RubyGems - packaging - Versions diffs - 0.116.0 → 0.118.0 - Mend

packaging 0.116.0 → 0.118.0

Files changed (11) hide show

checksums.yaml +4 -4
data/lib/packaging/platforms.rb +9 -1
data/lib/packaging/sign/msi.rb +41 -87
data/lib/packaging/sign.rb +0 -1
data/lib/packaging/util/gpg.rb +36 -27
data/spec/lib/packaging/platforms_spec.rb +2 -2
data/spec/lib/packaging/sign_spec.rb +1 -2
data/tasks/nightly_repos.rake +2 -1
data/tasks/sign.rake +32 -20
metadata +16 -17
data/lib/packaging/sign/ips.rb +0 -89

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb125c91f5926ab20605e4c9fb9ede2e46eb2494642ec25e37099327ad4a61f7
-  data.tar.gz: 89ab12e77f021ce246fbca1686b9f7218b059c660f557a56a1006623901cab10
+  metadata.gz: d1b41756b1e69f37e70e46b4cb8efac82a8a64722d01ca578b73657c01b889cd
+  data.tar.gz: 7835d3b37e2090da5265eea585d9e4fb0f68847ec4eb467301408213917227e7
 SHA512:
-  metadata.gz: b938753dcaa851a1091496734b0b53a101b3b28f5d66fa7c2ded2f3ba23907d3c6ba2ab75b50f1c9a5f3c8f6b7f242c5235cd07e5fd651165c3791e63749fe97
-  data.tar.gz: 404cee80c9f4ab2f28d5cd311c8be29a929b42ba6c7c635d99853e77b6a4bf5df08712a0657369dd8587680ba40363d66d03cd672cd78a32ab4ae6bab31c5311
+  metadata.gz: 6a6bb1684deca5aa04bf1e8fefaaebc9b64be735675d8d69fb284f2d3b6d49fdeaba59fa28e07aaa2037e5d24db713c0e046e107c3c41b07c84b67c6de3add58
+  data.tar.gz: e0016808e5792f0399e9aef46ff539a8b3ac30954188f9221a222c84a1bc0c0167499e0aa77bbf6e3d47d2c0d27163bbc51176901bebe75d70f835b5f658c3d3

data/lib/packaging/platforms.rb CHANGED Viewed

@@ -91,7 +91,7 @@ module Pkg
           repo: true,
         },
         '9' => {
-          architectures: ['x86_64', 'aarch64'],
+          architectures: ['x86_64', 'aarch64', 'ppc64le'],
           source_architecture: 'SRPMS',
           package_format: 'rpm',
           source_package_formats: ['src.rpm'],
@@ -234,6 +234,14 @@ module Pkg
           source_package_formats: DEBIAN_SOURCE_FORMATS,
           repo: true,
         },
+        '24.04' => {
+          codename: 'noble',
+          architectures: ['amd64', 'aarch64'],
+          source_architecture: 'source',
+          package_format: 'deb',
+          source_package_formats: DEBIAN_SOURCE_FORMATS,
+          repo: true,
+        },
       },
       'windows' => {

data/lib/packaging/sign/msi.rb CHANGED Viewed

@@ -1,95 +1,49 @@
 module Pkg::Sign::Msi
   module_function
-  def sign(target_dir = 'pkg')
-    require 'google/cloud/storage'
-    require 'googleauth'
-    require 'json'
-    require 'net/http'
-    require 'uri'
-    gcp_service_account_credentials = Pkg::Config.msi_signing_gcp_service_account_credentials
-    signing_service_url = Pkg::Config.msi_signing_service_url
-    begin
-      authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
-        json_key_io: File.open(gcp_service_account_credentials),
-        target_audience: signing_service_url
+  def sign(packages_root = 'pkg')
+    # These will need to be untangled in another release because build-data changes
+    # don't affect existing packages
+    signing_server_spec = 'jenkins@msi-signer-prod-1.delivery.puppetlabs.net'
+    # signing_server_spec = Pkg::Config.msi_signing_server
+    identity_spec = '-i /home/jenkins/.ssh/id_signing'
+    # identity_spec = "-i #{Pkg::Config.msi_signing_ssh_key}"
+    rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"
+    ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
+    packages = Dir.glob("#{packages_root}/windows*/**/*.msi")
+    packages.each do |package|
+      top_directory = "/tmp/#{Pkg::Util.rand_string}"
+      unsigned_packages_directory = "#{top_directory}/unsigned"
+      signed_packages_directory = "#{top_directory}/pkgs"
+      package_name = File.basename(package)
+      sign_msi_command = %W[
+        /usr/local/bin/sign-msi
+        #{unsigned_packages_directory}
+        #{signed_packages_directory}
+        #{package_name}
+      ].join(' ')
+      # Send the unsigned package to the signing server
+      Pkg::Util::Net.remote_execute(ssh_host_spec, "mkdir -p #{unsigned_packages_directory}")
+      Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_packages_directory)
+      # Sign it
+      puts "Signing #{package} with \"#{sign_msi_command}\""
+      Pkg::Util::Net.remote_execute(ssh_host_spec, sign_msi_command)
+      # Pull the signed package back
+      Pkg::Util::Net.rsync_from(
+        "#{signed_packages_directory}/#{package_name}",
+        rsync_host_spec,
+        File.dirname(package)
       )
-    rescue StandardError => e
-      fail "msis can only be signed by jenkins.\n#{e}"
-    end
-    gcp_auth_token = authorizer.fetch_access_token!['id_token']
-    gcp_storage = Google::Cloud::Storage.new(
-      project_id: 'puppet-release-engineering',
-      credentials: gcp_service_account_credentials
-    )
-    tosign_bucket = gcp_storage.bucket(Pkg::Config.gcp_tosign_bucket)
-    signed_bucket = gcp_storage.bucket(Pkg::Config.gcp_signed_bucket)
-    service_uri = URI.parse(signing_service_url)
-    headers = { 'Content-Type': 'application/json', 'Authorization': "Bearer #{gcp_auth_token}" }
-    http = Net::HTTP.new(service_uri.host, service_uri.port)
-    http.use_ssl = true
-    request = Net::HTTP::Post.new(service_uri.request_uri, headers)
-    # Create hash to keep track of the signed msis
-    signed_msis = {}
-    msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
-    # Upload msis to GCP and sign them
-    msis.each do |msi|
-      begin
-        tosign_bucket.create_file(msi, msi)
-      rescue StandardError => e
-        delete_tosign_msis(tosign_bucket, msis)
-        fail "There was an error uploading #{msi} to the windows-tosign-bucket gcp bucket.\n#{e}"
-      end
-      msi_json = { 'Path': msi }
-      request.body = msi_json.to_json
-      begin
-        response = http.request(request)
-        response_body = JSON.parse(JSON.parse(response.body.to_json), :quirks_mode => true)
-      rescue StandardError => e
-        delete_tosign_msis(tosign_bucket, msis)
-        delete_signed_msis(signed_bucket, signed_msis)
-        fail "There was an error signing #{msi}.\n#{e}"
-      end
-      # Store location of signed msi
-      signed_msi = response_body['Path']
-      signed_msis[msi] = signed_msi
-    end
-    # Download the signed msis
-    msis.each do |msi|
-      signed_msi = signed_bucket.file(signed_msis[msi])
-      signed_msi.download(msi)
-    rescue StandardError => e
-      delete_tosign_msis(tosign_bucket, msis)
-      delete_signed_msis(signed_bucket, signed_msis)
-      fail "There was an error retrieving the signed msi:#{msi}.\n#{e}"
-    end
-    # Cleanup buckets
-    delete_tosign_msis(tosign_bucket, msis)
-    delete_signed_msis(signed_bucket, signed_msis)
-  end
-  def delete_tosign_msis(bucket, msis)
-    msis.each do |msi|
-      tosign_msi = bucket.file(msi)
-      tosign_msi.delete unless tosign_msi.nil?
-    end
-  end
-  def delete_signed_msis(bucket, signed_msis)
-    signed_msis.each_value do |temp_name|
-      signed_msi = bucket.file(temp_name)
-      signed_msi.delete unless signed_msi.nil?
+      # Clean up
+      Pkg::Util::Net.remote_execute(ssh_host_spec, "rm -r '#{top_directory}'")
     end
   end
 end

data/lib/packaging/sign.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 module Pkg::Sign
   require 'packaging/sign/deb'
   require 'packaging/sign/dmg'
-  require 'packaging/sign/ips'
   require 'packaging/sign/msi'
   require 'packaging/sign/rpm'
 end

data/lib/packaging/util/gpg.rb CHANGED Viewed

@@ -6,7 +6,10 @@ module Pkg::Util::Gpg
     # files that are generated with this repo use the default gpg key to
     # reflect that.
     def key
-      fail "You need to set `gpg_key` in your build defaults." unless Pkg::Config.gpg_key && !Pkg::Config.gpg_key.empty?
+      if Pkg::Config.gpg_key.nil? || Pkg::Config.gpg_key.empty?
+        fail '`gpg_key` configuration variable is unset. Cannot continue.'
+      end
       Pkg::Config.gpg_key
     end
@@ -19,47 +22,53 @@ module Pkg::Util::Gpg
     end
     def load_keychain
-      unless @keychain_loaded
-        unless ENV['RPM_GPG_AGENT']
-          kill_keychain
-          start_keychain
-        end
-        @keychain_loaded = true
-      end
+      return if @keychain_loaded
+      return if ENV['RPM_GPG_AGENT']
+      kill_keychain
+      start_keychain
+      @keychain_loaded = true
     end
     def kill_keychain
-      if keychain
-        stdout, = Pkg::Util::Execution.capture3("#{keychain} -k mine")
-        stdout
-      end
+      return unless keychain
+      Pkg::Util::Execution.capture3("#{keychain} -k mine")[0]
     end
     def start_keychain
-      if keychain
-        keychain_output, = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
-        keychain_output.chomp!
-        new_env = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)
-        ENV["GPG_AGENT_INFO"] = new_env[1]
-      else
+      unless keychain
         fail "Keychain is not installed, it is required to autosign using gpg."
       end
+      keychain_output, = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
+      keychain_output.chomp!
+      ENV['GPG_AGENT_INFO'] = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)[1]
     end
     def sign_file(file)
       gpg ||= Pkg::Util::Tool.find_tool('gpg')
-      if gpg
-        if File.exist? "#{file}.asc"
-          warn "Signature on #{file} exists, skipping..."
-          return true
-        end
-        use_tty = "--no-tty --use-agent" if ENV['RPM_GPG_AGENT']
-        stdout, = Pkg::Util::Execution.capture3("#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}")
-        stdout
-      else
+      unless gpg
         fail "No gpg available. Cannot sign #{file}."
       end
+      if File.exist? "#{file}.asc"
+        warn "Signature on #{file} already exists, skipping."
+        return true
+      end
+      use_tty = if ENV['RPM_GPG_AGENT']
+                  '--no-tty --use-agent'
+                else
+                  ''
+                end
+      signing_command = "#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}"
+      puts "GPG signing with \"#{signing_command}\""
+      Pkg::Util::Execution.capture3(signing_command)
+      puts 'GPG signing succeeded.'
     end
   end
 end

data/spec/lib/packaging/platforms_spec.rb CHANGED Viewed

@@ -36,14 +36,14 @@ describe 'Pkg::Platforms' do
   describe '#codenames' do
     it 'should return all codenames for a given platform' do
-      codenames = ['focal', 'bionic', 'bullseye', 'buster', 'bookworm', 'jammy']
+      codenames = ['focal', 'bionic', 'bullseye', 'buster', 'bookworm', 'jammy', 'noble']
       expect(Pkg::Platforms.codenames).to match_array(codenames)
     end
   end
   describe '#codename_to_platform_version' do
     it 'should return the platform and version corresponding to a given codename' do
-      expect(Pkg::Platforms.codename_to_platform_version('jammy')).to eq(['ubuntu', '22.04'])
+      expect(Pkg::Platforms.codename_to_platform_version('noble')).to eq(['ubuntu', '24.04'])
     end
     it 'should fail if given nil as a codename' do

data/spec/lib/packaging/sign_spec.rb CHANGED Viewed

@@ -52,8 +52,7 @@ describe 'Pkg::Sign' do
       end
       it 'fails if gpg_key is not set' do
         allow(Pkg::Config).to receive(:gpg_key).and_return(nil)
-        expect { Pkg::Sign::Rpm.has_sig?(rpm) }
-          .to raise_error(RuntimeError, /You need to set `gpg_key` in your build defaults./)
+        expect { Pkg::Sign::Rpm.has_sig?(rpm) }.to raise_error(RuntimeError, /`gpg_key`/)
       end
     end

data/tasks/nightly_repos.rake CHANGED Viewed

@@ -39,7 +39,8 @@ namespace :pl do
       Pkg::Rpm::Repo.sign_repos('repos')
       Pkg::Deb::Repo.sign_repos('repos', 'Apt repository for signed builds')
       Pkg::Sign::Dmg.sign('repos') unless Dir['repos/apple/**/*.dmg'].empty?
-      Pkg::Sign::Ips.sign('repos') unless Dir['repos/solaris/11/**/*.p5p'].empty?
+      ### RE-16211: we should put this back and unify with the code in sign.rake
+      # Pkg::Sign::Ips.sign('repos') unless Dir['repos/solaris/11/**/*.p5p'].empty?
       Pkg::Sign::Msi.sign('repos') unless Dir['repos/windows/**/*.msi'].empty?
     end

data/tasks/sign.rake CHANGED Viewed

@@ -17,22 +17,22 @@ namespace :pl do
   task :sign_swix, :root_dir do |_t, args|
     swix_dir = args.root_dir || $DEFAULT_DIRECTORY
     packages = Dir["#{swix_dir}/**/*.swix"]
-    unless packages.empty?
-      Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
-      packages.each do |swix_package|
-        Pkg::Util::Gpg.sign_file swix_package
-      end
+    next if packages.empty?
+    Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
+    packages.each do |swix_package|
+      Pkg::Util::Gpg.sign_file swix_package
     end
   end
   desc "Detach sign any solaris svr4 packages"
   task :sign_svr4, :root_dir do |_t, args|
     svr4_dir = args.root_dir || $DEFAULT_DIRECTORY
-    unless Dir["#{svr4_dir}/**/*.pkg.gz"].empty?
-      Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
-      Dir["#{svr4_dir}/**/*.pkg.gz"].each do |pkg|
-        Pkg::Util::Gpg.sign_file pkg
-      end
+    next if Dir["#{svr4_dir}/**/*.pkg.gz"].empty?
+    Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
+    Dir["#{svr4_dir}/**/*.pkg.gz"].each do |pkg|
+      Pkg::Util::Gpg.sign_file pkg
     end
   end
@@ -42,10 +42,16 @@ namespace :pl do
     Pkg::Sign::Rpm.sign_all(rpm_directory)
   end
-  desc "Sign ips package, uses PL certificates by default, update privatekey_pem, certificate_pem, and ips_inter_cert in build_defaults.yaml to override."
+  desc "Sign ips package, defaults to PL key, pass GPG_KEY to override"
   task :sign_ips, :root_dir do |_t, args|
     ips_dir = args.root_dir || $DEFAULT_DIRECTORY
-    Pkg::Sign::Ips.sign(ips_dir) unless Dir["#{ips_dir}/**/*.p5p"].empty?
+    packages = Dir["#{ips_dir}/**/*.p5p"]
+    next if packages.empty?
+    Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
+    packages.each do |p5p_package|
+      Pkg::Util::Gpg.sign_file p5p_package
+    end
   end
   desc "Sign built gems, defaults to PL key, pass GPG_KEY to override or edit build_defaults"
@@ -80,11 +86,11 @@ namespace :pl do
   task :sign_deb_changes, :root_dir do |_t, args|
     deb_dir = args.root_dir || $DEFAULT_DIRECTORY
     change_files = Dir["#{deb_dir}/**/*.changes"]
-    unless change_files.empty?
-      Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
-      change_files.each do |file|
-        Pkg::Sign::Deb.sign_changes(file)
-      end
+    next if change_files.empty?
+    Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
+    change_files.each do |file|
+      Pkg::Sign::Deb.sign_changes(file)
     end
   ensure
     Pkg::Util::Gpg.kill_keychain
@@ -93,13 +99,17 @@ namespace :pl do
   desc "Sign OSX packages"
   task :sign_osx, [:root_dir] => "pl:fetch" do |_t, args|
     dmg_dir = args.root_dir || $DEFAULT_DIRECTORY
-    Pkg::Sign::Dmg.sign(dmg_dir) unless Dir["#{dmg_dir}/**/*.dmg"].empty?
+    next if Dir["#{dmg_dir}/**/*.dmg"].empty?
+    Pkg::Sign::Dmg.sign(dmg_dir)
   end
   desc "Sign MSI packages"
   task :sign_msi, [:root_dir] => "pl:fetch" do |_t, args|
     msi_dir = args.root_dir || $DEFAULT_DIRECTORY
-    Pkg::Sign::Msi.sign(msi_dir) unless Dir["#{msi_dir}/**/*.msi"].empty?
+    next if Dir["#{msi_dir}/**/*.msi"].empty?
+    Pkg::Sign::Msi.sign(msi_dir)
   end
   ##
@@ -111,7 +121,9 @@ namespace :pl do
     task :sign_all, :root_dir do |_t, args|
       Pkg::Util::RakeUtils.invoke_task('pl:fetch')
       root_dir = args.root_dir || $DEFAULT_DIRECTORY
-      Dir["#{root_dir}/*"].empty? and fail "There were no files found in #{root_dir}. Maybe you wanted to build/retrieve something first?"
+      if Dir["#{root_dir}/*"].empty?
+        fail "There were no files found in #{root_dir}. Perhaps build/retrieve something?"
+      end
       # Because rpms and debs are laid out differently in PE under pkg/ they
       # have a different sign task to address this. Rather than create a whole

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: packaging
 version: !ruby/object:Gem::Version
-  version: 0.116.0
+  version: 0.118.0
 platform: ruby
 authors:
 - Puppet By Perforce
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-29 00:00:00.000000000 Z
+date: 2024-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: debug
@@ -180,7 +180,6 @@ files:
 - lib/packaging/sign.rb
 - lib/packaging/sign/deb.rb
 - lib/packaging/sign/dmg.rb
-- lib/packaging/sign/ips.rb
 - lib/packaging/sign/msi.rb
 - lib/packaging/sign/rpm.rb
 - lib/packaging/tar.rb
@@ -307,28 +306,28 @@ signing_key:
 specification_version: 4
 summary: Puppet by Perforce packaging automation
 test_files:
-- spec/lib/packaging/gem_spec.rb
+- spec/lib/packaging_spec.rb
+- spec/lib/packaging/repo_spec.rb
+- spec/lib/packaging/config_spec.rb
+- spec/lib/packaging/sign_spec.rb
+- spec/lib/packaging/artifactory_spec.rb
 - spec/lib/packaging/tar_spec.rb
 - spec/lib/packaging/platforms_spec.rb
-- spec/lib/packaging/retrieve_spec.rb
-- spec/lib/packaging/rpm/repo_spec.rb
-- spec/lib/packaging/artifactory_spec.rb
 - spec/lib/packaging/deb/repo_spec.rb
-- spec/lib/packaging/sign_spec.rb
-- spec/lib/packaging/paths_spec.rb
+- spec/lib/packaging/util/net_spec.rb
+- spec/lib/packaging/util/git_spec.rb
 - spec/lib/packaging/util/ship_spec.rb
 - spec/lib/packaging/util/jenkins_spec.rb
+- spec/lib/packaging/util/execution_spec.rb
+- spec/lib/packaging/util/file_spec.rb
 - spec/lib/packaging/util/git_tag_spec.rb
+- spec/lib/packaging/util/version_spec.rb
 - spec/lib/packaging/util/gpg_spec.rb
 - spec/lib/packaging/util/rake_utils_spec.rb
-- spec/lib/packaging/util/net_spec.rb
 - spec/lib/packaging/util/os_spec.rb
-- spec/lib/packaging/util/execution_spec.rb
 - spec/lib/packaging/util/misc_spec.rb
-- spec/lib/packaging/util/file_spec.rb
-- spec/lib/packaging/util/version_spec.rb
-- spec/lib/packaging/util/git_spec.rb
-- spec/lib/packaging/config_spec.rb
+- spec/lib/packaging/paths_spec.rb
+- spec/lib/packaging/retrieve_spec.rb
+- spec/lib/packaging/rpm/repo_spec.rb
 - spec/lib/packaging/deb_spec.rb
-- spec/lib/packaging/repo_spec.rb
-- spec/lib/packaging_spec.rb
+- spec/lib/packaging/gem_spec.rb

data/lib/packaging/sign/ips.rb DELETED Viewed

@@ -1,89 +0,0 @@
-module Pkg::Sign::Ips
-  module_function
-  def sign(packages_root = 'pkg')
-    identity_spec = ''
-    unless Pkg::Config.ips_signing_ssh_key.nil?
-      identity_spec = "-i #{Pkg::Config.ips_signing_ssh_key}"
-    end
-    signing_server_spec = Pkg::Config.ips_signing_server
-    unless Pkg::Config.ips_signing_server.match(%r{.+@.+})
-      signing_server_spec = "#{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
-    end
-    ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
-    rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"
-    packages = Dir.glob("#{packages_root}/solaris/11/**/*.p5p")
-    packages.each do |package|
-      work_dir     = "/tmp/#{Pkg::Util.rand_string}"
-      unsigned_dir = "#{work_dir}/unsigned"
-      repo_dir     = "#{work_dir}/repo"
-      signed_dir   = "#{work_dir}/pkgs"
-      package_name = File.basename(package)
-      Pkg::Util::Net.remote_execute(
-        ssh_host_spec,
-        "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}"
-      )
-      Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_dir)
-      # Before we can get started with signing packages we need to create a repo
-      Pkg::Util::Net.remote_execute(ssh_host_spec, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
-      Pkg::Util::Net.remote_execute(
-        ssh_host_spec,
-        "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com"
-      )
-      # Import all the packages into the repo.
-      Pkg::Util::Net.remote_execute(
-        ssh_host_spec,
-        "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{package_name} -d #{repo_dir} '*'"
-      )
-      # We sign the entire repo
-      # Paths to the  .pem files should live elsewhere rather than hardcoded here.
-      sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2022.pem \
-                  -i /root/signing/DigiCert_Code_Signing_Certificate.pem \
-                  -i /root/signing/DigiCert_Trusted_Root.pem \
-                  -k /root/signing/signing_key_2022.pem \
-                  -s 'file://#{work_dir}/repo' '*'"
-      puts "Signing #{package} with #{sign_cmd} in #{work_dir}"
-      Pkg::Util::Net.remote_execute(ssh_host_spec, sign_cmd.squeeze(' '))
-      # pkgrecv with -a will pull packages out of the repo, so we need
-      # to do that too to actually get the packages we signed
-      Pkg::Util::Net.remote_execute(
-        ssh_host_spec,
-        "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{package_name} -a -s #{repo_dir} '*'"
-      )
-      begin
-        # lets make sure we actually signed something?
-        # **NOTE** if we're repeatedly trying to sign the same version this
-        # might explode because I don't know how to reset the IPS cache.
-        # Everything is amazing.
-        Pkg::Util::Net.remote_execute(
-          ssh_host_spec,
-          "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{package_name} '*' " \
-          "| grep '^signature '"
-        )
-      rescue RuntimeError
-        raise "Error: #{package_name} was not signed correctly."
-      end
-      # Pull the packages back.
-      Pkg::Util::Net.rsync_from(
-        "#{signed_dir}/#{package_name}",
-        rsync_host_spec,
-        File.dirname(package)
-      )
-      Pkg::Util::Net.remote_execute(
-        ssh_host_spec,
-        "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi"
-      )
-    end
-  end
-end