packaging 0.105.0 → 0.106.2

data/lib/packaging/sign/msi.rb

@@ -2,123 +2,95 @@ module Pkg::Sign::Msi
   module_function
 
   def sign(target_dir = 'pkg')
-    use_identity = "-i #{Pkg::Config.msi_signing_ssh_key}" if Pkg::Config.msi_signing_ssh_key
+    require 'google/cloud/storage'
+    require 'googleauth'
+    require 'json'
+    require 'net/http'
+    require 'uri'
 
-    ssh_host_string = "#{use_identity} Administrator@#{Pkg::Config.msi_signing_server}"
-    rsync_host_string = "-e 'ssh #{use_identity}' Administrator@#{Pkg::Config.msi_signing_server}"
+    gcp_service_account_credentials = Pkg::Config.msi_signing_gcp_service_account_credentials
+    signing_service_url = Pkg::Config.msi_signing_service_url
 
-    work_dir = "Windows/Temp/#{Pkg::Util.rand_string}"
-    Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p C:/#{work_dir}")
-    msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
-    Pkg::Util::Net.rsync_to(msis.join(" "), rsync_host_string, "/cygdrive/c/#{work_dir}",
-                           extra_flags: ["--ignore-existing --relative"])
+    begin
+      authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
+        json_key_io: File.open(gcp_service_account_credentials),
+        target_audience: signing_service_url
+      )
+    rescue StandardError => e
+      fail "msis can only be signed by jenkins.\n#{e}"
+    end
 
-    # Please Note:
-    # We are currently adding two signatures to the msi.
-    #
-    # Microsoft compatable Signatures are composed of three different
-    # elements.
-    #   1) The Certificate used to sign the package. This is the element that
-    #     is attached to organization. The certificate has an associated
-    #     algorithm. We recently (February 2016) had to switch from a sha1 to
-    #     a sha256 certificate. Sha1 was deprecated by many Microsoft
-    #     elements on 2016-01-01, which forced us to switch to a sha256 cert.
-    #     This sha256 certificate is recognized by all currently supported
-    #     windows platforms (Windows 8/Vista forward).
-    #   2) The signature used to attach the certificate to the package. This
-    #     can be a done with a variety of digest algorithms. Older platforms
-    #     (i.e., Windows 8 and Windows Vista) don't recognize later
-    #     algorithms like sha256.
-    #   3) The timestamp used to validate when the package was signed. This
-    #     comes from an external source and can be delivered with a variety
-    #     of digest algorithms. Older platforms do not recognize newer
-    #     algorithms like sha256.
-    #
-    # We could have only one signature with the Sha256 Cert, Sha1 Signature,
-    # and Sha1 Timestamp, but that would be too easy. The sha256 signature
-    # and timestamp add more security to our packages. We can't have only
-    # sha256 elements in our package signature, though, because Windows 8
-    # and Windows Vista just don't recognize them at all.
-    #
-    # In order to add two signatures to an MSI, we also need to change the
-    # tool we use to sign packages with. Previously, we were using SignTool
-    # which is the Microsoft blessed program used to sign packages. However,
-    # this tool isn't able to add two signatures to an MSI specifically. It
-    # can dual-sign an exe, just not an MSI. In order to get the dual-signed
-    # packages, we decided to switch over to using osslsigncode. The original
-    # project didn't have support to compile on a windows system, so we
-    # decided to use this fork. The binaries on the signer were pulled from
-    # https://sourceforge.net/u/keeely/osslsigncode/ci/master/tree/
-    #
-    # These are our signatures:
-    # The first signature:
-    #   * Sha256 Certificate
-    #   * Sha1 Signature
-    #   * Sha1 Timestamp
-    #
-    # The second signature:
-    #   * Sha256 Certificate
-    #   * Sha256 Signature
-    #   * Sha256 Timestamp
-    #
-    # Once we no longer support Windows 8/Windows Vista, we can remove the
-    # first Sha1 signature.
-    sign_command = <<-CMD
-for msipath in #{msis.join(" ")}; do
-  msi="$(basename $msipath)"
-  msidir="C:/#{work_dir}/$(dirname $msipath)"
-  if "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" verify -in "$msidir/$msi" ; then
-    echo "$msi is already signed, skipping . . ." ;
-  else
-    tries=5
-    sha1Servers=(http://timestamp.digicert.com/sha1/timestamp
-    http://timestamp.comodoca.com/authenticode)
-    for timeserver in "${sha1Servers[@]}"; do
-      for ((try=1; try<=$tries; try++)) do
-        ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
-          -n "Puppet" -i "http://www.puppet.com" \
-          -h sha1 \
-          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
-          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
-          -t "$timeserver" \
-          -in "$msidir/$msi" \
-          -out "$msidir/signed-$msi")
-        if [[ $ret == *"Succeeded"* ]]; then break; fi
-      done;
-      if [[ $ret == *"Succeeded"* ]]; then break; fi
-    done;
-    echo $ret
-    if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
-    sha256Servers=(http://timestamp.digicert.com/sha256/timestamp
-      http://timestamp.comodoca.com?td=sha256)
-    for timeserver in "${sha256Servers[@]}"; do
-      for ((try=1; try<=$tries; try++)) do
-        ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
-          -n "Puppet" -i "http://www.puppet.com" \
-          -nest -h sha256 \
-          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
-          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
-          -ts "$timeserver" \
-          -in "$msidir/signed-$msi" \
-          -out "$msidir/$msi")
-        if [[ $ret == *"Succeeded"* ]]; then break; fi
-      done;
-      if [[ $ret == *"Succeeded"* ]]; then break; fi
-    done;
-    echo $ret
-    if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
-  fi
-done
-CMD
+    gcp_auth_token = authorizer.fetch_access_token!['id_token']
 
-    Pkg::Util::Net.remote_execute(
-      ssh_host_string,
-      sign_command,
-      { fail_fast: false }
+    gcp_storage = Google::Cloud::Storage.new(
+      project_id: 'puppet-release-engineering',
+      credentials: gcp_service_account_credentials
     )
-    msis.each do | msi |
-      Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{msi}", rsync_host_string, File.dirname(msi))
+    tosign_bucket = gcp_storage.bucket('windows-tosign-bucket')
+    signed_bucket = gcp_storage.bucket('windows-signed-bucket')
+
+    service_uri = URI.parse(signing_service_url)
+    headers = { 'Content-Type': 'application/json', 'Authorization': "Bearer #{gcp_auth_token}" }
+    http = Net::HTTP.new(service_uri.host, service_uri.port)
+    http.use_ssl = true
+    request = Net::HTTP::Post.new(service_uri.request_uri, headers)
+
+    # Create hash to keep track of the signed msis
+    signed_msis = {}
+
+    msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
+
+    # Upload msis to GCP and sign them
+    msis.each do |msi|
+      begin
+        tosign_bucket.create_file(msi, msi)
+      rescue StandardError => e
+        delete_tosign_msis(tosign_bucket, msis)
+        fail "There was an error uploading #{msi} to the windows-tosign-bucket gcp bucket.\n#{e}"
+      end
+      msi_json = { 'Path': msi }
+      request.body = msi_json.to_json
+      begin
+        response = http.request(request)
+        response_body = JSON.parse(JSON.parse(response.body.to_json), :quirks_mode => true)
+      rescue StandardError => e
+        delete_tosign_msis(tosign_bucket, msis)
+        delete_signed_msis(signed_bucket, signed_msis)
+        fail "There was an error signing #{msi}.\n#{e}"
+      end
+      # Store location of signed msi
+      signed_msi = response_body['Path']
+      signed_msis[msi] = signed_msi
+    end
+
+    # Download the signed msis
+    msis.each do |msi|
+      begin
+        signed_msi = signed_bucket.file(signed_msis[msi])
+        signed_msi.download(msi)
+      rescue StandardError => e
+        delete_tosign_msis(tosign_bucket, msis)
+        delete_signed_msis(signed_bucket, signed_msis)
+        fail "There was an error retrieving the signed msi:#{msi}.\n#{e}"
+      end
+    end
+
+    # Cleanup buckets
+    delete_tosign_msis(tosign_bucket, msis)
+    delete_signed_msis(signed_bucket, signed_msis)
+  end
+
+  def delete_tosign_msis(bucket, msis)
+    msis.each do |msi|
+      tosign_msi = bucket.file(msi)
+      tosign_msi.delete unless tosign_msi.nil?
+    end
+  end
+
+  def delete_signed_msis(bucket, signed_msis)
+    signed_msis.each do |msi, temp_name|
+      signed_msi = bucket.file(temp_name)
+      signed_msi.delete unless signed_msi.nil?
     end
-    Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")
   end
 end

data/lib/packaging/sign/rpm.rb

@@ -70,7 +70,7 @@ module Pkg::Sign::Rpm
     v4_rpms = []
     rpms_to_sign.each do |rpm|
       platform_tag = Pkg::Paths.tag_from_artifact_path(rpm)
-      platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
+      platform, version, = Pkg::Platforms.parse_platform_tag(platform_tag)
 
       # We don't sign AIX rpms
       next if platform_tag.include?('aix')

data/lib/packaging/sign.rb

@@ -4,5 +4,4 @@ module Pkg::Sign
   require 'packaging/sign/ips'
   require 'packaging/sign/msi'
   require 'packaging/sign/rpm'
-  module_function
 end

data/lib/packaging/tar.rb

@@ -5,7 +5,6 @@ module Pkg
     include FileUtils
 
     attr_accessor :files, :project, :version, :excludes, :target, :templates
-    attr_reader :tar
 
     def initialize
       @tar      = Pkg::Util::Tool.find_tool('tar', :required => true)
@@ -56,7 +55,7 @@ module Pkg
       patterns =
         case @files
         when String
-          $stderr.puts "warning: `files` should be an array, not a string"
+          warn "warning: `files` should be an array, not a string"
           @files.split(' ')
         when Array
           @files
@@ -137,7 +136,7 @@ module Pkg
     def tar(target, source)
       mkpath File.dirname(target)
       cd File.dirname(source) do
-        %x(#{@tar} #{@excludes.map { |x| (" --exclude #{x} ") }.join if @excludes} -zcf '#{File.basename(target)}' '#{File.basename(source)}')
+        %x(#{@tar} #{@excludes.map { |x| " --exclude #{x} " }.join if @excludes} -zcf '#{File.basename(target)}' '#{File.basename(source)}')
         unless $?.success?
           fail "Failed to create .tar.gz archive with #{@tar}. Please ensure the tar command in your path accepts the flags '-c', '-z', and '-f'"
         end
@@ -157,7 +156,6 @@ module Pkg
       self.tar(@target, workdir)
       self.clean_up workdir
     end
-
   end
 end
 

data/lib/packaging/util/date.rb

@@ -1,7 +1,6 @@
 # Utilities for managing/querying date/time
 
 module Pkg::Util::Date
-
   class << self
     def timestamp(separator = nil)
       if s = separator

data/lib/packaging/util/distribution_server.rb

@@ -31,8 +31,8 @@ module Pkg::Util::DistributionServer
 
       # If we just shipped a tagged version, we want to make it immutable
       files = Dir.glob("#{local_source_directory}/**/*")
-                 .select { |f| File.file?(f) and !f.include? "#{Pkg::Config.ref}.yaml" }
-                 .map { |f| "#{remote_target_directory}/#{f.sub(/^#{local_source_directory}\//, '')}" }
+        .select { |f| File.file?(f) and !f.include? "#{Pkg::Config.ref}.yaml" }
+        .map { |f| "#{remote_target_directory}/#{f.sub(/^#{local_source_directory}\//, '')}" }
 
       Pkg::Util::Net.remote_set_ownership(Pkg::Config.distribution_server, 'root', 'release', files)
       Pkg::Util::Net.remote_set_permissions(Pkg::Config.distribution_server, '0664', files)

data/lib/packaging/util/execution.rb

@@ -1,9 +1,7 @@
 # Utility methods for handling system calls and interactions
 
 module Pkg::Util::Execution
-
   class << self
-
     # Alias to $?.success? that makes success? slightly easier to test and stub
     # If immediately run, $? will not be instanciated, so only call success? if
     # $? exists, otherwise return nil
@@ -23,7 +21,7 @@ module Pkg::Util::Execution
     # while also raising an exception if a command does not succeed (ala `sh "cmd"`).
     def ex(command, debug = false)
       puts "Executing '#{command}'..." if debug
-      ret = `#{command}`
+      ret = %x(#{command})
       unless Pkg::Util::Execution.success?
         raise RuntimeError
       end
@@ -71,7 +69,7 @@ module Pkg::Util::Execution
             blk.call
             success = true
             break
-          rescue => err
+          rescue StandardError => err
             puts "An error was encountered evaluating block. Retrying.."
             exception = err.to_s + "\n" + err.backtrace.join("\n")
           end

data/lib/packaging/util/file.rb

@@ -2,7 +2,6 @@
 require 'fileutils'
 
 module Pkg::Util::File
-
   class << self
     def exist?(file)
       ::File.exist?(file)
@@ -15,7 +14,7 @@ module Pkg::Util::File
 
     def mktemp
       mktemp = Pkg::Util::Tool.find_tool('mktemp', :required => true)
-      stdout, _, _ = Pkg::Util::Execution.capture3("#{mktemp} -d -t pkgXXXXXX")
+      stdout, = Pkg::Util::Execution.capture3("#{mktemp} -d -t pkgXXXXXX")
       stdout.strip
     end
 
@@ -79,7 +78,7 @@ module Pkg::Util::File
         target_opts = "-C #{target}"
       end
       if file_exists?(source, :required => true)
-        stdout, _, _ = Pkg::Util::Execution.capture3(%Q(#{tar} #{options} #{target_opts} -xf #{source}))
+        stdout, = Pkg::Util::Execution.capture3(%(#{tar} #{options} #{target_opts} -xf #{source}))
         stdout
       end
     end

data/lib/packaging/util/git.rb

@@ -22,7 +22,6 @@ module Pkg::Util::Git
     end
 
     # Git utility to create a new git bundle
-    # rubocop:disable Metrics/AbcSize
     def bundle(treeish, appendix = Pkg::Util.rand_string, temp = Pkg::Util::File.mktemp)
       fail_unless_repo
       Pkg::Util::Execution.capture3("#{Pkg::Util::Tool::GIT} bundle create #{temp}/#{Pkg::Config.project}-#{Pkg::Config.version}-#{appendix} #{treeish} --tags")
@@ -113,13 +112,12 @@ module Pkg::Util::Git
       end
     end
 
-    # rubocop:disable Style/GuardClause
     def fail_unless_repo
       unless repo?
         raise "Pkg::Config.project_root (#{Pkg::Config.project_root}) is not \
           a valid git repository"
       end
-    end
+end
 
     # Return the basename of the project repo
     def project_name

data/lib/packaging/util/git_tags.rb

@@ -1,6 +1,6 @@
 module Pkg::Util
   class Git_tag
-    attr_reader :address, :ref, :ref_name, :ref_type, :branch_name
+    attr_reader :address, :ref, :ref_name, :ref_type
 
     GIT = Pkg::Util::Tool::GIT
     DEVNULL = Pkg::Util::OS::DEVNULL
@@ -43,7 +43,7 @@ module Pkg::Util
     # Fetch the full ref using ls-remote, this should raise an error if it returns non-zero
     # because that means this ref doesn't exist in the repo
     def fetch_full_ref
-      stdout, _, _ = Pkg::Util::Execution.capture3("#{GIT} ls-remote --tags --heads --exit-code #{address} #{ref}")
+      stdout, = Pkg::Util::Execution.capture3("#{GIT} ls-remote --tags --heads --exit-code #{address} #{ref}")
       stdout.split.last
     rescue RuntimeError => e
       raise "ERROR : Not a ref or sha!\n#{e}"
@@ -54,7 +54,7 @@ module Pkg::Util
     end
 
     def ref?
-      `#{GIT} check-ref-format #{ref} >#{DEVNULL} 2>&1`
+      %x(#{GIT} check-ref-format #{ref} >#{DEVNULL} 2>&1)
       $?.success?
     end
 

data/lib/packaging/util/gpg.rb

@@ -1,6 +1,5 @@
 module Pkg::Util::Gpg
   class << self
-
     # Please note that this method is not used in determining what key is used
     # to sign the debian repos. That is defined in the freight config that
     # lives on our internal repo staging host. The debian conf/distribution
@@ -31,14 +30,14 @@ module Pkg::Util::Gpg
 
     def kill_keychain
       if keychain
-        stdout, _, _ = Pkg::Util::Execution.capture3("#{keychain} -k mine")
+        stdout, = Pkg::Util::Execution.capture3("#{keychain} -k mine")
         stdout
       end
     end
 
     def start_keychain
       if keychain
-        keychain_output, _, _ = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
+        keychain_output, = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
         keychain_output.chomp!
         new_env = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)
         ENV["GPG_AGENT_INFO"] = new_env[1]
@@ -56,7 +55,7 @@ module Pkg::Util::Gpg
           return true
         end
         use_tty = "--no-tty --use-agent" if ENV['RPM_GPG_AGENT']
-        stdout, _, _ = Pkg::Util::Execution.capture3("#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}")
+        stdout, = Pkg::Util::Execution.capture3("#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}")
         stdout
       else
         fail "No gpg available. Cannot sign #{file}."

data/lib/packaging/util/jenkins.rb

@@ -3,9 +3,7 @@ require 'net/http'
 require 'json'
 
 module Pkg::Util::Jenkins
-
   class << self
-
     # Use the curl to create a jenkins job from a valid XML
     # configuration file.
     # Returns the URL to the job
@@ -90,6 +88,5 @@ module Pkg::Util::Jenkins
 
       wait_for_build job_hash['lastBuild']['url']
     end
-
   end
 end

data/lib/packaging/util/misc.rb

@@ -57,7 +57,7 @@ module Pkg::Util::Misc
     def check_rubygems_ownership(gem_name)
       require 'yaml'
       credentials = YAML.load_file("#{ENV['HOME']}/.gem/credentials")
-      gems = YAML.load(%x(curl -H 'Authorization:#{credentials[:rubygems_api_key]}' https://rubygems.org/api/v1/gems.yaml))
+      gems = YAML.safe_load(%x(curl -H 'Authorization:#{credentials[:rubygems_api_key]}' https://rubygems.org/api/v1/gems.yaml))
       gems.each do |gem|
         if gem['name'] == gem_name
           return true

data/lib/packaging/util/net.rb

@@ -1,15 +1,13 @@
 # Utility methods for handling network calls and interactions
 
 module Pkg::Util::Net
-
   class << self
-
     # This simple method does an HTTP get of a URI and writes it to a file
     # in a slightly more platform agnostic way than curl/wget
     def fetch_uri(uri, target)
       require 'open-uri'
       if Pkg::Util::File.file_writable?(File.dirname(target))
-        File.open(target, 'w') { |f| f.puts(open(uri).read) }
+        File.open(target, 'w') { |f| f.puts(URI.open(uri).read) }
       end
     end
 
@@ -37,7 +35,7 @@ module Pkg::Util::Net
       Array(hosts).flatten.each do |host|
         begin
           remote_execute(host, 'exit', { extra_options: '-oBatchMode=yes' })
-        rescue
+        rescue StandardError
           errs << host
         end
       end
@@ -56,7 +54,7 @@ module Pkg::Util::Net
         begin
           remote_execute(host, "gpg --list-secret-keys #{gpg} > /dev/null 2&>1",
                          { extra_options: '-oBatchMode=yes' })
-        rescue
+        rescue StandardError
           errs << host
         end
       end
@@ -112,13 +110,14 @@ module Pkg::Util::Net
     ###
     ### Deprecated method implemented as a shim to the new `remote_execute` method
     ###
-    def remote_ssh_cmd(target, command, capture_output = false, extra_options = '', fail_fast = true, trace = false)  # rubocop:disable Style/ParameterLists
+    def remote_ssh_cmd(target, command, capture_output = false, extra_options = '', fail_fast = true, trace = false) # rubocop:disable Metrics/ParameterLists
       puts "Warn: \"remote_ssh_cmd\" call in packaging is deprecated. Use \"remote_execute\" instead."
       remote_execute(target, command, {
                        capture_output: capture_output,
                        extra_options: extra_options,
                        fail_fast: fail_fast,
-                       trace: trace })
+                       trace: trace
+})
     end
 
     # Construct a valid rsync command
@@ -149,7 +148,8 @@ module Pkg::Util::Net
         target_path: nil,
         target_host: nil,
         extra_flags: nil,
-        dryrun: false }.merge(opts)
+        dryrun: false
+}.merge(opts)
       origin = Pathname.new(origin_path)
       target = options[:target_path] || origin.parent
 
@@ -187,9 +187,10 @@ module Pkg::Util::Net
         target_path: nil,
         target_host: nil,
         extra_flags: nil,
-        dryrun: ENV['DRYRUN'] }.merge(opts.delete_if { |_, value| value.nil? })
+        dryrun: ENV['DRYRUN']
+}.merge(opts.delete_if { |_, value| value.nil? })
 
-      stdout, _, _ = Pkg::Util::Execution.capture3(rsync_cmd(source, options), true)
+      stdout, = Pkg::Util::Execution.capture3(rsync_cmd(source, options), true)
       stdout
     end
 
@@ -223,7 +224,7 @@ module Pkg::Util::Net
       s3cmd = Pkg::Util::Tool.check_tool('s3cmd')
 
       if Pkg::Util::File.file_exists?(File.join(ENV['HOME'], '.s3cfg'))
-        stdout, _, _ = Pkg::Util::Execution.capture3("#{s3cmd} sync #{flags.join(' ')} '#{source}' s3://#{target_bucket}/#{target_directory}/")
+        stdout, = Pkg::Util::Execution.capture3("#{s3cmd} sync #{flags.join(' ')} '#{source}' s3://#{target_bucket}/#{target_directory}/")
         stdout
       else
         fail "#{File.join(ENV['HOME'], '.s3cfg')} does not exist. It is required to ship files using s3cmd."
@@ -279,7 +280,7 @@ module Pkg::Util::Net
         '--write-out "%{http_code}"',
         '--output /dev/null'
       ]
-      stdout, _ = Pkg::Util::Net.curl_form_data(uri, data)
+      stdout, = Pkg::Util::Net.curl_form_data(uri, data)
       stdout
     end
 
@@ -292,18 +293,18 @@ module Pkg::Util::Net
     end
 
     def remote_set_ownership(host, owner, group, files)
-      remote_cmd = "for file in #{files.join(" ")}; do if [[ -d $file ]] || ! `lsattr $file | grep -q '\\-i\\-'`; then sudo chown #{owner}:#{group} $file; else echo \"$file is immutable\"; fi; done"
+      remote_cmd = "for file in #{files.join(' ')}; do if [[ -d $file ]] || ! `lsattr $file | grep -q '\\-i\\-'`; then sudo chown #{owner}:#{group} $file; else echo \"$file is immutable\"; fi; done"
       Pkg::Util::Net.remote_execute(host, remote_cmd)
     end
 
     def remote_set_permissions(host, permissions, files)
-      remote_cmd = "for file in #{files.join(" ")}; do if [[ -d $file ]] || ! `lsattr $file | grep -q '\\-i\\-'`; then sudo chmod #{permissions} $file; else echo \"$file is immutable\"; fi; done"
+      remote_cmd = "for file in #{files.join(' ')}; do if [[ -d $file ]] || ! `lsattr $file | grep -q '\\-i\\-'`; then sudo chmod #{permissions} $file; else echo \"$file is immutable\"; fi; done"
       Pkg::Util::Net.remote_execute(host, remote_cmd)
     end
 
     # Remotely set the immutable bit on a list of files
     def remote_set_immutable(host, files)
-      Pkg::Util::Net.remote_execute(host, "sudo chattr +i #{files.join(" ")}")
+      Pkg::Util::Net.remote_execute(host, "sudo chattr +i #{files.join(' ')}")
     end
 
     # Create a symlink indicating the latest version of a package
@@ -350,8 +351,9 @@ module Pkg::Util::Net
       CMD
 
       _, err = Pkg::Util::Net.remote_execute(
-           Pkg::Config.staging_server, cmd, { capture_output: true })
-      $stderr.puts err
+        Pkg::Config.staging_server, cmd, { capture_output: true }
+      )
+      warn err
     end
 
     def escape_html(uri)
@@ -383,17 +385,19 @@ module Pkg::Util::Net
       Pkg::Util::Net.rsync_to(tarball, host, '/tmp')
       appendix = Pkg::Util.rand_string
       git_bundle_directory = File.join('/tmp', "#{Pkg::Config.project}-#{appendix}")
-      command = <<-DOC
-#{tar} -zxvf /tmp/#{tarball_name}.tar.gz -C /tmp/ ;
-git clone --recursive /tmp/#{tarball_name} #{git_bundle_directory} ;
-DOC
+      command = <<~DOC
+        #{tar} -zxvf /tmp/#{tarball_name}.tar.gz -C /tmp/ ;
+        git clone --recursive /tmp/#{tarball_name} #{git_bundle_directory} ;
+      DOC
       Pkg::Util::Net.remote_execute(host, command)
       return git_bundle_directory
     end
 
     def remote_bundle_install_command
+      rvm_ruby_version = ENV['RVM_RUBY_VERSION'] || '2.5.9'
       export_packaging_location = "export PACKAGING_LOCATION='#{ENV['PACKAGING_LOCATION']}';" if ENV['PACKAGING_LOCATION'] && !ENV['PACKAGING_LOCATION'].empty?
-      "source /usr/local/rvm/scripts/rvm; rvm use ruby-2.5.1; #{export_packaging_location} bundle install --path .bundle/gems ;"
+      export_vanagon_location = "export VANAGON_LOCATION='#{ENV['VANAGON_LOCATION']}';" if ENV['VANAGON_LOCATION'] && !ENV['VANAGON_LOCATION'].empty?
+      "source /usr/local/rvm/scripts/rvm; rvm use ruby-#{rvm_ruby_version}; #{export_packaging_location} #{export_vanagon_location} bundle install --path .bundle/gems ;"
     end
 
     # Given a BuildInstance object and a host, send its params to the host. Return

data/lib/packaging/util/repo.rb

@@ -2,7 +2,6 @@
 
 module Pkg::Util::Repo
   class << self
-
     # Create yum repositories of built RPM packages for this SHA on the distribution server
     def rpm_repos
       Pkg::Util::File.fetch

data/lib/packaging/util/serialization.rb

@@ -2,14 +2,13 @@
 
 module Pkg::Util::Serialization
   class << self
-
     # Given the path to a yaml file, load the yaml file into an object and return the object.
     def load_yaml(file)
       require 'yaml'
       file = File.expand_path(file)
       begin
         input_data = YAML.load_file(file) || {}
-      rescue => e
+      rescue StandardError => e
         fail "There was an error loading data from #{file}.\n#{e}"
       end
       input_data

data/lib/packaging/util/ship.rb

@@ -87,7 +87,7 @@ module Pkg::Util::Ship
     puts "Do you want to ship the above files to (#{staging_server})?"
     return false unless Pkg::Util.ask_yes_or_no
 
-    extra_flags = %w(--ignore-existing --delay-updates)
+    extra_flags = %w[--ignore-existing --delay-updates]
     extra_flags << '--dry-run' if ENV['DRYRUN']
 
     staged_pkgs.each do |pkg|
@@ -330,7 +330,7 @@ module Pkg::Util::Ship
   def test_ship(vm, ship_task)
     command = 'getent group release || groupadd release'
     Pkg::Util::Net.remote_execute(vm, command)
-    hosts_to_override = %w(
+    hosts_to_override = %w[
       APT_HOST
       DMG_HOST
       GEM_HOST
@@ -349,7 +349,7 @@ module Pkg::Util::Ship
       TAR_STAGING_SERVER
       YUM_STAGING_SERVER
       STAGING_SERVER
-    )
+    ]
     hosts_to_override.each do |host|
       ENV[host] = vm
     end