packaging 0.104.0 → 0.106.1

data/lib/packaging/sign/ips.rb

@@ -1,57 +1,89 @@
 module Pkg::Sign::Ips
   module_function
 
-  def sign(target_dir = 'pkg')
-    use_identity = "-i #{Pkg::Config.ips_signing_ssh_key}" unless Pkg::Config.ips_signing_ssh_key.nil?
+  def sign(packages_root = 'pkg')
+    identity_spec = ''
+    unless Pkg::Config.ips_signing_ssh_key.nil?
+      identity_spec = "-i #{Pkg::Config.ips_signing_ssh_key}"
+    end
+
+    signing_server_spec = Pkg::Config.ips_signing_server
+    unless Pkg::Config.ips_signing_server.match(%r{.+@.+})
+      signing_server_spec = "#{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
+    end
 
-    ssh_host_string = "#{use_identity} #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
-    rsync_host_string = "-e 'ssh #{use_identity}' #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
+    ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
+    rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"
 
-    p5ps = Dir.glob("#{target_dir}/solaris/11/**/*.p5p")
+    packages = Dir.glob("#{packages_root}/solaris/11/**/*.p5p")
 
-    p5ps.each do |p5p|
+    packages.each do |package|
       work_dir     = "/tmp/#{Pkg::Util.rand_string}"
       unsigned_dir = "#{work_dir}/unsigned"
       repo_dir     = "#{work_dir}/repo"
       signed_dir   = "#{work_dir}/pkgs"
+      package_name = File.basename(package)
 
-      Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}")
-      Pkg::Util::Net.rsync_to(p5p, rsync_host_string, unsigned_dir)
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}"
+      )
+      Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_dir)
 
       # Before we can get started with signing packages we need to create a repo
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com")
-      # And import all the packages into the repo.
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{File.basename(p5p)} -d #{repo_dir} '*'")
-      # We are going to hard code the values for signing cert locations for now.
-      # This autmation will require an update to actually become reusable, but
-      # for now these values will stay this way so solaris signing will stop
-      # failing. Please update soon. 06/23/16
-      #
-      #            - Sean P. McDonald
-      #
+      Pkg::Util::Net.remote_execute(ssh_host_spec, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com"
+      )
+
+      # Import all the packages into the repo.
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{package_name} -d #{repo_dir} '*'"
+      )
+
       # We sign the entire repo
-      sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2020.pem \
-                  -i /root/signing/Thawte_SHA256_Code_Signing_CA.pem \
-                  -i /root/signing/Thawte_Primary_Root_CA.pem \
-                  -k /root/signing/signing_key_2020.pem \
+      # Paths to the  .pem files should live elsewhere rather than hardcoded here.
+      sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2022.pem \
+                  -i /root/signing/DigiCert_Code_Signing_Certificate.pem \
+                  -i /root/signing/DigiCert_Trusted_Root.pem \
+                  -k /root/signing/signing_key_2022.pem \
                   -s 'file://#{work_dir}/repo' '*'"
-      puts "About to sign #{p5p} with #{sign_cmd} in #{work_dir}"
-      Pkg::Util::Net.remote_execute(ssh_host_string, sign_cmd.squeeze(' '))
-      # pkgrecv with -a will pull packages out of the repo, so we need to do that too to actually get the packages we signed
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{File.basename(p5p)} -a -s #{repo_dir} '*'")
+      puts "Signing #{package} with #{sign_cmd} in #{work_dir}"
+      Pkg::Util::Net.remote_execute(ssh_host_spec, sign_cmd.squeeze(' '))
+
+      # pkgrecv with -a will pull packages out of the repo, so we need
+      # to do that too to actually get the packages we signed
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{package_name} -a -s #{repo_dir} '*'"
+      )
       begin
         # lets make sure we actually signed something?
         # **NOTE** if we're repeatedly trying to sign the same version this
         # might explode because I don't know how to reset the IPS cache.
         # Everything is amazing.
-        Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{File.basename(p5p)} '*' | grep '^signature '")
+        Pkg::Util::Net.remote_execute(
+          ssh_host_spec,
+          "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{package_name} '*' " \
+          "| grep '^signature '"
+        )
       rescue RuntimeError
-        raise "Looks like #{File.basename(p5p)} was not signed correctly, quitting!"
+        raise "Error: #{package_name} was not signed correctly."
       end
-      # and pull the packages back.
-      Pkg::Util::Net.rsync_from("#{signed_dir}/#{File.basename(p5p)}", rsync_host_string, File.dirname(p5p))
-      Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi")
+
+      # Pull the packages back.
+      Pkg::Util::Net.rsync_from(
+        "#{signed_dir}/#{package_name}",
+        rsync_host_spec,
+        File.dirname(package)
+      )
+
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi"
+      )
     end
   end
 end

data/lib/packaging/sign/msi.rb

@@ -63,60 +63,60 @@ module Pkg::Sign::Msi
     #
     # Once we no longer support Windows 8/Windows Vista, we can remove the
     # first Sha1 signature.
-    sign_command = <<-CMD
-for msipath in #{msis.join(" ")}; do
-  msi="$(basename $msipath)"
-  msidir="C:/#{work_dir}/$(dirname $msipath)"
-  if "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" verify -in "$msidir/$msi" ; then
-    echo "$msi is already signed, skipping . . ." ;
-  else
-    tries=5
-    sha1Servers=(http://timestamp.digicert.com/sha1/timestamp
-    http://timestamp.comodoca.com/authenticode)
-    for timeserver in "${sha1Servers[@]}"; do
-      for ((try=1; try<=$tries; try++)) do
-        ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
-          -n "Puppet" -i "http://www.puppet.com" \
-          -h sha1 \
-          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
-          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
-          -t "$timeserver" \
-          -in "$msidir/$msi" \
-          -out "$msidir/signed-$msi")
-        if [[ $ret == *"Succeeded"* ]]; then break; fi
-      done;
-      if [[ $ret == *"Succeeded"* ]]; then break; fi
-    done;
-    echo $ret
-    if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
-    sha256Servers=(http://timestamp.digicert.com/sha256/timestamp
-      http://timestamp.comodoca.com?td=sha256)
-    for timeserver in "${sha256Servers[@]}"; do
-      for ((try=1; try<=$tries; try++)) do
-        ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
-          -n "Puppet" -i "http://www.puppet.com" \
-          -nest -h sha256 \
-          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
-          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
-          -ts "$timeserver" \
-          -in "$msidir/signed-$msi" \
-          -out "$msidir/$msi")
-        if [[ $ret == *"Succeeded"* ]]; then break; fi
-      done;
-      if [[ $ret == *"Succeeded"* ]]; then break; fi
-    done;
-    echo $ret
-    if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
-  fi
-done
-CMD
+    sign_command = <<~CMD
+      for msipath in #{msis.join(' ')}; do
+        msi="$(basename $msipath)"
+        msidir="C:/#{work_dir}/$(dirname $msipath)"
+        if "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" verify -in "$msidir/$msi" ; then
+          echo "$msi is already signed, skipping . . ." ;
+        else
+          tries=5
+          sha1Servers=(http://timestamp.digicert.com/sha1/timestamp
+          http://timestamp.comodoca.com/authenticode)
+          for timeserver in "${sha1Servers[@]}"; do
+            for ((try=1; try<=$tries; try++)) do
+              ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
+                -n "Puppet" -i "http://www.puppet.com" \
+                -h sha1 \
+                -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
+                -pass "#{Pkg::Config.msi_signing_cert_pw}" \
+                -t "$timeserver" \
+                -in "$msidir/$msi" \
+                -out "$msidir/signed-$msi")
+              if [[ $ret == *"Succeeded"* ]]; then break; fi
+            done;
+            if [[ $ret == *"Succeeded"* ]]; then break; fi
+          done;
+          echo $ret
+          if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
+          sha256Servers=(http://timestamp.digicert.com/sha256/timestamp
+            http://timestamp.comodoca.com?td=sha256)
+          for timeserver in "${sha256Servers[@]}"; do
+            for ((try=1; try<=$tries; try++)) do
+              ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
+                -n "Puppet" -i "http://www.puppet.com" \
+                -nest -h sha256 \
+                -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
+                -pass "#{Pkg::Config.msi_signing_cert_pw}" \
+                -ts "$timeserver" \
+                -in "$msidir/signed-$msi" \
+                -out "$msidir/$msi")
+              if [[ $ret == *"Succeeded"* ]]; then break; fi
+            done;
+            if [[ $ret == *"Succeeded"* ]]; then break; fi
+          done;
+          echo $ret
+          if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
+        fi
+      done
+    CMD
 
     Pkg::Util::Net.remote_execute(
       ssh_host_string,
       sign_command,
       { fail_fast: false }
     )
-    msis.each do | msi |
+    msis.each do |msi|
       Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{msi}", rsync_host_string, File.dirname(msi))
     end
     Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")

data/lib/packaging/sign/rpm.rb

@@ -70,7 +70,7 @@ module Pkg::Sign::Rpm
     v4_rpms = []
     rpms_to_sign.each do |rpm|
       platform_tag = Pkg::Paths.tag_from_artifact_path(rpm)
-      platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
+      platform, version, = Pkg::Platforms.parse_platform_tag(platform_tag)
 
       # We don't sign AIX rpms
       next if platform_tag.include?('aix')

data/lib/packaging/sign.rb

@@ -4,5 +4,4 @@ module Pkg::Sign
   require 'packaging/sign/ips'
   require 'packaging/sign/msi'
   require 'packaging/sign/rpm'
-  module_function
 end

data/lib/packaging/tar.rb

@@ -5,7 +5,6 @@ module Pkg
     include FileUtils
 
     attr_accessor :files, :project, :version, :excludes, :target, :templates
-    attr_reader :tar
 
     def initialize
       @tar      = Pkg::Util::Tool.find_tool('tar', :required => true)
@@ -56,7 +55,7 @@ module Pkg
       patterns =
         case @files
         when String
-          $stderr.puts "warning: `files` should be an array, not a string"
+          warn "warning: `files` should be an array, not a string"
           @files.split(' ')
         when Array
           @files
@@ -137,7 +136,7 @@ module Pkg
     def tar(target, source)
       mkpath File.dirname(target)
       cd File.dirname(source) do
-        %x(#{@tar} #{@excludes.map { |x| (" --exclude #{x} ") }.join if @excludes} -zcf '#{File.basename(target)}' '#{File.basename(source)}')
+        %x(#{@tar} #{@excludes.map { |x| " --exclude #{x} " }.join if @excludes} -zcf '#{File.basename(target)}' '#{File.basename(source)}')
         unless $?.success?
           fail "Failed to create .tar.gz archive with #{@tar}. Please ensure the tar command in your path accepts the flags '-c', '-z', and '-f'"
         end
@@ -157,7 +156,6 @@ module Pkg
       self.tar(@target, workdir)
       self.clean_up workdir
     end
-
   end
 end
 

data/lib/packaging/util/date.rb

@@ -1,7 +1,6 @@
 # Utilities for managing/querying date/time
 
 module Pkg::Util::Date
-
   class << self
     def timestamp(separator = nil)
       if s = separator

data/lib/packaging/util/distribution_server.rb

@@ -31,8 +31,8 @@ module Pkg::Util::DistributionServer
 
       # If we just shipped a tagged version, we want to make it immutable
       files = Dir.glob("#{local_source_directory}/**/*")
-                 .select { |f| File.file?(f) and !f.include? "#{Pkg::Config.ref}.yaml" }
-                 .map { |f| "#{remote_target_directory}/#{f.sub(/^#{local_source_directory}\//, '')}" }
+        .select { |f| File.file?(f) and !f.include? "#{Pkg::Config.ref}.yaml" }
+        .map { |f| "#{remote_target_directory}/#{f.sub(/^#{local_source_directory}\//, '')}" }
 
       Pkg::Util::Net.remote_set_ownership(Pkg::Config.distribution_server, 'root', 'release', files)
       Pkg::Util::Net.remote_set_permissions(Pkg::Config.distribution_server, '0664', files)

data/lib/packaging/util/execution.rb

@@ -1,9 +1,7 @@
 # Utility methods for handling system calls and interactions
 
 module Pkg::Util::Execution
-
   class << self
-
     # Alias to $?.success? that makes success? slightly easier to test and stub
     # If immediately run, $? will not be instanciated, so only call success? if
     # $? exists, otherwise return nil
@@ -23,7 +21,7 @@ module Pkg::Util::Execution
     # while also raising an exception if a command does not succeed (ala `sh "cmd"`).
     def ex(command, debug = false)
       puts "Executing '#{command}'..." if debug
-      ret = `#{command}`
+      ret = %x(#{command})
       unless Pkg::Util::Execution.success?
         raise RuntimeError
       end
@@ -71,7 +69,7 @@ module Pkg::Util::Execution
             blk.call
             success = true
             break
-          rescue => err
+          rescue StandardError => err
             puts "An error was encountered evaluating block. Retrying.."
             exception = err.to_s + "\n" + err.backtrace.join("\n")
           end

data/lib/packaging/util/file.rb

@@ -2,7 +2,6 @@
 require 'fileutils'
 
 module Pkg::Util::File
-
   class << self
     def exist?(file)
       ::File.exist?(file)
@@ -15,7 +14,7 @@ module Pkg::Util::File
 
     def mktemp
       mktemp = Pkg::Util::Tool.find_tool('mktemp', :required => true)
-      stdout, _, _ = Pkg::Util::Execution.capture3("#{mktemp} -d -t pkgXXXXXX")
+      stdout, = Pkg::Util::Execution.capture3("#{mktemp} -d -t pkgXXXXXX")
       stdout.strip
     end
 
@@ -79,7 +78,7 @@ module Pkg::Util::File
         target_opts = "-C #{target}"
       end
       if file_exists?(source, :required => true)
-        stdout, _, _ = Pkg::Util::Execution.capture3(%Q(#{tar} #{options} #{target_opts} -xf #{source}))
+        stdout, = Pkg::Util::Execution.capture3(%(#{tar} #{options} #{target_opts} -xf #{source}))
         stdout
       end
     end
@@ -120,6 +119,85 @@ module Pkg::Util::File
       end
       Pkg::Util::Version.versionbump(workdir) if Pkg::Config.update_version_file
     end
+
+    # The fetch method pulls down two files from the build-data repo that contain additional
+    # data specific to Puppet Labs release infrastructure intended to augment/override any
+    # defaults specified in the source project repo, e.g. in ext/build_defaults.yaml
+    #
+    # It uses curl to download the files, and places them in a temporary
+    # directory, e.g. /tmp/somedirectory/{project,team}/Pkg::Config.builder_data_file
+    #
+    # Retrieve build-data configurations to override/extend local build_defaults
+    def fetch
+      # Each team has a build-defaults file that specifies local infrastructure targets
+      # for things like builders, target locations for build artifacts, etc Since much
+      # of these don't change, one file can be maintained for the team.  Each project
+      # also has a data file for information specific to it. If the project builds
+      # both PE and not PE, it has two files, one for PE, and the other for FOSS
+      #
+      data_repo = Pkg::Config.build_data_repo
+
+      if Pkg::Config.dev_build
+        puts "NOTICE: This is a dev build!"
+        project_data_branch = "#{Pkg::Config.project}-dev"
+      else
+        project_data_branch = Pkg::Config.project
+      end
+      team_data_branch = Pkg::Config.team
+
+      if Pkg::Config.build_pe
+        project_data_branch = 'pe-' + project_data_branch unless project_data_branch =~ /^pe-/
+        team_data_branch = 'pe-' + team_data_branch unless team_data_branch =~ /^pe-/
+      end
+
+      # Remove .packaging directory from old-style extras loading
+      FileUtils.rm_rf("#{ENV['HOME']}/.packaging") if File.directory?("#{ENV['HOME']}/.packaging")
+
+      # Touch the .packaging file which is allows packaging to present remote tasks
+      FileUtils.touch("#{ENV['HOME']}/.packaging")
+
+      begin
+        build_data_directory = Pkg::Util::File.mktemp
+        %x(git clone #{data_repo} #{build_data_directory})
+        unless $?.success?
+          fail 'Error: could not fetch the build-data repo. Maybe you do not have the correct permissions?'
+        end
+
+        Dir.chdir(build_data_directory) do
+          [team_data_branch, project_data_branch].each do |branch|
+            %x(git checkout #{branch})
+            unless $?.success?
+              warn "Warning: no build_defaults found in branch '#{branch}' of '#{data_repo}'. Skipping."
+              next
+            end
+            load_extras(build_data_directory)
+          end
+        end
+      ensure
+        FileUtils.rm_rf(build_data_directory)
+      end
+
+      Pkg::Config.perform_validations
+    end
+
+    # The load_extras method is intended to load variables
+    # from the extra yaml file downloaded by the pl:fetch task.
+    # The goal is to be able to augment/override settings in the
+    # source project's build_data.yaml and project_data.yaml with
+    # Puppet Labs-specific data, rather than having to clutter the
+    # generic tasks with data not generally useful outside the
+    # PL Release team
+    def load_extras(temp_directory)
+      unless ENV['PARAMS_FILE'] && ENV['PARAMS_FILE'] != ''
+        temp_directory = temp_directory
+        raise "load_extras requires a directory containing extras data" if temp_directory.nil?
+        Pkg::Config.config_from_yaml("#{temp_directory}/#{Pkg::Config.builder_data_file}")
+
+        # Environment variables take precedence over those loaded from configs,
+        # so we make sure that any we clobbered are reset.
+        Pkg::Config.load_envvars
+      end
+    end
   end
 end
 

data/lib/packaging/util/git.rb

@@ -22,7 +22,6 @@ module Pkg::Util::Git
     end
 
     # Git utility to create a new git bundle
-    # rubocop:disable Metrics/AbcSize
     def bundle(treeish, appendix = Pkg::Util.rand_string, temp = Pkg::Util::File.mktemp)
       fail_unless_repo
       Pkg::Util::Execution.capture3("#{Pkg::Util::Tool::GIT} bundle create #{temp}/#{Pkg::Config.project}-#{Pkg::Config.version}-#{appendix} #{treeish} --tags")
@@ -113,13 +112,12 @@ module Pkg::Util::Git
       end
     end
 
-    # rubocop:disable Style/GuardClause
     def fail_unless_repo
       unless repo?
         raise "Pkg::Config.project_root (#{Pkg::Config.project_root}) is not \
           a valid git repository"
       end
-    end
+end
 
     # Return the basename of the project repo
     def project_name

data/lib/packaging/util/git_tags.rb

@@ -1,6 +1,6 @@
 module Pkg::Util
   class Git_tag
-    attr_reader :address, :ref, :ref_name, :ref_type, :branch_name
+    attr_reader :address, :ref, :ref_name, :ref_type
 
     GIT = Pkg::Util::Tool::GIT
     DEVNULL = Pkg::Util::OS::DEVNULL
@@ -43,7 +43,7 @@ module Pkg::Util
     # Fetch the full ref using ls-remote, this should raise an error if it returns non-zero
     # because that means this ref doesn't exist in the repo
     def fetch_full_ref
-      stdout, _, _ = Pkg::Util::Execution.capture3("#{GIT} ls-remote --tags --heads --exit-code #{address} #{ref}")
+      stdout, = Pkg::Util::Execution.capture3("#{GIT} ls-remote --tags --heads --exit-code #{address} #{ref}")
       stdout.split.last
     rescue RuntimeError => e
       raise "ERROR : Not a ref or sha!\n#{e}"
@@ -54,7 +54,7 @@ module Pkg::Util
     end
 
     def ref?
-      `#{GIT} check-ref-format #{ref} >#{DEVNULL} 2>&1`
+      %x(#{GIT} check-ref-format #{ref} >#{DEVNULL} 2>&1)
       $?.success?
     end
 

data/lib/packaging/util/gpg.rb

@@ -1,6 +1,5 @@
 module Pkg::Util::Gpg
   class << self
-
     # Please note that this method is not used in determining what key is used
     # to sign the debian repos. That is defined in the freight config that
     # lives on our internal repo staging host. The debian conf/distribution
@@ -31,14 +30,14 @@ module Pkg::Util::Gpg
 
     def kill_keychain
       if keychain
-        stdout, _, _ = Pkg::Util::Execution.capture3("#{keychain} -k mine")
+        stdout, = Pkg::Util::Execution.capture3("#{keychain} -k mine")
         stdout
       end
     end
 
     def start_keychain
       if keychain
-        keychain_output, _, _ = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
+        keychain_output, = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
         keychain_output.chomp!
         new_env = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)
         ENV["GPG_AGENT_INFO"] = new_env[1]
@@ -56,7 +55,7 @@ module Pkg::Util::Gpg
           return true
         end
         use_tty = "--no-tty --use-agent" if ENV['RPM_GPG_AGENT']
-        stdout, _, _ = Pkg::Util::Execution.capture3("#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}")
+        stdout, = Pkg::Util::Execution.capture3("#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}")
         stdout
       else
         fail "No gpg available. Cannot sign #{file}."

data/lib/packaging/util/jenkins.rb

@@ -3,9 +3,7 @@ require 'net/http'
 require 'json'
 
 module Pkg::Util::Jenkins
-
   class << self
-
     # Use the curl to create a jenkins job from a valid XML
     # configuration file.
     # Returns the URL to the job
@@ -90,6 +88,5 @@ module Pkg::Util::Jenkins
 
       wait_for_build job_hash['lastBuild']['url']
     end
-
   end
 end

data/lib/packaging/util/misc.rb

@@ -57,7 +57,7 @@ module Pkg::Util::Misc
     def check_rubygems_ownership(gem_name)
       require 'yaml'
       credentials = YAML.load_file("#{ENV['HOME']}/.gem/credentials")
-      gems = YAML.load(%x(curl -H 'Authorization:#{credentials[:rubygems_api_key]}' https://rubygems.org/api/v1/gems.yaml))
+      gems = YAML.safe_load(%x(curl -H 'Authorization:#{credentials[:rubygems_api_key]}' https://rubygems.org/api/v1/gems.yaml))
       gems.each do |gem|
         if gem['name'] == gem_name
           return true