packaging 0.116.0 → 0.118.0
- checksums.yaml +4 -4
- data/lib/packaging/platforms.rb +9 -1
- data/lib/packaging/sign/msi.rb +41 -87
- data/lib/packaging/sign.rb +0 -1
- data/lib/packaging/util/gpg.rb +36 -27
- data/spec/lib/packaging/platforms_spec.rb +2 -2
- data/spec/lib/packaging/sign_spec.rb +1 -2
- data/tasks/nightly_repos.rake +2 -1
- data/tasks/sign.rake +32 -20
- metadata +16 -17
- data/lib/packaging/sign/ips.rb +0 -89
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d1b41756b1e69f37e70e46b4cb8efac82a8a64722d01ca578b73657c01b889cd
|
4
|
+
data.tar.gz: 7835d3b37e2090da5265eea585d9e4fb0f68847ec4eb467301408213917227e7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6a6bb1684deca5aa04bf1e8fefaaebc9b64be735675d8d69fb284f2d3b6d49fdeaba59fa28e07aaa2037e5d24db713c0e046e107c3c41b07c84b67c6de3add58
|
7
|
+
data.tar.gz: e0016808e5792f0399e9aef46ff539a8b3ac30954188f9221a222c84a1bc0c0167499e0aa77bbf6e3d47d2c0d27163bbc51176901bebe75d70f835b5f658c3d3
|
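--- a/data/lib/packaging/platforms.rb
+++ b/data/lib/packaging/platforms.rb
@@ -91,7 +91,7 @@ module Pkg
 repo: true,
 },
 '9' => {
-architectures: ['x86_64', 'aarch64'],
+architectures: ['x86_64', 'aarch64', 'ppc64le'],
 source_architecture: 'SRPMS',
 package_format: 'rpm',
 source_package_formats: ['src.rpm'],
@@ -234,6 +234,14 @@ module Pkg
 source_package_formats: DEBIAN_SOURCE_FORMATS,
 repo: true,
 },
+'24.04' => {
+codename: 'noble',
+architectures: ['amd64', 'aarch64'],
+source_architecture: 'source',
+package_format: 'deb',
+source_package_formats: DEBIAN_SOURCE_FORMATS,
+repo: true,
+},
 },
 
 'windows' => {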
data/lib/packaging/sign/msi.rb
CHANGED
@@ -1,95 +1,49 @@
|
|
1
1
|
module Pkg::Sign::Msi
|
2
2
|
module_function
|
3
3
|
|
4
|
-
def sign(
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
4
|
+
def sign(packages_root = 'pkg')
|
5
|
+
# These will need to be untangled in another release because build-data changes
|
6
|
+
# don't affect existing packages
|
7
|
+
signing_server_spec = 'jenkins@msi-signer-prod-1.delivery.puppetlabs.net'
|
8
|
+
# signing_server_spec = Pkg::Config.msi_signing_server
|
9
|
+
|
10
|
+
identity_spec = '-i /home/jenkins/.ssh/id_signing'
|
11
|
+
# identity_spec = "-i #{Pkg::Config.msi_signing_ssh_key}"
|
12
|
+
|
13
|
+
rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"
|
14
|
+
ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
|
15
|
+
|
16
|
+
packages = Dir.glob("#{packages_root}/windows*/**/*.msi")
|
17
|
+
|
18
|
+
packages.each do |package|
|
19
|
+
top_directory = "/tmp/#{Pkg::Util.rand_string}"
|
20
|
+
unsigned_packages_directory = "#{top_directory}/unsigned"
|
21
|
+
signed_packages_directory = "#{top_directory}/pkgs"
|
22
|
+
package_name = File.basename(package)
|
23
|
+
sign_msi_command = %W[
|
24
|
+
/usr/local/bin/sign-msi
|
25
|
+
#{unsigned_packages_directory}
|
26
|
+
#{signed_packages_directory}
|
27
|
+
#{package_name}
|
28
|
+
].join(' ')
|
29
|
+
|
30
|
+
# Send the unsigned package to the signing server
|
31
|
+
Pkg::Util::Net.remote_execute(ssh_host_spec, "mkdir -p #{unsigned_packages_directory}")
|
32
|
+
Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_packages_directory)
|
33
|
+
|
34
|
+
# Sign it
|
35
|
+
puts "Signing #{package} with \"#{sign_msi_command}\""
|
36
|
+
Pkg::Util::Net.remote_execute(ssh_host_spec, sign_msi_command)
|
37
|
+
|
38
|
+
# Pull the signed package back
|
39
|
+
Pkg::Util::Net.rsync_from(
|
40
|
+
"#{signed_packages_directory}/#{package_name}",
|
41
|
+
rsync_host_spec,
|
42
|
+
File.dirname(package)
|
18
43
|
)
|
19
|
-
rescue StandardError => e
|
20
|
-
fail "msis can only be signed by jenkins.\n#{e}"
|
21
|
-
end
|
22
|
-
|
23
|
-
gcp_auth_token = authorizer.fetch_access_token!['id_token']
|
24
|
-
|
25
|
-
gcp_storage = Google::Cloud::Storage.new(
|
26
|
-
project_id: 'puppet-release-engineering',
|
27
|
-
credentials: gcp_service_account_credentials
|
28
|
-
)
|
29
|
-
|
30
|
-
tosign_bucket = gcp_storage.bucket(Pkg::Config.gcp_tosign_bucket)
|
31
|
-
signed_bucket = gcp_storage.bucket(Pkg::Config.gcp_signed_bucket)
|
32
|
-
|
33
|
-
service_uri = URI.parse(signing_service_url)
|
34
|
-
headers = { 'Content-Type': 'application/json', 'Authorization': "Bearer #{gcp_auth_token}" }
|
35
|
-
http = Net::HTTP.new(service_uri.host, service_uri.port)
|
36
|
-
http.use_ssl = true
|
37
|
-
request = Net::HTTP::Post.new(service_uri.request_uri, headers)
|
38
|
-
|
39
|
-
# Create hash to keep track of the signed msis
|
40
|
-
signed_msis = {}
|
41
|
-
|
42
|
-
msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
|
43
|
-
|
44
|
-
# Upload msis to GCP and sign them
|
45
|
-
msis.each do |msi|
|
46
|
-
begin
|
47
|
-
tosign_bucket.create_file(msi, msi)
|
48
|
-
rescue StandardError => e
|
49
|
-
delete_tosign_msis(tosign_bucket, msis)
|
50
|
-
fail "There was an error uploading #{msi} to the windows-tosign-bucket gcp bucket.\n#{e}"
|
51
|
-
end
|
52
|
-
msi_json = { 'Path': msi }
|
53
|
-
request.body = msi_json.to_json
|
54
|
-
begin
|
55
|
-
response = http.request(request)
|
56
|
-
response_body = JSON.parse(JSON.parse(response.body.to_json), :quirks_mode => true)
|
57
|
-
rescue StandardError => e
|
58
|
-
delete_tosign_msis(tosign_bucket, msis)
|
59
|
-
delete_signed_msis(signed_bucket, signed_msis)
|
60
|
-
fail "There was an error signing #{msi}.\n#{e}"
|
61
|
-
end
|
62
|
-
# Store location of signed msi
|
63
|
-
signed_msi = response_body['Path']
|
64
|
-
signed_msis[msi] = signed_msi
|
65
|
-
end
|
66
|
-
|
67
|
-
# Download the signed msis
|
68
|
-
msis.each do |msi|
|
69
|
-
signed_msi = signed_bucket.file(signed_msis[msi])
|
70
|
-
signed_msi.download(msi)
|
71
|
-
rescue StandardError => e
|
72
|
-
delete_tosign_msis(tosign_bucket, msis)
|
73
|
-
delete_signed_msis(signed_bucket, signed_msis)
|
74
|
-
fail "There was an error retrieving the signed msi:#{msi}.\n#{e}"
|
75
|
-
end
|
76
|
-
|
77
|
-
# Cleanup buckets
|
78
|
-
delete_tosign_msis(tosign_bucket, msis)
|
79
|
-
delete_signed_msis(signed_bucket, signed_msis)
|
80
|
-
end
|
81
|
-
|
82
|
-
def delete_tosign_msis(bucket, msis)
|
83
|
-
msis.each do |msi|
|
84
|
-
tosign_msi = bucket.file(msi)
|
85
|
-
tosign_msi.delete unless tosign_msi.nil?
|
86
|
-
end
|
87
|
-
end
|
88
44
|
|
89
|
-
|
90
|
-
|
91
|
-
signed_msi = bucket.file(temp_name)
|
92
|
-
signed_msi.delete unless signed_msi.nil?
|
45
|
+
# Clean up
|
46
|
+
Pkg::Util::Net.remote_execute(ssh_host_spec, "rm -r '#{top_directory}'")
|
93
47
|
end
|
94
48
|
end
|
95
49
|
end
|
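Review bot: The remote cleanup at new line 46, `Pkg::Util::Net.remote_execute(ssh_host_spec, "rm -r '#{top_directory}'")`, only runs when every preceding step succeeds, so a failing sign-msi or rsync leaves the unsigned package and the scratch directory behind on the signing server; wrapping the loop body from the `mkdir -p` at line 31 through the `rsync_from` at lines 39-43 in `begin … ensure … end` with the cleanup in the `ensure` branch makes the removal unconditional. The hard-coded `signing_server_spec` and `identity_spec` at lines 7 and 10 silently override whatever `Pkg::Config.msi_signing_server` and `msi_signing_ssh_key` a caller has configured; until they are untangled as the comment at line 5 promises, a `warn` when those config values are set but ignored would make the behaviour visible to operators. The removed version wrapped the whole method in a rescue that reported a failure to sign; here a sign-msi that exits zero without producing `#{signed_packages_directory}/#{package_name}` is only caught by `rsync_from`, presumably through its own error handling, which is worth confirming.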
data/lib/packaging/sign.rb
CHANGED
data/lib/packaging/util/gpg.rb
CHANGED
@@ -6,7 +6,10 @@ module Pkg::Util::Gpg
|
|
6
6
|
# files that are generated with this repo use the default gpg key to
|
7
7
|
# reflect that.
|
8
8
|
def key
|
9
|
-
|
9
|
+
if Pkg::Config.gpg_key.nil? || Pkg::Config.gpg_key.empty?
|
10
|
+
fail '`gpg_key` configuration variable is unset. Cannot continue.'
|
11
|
+
end
|
12
|
+
|
10
13
|
Pkg::Config.gpg_key
|
11
14
|
end
|
12
15
|
|
@@ -19,47 +22,53 @@ module Pkg::Util::Gpg
|
|
19
22
|
end
|
20
23
|
|
21
24
|
def load_keychain
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
end
|
25
|
+
return if @keychain_loaded
|
26
|
+
return if ENV['RPM_GPG_AGENT']
|
27
|
+
|
28
|
+
kill_keychain
|
29
|
+
start_keychain
|
30
|
+
@keychain_loaded = true
|
29
31
|
end
|
30
32
|
|
31
33
|
def kill_keychain
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
end
|
34
|
+
return unless keychain
|
35
|
+
|
36
|
+
Pkg::Util::Execution.capture3("#{keychain} -k mine")[0]
|
36
37
|
end
|
37
38
|
|
38
39
|
def start_keychain
|
39
|
-
|
40
|
-
keychain_output, = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
|
41
|
-
keychain_output.chomp!
|
42
|
-
new_env = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)
|
43
|
-
ENV["GPG_AGENT_INFO"] = new_env[1]
|
44
|
-
else
|
40
|
+
unless keychain
|
45
41
|
fail "Keychain is not installed, it is required to autosign using gpg."
|
46
42
|
end
|
43
|
+
|
44
|
+
keychain_output, = Pkg::Util::Execution.capture3("#{keychain} -q --agents gpg --eval #{key}")
|
45
|
+
keychain_output.chomp!
|
46
|
+
|
47
|
+
ENV['GPG_AGENT_INFO'] = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)[1]
|
47
48
|
end
|
48
49
|
|
49
50
|
def sign_file(file)
|
50
51
|
gpg ||= Pkg::Util::Tool.find_tool('gpg')
|
51
52
|
|
52
|
-
|
53
|
-
if File.exist? "#{file}.asc"
|
54
|
-
warn "Signature on #{file} exists, skipping..."
|
55
|
-
return true
|
56
|
-
end
|
57
|
-
use_tty = "--no-tty --use-agent" if ENV['RPM_GPG_AGENT']
|
58
|
-
stdout, = Pkg::Util::Execution.capture3("#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}")
|
59
|
-
stdout
|
60
|
-
else
|
53
|
+
unless gpg
|
61
54
|
fail "No gpg available. Cannot sign #{file}."
|
62
55
|
end
|
56
|
+
|
57
|
+
if File.exist? "#{file}.asc"
|
58
|
+
warn "Signature on #{file} already exists, skipping."
|
59
|
+
return true
|
60
|
+
end
|
61
|
+
|
62
|
+
use_tty = if ENV['RPM_GPG_AGENT']
|
63
|
+
'--no-tty --use-agent'
|
64
|
+
else
|
65
|
+
''
|
66
|
+
end
|
67
|
+
|
68
|
+
signing_command = "#{gpg} #{use_tty} --armor --detach-sign -u #{key} #{file}"
|
69
|
+
puts "GPG signing with \"#{signing_command}\""
|
70
|
+
Pkg::Util::Execution.capture3(signing_command)
|
71
|
+
puts 'GPG signing succeeded.'
|
63
72
|
end
|
64
73
|
end
|
65
74
|
end
|
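Review bot: `kill_keychain` (new lines 34-37) never clears `@keychain_loaded`, which `load_keychain` sets at line 30 and checks at line 25, so once any task has killed the keychain a later `load_keychain` in the same process returns early without restarting the agent; adding `@keychain_loaded = false` after the `capture3` call in `kill_keychain` keeps the flag in step with the agent. Whether that sequence actually occurs depends on how the rake tasks chain, which is outside this hunk. Separately, `start_keychain` at line 47 indexes the `match` result directly, so a keychain that prints no `GPG_AGENT_INFO` raises `NoMethodError` on nil instead of a readable failure; `agent_info = keychain_output.match(/GPG_AGENT_INFO=([^;]*)/)` followed by `fail "keychain did not report GPG_AGENT_INFO: #{keychain_output}" unless agent_info` makes the failure explicit. `sign_file` (lines 50-72) now returns the value of `puts` on the signing path but `true` on the skip path, whereas the removed version returned the gpg stdout; any caller that inspected that value should be checked.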
@@ -36,14 +36,14 @@ describe 'Pkg::Platforms' do
|
|
36
36
|
|
37
37
|
describe '#codenames' do
|
38
38
|
it 'should return all codenames for a given platform' do
|
39
|
-
codenames = ['focal', 'bionic', 'bullseye', 'buster', 'bookworm', 'jammy']
|
39
|
+
codenames = ['focal', 'bionic', 'bullseye', 'buster', 'bookworm', 'jammy', 'noble']
|
40
40
|
expect(Pkg::Platforms.codenames).to match_array(codenames)
|
41
41
|
end
|
42
42
|
end
|
43
43
|
|
44
44
|
describe '#codename_to_platform_version' do
|
45
45
|
it 'should return the platform and version corresponding to a given codename' do
|
46
|
-
expect(Pkg::Platforms.codename_to_platform_version('
|
46
|
+
expect(Pkg::Platforms.codename_to_platform_version('noble')).to eq(['ubuntu', '24.04'])
|
47
47
|
end
|
48
48
|
|
49
49
|
it 'should fail if given nil as a codename' do
|
@@ -52,8 +52,7 @@ describe 'Pkg::Sign' do
|
|
52
52
|
end
|
53
53
|
it 'fails if gpg_key is not set' do
|
54
54
|
allow(Pkg::Config).to receive(:gpg_key).and_return(nil)
|
55
|
-
expect { Pkg::Sign::Rpm.has_sig?(rpm) }
|
56
|
-
.to raise_error(RuntimeError, /You need to set `gpg_key` in your build defaults./)
|
55
|
+
expect { Pkg::Sign::Rpm.has_sig?(rpm) }.to raise_error(RuntimeError, /`gpg_key`/)
|
57
56
|
end
|
58
57
|
end
|
59
58
|
|
data/tasks/nightly_repos.rake
CHANGED
@@ -39,7 +39,8 @@ namespace :pl do
|
|
39
39
|
Pkg::Rpm::Repo.sign_repos('repos')
|
40
40
|
Pkg::Deb::Repo.sign_repos('repos', 'Apt repository for signed builds')
|
41
41
|
Pkg::Sign::Dmg.sign('repos') unless Dir['repos/apple/**/*.dmg'].empty?
|
42
|
-
|
42
|
+
### RE-16211: we should put this back and unify with the code in sign.rake
|
43
|
+
# Pkg::Sign::Ips.sign('repos') unless Dir['repos/solaris/11/**/*.p5p'].empty?
|
43
44
|
Pkg::Sign::Msi.sign('repos') unless Dir['repos/windows/**/*.msi'].empty?
|
44
45
|
end
|
45
46
|
|
data/tasks/sign.rake
CHANGED
@@ -17,22 +17,22 @@ namespace :pl do
|
|
17
17
|
task :sign_swix, :root_dir do |_t, args|
|
18
18
|
swix_dir = args.root_dir || $DEFAULT_DIRECTORY
|
19
19
|
packages = Dir["#{swix_dir}/**/*.swix"]
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
20
|
+
next if packages.empty?
|
21
|
+
|
22
|
+
Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
|
23
|
+
packages.each do |swix_package|
|
24
|
+
Pkg::Util::Gpg.sign_file swix_package
|
25
25
|
end
|
26
26
|
end
|
27
27
|
|
28
28
|
desc "Detach sign any solaris svr4 packages"
|
29
29
|
task :sign_svr4, :root_dir do |_t, args|
|
30
30
|
svr4_dir = args.root_dir || $DEFAULT_DIRECTORY
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
31
|
+
next if Dir["#{svr4_dir}/**/*.pkg.gz"].empty?
|
32
|
+
|
33
|
+
Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
|
34
|
+
Dir["#{svr4_dir}/**/*.pkg.gz"].each do |pkg|
|
35
|
+
Pkg::Util::Gpg.sign_file pkg
|
36
36
|
end
|
37
37
|
end
|
38
38
|
|
@@ -42,10 +42,16 @@ namespace :pl do
|
|
42
42
|
Pkg::Sign::Rpm.sign_all(rpm_directory)
|
43
43
|
end
|
44
44
|
|
45
|
-
desc "Sign ips package,
|
45
|
+
desc "Sign ips package, defaults to PL key, pass GPG_KEY to override"
|
46
46
|
task :sign_ips, :root_dir do |_t, args|
|
47
47
|
ips_dir = args.root_dir || $DEFAULT_DIRECTORY
|
48
|
-
|
48
|
+
packages = Dir["#{ips_dir}/**/*.p5p"]
|
49
|
+
next if packages.empty?
|
50
|
+
|
51
|
+
Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
|
52
|
+
packages.each do |p5p_package|
|
53
|
+
Pkg::Util::Gpg.sign_file p5p_package
|
54
|
+
end
|
49
55
|
end
|
50
56
|
|
51
57
|
desc "Sign built gems, defaults to PL key, pass GPG_KEY to override or edit build_defaults"
|
@@ -80,11 +86,11 @@ namespace :pl do
|
|
80
86
|
task :sign_deb_changes, :root_dir do |_t, args|
|
81
87
|
deb_dir = args.root_dir || $DEFAULT_DIRECTORY
|
82
88
|
change_files = Dir["#{deb_dir}/**/*.changes"]
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
89
|
+
next if change_files.empty?
|
90
|
+
|
91
|
+
Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
|
92
|
+
change_files.each do |file|
|
93
|
+
Pkg::Sign::Deb.sign_changes(file)
|
88
94
|
end
|
89
95
|
ensure
|
90
96
|
Pkg::Util::Gpg.kill_keychain
|
@@ -93,13 +99,17 @@ namespace :pl do
|
|
93
99
|
desc "Sign OSX packages"
|
94
100
|
task :sign_osx, [:root_dir] => "pl:fetch" do |_t, args|
|
95
101
|
dmg_dir = args.root_dir || $DEFAULT_DIRECTORY
|
96
|
-
|
102
|
+
next if Dir["#{dmg_dir}/**/*.dmg"].empty?
|
103
|
+
|
104
|
+
Pkg::Sign::Dmg.sign(dmg_dir)
|
97
105
|
end
|
98
106
|
|
99
107
|
desc "Sign MSI packages"
|
100
108
|
task :sign_msi, [:root_dir] => "pl:fetch" do |_t, args|
|
101
109
|
msi_dir = args.root_dir || $DEFAULT_DIRECTORY
|
102
|
-
|
110
|
+
next if Dir["#{msi_dir}/**/*.msi"].empty?
|
111
|
+
|
112
|
+
Pkg::Sign::Msi.sign(msi_dir)
|
103
113
|
end
|
104
114
|
|
105
115
|
##
|
@@ -111,7 +121,9 @@ namespace :pl do
|
|
111
121
|
task :sign_all, :root_dir do |_t, args|
|
112
122
|
Pkg::Util::RakeUtils.invoke_task('pl:fetch')
|
113
123
|
root_dir = args.root_dir || $DEFAULT_DIRECTORY
|
114
|
-
Dir["#{root_dir}/*"].empty?
|
124
|
+
if Dir["#{root_dir}/*"].empty?
|
125
|
+
fail "There were no files found in #{root_dir}. Perhaps build/retrieve something?"
|
126
|
+
end
|
115
127
|
|
116
128
|
# Because rpms and debs are laid out differently in PE under pkg/ they
|
117
129
|
# have a different sign task to address this. Rather than create a whole
|
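Review bot: `sign_swix`, `sign_svr4` and `sign_ips` (new lines 22, 33 and 51) now start the gpg keychain via `Pkg::Util::Gpg.load_keychain`, but their task blocks end at lines 26, 37 and 55 without the `ensure Pkg::Util::Gpg.kill_keychain` that `sign_deb_changes` has at lines 95-96, so an agent started by these tasks is left running after the task returns, including on failure; adding the same `ensure` clause to each of the three tasks makes them consistent. In `sign_svr4` the glob `Dir["#{svr4_dir}/**/*.pkg.gz"]` is evaluated twice (lines 31 and 34) while `sign_swix` and `sign_ips` bind it once; `packages = Dir["#{svr4_dir}/**/*.pkg.gz"]` followed by `next if packages.empty?` matches the other two tasks.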
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: packaging
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.118.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Puppet By Perforce
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-04-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: debug
|
@@ -180,7 +180,6 @@ files:
|
|
180
180
|
- lib/packaging/sign.rb
|
181
181
|
- lib/packaging/sign/deb.rb
|
182
182
|
- lib/packaging/sign/dmg.rb
|
183
|
-
- lib/packaging/sign/ips.rb
|
184
183
|
- lib/packaging/sign/msi.rb
|
185
184
|
- lib/packaging/sign/rpm.rb
|
186
185
|
- lib/packaging/tar.rb
|
@@ -307,28 +306,28 @@ signing_key:
|
|
307
306
|
specification_version: 4
|
308
307
|
summary: Puppet by Perforce packaging automation
|
309
308
|
test_files:
|
310
|
-
- spec/lib/
|
309
|
+
- spec/lib/packaging_spec.rb
|
310
|
+
- spec/lib/packaging/repo_spec.rb
|
311
|
+
- spec/lib/packaging/config_spec.rb
|
312
|
+
- spec/lib/packaging/sign_spec.rb
|
313
|
+
- spec/lib/packaging/artifactory_spec.rb
|
311
314
|
- spec/lib/packaging/tar_spec.rb
|
312
315
|
- spec/lib/packaging/platforms_spec.rb
|
313
|
-
- spec/lib/packaging/retrieve_spec.rb
|
314
|
-
- spec/lib/packaging/rpm/repo_spec.rb
|
315
|
-
- spec/lib/packaging/artifactory_spec.rb
|
316
316
|
- spec/lib/packaging/deb/repo_spec.rb
|
317
|
-
- spec/lib/packaging/
|
318
|
-
- spec/lib/packaging/
|
317
|
+
- spec/lib/packaging/util/net_spec.rb
|
318
|
+
- spec/lib/packaging/util/git_spec.rb
|
319
319
|
- spec/lib/packaging/util/ship_spec.rb
|
320
320
|
- spec/lib/packaging/util/jenkins_spec.rb
|
321
|
+
- spec/lib/packaging/util/execution_spec.rb
|
322
|
+
- spec/lib/packaging/util/file_spec.rb
|
321
323
|
- spec/lib/packaging/util/git_tag_spec.rb
|
324
|
+
- spec/lib/packaging/util/version_spec.rb
|
322
325
|
- spec/lib/packaging/util/gpg_spec.rb
|
323
326
|
- spec/lib/packaging/util/rake_utils_spec.rb
|
324
|
-
- spec/lib/packaging/util/net_spec.rb
|
325
327
|
- spec/lib/packaging/util/os_spec.rb
|
326
|
-
- spec/lib/packaging/util/execution_spec.rb
|
327
328
|
- spec/lib/packaging/util/misc_spec.rb
|
328
|
-
- spec/lib/packaging/
|
329
|
-
- spec/lib/packaging/
|
330
|
-
- spec/lib/packaging/
|
331
|
-
- spec/lib/packaging/config_spec.rb
|
329
|
+
- spec/lib/packaging/paths_spec.rb
|
330
|
+
- spec/lib/packaging/retrieve_spec.rb
|
331
|
+
- spec/lib/packaging/rpm/repo_spec.rb
|
332
332
|
- spec/lib/packaging/deb_spec.rb
|
333
|
-
- spec/lib/packaging/
|
334
|
-
- spec/lib/packaging_spec.rb
|
333
|
+
- spec/lib/packaging/gem_spec.rb
|
data/lib/packaging/sign/ips.rb
DELETED
@@ -1,89 +0,0 @@
|
|
1
|
-
module Pkg::Sign::Ips
|
2
|
-
module_function
|
3
|
-
|
4
|
-
def sign(packages_root = 'pkg')
|
5
|
-
identity_spec = ''
|
6
|
-
unless Pkg::Config.ips_signing_ssh_key.nil?
|
7
|
-
identity_spec = "-i #{Pkg::Config.ips_signing_ssh_key}"
|
8
|
-
end
|
9
|
-
|
10
|
-
signing_server_spec = Pkg::Config.ips_signing_server
|
11
|
-
unless Pkg::Config.ips_signing_server.match(%r{.+@.+})
|
12
|
-
signing_server_spec = "#{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
|
13
|
-
end
|
14
|
-
|
15
|
-
ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
|
16
|
-
rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"
|
17
|
-
|
18
|
-
packages = Dir.glob("#{packages_root}/solaris/11/**/*.p5p")
|
19
|
-
|
20
|
-
packages.each do |package|
|
21
|
-
work_dir = "/tmp/#{Pkg::Util.rand_string}"
|
22
|
-
unsigned_dir = "#{work_dir}/unsigned"
|
23
|
-
repo_dir = "#{work_dir}/repo"
|
24
|
-
signed_dir = "#{work_dir}/pkgs"
|
25
|
-
package_name = File.basename(package)
|
26
|
-
|
27
|
-
Pkg::Util::Net.remote_execute(
|
28
|
-
ssh_host_spec,
|
29
|
-
"mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}"
|
30
|
-
)
|
31
|
-
Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_dir)
|
32
|
-
|
33
|
-
# Before we can get started with signing packages we need to create a repo
|
34
|
-
Pkg::Util::Net.remote_execute(ssh_host_spec, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
|
35
|
-
Pkg::Util::Net.remote_execute(
|
36
|
-
ssh_host_spec,
|
37
|
-
"sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com"
|
38
|
-
)
|
39
|
-
|
40
|
-
# Import all the packages into the repo.
|
41
|
-
Pkg::Util::Net.remote_execute(
|
42
|
-
ssh_host_spec,
|
43
|
-
"sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{package_name} -d #{repo_dir} '*'"
|
44
|
-
)
|
45
|
-
|
46
|
-
# We sign the entire repo
|
47
|
-
# Paths to the .pem files should live elsewhere rather than hardcoded here.
|
48
|
-
sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2022.pem \
|
49
|
-
-i /root/signing/DigiCert_Code_Signing_Certificate.pem \
|
50
|
-
-i /root/signing/DigiCert_Trusted_Root.pem \
|
51
|
-
-k /root/signing/signing_key_2022.pem \
|
52
|
-
-s 'file://#{work_dir}/repo' '*'"
|
53
|
-
puts "Signing #{package} with #{sign_cmd} in #{work_dir}"
|
54
|
-
Pkg::Util::Net.remote_execute(ssh_host_spec, sign_cmd.squeeze(' '))
|
55
|
-
|
56
|
-
# pkgrecv with -a will pull packages out of the repo, so we need
|
57
|
-
# to do that too to actually get the packages we signed
|
58
|
-
Pkg::Util::Net.remote_execute(
|
59
|
-
ssh_host_spec,
|
60
|
-
"sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{package_name} -a -s #{repo_dir} '*'"
|
61
|
-
)
|
62
|
-
begin
|
63
|
-
# lets make sure we actually signed something?
|
64
|
-
# **NOTE** if we're repeatedly trying to sign the same version this
|
65
|
-
# might explode because I don't know how to reset the IPS cache.
|
66
|
-
# Everything is amazing.
|
67
|
-
Pkg::Util::Net.remote_execute(
|
68
|
-
ssh_host_spec,
|
69
|
-
"sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{package_name} '*' " \
|
70
|
-
"| grep '^signature '"
|
71
|
-
)
|
72
|
-
rescue RuntimeError
|
73
|
-
raise "Error: #{package_name} was not signed correctly."
|
74
|
-
end
|
75
|
-
|
76
|
-
# Pull the packages back.
|
77
|
-
Pkg::Util::Net.rsync_from(
|
78
|
-
"#{signed_dir}/#{package_name}",
|
79
|
-
rsync_host_spec,
|
80
|
-
File.dirname(package)
|
81
|
-
)
|
82
|
-
|
83
|
-
Pkg::Util::Net.remote_execute(
|
84
|
-
ssh_host_spec,
|
85
|
-
"if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi"
|
86
|
-
)
|
87
|
-
end
|
88
|
-
end
|
89
|
-
end
|