packaging 0.88.77 → 0.99.0

data/lib/packaging/archive.rb

@@ -1,126 +0,0 @@
-module Pkg::Archive
-  module_function
-
-  # Array of base paths for foss artifacts on weth
-  def base_paths
-    [Pkg::Config.yum_repo_path, Pkg::Config.apt_repo_staging_path, Pkg::Config.apt_repo_path, '/opt/downloads'].compact.freeze
-  end
-
-  # Array of paths for temporarily staging artifacts before syncing to release-archives on s3
-  def archive_paths
-    [Pkg::Config.yum_archive_path, Pkg::Config.apt_archive_path, Pkg::Config.freight_archive_path, Pkg::Config.downloads_archive_path, '/opt/tmp-apt'].compact.freeze
-  end
-
-  # Move yum directories from repo path to archive staging path
-  def stage_yum_archives(directory)
-    # /opt/repository/yum/#{directory}
-    full_directory = File.join(Pkg::Config.yum_repo_path, directory)
-    archive_path = File.join(Pkg::Config.yum_archive_path, directory)
-    command = <<-CMD
-      if [ ! -d #{full_directory} ]; then
-        if [ -d #{archive_path} ]; then
-          echo "Directory #{full_directory} has already been staged, skipping . . ."
-          exit 0
-        else
-          echo "ERROR: Couldn't find directory #{full_directory}, exiting . . ."
-          exit 1
-        fi
-      fi
-      find #{full_directory} -type l -delete
-      sudo chattr -i -R #{full_directory}
-      sudo mkdir --parents #{File.dirname(archive_path)}
-      sudo chown root:release -R #{Pkg::Config.yum_archive_path}
-      sudo chmod g+w -R #{Pkg::Config.yum_archive_path}
-      mv #{full_directory} #{archive_path}
-    CMD
-    Pkg::Util::Net.remote_execute(Pkg::Config.staging_server, command)
-  end
-
-  # Move directories from freight path (aka repo staging path) to archive staging paths
-  def stage_apt_archives(directory)
-    find_command = "find #{Pkg::Config.apt_repo_staging_path} -type d -name #{directory}"
-    find_command = "find #{Pkg::Config.apt_repo_staging_path} -maxdepth 2 -type f" if directory == 'main'
-    command = <<-CMD
-      for stuff in $(#{find_command}); do
-        find $stuff -type l -delete
-        codename=$(dirname ${stuff##{Pkg::Config.apt_repo_staging_path}/})
-        sudo mkdir --parents #{Pkg::Config.freight_archive_path}/$codename
-        sudo chown root:release -R #{Pkg::Config.freight_archive_path}/$codename
-        sudo chmod g+w -R #{Pkg::Config.freight_archive_path}/$codename
-        mv $stuff #{Pkg::Config.freight_archive_path}/$codename
-
-        pool_directory=#{Pkg::Config.apt_repo_path}/pool/$codename/#{directory}
-        if [ ! -d $pool_directory ]; then
-          echo "Can't find directory $pool_directory, it may have already been archived, skipping . . ."
-          continue
-        fi
-        sudo mkdir --parents /opt/tmp-apt
-        sudo chown root:release -R /opt/tmp-apt
-        sudo chmod g+w -R /opt/tmp-apt
-        mv $pool_directory /opt/tmp-apt
-      done
-    CMD
-    Pkg::Util::Net.remote_execute(Pkg::Config.staging_server, command)
-  end
-
-  # Move downloads directories to archive staging path
-  def stage_downloads_archives(directory)
-    # /opt/downloads/#{directory}
-    full_directory = File.join('/', 'opt', 'downloads', directory)
-    archive_path = File.join(Pkg::Config.downloads_archive_path, directory)
-    command = <<-CMD
-      if [ ! -d #{full_directory} ]; then
-        if [ -d #{archive_path} ]; then
-          echo "Directory #{full_directory} has already been staged, skipping . . ."
-          exit 0
-        else
-          echo "ERROR: Couldn't find directory #{full_directory}, exiting . . ."
-          exit 1
-        fi
-      fi
-      find #{full_directory} -type l -delete
-      sudo chattr -i -R #{full_directory}
-      sudo mkdir --parents #{File.dirname(archive_path)}
-      sudo chown root:release -R #{Pkg::Config.downloads_archive_path}
-      sudo chmod g+w -R #{Pkg::Config.downloads_archive_path}
-      mv #{full_directory} #{archive_path}
-    CMD
-    Pkg::Util::Net.remote_execute(Pkg::Config.staging_server, command)
-  end
-
-  # Delete empty directories from repo paths on weth
-  def remove_empty_directories
-    base_paths.each do |path|
-      command = <<-CMD
-        for directory in $(find #{path} -type d); do
-          if [ ! -d $directory ]; then
-            echo "Can't find directory $directory, it was probably already deleted, skipping . . ."
-            continue
-          fi
-          files=$(find $directory -type f)
-          if [ -z "$files" ]; then
-            echo "No files in directory $directory, deleting . . ."
-            sudo rm -rf $directory
-          fi
-        done
-      CMD
-      Pkg::Util::Net.remote_execute(Pkg::Config.staging_server, command)
-    end
-  end
-
-  # Delete broken symlinks from repo paths on weth
-  def remove_dead_symlinks
-    base_paths.each do |path|
-      command = "find #{path} -xtype l -delete"
-      Pkg::Util::Net.remote_execute(Pkg::Config.staging_server, command)
-    end
-  end
-
-  # Delete artifacts from archive staging paths (after they've been synced to s3)
-  def delete_staged_archives
-    archive_paths.each do |archive_path|
-      command = "sudo rm -rf #{File.join(archive_path, '*')}"
-      Pkg::Util::Net.remote_execute(Pkg::Config.staging_server, command)
-    end
-  end
-end

data/lib/packaging/artifactory/extensions.rb

@@ -1,94 +0,0 @@
-require 'artifactory'
-
-module ArtifactoryExtensions
-  module ClassMethods
-    #
-    # Search for an artifact in a repo using an Ant-like pattern.
-    # Unlike many Artifactory searches, this one is restricted to a single
-    # repository.
-    #
-    # @example Search in a repository named 'foo_local' for an artifact in a directory containing
-    #   the word "recent", named "artifact[0-9].txt"
-    #   Artifact.pattern_search(pattern: '*recent*/artifact[0-9].txt',
-    #                           repo: 'foo_local')
-    #
-    # @param [Hash] options
-    #   A hash of options, as follows:
-    #
-    # @option options [Artifactory::Client] :client
-    #   the client object to make the request with
-    # @option options [String] :pattern
-    #   the Ant-like pattern to use for finding artifacts within the repos. Note that the
-    #   Ant pattern '**' is barred in this case by JFrog.
-    # @option options [String] :repo
-    #   the repo to search
-    #
-    # @return [Array<Resource::Artifact>]
-    #   a list of artifacts that match the query
-    #
-    def pattern_search(options = {})
-      client = extract_client!(options)
-      params = Artifactory::Util.slice(options, :pattern, :repo)
-      pattern_search_parameter = { :pattern => "#{params[:repo]}:#{params[:pattern]}" }
-      response = client.get('/api/search/pattern', pattern_search_parameter)
-      return [] if response['files'].nil? || response['files'].empty?
-
-      # A typical response:
-      # {
-      #  "repoUri"=>"https:<artifactory endpoint>/<repo>",
-      #  "sourcePattern"=>"<repo>:<provided search pattern>",
-      #  "files"=>[<filename that matched pattern>, ...]
-      # }
-      #
-      # Inserting '/api/storage' before the repo makes the 'from_url' call work correctly.
-      #
-      repo_uri = response['repoUri']
-      unless repo_uri.include?('/api/storage/')
-        # rubocop:disable Style/PercentLiteralDelimiters
-        repo_uri.sub!(%r(/#{params[:repo]}$), "/api/storage/#{params[:repo]}")
-      end
-      response['files'].map do |file_path|
-        from_url("#{repo_uri}/#{file_path}", client: client)
-      end
-    end
-
-    # This adds the `exact_match` option to artifactory search, and defaults it
-    # to true. With `exact_match` set to `true` the artifact will only be
-    # returned if the name in the download uri matches the name we're trying to
-    # download
-    def search(options = {})
-      exact_match = options[:exact_match].nil? ? true : options[:exact_match]
-      artifacts = super
-
-      if exact_match
-        artifacts.select! { |artifact| File.basename(artifact.download_uri) == options[:name] }
-      end
-      artifacts
-    end
-
-    # This adds the `name` option to artifactory checksum search. It defaults to
-    # unset. If set, the artifact is only returned if the download uri matches
-    # the passed name
-    def checksum_search(options = {})
-      artifacts = super
-      if options[:name]
-        artifacts.select! { |artifact| File.basename(artifact.download_uri) == options[:name] }
-      end
-      artifacts
-    end
-  end
-
-  # needed to prepend class methods, see https://stackoverflow.com/questions/18683750/how-to-prepend-classmethods
-  def self.prepended(base)
-    class << base
-      prepend ClassMethods
-    end
-  end
-end
-
-module Artifactory
-  class Resource::Artifact
-    # use prepend instead of monkeypatching so we can call `super`
-    prepend ArtifactoryExtensions
-  end
-end

data/lib/packaging/config/validations.rb

@@ -1,13 +0,0 @@
-module Pkg
-  class ConfigValidations
-
-    class << self
-
-      # As a validation, this one is kindof lame but is intended as a seed pattern for possibly
-      # more robust ones.
-      def not_empty?(value)
-        value.to_s.empty? ? false : true
-      end
-    end
-  end
-end

data/lib/packaging/metrics.rb

@@ -1,15 +0,0 @@
-module Pkg::Metrics
-  module_function
-
-  def update_release_metrics
-    metrics_repo = 'release-metrics'
-    command = <<CMD
-git clone git@github.com:puppetlabs/#{metrics_repo}.git
-cd #{metrics_repo}
-bundle exec add-release --date #{Pkg::Util::Date.today} --project #{Pkg::Config.project} --version #{Pkg::Config.ref}
-cd ..
-rm -r #{metrics_repo}
-CMD
-    Pkg::Util::Execution.capture3(command, true)
-  end
-end

data/lib/packaging/sign/deb.rb

@@ -1,9 +0,0 @@
-module Pkg::Sign::Deb
-  module_function
-
-  def sign_changes(file)
-    # Lazy lazy lazy lazy lazy
-    sign_program = "-p'gpg --use-agent --no-tty'" if ENV['RPM_GPG_AGENT']
-    Pkg::Util::Execution.capture3("debsign #{sign_program} --re-sign -k#{Pkg::Config.gpg_key} #{file}")
-  end
-end

data/lib/packaging/sign/dmg.rb

@@ -1,41 +0,0 @@
-module Pkg::Sign::Dmg
-  module_function
-
-  def sign(target_dir = 'pkg')
-    use_identity = "-i #{Pkg::Config.osx_signing_ssh_key}" unless Pkg::Config.osx_signing_ssh_key.nil?
-
-    if Pkg::Config.osx_signing_server =~ /@/
-      host_string = "#{Pkg::Config.osx_signing_server}"
-    else
-      host_string = "#{ENV['USER']}@#{Pkg::Config.osx_signing_server}"
-    end
-    ssh_host_string = "#{use_identity} #{host_string}"
-    rsync_host_string = "-e 'ssh #{use_identity}' #{host_string}"
-
-    work_dir  = "/tmp/#{Pkg::Util.rand_string}"
-    mount     = File.join(work_dir, "mount")
-    signed    = File.join(work_dir, "signed")
-    Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p #{mount} #{signed}")
-    dmgs = Dir.glob("#{target_dir}/apple/**/*.dmg")
-    Pkg::Util::Net.rsync_to(dmgs.join(" "), rsync_host_string, work_dir)
-    Pkg::Util::Net.remote_execute(ssh_host_string, %Q[for dmg in #{dmgs.map { |d| File.basename(d, ".dmg") }.join(" ")}; do
-      /usr/bin/hdiutil attach #{work_dir}/$dmg.dmg -mountpoint #{mount} -nobrowse -quiet ;
-      /usr/bin/security -q unlock-keychain -p "#{Pkg::Config.osx_signing_keychain_pw}" "#{Pkg::Config.osx_signing_keychain}" ;
-        for pkg in $(ls #{mount}/*.pkg | xargs -n 1 basename); do
-          if /usr/sbin/pkgutil --check-signature #{mount}/$pkg ; then
-            echo "$pkg is already signed, skipping . . ." ;
-            cp #{mount}/$pkg #{signed}/$pkg ;
-          else
-            /usr/bin/productsign --keychain "#{Pkg::Config.osx_signing_keychain}" --sign "#{Pkg::Config.osx_signing_cert}" #{mount}/$pkg #{signed}/$pkg ;
-          fi
-        done
-      /usr/bin/hdiutil detach #{mount} -quiet ;
-      /bin/rm #{work_dir}/$dmg.dmg ;
-      /usr/bin/hdiutil create -volname $dmg -srcfolder #{signed}/ #{work_dir}/$dmg.dmg ;
-      /bin/rm #{signed}/* ; done])
-    dmgs.each do | dmg |
-      Pkg::Util::Net.rsync_from("#{work_dir}/#{File.basename(dmg)}", rsync_host_string, File.dirname(dmg))
-    end
-    Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -d '#{work_dir}' ]; then rm -rf '#{work_dir}'; fi")
-  end
-end

data/lib/packaging/sign/ips.rb

@@ -1,57 +0,0 @@
-module Pkg::Sign::Ips
-  module_function
-
-  def sign(target_dir = 'pkg')
-    use_identity = "-i #{Pkg::Config.ips_signing_ssh_key}" unless Pkg::Config.ips_signing_ssh_key.nil?
-
-    ssh_host_string = "#{use_identity} #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
-    rsync_host_string = "-e 'ssh #{use_identity}' #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
-
-    p5ps = Dir.glob("#{target_dir}/solaris/11/**/*.p5p")
-
-    p5ps.each do |p5p|
-      work_dir     = "/tmp/#{Pkg::Util.rand_string}"
-      unsigned_dir = "#{work_dir}/unsigned"
-      repo_dir     = "#{work_dir}/repo"
-      signed_dir   = "#{work_dir}/pkgs"
-
-      Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}")
-      Pkg::Util::Net.rsync_to(p5p, rsync_host_string, unsigned_dir)
-
-      # Before we can get started with signing packages we need to create a repo
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com")
-      # And import all the packages into the repo.
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{File.basename(p5p)} -d #{repo_dir} '*'")
-      # We are going to hard code the values for signing cert locations for now.
-      # This autmation will require an update to actually become reusable, but
-      # for now these values will stay this way so solaris signing will stop
-      # failing. Please update soon. 06/23/16
-      #
-      #            - Sean P. McDonald
-      #
-      # We sign the entire repo
-      sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2020.pem \
-                  -i /root/signing/Thawte_SHA256_Code_Signing_CA.pem \
-                  -i /root/signing/Thawte_Primary_Root_CA.pem \
-                  -k /root/signing/signing_key_2020.pem \
-                  -s 'file://#{work_dir}/repo' '*'"
-      puts "About to sign #{p5p} with #{sign_cmd} in #{work_dir}"
-      Pkg::Util::Net.remote_execute(ssh_host_string, sign_cmd.squeeze(' '))
-      # pkgrecv with -a will pull packages out of the repo, so we need to do that too to actually get the packages we signed
-      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{File.basename(p5p)} -a -s #{repo_dir} '*'")
-      begin
-        # lets make sure we actually signed something?
-        # **NOTE** if we're repeatedly trying to sign the same version this
-        # might explode because I don't know how to reset the IPS cache.
-        # Everything is amazing.
-        Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{File.basename(p5p)} '*' | grep '^signature '")
-      rescue RuntimeError
-        raise "Looks like #{File.basename(p5p)} was not signed correctly, quitting!"
-      end
-      # and pull the packages back.
-      Pkg::Util::Net.rsync_from("#{signed_dir}/#{File.basename(p5p)}", rsync_host_string, File.dirname(p5p))
-      Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi")
-    end
-  end
-end

data/lib/packaging/sign/msi.rb

@@ -1,124 +0,0 @@
-module Pkg::Sign::Msi
-  module_function
-
-  def sign(target_dir = 'pkg')
-    use_identity = "-i #{Pkg::Config.msi_signing_ssh_key}" if Pkg::Config.msi_signing_ssh_key
-
-    ssh_host_string = "#{use_identity} Administrator@#{Pkg::Config.msi_signing_server}"
-    rsync_host_string = "-e 'ssh #{use_identity}' Administrator@#{Pkg::Config.msi_signing_server}"
-
-    work_dir = "Windows/Temp/#{Pkg::Util.rand_string}"
-    Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p C:/#{work_dir}")
-    msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
-    Pkg::Util::Net.rsync_to(msis.join(" "), rsync_host_string, "/cygdrive/c/#{work_dir}",
-                           extra_flags: ["--ignore-existing --relative"])
-
-    # Please Note:
-    # We are currently adding two signatures to the msi.
-    #
-    # Microsoft compatable Signatures are composed of three different
-    # elements.
-    #   1) The Certificate used to sign the package. This is the element that
-    #     is attached to organization. The certificate has an associated
-    #     algorithm. We recently (February 2016) had to switch from a sha1 to
-    #     a sha256 certificate. Sha1 was deprecated by many Microsoft
-    #     elements on 2016-01-01, which forced us to switch to a sha256 cert.
-    #     This sha256 certificate is recognized by all currently supported
-    #     windows platforms (Windows 8/Vista forward).
-    #   2) The signature used to attach the certificate to the package. This
-    #     can be a done with a variety of digest algorithms. Older platforms
-    #     (i.e., Windows 8 and Windows Vista) don't recognize later
-    #     algorithms like sha256.
-    #   3) The timestamp used to validate when the package was signed. This
-    #     comes from an external source and can be delivered with a variety
-    #     of digest algorithms. Older platforms do not recognize newer
-    #     algorithms like sha256.
-    #
-    # We could have only one signature with the Sha256 Cert, Sha1 Signature,
-    # and Sha1 Timestamp, but that would be too easy. The sha256 signature
-    # and timestamp add more security to our packages. We can't have only
-    # sha256 elements in our package signature, though, because Windows 8
-    # and Windows Vista just don't recognize them at all.
-    #
-    # In order to add two signatures to an MSI, we also need to change the
-    # tool we use to sign packages with. Previously, we were using SignTool
-    # which is the Microsoft blessed program used to sign packages. However,
-    # this tool isn't able to add two signatures to an MSI specifically. It
-    # can dual-sign an exe, just not an MSI. In order to get the dual-signed
-    # packages, we decided to switch over to using osslsigncode. The original
-    # project didn't have support to compile on a windows system, so we
-    # decided to use this fork. The binaries on the signer were pulled from
-    # https://sourceforge.net/u/keeely/osslsigncode/ci/master/tree/
-    #
-    # These are our signatures:
-    # The first signature:
-    #   * Sha256 Certificate
-    #   * Sha1 Signature
-    #   * Sha1 Timestamp
-    #
-    # The second signature:
-    #   * Sha256 Certificate
-    #   * Sha256 Signature
-    #   * Sha256 Timestamp
-    #
-    # Once we no longer support Windows 8/Windows Vista, we can remove the
-    # first Sha1 signature.
-    sign_command = <<-CMD
-for msipath in #{msis.join(" ")}; do
-  msi="$(basename $msipath)"
-  msidir="C:/#{work_dir}/$(dirname $msipath)"
-  if "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" verify -in "$msidir/$msi" ; then
-    echo "$msi is already signed, skipping . . ." ;
-  else
-    tries=5
-    sha1Servers=(http://timestamp.digicert.com/sha1/timestamp
-    http://timestamp.comodoca.com/authenticode)
-    for timeserver in "${sha1Servers[@]}"; do
-      for ((try=1; try<=$tries; try++)) do
-        ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
-          -n "Puppet" -i "http://www.puppet.com" \
-          -h sha1 \
-          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
-          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
-          -t "$timeserver" \
-          -in "$msidir/$msi" \
-          -out "$msidir/signed-$msi")
-        if [[ $ret == *"Succeeded"* ]]; then break; fi
-      done;
-      if [[ $ret == *"Succeeded"* ]]; then break; fi
-    done;
-    echo $ret
-    if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
-    sha256Servers=(http://timestamp.digicert.com/sha256/timestamp
-      http://timestamp.comodoca.com?td=sha256)
-    for timeserver in "${sha256Servers[@]}"; do
-      for ((try=1; try<=$tries; try++)) do
-        ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
-          -n "Puppet" -i "http://www.puppet.com" \
-          -nest -h sha256 \
-          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
-          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
-          -ts "$timeserver" \
-          -in "$msidir/signed-$msi" \
-          -out "$msidir/$msi")
-        if [[ $ret == *"Succeeded"* ]]; then break; fi
-      done;
-      if [[ $ret == *"Succeeded"* ]]; then break; fi
-    done;
-    echo $ret
-    if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
-  fi
-done
-CMD
-
-    Pkg::Util::Net.remote_execute(
-      ssh_host_string,
-      sign_command,
-      { fail_fast: false }
-    )
-    msis.each do | msi |
-      Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{msi}", rsync_host_string, File.dirname(msi))
-    end
-    Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")
-  end
-end

data/lib/packaging/sign/rpm.rb

@@ -1,115 +0,0 @@
-module Pkg::Sign::Rpm
-  module_function
-
-  def sign(rpm, sign_flags = nil)
-    # To enable support for wrappers around rpm and thus support for gpg-agent
-    # rpm signing, we have to be able to tell the packaging repo what binary to
-    # use as the rpm signing tool.
-    rpm_command = ENV['RPM'] || Pkg::Util::Tool.find_tool('rpm')
-
-    # If we're using the gpg agent for rpm signing, we don't want to specify the
-    # input for the passphrase, which is what '--passphrase-fd 3' does. However,
-    # if we're not using the gpg agent, this is required, and is part of the
-    # defaults on modern rpm. The fun part of gpg-agent signing of rpms is
-    # specifying that the gpg check command always return true
-    gpg_check_command = ''
-    input_flag = ''
-    if Pkg::Util.boolean_value(ENV['RPM_GPG_AGENT'])
-      gpg_check_command = "--define '%__gpg_check_password_cmd /bin/true'"
-    else
-      input_flag = "--passphrase-fd 3"
-    end
-
-    # Try this up to 5 times, to allow for incorrect passwords
-    Pkg::Util::Execution.retry_on_fail(:times => 5) do
-      # This definition of %__gpg_sign_cmd is the default on modern rpm. We
-      # accept extra flags to override certain signing behavior for older
-      # versions of rpm, e.g. specifying V3 signatures instead of V4.
-      Pkg::Util::Execution.capture3("#{rpm_command} #{gpg_check_command} --define '%_gpg_name #{Pkg::Util::Gpg.key}' --define '%__gpg_sign_cmd %{__gpg} gpg #{sign_flags} #{input_flag} --batch --no-verbose --no-armor --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} %{__plaintext_filename}' --addsign #{rpm}")
-    end
-  end
-
-  def legacy_sign(rpm)
-    sign(rpm, "--force-v3-sigs --digest-algo=sha1")
-  end
-
-  def has_sig?(rpm)
-    # This should allow the `Pkg::Util::Gpg.key` method to fail if gpg_key is
-    # not set, before shelling out. We also only want the short key, all
-    # lowercase, since that's what the `rpm -Kv` output uses.
-    key = Pkg::Util::Gpg.key.downcase.chars.last(8).join
-    signature_check_output = %x(rpm --checksig --verbose #{rpm})
-    # If the signing key has not been loaded on the system this is running on,
-    # the check will exit 1, even if the rpm is signed, so we can't use capture3,
-    # which bails out with non-0 exit codes. Instead, check that the output
-    # looks more-or-less how we expect it to.
-    fail "Something went wrong checking the signature of #{rpm}." unless signature_check_output.include? "Header"
-    return signature_check_output.include? "key ID #{key}"
-  end
-
-  def sign_all(rpm_directory)
-    # Create a hash mapping full paths to basenames.
-    # This will allow us to keep track of the different paths that may be
-    # associated with a single basename, e.g. noarch packages.
-    all_rpms = {}
-    rpms_to_sign = Dir["#{rpm_directory}/**/*.rpm"]
-    rpms_to_sign.each do |rpm_path|
-      all_rpms[rpm_path] = File.basename(rpm_path)
-    end
-    # Delete a package, both from the signing server and from the rpm array, if
-    # there are other packages with the same basename so that we only sign the
-    # package once.
-    all_rpms.each do |rpm_path, rpm_filename|
-      if rpms_to_sign.map { |rpm| File.basename(rpm) }.count(rpm_filename) > 1
-        FileUtils.rm(rpm_path)
-        rpms_to_sign.delete(rpm_path)
-      end
-    end
-
-    v3_rpms = []
-    v4_rpms = []
-    rpms_to_sign.each do |rpm|
-      platform_tag = Pkg::Paths.tag_from_artifact_path(rpm)
-      platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
-
-      # We don't sign AIX rpms
-      next if platform_tag.include?('aix')
-
-      if has_sig? rpm
-        puts "#{rpm} is already signed, skipping . . ."
-        next
-      end
-
-      case Pkg::Platforms.signature_format_for_platform_version(platform, version)
-      when 'v3'
-        v3_rpms << rpm
-      when 'v4'
-        v4_rpms << rpm
-      else
-        fail "Cannot find signature type for package '#{rpm}'"
-      end
-    end
-
-    unless v3_rpms.empty?
-      puts "Signing legacy (v3) rpms..."
-      legacy_sign(v3_rpms.join(' '))
-    end
-
-    unless v4_rpms.empty?
-      puts "Signing modern (v4) rpms..."
-      sign(v4_rpms.join(' '))
-    end
-
-    # Using the map of paths to basenames, we re-hardlink the rpms we deleted.
-    all_rpms.each do |link_path, rpm_filename|
-      next if File.exist? link_path
-      FileUtils.mkdir_p(File.dirname(link_path))
-      # Find paths where the signed rpm has the same basename, but different
-      # full path, as the one we need to link.
-      paths_to_link_to = rpms_to_sign.select { |rpm| File.basename(rpm) == rpm_filename && rpm != link_path }
-      paths_to_link_to.each do |path|
-        FileUtils.ln(path, link_path, :force => true, :verbose => true)
-      end
-    end
-  end
-end

data/lib/packaging/sign.rb

@@ -1,8 +0,0 @@
-module Pkg::Sign
-  require 'packaging/sign/deb'
-  require 'packaging/sign/dmg'
-  require 'packaging/sign/ips'
-  require 'packaging/sign/msi'
-  require 'packaging/sign/rpm'
-  module_function
-end