packaging 0.115.0 → 0.117.0
- checksums.yaml +4 -4
- data/lib/packaging/platforms.rb +16 -0
- data/lib/packaging/sign/msi.rb +41 -87
- data/lib/packaging/sign.rb +0 -1
- data/lib/packaging/util/gpg.rb +36 -27
- data/lib/packaging/util/net.rb +2 -1
- data/spec/lib/packaging/platforms_spec.rb +2 -2
- data/spec/lib/packaging/sign_spec.rb +1 -2
- data/tasks/sign.rake +32 -20
- metadata +20 -21
- data/lib/packaging/sign/ips.rb +0 -89
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: be5128ca201f626a0c0688964ce13218e13fe085c07d59244293821174433bf4
|
4
|
+
data.tar.gz: 4083e5df3d4c9dfa0f4f22a4eeb50dd9188024be9d708e0d18d7dad1d8cce8df
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: de61beb5f4952898a171df26fd648bfa9bd800562a3cb5fc03e65a0d93e5ce00fa916cfd39a15c92a5631144bcf6d5c2a20d322bb67f6d47779a9138705b30a1
|
7
|
+
data.tar.gz: b4ad8e92d302bd23a96b8a4b7b3883a655509aa63eb3d8052b2e231e67f533c99993bda0dcb36c174c2f3bfba62979eb38a61f81463e4b12e3790b17736c6705
|
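--- a/data/lib/packaging/platforms.rb
+++ b/data/lib/packaging/platforms.rb
@@ -158,6 +158,14 @@ module Pkg
 source_package_formats: ['src.rpm'],
 signature_format: 'v3',
 repo: true,
+},
+'9' => {
+architectures: ['x86_64'],
+source_architecture: 'SRPMS',
+package_format: 'rpm',
+source_package_formats: ['src.rpm'],
+signature_format: 'v4',
+repo: true,
 }
 },
 
@@ -226,6 +234,14 @@ module Pkg
 source_package_formats: DEBIAN_SOURCE_FORMATS,
 repo: true,
 },
+'24.04' => {
+codename: 'noble',
+architectures: ['amd64', 'aarch64'],
+source_architecture: 'source',
+package_format: 'deb',
+source_package_formats: DEBIAN_SOURCE_FORMATS,
+repo: true,
+},
 },
 
 'windows' => {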
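Review bot: `architectures: ['amd64', 'aarch64']` in the new `'24.04'` entry mixes naming schemes — dpkg's name for 64-bit ARM is `arm64`, while `aarch64` is the RPM/uname spelling — so if repository paths or package indices are derived from this list, the Ubuntu ARM builds would be published under a name apt does not look for; confirm against the other Ubuntu entries in this hash (they start outside the hunk) and align the spelling. The new `'9'` entry in the first hunk sets `signature_format: 'v4'` where its sibling uses `'v3'`; a one-line comment such as `# v4 signature headers required by this platform's rpm` stating why that platform needs v4 would save the next reader a lookup.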
data/lib/packaging/sign/msi.rb
CHANGED
@@ -1,95 +1,49 @@
|
|
1
1
|
module Pkg::Sign::Msi
|
2
2
|
module_function
|
3
3
|
|
4
|
-
def sign(
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
4
|
+
def sign(packages_root = 'pkg')
|
5
|
+
# These will need to be untangled in another release because build-data changes
|
6
|
+
# don't affect existing packages
|
7
|
+
signing_server_spec = 'jenkins@msi-signer-prod-1.delivery.puppetlabs.net'
|
8
|
+
# signing_server_spec = Pkg::Config.msi_signing_server
|
9
|
+
|
10
|
+
identity_spec = '-i /home/jenkins/.ssh/id_signing'
|
11
|
+
# identity_spec = "-i #{Pkg::Config.msi_signing_ssh_key}"
|
12
|
+
|
13
|
+
rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"
|
14
|
+
ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
|
15
|
+
|
16
|
+
packages = Dir.glob("#{packages_root}/windows*/**/*.msi")
|
17
|
+
|
18
|
+
packages.each do |package|
|
19
|
+
top_directory = "/tmp/#{Pkg::Util.rand_string}"
|
20
|
+
unsigned_packages_directory = "#{top_directory}/unsigned"
|
21
|
+
signed_packages_directory = "#{top_directory}/pkgs"
|
22
|
+
package_name = File.basename(package)
|
23
|
+
sign_msi_command = %W[
|
24
|
+
/usr/local/bin/sign-msi
|
25
|
+
#{unsigned_packages_directory}
|
26
|
+
#{signed_packages_directory}
|
27
|
+
#{package_name}
|
28
|
+
].join(' ')
|
29
|
+
|
30
|
+
# Send the unsigned package to the signing server
|
31
|
+
Pkg::Util::Net.remote_execute(ssh_host_spec, "mkdir -p #{unsigned_packages_directory}")
|
32
|
+
Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_packages_directory)
|
33
|
+
|
34
|
+
# Sign it
|
35
|
+
puts "Signing #{package} with \"#{sign_msi_command}\""
|
36
|
+
Pkg::Util::Net.remote_execute(ssh_host_spec, sign_msi_command)
|
37
|
+
|
38
|
+
# Pull the signed package back
|
39
|
+
Pkg::Util::Net.rsync_from(
|
40
|
+
"#{signed_packages_directory}/#{package_name}",
|
41
|
+
rsync_host_spec,
|
42
|
+
File.dirname(package)
|
18
43
|
)
|
19
|
-
rescue StandardError => e
|
20
|
-
fail "msis can only be signed by jenkins.\n#{e}"
|
21
|
-
end
|
22
|
-
|
23
|
-
gcp_auth_token = authorizer.fetch_access_token!['id_token']
|
24
|
-
|
25
|
-
gcp_storage = Google::Cloud::Storage.new(
|
26
|
-
project_id: 'puppet-release-engineering',
|
27
|
-
credentials: gcp_service_account_credentials
|
28
|
-
)
|
29
|
-
|
30
|
-
tosign_bucket = gcp_storage.bucket(Pkg::Config.gcp_tosign_bucket)
|
31
|
-
signed_bucket = gcp_storage.bucket(Pkg::Config.gcp_signed_bucket)
|
32
|
-
|
33
|
-
service_uri = URI.parse(signing_service_url)
|
34
|
-
headers = { 'Content-Type': 'application/json', 'Authorization': "Bearer #{gcp_auth_token}" }
|
35
|
-
http = Net::HTTP.new(service_uri.host, service_uri.port)
|
36
|
-
http.use_ssl = true
|
37
|
-
request = Net::HTTP::Post.new(service_uri.request_uri, headers)
|
38
|
-
|
39
|
-
# Create hash to keep track of the signed msis
|
40
|
-
signed_msis = {}
|
41
|
-
|
42
|
-
msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
|
43
|
-
|
44
|
-
# Upload msis to GCP and sign them
|
45
|
-
msis.each do |msi|
|
46
|
-
begin
|
47
|
-
tosign_bucket.create_file(msi, msi)
|
48
|
-
rescue StandardError => e
|
49
|
-
delete_tosign_msis(tosign_bucket, msis)
|
50
|
-
fail "There was an error uploading #{msi} to the windows-tosign-bucket gcp bucket.\n#{e}"
|
51
|
-
end
|
52
|
-
msi_json = { 'Path': msi }
|
53
|
-
request.body = msi_json.to_json
|
54
|
-
begin
|
55
|
-
response = http.request(request)
|
56
|
-
response_body = JSON.parse(JSON.parse(response.body.to_json), :quirks_mode => true)
|
57
|
-
rescue StandardError => e
|
58
|
-
delete_tosign_msis(tosign_bucket, msis)
|
59
|
-
delete_signed_msis(signed_bucket, signed_msis)
|
60
|
-
fail "There was an error signing #{msi}.\n#{e}"
|
61
|
-
end
|
62
|
-
# Store location of signed msi
|
63
|
-
signed_msi = response_body['Path']
|
64
|
-
signed_msis[msi] = signed_msi
|
65
|
-
end
|
66
|
-
|
67
|
-
# Download the signed msis
|
68
|
-
msis.each do |msi|
|
69
|
-
signed_msi = signed_bucket.file(signed_msis[msi])
|
70
|
-
signed_msi.download(msi)
|
71
|
-
rescue StandardError => e
|
72
|
-
delete_tosign_msis(tosign_bucket, msis)
|
73
|
-
delete_signed_msis(signed_bucket, signed_msis)
|
74
|
-
fail "There was an error retrieving the signed msi:#{msi}.\n#{e}"
|
75
|
-
end
|
76
|
-
|
77
|
-
# Cleanup buckets
|
78
|
-
delete_tosign_msis(tosign_bucket, msis)
|
79
|
-
delete_signed_msis(signed_bucket, signed_msis)
|
80
|
-
end
|
81
|
-
|
82
|
-
def delete_tosign_msis(bucket, msis)
|
83
|
-
msis.each do |msi|
|
84
|
-
tosign_msi = bucket.file(msi)
|
85
|
-
tosign_msi.delete unless tosign_msi.nil?
|
86
|
-
end
|
87
|
-
end
|
88
44
|
|
89
|
-
|
90
|
-
|
91
|
-
signed_msi = bucket.file(temp_name)
|
92
|
-
signed_msi.delete unless signed_msi.nil?
|
45
|
+
# Clean up
|
46
|
+
Pkg::Util::Net.remote_execute(ssh_host_spec, "rm -r '#{top_directory}'")
|
93
47
|
end
|
94
48
|
end
|
95
49
|
end
|
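Review bot: The remote working directory created at new lines 19–32 is removed only by the `rm -r` at line 46 on the success path; if `sign-msi` or either rsync raises, the unsigned package stays under `/tmp` on the signing server, so the cleanup belongs in an `ensure` clause of the per-package block (`begin` after `package_name = …`, `ensure` before the `rm -r` line). `signing_server_spec` and `identity_spec` are hard-coded production values with the `Pkg::Config` lookups commented out, which leaves a consumer of this gem no way to point MSI signing at another host or key; the comment on lines 5–6 should name the release or issue expected to restore the config path. `package_name` is interpolated unquoted into `sign_msi_command`, so a basename containing a space or shell metacharacter breaks the remote invocation; `Shellwords.escape(package_name)` (or the single-quoting the `rm -r` line already uses) is a cheap fix. Nothing after `rsync_from` checks that the file pulled back from `pkgs/` actually carries a signature, so a signer that returns its input unchanged would silently overwrite the local package.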
data/lib/packaging/sign.rb
CHANGED
data/lib/packaging/util/gpg.rb
CHANGED
@@ -6,7 +6,10 @@ module Pkg::Util::Gpg
|
|
6
6
|
# files that are generated with this repo use the default gpg key to
|
7
7
|
# reflect that.
|
8
8
|
def key
|
9
|
-
|
9
|
+
if Pkg::Config.gpg_key.nil? || Pkg::Config.gpg_key.empty?
|
10
|
+
fail '`gpg_key` configuration variable is unset. Cannot continue.'
|
11
|
+
end
|
12
|
+
|
10
13
|
Pkg::Config.gpg_key
|
11
14
|
end
|
12
15
|
|
@@ -19,47 +22,53 @@ module Pkg::Util::Gpg
|
|
19
22
|
end
|
20
23
|
|
21
24
|
def load_keychain
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
end
|
25
|
+
return if @keychain_loaded
|
26
|
+
return if ENV['RPM_GPG_AGENT']
|
27
|
+
|
28
|
+
kill_keychain
|
29
|
+
start_keychain
|
30
|
+
@keychain_loaded = true
|
29
31
|
end
|
30
32
|
|
31
33
|
def kill_keychain
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
end
|
34
|
+
return unless keychain
|
35
|
+
|
36
|
+
Pkg::Util::Execution.capture3("#{keychain} -k mine")[0]
|
36
37
|
end
|
37
38
|
|
38
39
|
def start_keychain
|
39
|
-
|
40
|
-
keychain_output, = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
|
41
|
-
keychain_output.chomp!
|
42
|
-
new_env = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)
|
43
|
-
ENV["GPG_AGENT_INFO"] = new_env[1]
|
44
|
-
else
|
40
|
+
unless keychain
|
45
41
|
fail "Keychain is not installed, it is required to autosign using gpg."
|
46
42
|
end
|
43
|
+
|
44
|
+
keychain_output, = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
|
45
|
+
keychain_output.chomp!
|
46
|
+
|
47
|
+
ENV['GPG_AGENT_INFO'] = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)[1]
|
47
48
|
end
|
48
49
|
|
49
50
|
def sign_file(file)
|
50
51
|
gpg ||= Pkg::Util::Tool.find_tool('gpg')
|
51
52
|
|
52
|
-
|
53
|
-
if File.exist? "#{file}.asc"
|
54
|
-
warn "Signature on #{file} exists, skipping..."
|
55
|
-
return true
|
56
|
-
end
|
57
|
-
use_tty = "--no-tty --use-agent" if ENV['RPM_GPG_AGENT']
|
58
|
-
stdout, = Pkg::Util::Execution.capture3("#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}")
|
59
|
-
stdout
|
60
|
-
else
|
53
|
+
unless gpg
|
61
54
|
fail "No gpg available. Cannot sign #{file}."
|
62
55
|
end
|
56
|
+
|
57
|
+
if File.exist? "#{file}.asc"
|
58
|
+
warn "Signature on #{file} already exists, skipping."
|
59
|
+
return true
|
60
|
+
end
|
61
|
+
|
62
|
+
use_tty = if ENV['RPM_GPG_AGENT']
|
63
|
+
'--no-tty --use-agent'
|
64
|
+
else
|
65
|
+
''
|
66
|
+
end
|
67
|
+
|
68
|
+
signing_command = "#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}"
|
69
|
+
puts "GPG signing with \"#{signing_command}\""
|
70
|
+
Pkg::Util::Execution.capture3(signing_command)
|
71
|
+
puts 'GPG signing succeeded.'
|
63
72
|
end
|
64
73
|
end
|
65
74
|
end
|
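Review bot: In `start_keychain`, `keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)[1]` at new line 47 raises `NoMethodError` on `nil` whenever the keychain output carries no `GPG_AGENT_INFO` assignment, turning a configuration problem into an unhelpful stack trace; `agent_info = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)` followed by `fail "keychain did not report GPG_AGENT_INFO: #{keychain_output}" unless agent_info` gives a diagnosable failure. In `sign_file`, `'GPG signing succeeded.'` at line 71 is printed unconditionally after `capture3`, so the message is only truthful if `Pkg::Util::Execution.capture3` raises on a non-zero exit — worth confirming, and if it does not, check the returned status before printing. Note also that `sign_file` previously returned gpg's stdout and now returns `nil` from `puts`; the rake tasks in this commit ignore the value, but other callers may not.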
data/lib/packaging/util/net.rb
CHANGED
@@ -393,7 +393,8 @@ module Pkg::Util::Net
|
|
393
393
|
rvm_ruby_version = ENV['RVM_RUBY_VERSION'] || '3.1.1'
|
394
394
|
export_packaging_location = "export PACKAGING_LOCATION='#{ENV['PACKAGING_LOCATION']}';" if ENV['PACKAGING_LOCATION'] && !ENV['PACKAGING_LOCATION'].empty?
|
395
395
|
export_vanagon_location = "export VANAGON_LOCATION='#{ENV['VANAGON_LOCATION']}';" if ENV['VANAGON_LOCATION'] && !ENV['VANAGON_LOCATION'].empty?
|
396
|
-
|
396
|
+
export_gem_source = "export GEM_SOURCE='#{ENV['GEM_SOURCE']}';" if ENV['GEM_SOURCE'] && !ENV['GEM_SOURCE'].empty?
|
397
|
+
"source /usr/local/rvm/scripts/rvm; rvm use ruby-#{rvm_ruby_version}; #{export_gem_source} #{export_packaging_location} #{export_vanagon_location} bundle install --path .bundle/gems ;"
|
397
398
|
end
|
398
399
|
|
399
400
|
# Given a BuildInstance object and a host, send its params to the host. Return
|
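Review bot: `export_gem_source` at new line 396 wraps `ENV['GEM_SOURCE']` in hand-rolled single quotes inside a shell command, so a value containing a single quote terminates the quoting and the remainder is interpreted by the remote shell; the two existing `export` lines above it have the same shape. A gem source URL is also a common place for credentials (`https://user:token@host`), and this line embeds the value verbatim in a command string that is presumably echoed or logged somewhere — worth confirming. `Shellwords.escape(ENV['GEM_SOURCE'])` in place of the manual quotes closes the quoting problem for all three lines; the enclosing method starts outside the hunk.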
@@ -36,14 +36,14 @@ describe 'Pkg::Platforms' do
|
|
36
36
|
|
37
37
|
describe '#codenames' do
|
38
38
|
it 'should return all codenames for a given platform' do
|
39
|
-
codenames = ['focal', 'bionic', 'bullseye', 'buster', 'bookworm', 'jammy']
|
39
|
+
codenames = ['focal', 'bionic', 'bullseye', 'buster', 'bookworm', 'jammy', 'noble']
|
40
40
|
expect(Pkg::Platforms.codenames).to match_array(codenames)
|
41
41
|
end
|
42
42
|
end
|
43
43
|
|
44
44
|
describe '#codename_to_platform_version' do
|
45
45
|
it 'should return the platform and version corresponding to a given codename' do
|
46
|
-
expect(Pkg::Platforms.codename_to_platform_version('
|
46
|
+
expect(Pkg::Platforms.codename_to_platform_version('noble')).to eq(['ubuntu', '24.04'])
|
47
47
|
end
|
48
48
|
|
49
49
|
it 'should fail if given nil as a codename' do
|
@@ -52,8 +52,7 @@ describe 'Pkg::Sign' do
|
|
52
52
|
end
|
53
53
|
it 'fails if gpg_key is not set' do
|
54
54
|
allow(Pkg::Config).to receive(:gpg_key).and_return(nil)
|
55
|
-
expect { Pkg::Sign::Rpm.has_sig?(rpm) }
|
56
|
-
.to raise_error(RuntimeError, /You need to set `gpg_key` in your build defaults./)
|
55
|
+
expect { Pkg::Sign::Rpm.has_sig?(rpm) }.to raise_error(RuntimeError, /`gpg_key`/)
|
57
56
|
end
|
58
57
|
end
|
59
58
|
|
data/tasks/sign.rake
CHANGED
@@ -17,22 +17,22 @@ namespace :pl do
|
|
17
17
|
task :sign_swix, :root_dir do |_t, args|
|
18
18
|
swix_dir = args.root_dir || $DEFAULT_DIRECTORY
|
19
19
|
packages = Dir["#{swix_dir}/**/*.swix"]
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
20
|
+
next if packages.empty?
|
21
|
+
|
22
|
+
Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
|
23
|
+
packages.each do |swix_package|
|
24
|
+
Pkg::Util::Gpg.sign_file swix_package
|
25
25
|
end
|
26
26
|
end
|
27
27
|
|
28
28
|
desc "Detach sign any solaris svr4 packages"
|
29
29
|
task :sign_svr4, :root_dir do |_t, args|
|
30
30
|
svr4_dir = args.root_dir || $DEFAULT_DIRECTORY
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
31
|
+
next if Dir["#{svr4_dir}/**/*.pkg.gz"].empty?
|
32
|
+
|
33
|
+
Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
|
34
|
+
Dir["#{svr4_dir}/**/*.pkg.gz"].each do |pkg|
|
35
|
+
Pkg::Util::Gpg.sign_file pkg
|
36
36
|
end
|
37
37
|
end
|
38
38
|
|
@@ -42,10 +42,16 @@ namespace :pl do
|
|
42
42
|
Pkg::Sign::Rpm.sign_all(rpm_directory)
|
43
43
|
end
|
44
44
|
|
45
|
-
desc "Sign ips package,
|
45
|
+
desc "Sign ips package, defaults to PL key, pass GPG_KEY to override"
|
46
46
|
task :sign_ips, :root_dir do |_t, args|
|
47
47
|
ips_dir = args.root_dir || $DEFAULT_DIRECTORY
|
48
|
-
|
48
|
+
packages = Dir["#{ips_dir}/**/*.p5p"]
|
49
|
+
next if packages.empty?
|
50
|
+
|
51
|
+
Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
|
52
|
+
packages.each do |p5p_package|
|
53
|
+
Pkg::Util::Gpg.sign_file p5p_package
|
54
|
+
end
|
49
55
|
end
|
50
56
|
|
51
57
|
desc "Sign built gems, defaults to PL key, pass GPG_KEY to override or edit build_defaults"
|
@@ -80,11 +86,11 @@ namespace :pl do
|
|
80
86
|
task :sign_deb_changes, :root_dir do |_t, args|
|
81
87
|
deb_dir = args.root_dir || $DEFAULT_DIRECTORY
|
82
88
|
change_files = Dir["#{deb_dir}/**/*.changes"]
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
89
|
+
next if change_files.empty?
|
90
|
+
|
91
|
+
Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
|
92
|
+
change_files.each do |file|
|
93
|
+
Pkg::Sign::Deb.sign_changes(file)
|
88
94
|
end
|
89
95
|
ensure
|
90
96
|
Pkg::Util::Gpg.kill_keychain
|
@@ -93,13 +99,17 @@ namespace :pl do
|
|
93
99
|
desc "Sign OSX packages"
|
94
100
|
task :sign_osx, [:root_dir] => "pl:fetch" do |_t, args|
|
95
101
|
dmg_dir = args.root_dir || $DEFAULT_DIRECTORY
|
96
|
-
|
102
|
+
next if Dir["#{dmg_dir}/**/*.dmg"].empty?
|
103
|
+
|
104
|
+
Pkg::Sign::Dmg.sign(dmg_dir)
|
97
105
|
end
|
98
106
|
|
99
107
|
desc "Sign MSI packages"
|
100
108
|
task :sign_msi, [:root_dir] => "pl:fetch" do |_t, args|
|
101
109
|
msi_dir = args.root_dir || $DEFAULT_DIRECTORY
|
102
|
-
|
110
|
+
next if Dir["#{msi_dir}/**/*.msi"].empty?
|
111
|
+
|
112
|
+
Pkg::Sign::Msi.sign(msi_dir)
|
103
113
|
end
|
104
114
|
|
105
115
|
##
|
@@ -111,7 +121,9 @@ namespace :pl do
|
|
111
121
|
task :sign_all, :root_dir do |_t, args|
|
112
122
|
Pkg::Util::RakeUtils.invoke_task('pl:fetch')
|
113
123
|
root_dir = args.root_dir || $DEFAULT_DIRECTORY
|
114
|
-
Dir["#{root_dir}/*"].empty?
|
124
|
+
if Dir["#{root_dir}/*"].empty?
|
125
|
+
fail "There were no files found in #{root_dir}. Perhaps build/retrieve something?"
|
126
|
+
end
|
115
127
|
|
116
128
|
# Because rpms and debs are laid out differently in PE under pkg/ they
|
117
129
|
# have a different sign task to address this. Rather than create a whole
|
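Review bot: `sign_swix`, `sign_svr4` and `sign_ips` now call `Pkg::Util::Gpg.load_keychain`, but unlike `sign_deb_changes`, which has `ensure Pkg::Util::Gpg.kill_keychain`, nothing in their hunks stops the agent afterwards, so a keychain-managed gpg-agent holding the signing key stays alive after the task returns unless something outside these hunks kills it; adding the same `ensure` clause to each task keeps the lifecycle symmetric. The line `Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')` is repeated four times across the file and also means a missing keychain silently skips agent setup rather than failing as `start_keychain` does, so a small helper that either loads the keychain or explains why it did not would be clearer. Replacing `Pkg::Sign::Ips` with `Pkg::Util::Gpg.sign_file` for `.p5p` packages produces a detached `.asc` file instead of the embedded signatures the deleted implementation created, which is a different trust artifact from the IPS toolchain's point of view; if that is intentional, the `desc` string or a comment on `sign_ips` should say so.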
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: packaging
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.117.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Puppet By Perforce
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-03-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: debug
|
@@ -180,7 +180,6 @@ files:
|
|
180
180
|
- lib/packaging/sign.rb
|
181
181
|
- lib/packaging/sign/deb.rb
|
182
182
|
- lib/packaging/sign/dmg.rb
|
183
|
-
- lib/packaging/sign/ips.rb
|
184
183
|
- lib/packaging/sign/msi.rb
|
185
184
|
- lib/packaging/sign/rpm.rb
|
186
185
|
- lib/packaging/tar.rb
|
@@ -307,28 +306,28 @@ signing_key:
|
|
307
306
|
specification_version: 4
|
308
307
|
summary: Puppet by Perforce packaging automation
|
309
308
|
test_files:
|
310
|
-
- spec/lib/
|
311
|
-
- spec/lib/packaging/
|
312
|
-
- spec/lib/packaging/platforms_spec.rb
|
313
|
-
- spec/lib/packaging/retrieve_spec.rb
|
314
|
-
- spec/lib/packaging/rpm/repo_spec.rb
|
315
|
-
- spec/lib/packaging/artifactory_spec.rb
|
316
|
-
- spec/lib/packaging/deb/repo_spec.rb
|
317
|
-
- spec/lib/packaging/sign_spec.rb
|
318
|
-
- spec/lib/packaging/paths_spec.rb
|
319
|
-
- spec/lib/packaging/util/ship_spec.rb
|
320
|
-
- spec/lib/packaging/util/jenkins_spec.rb
|
321
|
-
- spec/lib/packaging/util/git_tag_spec.rb
|
322
|
-
- spec/lib/packaging/util/gpg_spec.rb
|
323
|
-
- spec/lib/packaging/util/rake_utils_spec.rb
|
309
|
+
- spec/lib/packaging_spec.rb
|
310
|
+
- spec/lib/packaging/util/file_spec.rb
|
324
311
|
- spec/lib/packaging/util/net_spec.rb
|
312
|
+
- spec/lib/packaging/util/jenkins_spec.rb
|
325
313
|
- spec/lib/packaging/util/os_spec.rb
|
314
|
+
- spec/lib/packaging/util/git_spec.rb
|
315
|
+
- spec/lib/packaging/util/git_tag_spec.rb
|
326
316
|
- spec/lib/packaging/util/execution_spec.rb
|
327
317
|
- spec/lib/packaging/util/misc_spec.rb
|
328
|
-
- spec/lib/packaging/util/
|
318
|
+
- spec/lib/packaging/util/gpg_spec.rb
|
319
|
+
- spec/lib/packaging/util/rake_utils_spec.rb
|
329
320
|
- spec/lib/packaging/util/version_spec.rb
|
330
|
-
- spec/lib/packaging/util/
|
331
|
-
- spec/lib/packaging/
|
321
|
+
- spec/lib/packaging/util/ship_spec.rb
|
322
|
+
- spec/lib/packaging/tar_spec.rb
|
332
323
|
- spec/lib/packaging/deb_spec.rb
|
324
|
+
- spec/lib/packaging/config_spec.rb
|
325
|
+
- spec/lib/packaging/retrieve_spec.rb
|
326
|
+
- spec/lib/packaging/deb/repo_spec.rb
|
327
|
+
- spec/lib/packaging/artifactory_spec.rb
|
328
|
+
- spec/lib/packaging/paths_spec.rb
|
329
|
+
- spec/lib/packaging/gem_spec.rb
|
330
|
+
- spec/lib/packaging/sign_spec.rb
|
331
|
+
- spec/lib/packaging/platforms_spec.rb
|
332
|
+
- spec/lib/packaging/rpm/repo_spec.rb
|
333
333
|
- spec/lib/packaging/repo_spec.rb
|
334
|
-
- spec/lib/packaging_spec.rb
|
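--- a/data/lib/packaging/sign/ips.rb
+++ /dev/null
@@ -1,89 +0,0 @@
-module Pkg::Sign::Ips
-module_function
-
-def sign(packages_root = 'pkg')
-identity_spec = ''
-unless Pkg::Config.ips_signing_ssh_key.nil?
-identity_spec = "-i #{Pkg::Config.ips_signing_ssh_key}"
-end
-
-signing_server_spec = Pkg::Config.ips_signing_server
-unless Pkg::Config.ips_signing_server.match(%r{.+@.+})
-signing_server_spec = "#{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
-end
-
-ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
-rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"
-
-packages = Dir.glob("#{packages_root}/solaris/11/**/*.p5p")
-
-packages.each do |package|
-work_dir = "/tmp/#{Pkg::Util.rand_string}"
-unsigned_dir = "#{work_dir}/unsigned"
-repo_dir = "#{work_dir}/repo"
-signed_dir = "#{work_dir}/pkgs"
-package_name = File.basename(package)
-
-Pkg::Util::Net.remote_execute(
-ssh_host_spec,
-"mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}"
-)
-Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_dir)
-
-# Before we can get started with signing packages we need to create a repo
-Pkg::Util::Net.remote_execute(ssh_host_spec, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
-Pkg::Util::Net.remote_execute(
-ssh_host_spec,
-"sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com"
-)
-
-# Import all the packages into the repo.
-Pkg::Util::Net.remote_execute(
-ssh_host_spec,
-"sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{package_name} -d #{repo_dir} '*'"
-)
-
-# We sign the entire repo
-# Paths to the .pem files should live elsewhere rather than hardcoded here.
-sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2022.pem \
--i /root/signing/DigiCert_Code_Signing_Certificate.pem \
--i /root/signing/DigiCert_Trusted_Root.pem \
--k /root/signing/signing_key_2022.pem \
--s 'file://#{work_dir}/repo' '*'"
-puts "Signing #{package} with #{sign_cmd} in #{work_dir}"
-Pkg::Util::Net.remote_execute(ssh_host_spec, sign_cmd.squeeze(' '))
-
-# pkgrecv with -a will pull packages out of the repo, so we need
-# to do that too to actually get the packages we signed
-Pkg::Util::Net.remote_execute(
-ssh_host_spec,
-"sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{package_name} -a -s #{repo_dir} '*'"
-)
-begin
-# lets make sure we actually signed something?
-# **NOTE** if we're repeatedly trying to sign the same version this
-# might explode because I don't know how to reset the IPS cache.
-# Everything is amazing.
-Pkg::Util::Net.remote_execute(
-ssh_host_spec,
-"sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{package_name} '*' " \
-"| grep '^signature '"
-)
-rescue RuntimeError
-raise "Error: #{package_name} was not signed correctly."
-end
-
-# Pull the packages back.
-Pkg::Util::Net.rsync_from(
-"#{signed_dir}/#{package_name}",
-rsync_host_spec,
-File.dirname(package)
-)
-
-Pkg::Util::Net.remote_execute(
-ssh_host_spec,
-"if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi"
-)
-end
-end
-end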