packaging 0.106.0 → 0.106.3

data/lib/packaging/paths.rb

@@ -2,7 +2,6 @@
 # This includes both reporting the correct path and divining the platform
 # tag associated with a variety of paths
 #
-# rubocop:disable Metrics/ModuleLength
 module Pkg::Paths
   include Pkg::Platforms
 
@@ -17,7 +16,7 @@ module Pkg::Paths
       return Pkg::Platforms.get_attribute_for_platform_version(platform, version, :source_architecture)
     end
     arches.find { |a| path.include?(package_arch(platform, a)) } || arches[0]
-  rescue
+  rescue StandardError
     arches.find { |a| path.include?(package_arch(platform, a)) } || arches[0]
   end
 
@@ -40,7 +39,7 @@ module Pkg::Paths
     arch = arch_from_artifact_path(platform, version, path)
 
     return "#{platform}-#{version}-#{arch}"
-  rescue
+  rescue StandardError
     fmt = Pkg::Platforms.all_supported_package_formats.find { |ext| path =~ /#{ext}$/ }
 
     # We need to make sure this is actually a file, and not simply a path
@@ -117,7 +116,7 @@ module Pkg::Paths
 
       # In puppet7 and beyond, we moved the repo_name to the top to allow each
       # puppet major release to have its own apt repo.
-      if %w(FUTURE-puppet7 FUTURE-puppet7-nightly).include? repo_name
+      if %w[FUTURE-puppet7 FUTURE-puppet7-nightly].include? repo_name
         return File.join(prefix, apt_repo_name(is_nonfinal), debian_code_name)
       end
 
@@ -170,7 +169,7 @@ module Pkg::Paths
   # Given platform information, create symlink target (base_path) and link path in the
   # form of a 2-element array
   def artifacts_base_path_and_link_path(platform_tag, prefix = 'artifacts', is_nonfinal = false)
-    platform_name, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
+    platform_name, = Pkg::Platforms.parse_platform_tag(platform_tag)
     package_format = Pkg::Platforms.package_format_for_tag(platform_tag)
 
     path_data = {
@@ -189,7 +188,7 @@ module Pkg::Paths
   end
 
   def artifacts_path(platform_tag, path_prefix = 'artifacts', nonfinal = false)
-    base_path, _ = artifacts_base_path_and_link_path(platform_tag, path_prefix, nonfinal)
+    base_path, = artifacts_base_path_and_link_path(platform_tag, path_prefix, nonfinal)
     platform, version, architecture = Pkg::Platforms.parse_platform_tag(platform_tag)
     package_format = Pkg::Platforms.package_format_for_tag(platform_tag)
 
@@ -306,24 +305,24 @@ module Pkg::Paths
       fail "Can't determine path for non-debian platform #{platform_tag}."
     end
 
-    platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
+    platform, version, = Pkg::Platforms.parse_platform_tag(platform_tag)
     code_name = Pkg::Platforms.codename_for_platform_version(platform, version)
     remote_repo_path = remote_repo_base(platform_tag, nonfinal: nonfinal)
 
     # In puppet7 and beyond, we moved the puppet major version to near the top to allow each
     # puppet major release to have its own apt repo, for example:
     # /opt/repository/apt/puppet7/pool/bionic/p/puppet-agent
-    if %w(FUTURE-puppet7 FUTURE-puppet7-nightly).include? repo_name
+    if %w[FUTURE-puppet7 FUTURE-puppet7-nightly].include? repo_name
       return File.join(remote_repo_path, repo_name, 'pool', code_name, project[0], project)
     end
 
     # For repos prior to puppet7, the puppet version was part of the repository
     # For example: /opt/repository/apt/pool/bionic/puppet6/p/puppet-agent
-    if %w(puppet7 puppet7-nightly
+    if %w[puppet7 puppet7-nightly
           puppet6 puppet6-nightly
           puppet5 puppet5-nightly
-          puppet  puppet-nightly
-          puppet-tools).include? repo_name
+          puppet puppet-nightly
+          puppet-tools].include? repo_name
       return File.join(remote_repo_path, 'pool', code_name, repo_name, project[0], project)
     end
 
@@ -331,7 +330,7 @@ module Pkg::Paths
   end
 
   def release_package_link_path(platform_tag, nonfinal = false)
-    platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
+    platform, version, = Pkg::Platforms.parse_platform_tag(platform_tag)
     package_format = Pkg::Platforms.package_format_for_tag(platform_tag)
     case package_format
     when 'rpm'
@@ -372,5 +371,4 @@ module Pkg::Paths
   end
 
   private :package_arch
-
 end

data/lib/packaging/platforms.rb

@@ -4,7 +4,6 @@ require 'set'
 # explicitly supports
 module Pkg
   module Platforms
-
     module_function
 
     DEBIAN_SOURCE_FORMATS = ['debian.tar.gz', 'orig.tar.gz', 'dsc', 'changes']
@@ -113,6 +112,11 @@ module Pkg
           package_format: 'dmg',
           repo: false,
         },
+        '12' => {
+          architectures: ['x86_64', 'arm64'],
+          package_format: 'dmg',
+          repo: false,
+        },
       },
 
       'redhatfips' => {
@@ -223,7 +227,7 @@ module Pkg
           repo: false,
         }
       },
-    }.freeze
+    }
 
     # @return [Array] An array of Strings, containing all of the supported
     #   platforms as defined in PLATFORM_INFO
@@ -235,7 +239,7 @@ module Pkg
     #   versions for the given platform
     def versions_for_platform(platform)
       PLATFORM_INFO[platform].keys
-    rescue
+    rescue StandardError
       raise "No information found for '#{platform}'"
     end
 
@@ -277,7 +281,7 @@ module Pkg
       # AIX uses 'ppc' as its architecture in paths and file names
       architecture = 'ppc' if platform == 'aix'
       return [platform, version, architecture]
-    rescue
+    rescue StandardError
       raise "Could not verify that '#{platform_tag}' is a valid tag"
     end
 
@@ -286,7 +290,7 @@ module Pkg
     #   platform-version-arch
     # @return [Hash] The hash of data associated with the given platform version
     def platform_lookup(platform_tag)
-      platform, version, _ = parse_platform_tag(platform_tag)
+      platform, version, = parse_platform_tag(platform_tag)
       PLATFORM_INFO[platform][version]
     end
 
@@ -396,7 +400,7 @@ module Pkg
       if include_source
         begin
           source_architecture = Array(get_attribute_for_platform_version(platform, version, :source_architecture))
-        rescue
+        rescue StandardError # rubocop:disable Lint/SuppressedException
         end
       end
       return (platform_architectures + source_architecture).flatten

data/lib/packaging/repo.rb

@@ -1,7 +1,5 @@
 module Pkg::Repo
-
   class << self
-
     ##
     ## Construct a local_target based upon the versioning style
     ##
@@ -38,7 +36,7 @@ module Pkg::Repo
         target_tarball = File.join('repos', "#{archive_name}.tar.gz")
         tar_command = %W[#{tar} --owner=0 --group=0 --create --gzip
           --file #{target_tarball} #{repo_location}].join(' ')
-        stdout, _, _ = Pkg::Util::Execution.capture3(tar_command)
+        stdout, = Pkg::Util::Execution.capture3(tar_command)
         return stdout
       end
     end
@@ -69,7 +67,7 @@ module Pkg::Repo
         tar_command = %W[#{tar} --owner=0 --group=0 #{tar_action}
           --file #{all_repos_tarball_name} #{repo_tarball_path}].join(' ')
 
-        stdout, _, _ = Pkg::Util::Execution.capture3(tar_command)
+        stdout, = Pkg::Util::Execution.capture3(tar_command)
         puts stdout
       end
     end
@@ -82,7 +80,7 @@ module Pkg::Repo
       gzip = Pkg::Util::Tool.check_tool('gzip')
 
       gzip_command = "#{gzip} --fast #{all_repos_tarball_name}"
-      stdout, _, _ = Pkg::Util::Execution.capture3(gzip_command)
+      stdout, = Pkg::Util::Execution.capture3(gzip_command)
       puts stdout
     end
 
@@ -111,13 +109,13 @@ module Pkg::Repo
       cmd = "[ -d #{artifact_directory} ] || exit 1 ; "
       cmd << "pushd #{artifact_directory} > /dev/null && "
       cmd << "find . -name '*.#{pkg_ext}' -print0 | xargs --no-run-if-empty -0 -I {} dirname {} "
-      stdout, _ = Pkg::Util::Net.remote_execute(
-                Pkg::Config.distribution_server,
+      stdout, = Pkg::Util::Net.remote_execute(
+        Pkg::Config.distribution_server,
                 cmd,
                 { capture_output: true }
-              )
+      )
       return stdout.split
-    rescue => e
+    rescue StandardError => e
       fail "Error: Could not retrieve directories that contain #{pkg_ext} " \
            "packages in #{Pkg::Config.distribution_server}:#{artifact_directory}: #{e}"
     end
@@ -127,7 +125,7 @@ module Pkg::Repo
       cmd << "pushd #{artifact_parent_directory} > /dev/null && "
       cmd << 'rsync --archive --verbose --one-file-system --ignore-existing artifacts/ repos/ '
       Pkg::Util::Net.remote_execute(Pkg::Config.distribution_server, cmd)
-    rescue => e
+    rescue StandardError => e
       fail "Error: Could not populate repos directory in " \
            "#{Pkg::Config.distribution_server}:#{artifact_parent_directory}: #{e}"
     end
@@ -138,7 +136,7 @@ module Pkg::Repo
 
     def update_repo(remote_host, command, options = {})
       fail_message = "Error: Missing required argument '%s', perhaps update build_defaults?"
-      [:repo_name, :repo_path, :repo_host, :repo_url].each do |option|
+      %i[repo_name repo_path repo_host repo_url].each do |option|
         fail fail_message % option.to_s if argument_required?(option.to_s, command) && !options[option]
       end
 
@@ -152,7 +150,8 @@ module Pkg::Repo
       }
       Pkg::Util::Net.remote_execute(
         remote_host,
-        Pkg::Util::Misc.search_and_replace(command, repo_configuration))
+        Pkg::Util::Misc.search_and_replace(command, repo_configuration)
+      )
     end
   end
 end

data/lib/packaging/retrieve.rb

@@ -67,7 +67,7 @@ module Pkg::Retrieve
       warn "Could not find `wget` tool. Falling back to rsyncing from #{Pkg::Config.distribution_server}."
       begin
         Pkg::Util::Net.rsync_from("#{rsync_path}/", Pkg::Config.distribution_server, "#{local_target}/")
-      rescue => e
+      rescue StandardError => e
         fail "Couldn't rsync packages from distribution server.\n#{e}"
       end
     end

data/lib/packaging/rpm/repo.rb

@@ -75,7 +75,7 @@ module Pkg::Rpm::Repo
       path = Pathname.new(origin_path)
       dest_path = Pathname.new(destination_path)
 
-      options = %w(
+      options = %w[
         rsync
         --recursive
         --links
@@ -91,7 +91,7 @@ module Pkg::Rpm::Repo
         --no-perms
         --no-owner
         --no-group
-      )
+      ]
 
       options << '--dry-run' if dryrun
       options << path
@@ -99,7 +99,7 @@ module Pkg::Rpm::Repo
       if destination
         options << "#{destination}:#{dest_path.parent}"
       else
-        options << "#{dest_path.parent}"
+        options << dest_path.parent.to_s
       end
 
       options.join("\s")
@@ -117,9 +117,9 @@ module Pkg::Rpm::Repo
       FileUtils.mkdir_p("pkg/#{target}")
       config_url = "#{base_url}/#{target}/rpm/"
       begin
-        stdout, _, _ = Pkg::Util::Execution.capture3("#{wget} -r -np -nH --cut-dirs 3 -P pkg/#{target} --reject 'index*' #{config_url}")
+        stdout, = Pkg::Util::Execution.capture3("#{wget} -r -np -nH --cut-dirs 3 -P pkg/#{target} --reject 'index*' #{config_url}")
         stdout
-      rescue => e
+      rescue StandardError => e
         fail "Couldn't retrieve rpm yum repo configs.\n#{e}"
       end
     end
@@ -149,7 +149,7 @@ module Pkg::Rpm::Repo
       # repodata folders in them, and second that those same directories also
       # contain rpms
       #
-      stdout, _, _ = Pkg::Util::Execution.capture3("#{wget} --spider -r -l 5 --no-parent #{repo_base} 2>&1")
+      stdout, = Pkg::Util::Execution.capture3("#{wget} --spider -r -l 5 --no-parent #{repo_base} 2>&1")
       stdout = stdout.split.uniq.reject { |x| x =~ /\?|index/ }.select { |x| x =~ /http:.*repodata\/$/ }
 
       # RPMs will always exist at the same directory level as the repodata
@@ -157,7 +157,7 @@ module Pkg::Rpm::Repo
       #
       yum_repos = []
       stdout.map { |x| x.chomp('repodata/') }.each do |url|
-        output, _, _ = Pkg::Util::Execution.capture3("#{wget} --spider -r -l 1 --no-parent #{url} 2>&1")
+        output, = Pkg::Util::Execution.capture3("#{wget} --spider -r -l 1 --no-parent #{url} 2>&1")
         unless output.split.uniq.reject { |x| x =~ /\?|index/ }.select { |x| x =~ /http:.*\.rpm$/ }.empty?
           yum_repos << url
         end
@@ -204,7 +204,7 @@ module Pkg::Rpm::Repo
     end
 
     def create_local_repos(directory = "repos")
-      stdout, _, _ = Pkg::Util::Execution.capture3("bash -c '#{repo_creation_command(directory)}'")
+      stdout, = Pkg::Util::Execution.capture3("bash -c '#{repo_creation_command(directory)}'")
       stdout
     end
 

data/lib/packaging/sign/dmg.rb

@@ -8,25 +8,25 @@ module Pkg::Sign::Dmg
     end
 
     host_string = "#{ENV['USER']}@#{Pkg::Config.osx_signing_server}"
-    host_string = "#{Pkg::Config.osx_signing_server}" if Pkg::Config.osx_signing_server =~ /@/
+    host_string = Pkg::Config.osx_signing_server.to_s if Pkg::Config.osx_signing_server =~ /@/
 
     ssh_host_string = "#{use_identity} #{host_string}"
     rsync_host_string = "-e 'ssh #{use_identity}' #{host_string}"
-    archs =  Dir.glob("#{pkg_directory}/{apple,mac,osx}/**/{x86_64,arm64}").map { |el| el.split('/').last }
+    archs = Dir.glob("#{pkg_directory}/{apple,mac,osx}/**/{x86_64,arm64}").map { |el| el.split('/').last }
 
     if archs.empty?
-      $stderr.puts "Error: no architectures found in #{pkg_directory}/{apple,mac,osx}"
+      warn "Error: no architectures found in #{pkg_directory}/{apple,mac,osx}"
       exit 1
     end
 
     archs.each do |arch|
       remote_working_directory = "/tmp/#{Pkg::Util.rand_string}/#{arch}"
       dmg_mount_point = File.join(remote_working_directory, "mount")
-      signed_items_directory    = File.join(remote_working_directory, "signed")
+      signed_items_directory = File.join(remote_working_directory, "signed")
 
       dmgs = Dir.glob("#{pkg_directory}/{apple,mac,osx}/**/#{arch}/*.dmg")
       if dmgs.empty?
-        $stderr.puts "Error: no dmgs found in #{pkg_directory}/{apple,mac,osx} for #{arch} architecture."
+        warn "Error: no dmgs found in #{pkg_directory}/{apple,mac,osx} for #{arch} architecture."
         exit 1
       end
 
@@ -43,7 +43,7 @@ module Pkg::Sign::Dmg
           for pkg in #{dmg_mount_point}/*.pkg; do
             pkg_basename=$(basename $pkg) ;
             if /usr/sbin/pkgutil --check-signature $pkg ; then
-              echo "Warning: $pkg is already signed, skipping" ;
+              echo Warning: $pkg is already signed skipping ;
               cp $pkg #{signed_items_directory}/$pkg_basename ;
               continue ;
             fi ;
@@ -70,7 +70,8 @@ module Pkg::Sign::Dmg
 
       dmgs.each do |dmg|
         Pkg::Util::Net.rsync_from(
-          "#{remote_working_directory}/#{File.basename(dmg)}", rsync_host_string, File.dirname(dmg))
+          "#{remote_working_directory}/#{File.basename(dmg)}", rsync_host_string, File.dirname(dmg)
+        )
       end
 
       Pkg::Util::Net.remote_execute(ssh_host_string, "rm -rf '#{remote_working_directory}'")

data/lib/packaging/sign/ips.rb

@@ -1,57 +1,89 @@
 module Pkg::Sign::Ips
   module_function
 
-  def sign(target_dir = 'pkg')
-    use_identity = "-i #{Pkg::Config.ips_signing_ssh_key}" unless Pkg::Config.ips_signing_ssh_key.nil?
+  def sign(packages_root = 'pkg')
+    identity_spec = ''
+    unless Pkg::Config.ips_signing_ssh_key.nil?
+      identity_spec = "-i #{Pkg::Config.ips_signing_ssh_key}"
+    end
+
+    signing_server_spec = Pkg::Config.ips_signing_server
+    unless Pkg::Config.ips_signing_server.match(%r{.+@.+})
+      signing_server_spec = "#{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
+    end
 
-    ssh_host_string = "#{use_identity} #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
-    rsync_host_string = "-e 'ssh #{use_identity}' #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
+    ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
+    rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"
 
-    p5ps = Dir.glob("#{target_dir}/solaris/11/**/*.p5p")
+    packages = Dir.glob("#{packages_root}/solaris/11/**/*.p5p")
 
-    p5ps.each do |p5p|
+    packages.each do |package|
       work_dir     = "/tmp/#{Pkg::Util.rand_string}"
       unsigned_dir = "#{work_dir}/unsigned"
       repo_dir     = "#{work_dir}/repo"
       signed_dir   = "#{work_dir}/pkgs"
+      package_name = File.basename(package)
 
-      Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}")
-      Pkg::Util::Net.rsync_to(p5p, rsync_host_string, unsigned_dir)
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}"
+      )
+      Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_dir)
 
       # Before we can get started with signing packages we need to create a repo
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com")
-      # And import all the packages into the repo.
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{File.basename(p5p)} -d #{repo_dir} '*'")
-      # We are going to hard code the values for signing cert locations for now.
-      # This autmation will require an update to actually become reusable, but
-      # for now these values will stay this way so solaris signing will stop
-      # failing. Please update soon. 06/23/16
-      #
-      #            - Sean P. McDonald
-      #
+      Pkg::Util::Net.remote_execute(ssh_host_spec, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com"
+      )
+
+      # Import all the packages into the repo.
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{package_name} -d #{repo_dir} '*'"
+      )
+
       # We sign the entire repo
-      sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2020.pem \
-                  -i /root/signing/Thawte_SHA256_Code_Signing_CA.pem \
-                  -i /root/signing/Thawte_Primary_Root_CA.pem \
-                  -k /root/signing/signing_key_2020.pem \
+      # Paths to the  .pem files should live elsewhere rather than hardcoded here.
+      sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2022.pem \
+                  -i /root/signing/DigiCert_Code_Signing_Certificate.pem \
+                  -i /root/signing/DigiCert_Trusted_Root.pem \
+                  -k /root/signing/signing_key_2022.pem \
                   -s 'file://#{work_dir}/repo' '*'"
-      puts "About to sign #{p5p} with #{sign_cmd} in #{work_dir}"
-      Pkg::Util::Net.remote_execute(ssh_host_string, sign_cmd.squeeze(' '))
-      # pkgrecv with -a will pull packages out of the repo, so we need to do that too to actually get the packages we signed
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{File.basename(p5p)} -a -s #{repo_dir} '*'")
+      puts "Signing #{package} with #{sign_cmd} in #{work_dir}"
+      Pkg::Util::Net.remote_execute(ssh_host_spec, sign_cmd.squeeze(' '))
+
+      # pkgrecv with -a will pull packages out of the repo, so we need
+      # to do that too to actually get the packages we signed
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{package_name} -a -s #{repo_dir} '*'"
+      )
       begin
         # lets make sure we actually signed something?
         # **NOTE** if we're repeatedly trying to sign the same version this
         # might explode because I don't know how to reset the IPS cache.
         # Everything is amazing.
-        Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{File.basename(p5p)} '*' | grep '^signature '")
+        Pkg::Util::Net.remote_execute(
+          ssh_host_spec,
+          "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{package_name} '*' " \
+          "| grep '^signature '"
+        )
       rescue RuntimeError
-        raise "Looks like #{File.basename(p5p)} was not signed correctly, quitting!"
+        raise "Error: #{package_name} was not signed correctly."
       end
-      # and pull the packages back.
-      Pkg::Util::Net.rsync_from("#{signed_dir}/#{File.basename(p5p)}", rsync_host_string, File.dirname(p5p))
-      Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi")
+
+      # Pull the packages back.
+      Pkg::Util::Net.rsync_from(
+        "#{signed_dir}/#{package_name}",
+        rsync_host_spec,
+        File.dirname(package)
+      )
+
+      Pkg::Util::Net.remote_execute(
+        ssh_host_spec,
+        "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi"
+      )
     end
   end
 end