none succeed, an exception is raised.
-    #
+    # signs the package with the given certificate
     def sign_package(package_file)
-      success = false
-      timestamp_servers.each do |ts|
-        success = try_sign(package_file, ts)
-        break if success
-      end
-      raise FailedToSignWindowsPackage.new unless success
+      raise FailedToSignWindowsPackage.new unless is_signed?(package_file)
     end
 
-    def try_sign(package_file, url)
+    def is_signed?(package_file)
       cmd = [].tap do |arr|
-        arr << "signtool.exe"
-        arr << "sign /v"
-        arr << "/t #{url}"
-        arr << "/fd #{algorithm}"
-        arr << "/sm" if machine_store?
-        arr << "/s #{cert_store_name}"
-        arr << "/sha1 #{thumbprint}"
-        arr << "/d #{project.package_name}"
-        arr << "\"#{package_file}\""
+        arr << "smctl.exe"
+        arr << "sign"
+        arr << "--fingerprint #{thumbprint}"
+        arr << "--input #{package_file}"
       end.join(" ")
+
       status = shellout(cmd)
+
+      log.debug(log_key) { "#{self.class}##{__method__} - package_file: #{package_file}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - cmd: #{cmd}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - status: #{status}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - status.exitstatus: #{status.exitstatus}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - status.stdout: #{status.stdout}" }
+      log.debug(log_key) { "#{self.class}##{__method__} - status.stderr: #{status.stderr}" }
+
+      # log the error if the signing failed
       if status.exitstatus != 0
         log.warn(log_key) do
           <<-EOH.strip
-                Failed to add timestamp with timeserver #{url}
+                Failed to verify signature of #{package_file}
 
                 STDOUT
                 ------
@@ -148,6 +153,7 @@ module Omnibus
           EOH
         end
       end
+
       status.exitstatus == 0
     end
 

data/lib/omnibus/version.rb

@@ -15,5 +15,5 @@
 #
 
 module Omnibus
-  VERSION = "9.0.22".freeze
+  VERSION = "9.0.23".freeze
 end

data/spec/unit/build_version_dsl_spec.rb

@@ -34,19 +34,19 @@ module Omnibus
       before { Config.append_timestamp(true) }
 
       it "appends a timestamp to a static (String) version" do
-        expect(subject_with_version.build_version).to eq("1.0.0+#{today_string}")
+        expect(subject_with_version.build_version).to eq("1.0.0-#{today_string}")
       end
 
       it "doesn't append timestamp to something that already looks like it has a timestamp" do
-        semver = "1.0.0+#{today_string}.git.222.694b062"
-        expect(described_class.new(semver).build_version).to eq("1.0.0+#{today_string}.git.222.694b062")
+        semver = "1.0.0-#{today_string}.git.222.694b062"
+        expect(described_class.new(semver).build_version).to eq("1.0.0-#{today_string}.git.222.694b062")
       end
 
       it "appends a timestamp to a DSL-built version" do
         allow(BuildVersion).to receive(:new).and_return(BuildVersion.new)
         allow(BuildVersion).to receive(:new).with("/etc/zoo").and_return(zoo_version)
         subject_with_description.resolve(zoo_software)
-        expect(subject_with_description.build_version).to eq("5.5.5+#{today_string}")
+        expect(subject_with_description.build_version).to eq("5.5.5-#{today_string}")
       end
     end
 

data/spec/unit/build_version_spec.rb

@@ -109,12 +109,12 @@ module Omnibus
       end
 
       it "generates a version matching format 'MAJOR.MINOR.PATCH-PRERELEASE+TIMESTAMP.git.COMMITS_SINCE.GIT_SHA'" do
-        expect(build_version.semver).to match(/11.0.0-alpha1\+#{today_string}[0-9]+.git.207.694b062/)
+        expect(build_version.semver).to match(/11.0.0-alpha1\-#{today_string}[0-9]+.git.207.694b062/)
       end
 
       it "uses ENV['BUILD_TIMESTAMP'] to generate timestamp if set" do
         stub_env("BUILD_TIMESTAMP", "2012-12-25_16-41-40")
-        expect(build_version.semver).to eq("11.0.0-alpha1+20121225164140.git.207.694b062")
+        expect(build_version.semver).to eq("11.0.0-alpha1-20121225164140.git.207.694b062")
       end
 
       it "fails on invalid ENV['BUILD_TIMESTAMP'] values" do
@@ -124,7 +124,7 @@ module Omnibus
 
       it "uses ENV['BUILD_ID'] to generate timestamp if set and BUILD_TIMESTAMP is not set" do
         stub_env("BUILD_ID", "2012-12-25_16-41-40")
-        expect(build_version.semver).to eq("11.0.0-alpha1+20121225164140.git.207.694b062")
+        expect(build_version.semver).to eq("11.0.0-alpha1-20121225164140.git.207.694b062")
       end
 
       it "fails on invalid ENV['BUILD_ID'] values" do
@@ -136,7 +136,7 @@ module Omnibus
         let(:git_describe) { "11.0.0-alpha-3-207-g694b062" }
 
         it "converts all dashes to dots" do
-          expect(build_version.semver).to match(/11.0.0-alpha.3\+#{today_string}[0-9]+.git.207.694b062/)
+          expect(build_version.semver).to match(/11.0.0-alpha.3\-#{today_string}[0-9]+.git.207.694b062/)
         end
       end
 
@@ -144,7 +144,7 @@ module Omnibus
         let(:git_describe) { "11.0.0-alpha2" }
 
         it "appends a timestamp with no git info" do
-          expect(build_version.semver).to match(/11.0.0-alpha2\+#{today_string}[0-9]+/)
+          expect(build_version.semver).to match(/11.0.0-alpha2\-#{today_string}[0-9]+/)
         end
       end
 
@@ -152,20 +152,20 @@ module Omnibus
         let(:git_describe) { "11.0.0-alpha-3-207-g694b062" }
         context "by default" do
           it "appends a timestamp" do
-            expect(build_version.semver).to match(/11.0.0-alpha.3\+#{today_string}[0-9]+.git.207.694b062/)
+            expect(build_version.semver).to match(/11.0.0-alpha.3\-#{today_string}[0-9]+.git.207.694b062/)
           end
         end
 
         context "when Config.append_timestamp is true" do
           it "appends a timestamp" do
-            expect(build_version.semver).to match(/11.0.0-alpha.3\+#{today_string}[0-9]+.git.207.694b062/)
+            expect(build_version.semver).to match(/11.0.0-alpha.3\-#{today_string}[0-9]+.git.207.694b062/)
           end
         end
 
         context "when Config.append_timestamp is false" do
           before { Config.append_timestamp(false) }
           it "does not append a timestamp" do
-            expect(build_version.semver).to match(/11.0.0-alpha.3\+git.207.694b062/)
+            expect(build_version.semver).to match(/11.0.0-alpha.3\-git.207.694b062/)
           end
         end
       end

data/spec/unit/packagers/appx_spec.rb

@@ -129,39 +129,18 @@ module Omnibus
           allow(subject).to receive(:shellout!)
         end
 
-        describe "#timestamp_servers" do
-          it "defaults to using ['http://timestamp.digicert.com','http://timestamp.verisign.com/scripts/timestamp.dll']" do
+        describe "#keypair_alias" do
+          it "defaults to 'Chef Software, Inc.'" do
             subject.signing_identity("foo")
-            expect(subject).to receive(:try_sign).with(appx, "http://timestamp.digicert.com").and_return(false)
-            expect(subject).to receive(:try_sign).with(appx, "http://timestamp.verisign.com/scripts/timestamp.dll").and_return(true)
+            expect(subject).to receive(:is_signed?).with(appx).and_return(true)
             subject.sign_package(appx)
           end
 
-          it "uses the timestamp server if provided through the #timestamp_server dsl" do
-            subject.signing_identity("foo", timestamp_servers: "http://fooserver")
-            expect(subject).to receive(:try_sign).with(appx, "http://fooserver").and_return(true)
+          it "uses the keypair alias if provided through the #keypair_alias dsl" do
+            subject.signing_identity("foo", keypair_alias: "bar")
+            expect(subject).to receive(:is_signed?).with(appx).and_return(true)
             subject.sign_package(appx)
           end
-
-          it "tries all timestamp server if provided through the #timestamp_server dsl" do
-            subject.signing_identity("foo", timestamp_servers: ["http://fooserver", "http://barserver"])
-            expect(subject).to receive(:try_sign).with(appx, "http://fooserver").and_return(false)
-            expect(subject).to receive(:try_sign).with(appx, "http://barserver").and_return(true)
-            subject.sign_package(appx)
-          end
-
-          it "tries all timestamp server if provided through the #timestamp_servers dsl and stops at the first available" do
-            subject.signing_identity("foo", timestamp_servers: ["http://fooserver", "http://barserver"])
-            expect(subject).to receive(:try_sign).with(appx, "http://fooserver").and_return(true)
-            expect(subject).not_to receive(:try_sign).with(appx, "http://barserver")
-            subject.sign_package(appx)
-          end
-
-          it "raises an exception if there are no available timestamp servers" do
-            subject.signing_identity("foo", timestamp_servers: "http://fooserver")
-            expect(subject).to receive(:try_sign).with(appx, "http://fooserver").and_return(false)
-            expect { subject.sign_package(appx) }.to raise_error(FailedToSignWindowsPackage)
-          end
         end
       end
     end

data/spec/unit/packagers/msi_spec.rb

@@ -554,37 +554,16 @@ module Omnibus
           allow(subject).to receive(:shellout!)
         end
 
-        describe "#timestamp_servers" do
-          it "defaults to using ['http://timestamp.digicert.com','http://timestamp.verisign.com/scripts/timestamp.dll']" do
-            subject.signing_identity("foo")
-            expect(subject).to receive(:try_sign).with(msi, "http://timestamp.digicert.com").and_return(false)
-            expect(subject).to receive(:try_sign).with(msi, "http://timestamp.verisign.com/scripts/timestamp.dll").and_return(true)
+        describe "#keypair_alias" do
+          it "uses the keypair alias if provided through the #keypair_alias dsl" do
+            subject.signing_identity("foo", keypair_alias: "bar")
+            expect(subject).to receive(:is_signed?).with(msi).and_return(true)
             subject.sign_package(msi)
           end
 
-          it "uses the timestamp server if provided through the #timestamp_server dsl" do
-            subject.signing_identity("foo", timestamp_servers: "http://fooserver")
-            expect(subject).to receive(:try_sign).with(msi, "http://fooserver").and_return(true)
-            subject.sign_package(msi)
-          end
-
-          it "tries all timestamp server if provided through the #timestamp_server dsl" do
-            subject.signing_identity("foo", timestamp_servers: ["http://fooserver", "http://barserver"])
-            expect(subject).to receive(:try_sign).with(msi, "http://fooserver").and_return(false)
-            expect(subject).to receive(:try_sign).with(msi, "http://barserver").and_return(true)
-            subject.sign_package(msi)
-          end
-
-          it "tries all timestamp server if provided through the #timestamp_servers dsl and stops at the first available" do
-            subject.signing_identity("foo", timestamp_servers: ["http://fooserver", "http://barserver"])
-            expect(subject).to receive(:try_sign).with(msi, "http://fooserver").and_return(true)
-            expect(subject).not_to receive(:try_sign).with(msi, "http://barserver")
-            subject.sign_package(msi)
-          end
-
-          it "raises an exception if there are no available timestamp servers" do
-            subject.signing_identity("foo", timestamp_servers: "http://fooserver")
-            expect(subject).to receive(:try_sign).with(msi, "http://fooserver").and_return(false)
+          it "raises an exception if the signing fails" do
+            subject.signing_identity("foo", keypair_alias: "bar")
+            expect(subject).to receive(:is_signed?).with(msi).and_return(false)
             expect { subject.sign_package(msi) }.to raise_error(FailedToSignWindowsPackage)
           end
         end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omnibus
 version: !ruby/object:Gem::Version
-  version: 9.0.22
+  version: 9.0.23
 platform: ruby
 authors:
 - Chef Software, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-08-17 00:00:00.000000000 Z
+date: 2023-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-s3