packaging 0.88.77

data/lib/packaging/sign.rb

@@ -0,0 +1,8 @@
+module Pkg::Sign
+  require 'packaging/sign/deb'
+  require 'packaging/sign/dmg'
+  require 'packaging/sign/ips'
+  require 'packaging/sign/msi'
+  require 'packaging/sign/rpm'
+  module_function
+end

data/lib/packaging/sign/deb.rb

@@ -0,0 +1,9 @@
+module Pkg::Sign::Deb
+  module_function
+
+  def sign_changes(file)
+    # Lazy lazy lazy lazy lazy
+    sign_program = "-p'gpg --use-agent --no-tty'" if ENV['RPM_GPG_AGENT']
+    Pkg::Util::Execution.capture3("debsign #{sign_program} --re-sign -k#{Pkg::Config.gpg_key} #{file}")
+  end
+end

data/lib/packaging/sign/dmg.rb

@@ -0,0 +1,41 @@
+module Pkg::Sign::Dmg
+  module_function
+
+  def sign(target_dir = 'pkg')
+    use_identity = "-i #{Pkg::Config.osx_signing_ssh_key}" unless Pkg::Config.osx_signing_ssh_key.nil?
+
+    if Pkg::Config.osx_signing_server =~ /@/
+      host_string = "#{Pkg::Config.osx_signing_server}"
+    else
+      host_string = "#{ENV['USER']}@#{Pkg::Config.osx_signing_server}"
+    end
+    ssh_host_string = "#{use_identity} #{host_string}"
+    rsync_host_string = "-e 'ssh #{use_identity}' #{host_string}"
+
+    work_dir  = "/tmp/#{Pkg::Util.rand_string}"
+    mount     = File.join(work_dir, "mount")
+    signed    = File.join(work_dir, "signed")
+    Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p #{mount} #{signed}")
+    dmgs = Dir.glob("#{target_dir}/apple/**/*.dmg")
+    Pkg::Util::Net.rsync_to(dmgs.join(" "), rsync_host_string, work_dir)
+    Pkg::Util::Net.remote_execute(ssh_host_string, %Q[for dmg in #{dmgs.map { |d| File.basename(d, ".dmg") }.join(" ")}; do
+      /usr/bin/hdiutil attach #{work_dir}/$dmg.dmg -mountpoint #{mount} -nobrowse -quiet ;
+      /usr/bin/security -q unlock-keychain -p "#{Pkg::Config.osx_signing_keychain_pw}" "#{Pkg::Config.osx_signing_keychain}" ;
+        for pkg in $(ls #{mount}/*.pkg | xargs -n 1 basename); do
+          if /usr/sbin/pkgutil --check-signature #{mount}/$pkg ; then
+            echo "$pkg is already signed, skipping . . ." ;
+            cp #{mount}/$pkg #{signed}/$pkg ;
+          else
+            /usr/bin/productsign --keychain "#{Pkg::Config.osx_signing_keychain}" --sign "#{Pkg::Config.osx_signing_cert}" #{mount}/$pkg #{signed}/$pkg ;
+          fi
+        done
+      /usr/bin/hdiutil detach #{mount} -quiet ;
+      /bin/rm #{work_dir}/$dmg.dmg ;
+      /usr/bin/hdiutil create -volname $dmg -srcfolder #{signed}/ #{work_dir}/$dmg.dmg ;
+      /bin/rm #{signed}/* ; done])
+    dmgs.each do | dmg |
+      Pkg::Util::Net.rsync_from("#{work_dir}/#{File.basename(dmg)}", rsync_host_string, File.dirname(dmg))
+    end
+    Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -d '#{work_dir}' ]; then rm -rf '#{work_dir}'; fi")
+  end
+end

data/lib/packaging/sign/ips.rb

@@ -0,0 +1,57 @@
+module Pkg::Sign::Ips
+  module_function
+
+  def sign(target_dir = 'pkg')
+    use_identity = "-i #{Pkg::Config.ips_signing_ssh_key}" unless Pkg::Config.ips_signing_ssh_key.nil?
+
+    ssh_host_string = "#{use_identity} #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
+    rsync_host_string = "-e 'ssh #{use_identity}' #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
+
+    p5ps = Dir.glob("#{target_dir}/solaris/11/**/*.p5p")
+
+    p5ps.each do |p5p|
+      work_dir     = "/tmp/#{Pkg::Util.rand_string}"
+      unsigned_dir = "#{work_dir}/unsigned"
+      repo_dir     = "#{work_dir}/repo"
+      signed_dir   = "#{work_dir}/pkgs"
+
+      Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}")
+      Pkg::Util::Net.rsync_to(p5p, rsync_host_string, unsigned_dir)
+
+      # Before we can get started with signing packages we need to create a repo
+      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
+      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com")
+      # And import all the packages into the repo.
+      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{File.basename(p5p)} -d #{repo_dir} '*'")
+      # We are going to hard code the values for signing cert locations for now.
+      # This autmation will require an update to actually become reusable, but
+      # for now these values will stay this way so solaris signing will stop
+      # failing. Please update soon. 06/23/16
+      #
+      #            - Sean P. McDonald
+      #
+      # We sign the entire repo
+      sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2020.pem \
+                  -i /root/signing/Thawte_SHA256_Code_Signing_CA.pem \
+                  -i /root/signing/Thawte_Primary_Root_CA.pem \
+                  -k /root/signing/signing_key_2020.pem \
+                  -s 'file://#{work_dir}/repo' '*'"
+      puts "About to sign #{p5p} with #{sign_cmd} in #{work_dir}"
+      Pkg::Util::Net.remote_execute(ssh_host_string, sign_cmd.squeeze(' '))
+      # pkgrecv with -a will pull packages out of the repo, so we need to do that too to actually get the packages we signed
+      Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{File.basename(p5p)} -a -s #{repo_dir} '*'")
+      begin
+        # lets make sure we actually signed something?
+        # **NOTE** if we're repeatedly trying to sign the same version this
+        # might explode because I don't know how to reset the IPS cache.
+        # Everything is amazing.
+        Pkg::Util::Net.remote_execute(ssh_host_string, "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{File.basename(p5p)} '*' | grep '^signature '")
+      rescue RuntimeError
+        raise "Looks like #{File.basename(p5p)} was not signed correctly, quitting!"
+      end
+      # and pull the packages back.
+      Pkg::Util::Net.rsync_from("#{signed_dir}/#{File.basename(p5p)}", rsync_host_string, File.dirname(p5p))
+      Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi")
+    end
+  end
+end

data/lib/packaging/sign/msi.rb

@@ -0,0 +1,124 @@
+module Pkg::Sign::Msi
+  module_function
+
+  def sign(target_dir = 'pkg')
+    use_identity = "-i #{Pkg::Config.msi_signing_ssh_key}" if Pkg::Config.msi_signing_ssh_key
+
+    ssh_host_string = "#{use_identity} Administrator@#{Pkg::Config.msi_signing_server}"
+    rsync_host_string = "-e 'ssh #{use_identity}' Administrator@#{Pkg::Config.msi_signing_server}"
+
+    work_dir = "Windows/Temp/#{Pkg::Util.rand_string}"
+    Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p C:/#{work_dir}")
+    msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
+    Pkg::Util::Net.rsync_to(msis.join(" "), rsync_host_string, "/cygdrive/c/#{work_dir}",
+                           extra_flags: ["--ignore-existing --relative"])
+
+    # Please Note:
+    # We are currently adding two signatures to the msi.
+    #
+    # Microsoft compatable Signatures are composed of three different
+    # elements.
+    #   1) The Certificate used to sign the package. This is the element that
+    #     is attached to organization. The certificate has an associated
+    #     algorithm. We recently (February 2016) had to switch from a sha1 to
+    #     a sha256 certificate. Sha1 was deprecated by many Microsoft
+    #     elements on 2016-01-01, which forced us to switch to a sha256 cert.
+    #     This sha256 certificate is recognized by all currently supported
+    #     windows platforms (Windows 8/Vista forward).
+    #   2) The signature used to attach the certificate to the package. This
+    #     can be a done with a variety of digest algorithms. Older platforms
+    #     (i.e., Windows 8 and Windows Vista) don't recognize later
+    #     algorithms like sha256.
+    #   3) The timestamp used to validate when the package was signed. This
+    #     comes from an external source and can be delivered with a variety
+    #     of digest algorithms. Older platforms do not recognize newer
+    #     algorithms like sha256.
+    #
+    # We could have only one signature with the Sha256 Cert, Sha1 Signature,
+    # and Sha1 Timestamp, but that would be too easy. The sha256 signature
+    # and timestamp add more security to our packages. We can't have only
+    # sha256 elements in our package signature, though, because Windows 8
+    # and Windows Vista just don't recognize them at all.
+    #
+    # In order to add two signatures to an MSI, we also need to change the
+    # tool we use to sign packages with. Previously, we were using SignTool
+    # which is the Microsoft blessed program used to sign packages. However,
+    # this tool isn't able to add two signatures to an MSI specifically. It
+    # can dual-sign an exe, just not an MSI. In order to get the dual-signed
+    # packages, we decided to switch over to using osslsigncode. The original
+    # project didn't have support to compile on a windows system, so we
+    # decided to use this fork. The binaries on the signer were pulled from
+    # https://sourceforge.net/u/keeely/osslsigncode/ci/master/tree/
+    #
+    # These are our signatures:
+    # The first signature:
+    #   * Sha256 Certificate
+    #   * Sha1 Signature
+    #   * Sha1 Timestamp
+    #
+    # The second signature:
+    #   * Sha256 Certificate
+    #   * Sha256 Signature
+    #   * Sha256 Timestamp
+    #
+    # Once we no longer support Windows 8/Windows Vista, we can remove the
+    # first Sha1 signature.
+    sign_command = <<-CMD
+for msipath in #{msis.join(" ")}; do
+  msi="$(basename $msipath)"
+  msidir="C:/#{work_dir}/$(dirname $msipath)"
+  if "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" verify -in "$msidir/$msi" ; then
+    echo "$msi is already signed, skipping . . ." ;
+  else
+    tries=5
+    sha1Servers=(http://timestamp.digicert.com/sha1/timestamp
+    http://timestamp.comodoca.com/authenticode)
+    for timeserver in "${sha1Servers[@]}"; do
+      for ((try=1; try<=$tries; try++)) do
+        ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
+          -n "Puppet" -i "http://www.puppet.com" \
+          -h sha1 \
+          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
+          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
+          -t "$timeserver" \
+          -in "$msidir/$msi" \
+          -out "$msidir/signed-$msi")
+        if [[ $ret == *"Succeeded"* ]]; then break; fi
+      done;
+      if [[ $ret == *"Succeeded"* ]]; then break; fi
+    done;
+    echo $ret
+    if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
+    sha256Servers=(http://timestamp.digicert.com/sha256/timestamp
+      http://timestamp.comodoca.com?td=sha256)
+    for timeserver in "${sha256Servers[@]}"; do
+      for ((try=1; try<=$tries; try++)) do
+        ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
+          -n "Puppet" -i "http://www.puppet.com" \
+          -nest -h sha256 \
+          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
+          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
+          -ts "$timeserver" \
+          -in "$msidir/signed-$msi" \
+          -out "$msidir/$msi")
+        if [[ $ret == *"Succeeded"* ]]; then break; fi
+      done;
+      if [[ $ret == *"Succeeded"* ]]; then break; fi
+    done;
+    echo $ret
+    if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
+  fi
+done
+CMD
+
+    Pkg::Util::Net.remote_execute(
+      ssh_host_string,
+      sign_command,
+      { fail_fast: false }
+    )
+    msis.each do | msi |
+      Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{msi}", rsync_host_string, File.dirname(msi))
+    end
+    Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")
+  end
+end

data/lib/packaging/sign/rpm.rb

@@ -0,0 +1,115 @@
+module Pkg::Sign::Rpm
+  module_function
+
+  def sign(rpm, sign_flags = nil)
+    # To enable support for wrappers around rpm and thus support for gpg-agent
+    # rpm signing, we have to be able to tell the packaging repo what binary to
+    # use as the rpm signing tool.
+    rpm_command = ENV['RPM'] || Pkg::Util::Tool.find_tool('rpm')
+
+    # If we're using the gpg agent for rpm signing, we don't want to specify the
+    # input for the passphrase, which is what '--passphrase-fd 3' does. However,
+    # if we're not using the gpg agent, this is required, and is part of the
+    # defaults on modern rpm. The fun part of gpg-agent signing of rpms is
+    # specifying that the gpg check command always return true
+    gpg_check_command = ''
+    input_flag = ''
+    if Pkg::Util.boolean_value(ENV['RPM_GPG_AGENT'])
+      gpg_check_command = "--define '%__gpg_check_password_cmd /bin/true'"
+    else
+      input_flag = "--passphrase-fd 3"
+    end
+
+    # Try this up to 5 times, to allow for incorrect passwords
+    Pkg::Util::Execution.retry_on_fail(:times => 5) do
+      # This definition of %__gpg_sign_cmd is the default on modern rpm. We
+      # accept extra flags to override certain signing behavior for older
+      # versions of rpm, e.g. specifying V3 signatures instead of V4.
+      Pkg::Util::Execution.capture3("#{rpm_command} #{gpg_check_command} --define '%_gpg_name #{Pkg::Util::Gpg.key}' --define '%__gpg_sign_cmd %{__gpg} gpg #{sign_flags} #{input_flag} --batch --no-verbose --no-armor --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} %{__plaintext_filename}' --addsign #{rpm}")
+    end
+  end
+
+  def legacy_sign(rpm)
+    sign(rpm, "--force-v3-sigs --digest-algo=sha1")
+  end
+
+  def has_sig?(rpm)
+    # This should allow the `Pkg::Util::Gpg.key` method to fail if gpg_key is
+    # not set, before shelling out. We also only want the short key, all
+    # lowercase, since that's what the `rpm -Kv` output uses.
+    key = Pkg::Util::Gpg.key.downcase.chars.last(8).join
+    signature_check_output = %x(rpm --checksig --verbose #{rpm})
+    # If the signing key has not been loaded on the system this is running on,
+    # the check will exit 1, even if the rpm is signed, so we can't use capture3,
+    # which bails out with non-0 exit codes. Instead, check that the output
+    # looks more-or-less how we expect it to.
+    fail "Something went wrong checking the signature of #{rpm}." unless signature_check_output.include? "Header"
+    return signature_check_output.include? "key ID #{key}"
+  end
+
+  def sign_all(rpm_directory)
+    # Create a hash mapping full paths to basenames.
+    # This will allow us to keep track of the different paths that may be
+    # associated with a single basename, e.g. noarch packages.
+    all_rpms = {}
+    rpms_to_sign = Dir["#{rpm_directory}/**/*.rpm"]
+    rpms_to_sign.each do |rpm_path|
+      all_rpms[rpm_path] = File.basename(rpm_path)
+    end
+    # Delete a package, both from the signing server and from the rpm array, if
+    # there are other packages with the same basename so that we only sign the
+    # package once.
+    all_rpms.each do |rpm_path, rpm_filename|
+      if rpms_to_sign.map { |rpm| File.basename(rpm) }.count(rpm_filename) > 1
+        FileUtils.rm(rpm_path)
+        rpms_to_sign.delete(rpm_path)
+      end
+    end
+
+    v3_rpms = []
+    v4_rpms = []
+    rpms_to_sign.each do |rpm|
+      platform_tag = Pkg::Paths.tag_from_artifact_path(rpm)
+      platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
+
+      # We don't sign AIX rpms
+      next if platform_tag.include?('aix')
+
+      if has_sig? rpm
+        puts "#{rpm} is already signed, skipping . . ."
+        next
+      end
+
+      case Pkg::Platforms.signature_format_for_platform_version(platform, version)
+      when 'v3'
+        v3_rpms << rpm
+      when 'v4'
+        v4_rpms << rpm
+      else
+        fail "Cannot find signature type for package '#{rpm}'"
+      end
+    end
+
+    unless v3_rpms.empty?
+      puts "Signing legacy (v3) rpms..."
+      legacy_sign(v3_rpms.join(' '))
+    end
+
+    unless v4_rpms.empty?
+      puts "Signing modern (v4) rpms..."
+      sign(v4_rpms.join(' '))
+    end
+
+    # Using the map of paths to basenames, we re-hardlink the rpms we deleted.
+    all_rpms.each do |link_path, rpm_filename|
+      next if File.exist? link_path
+      FileUtils.mkdir_p(File.dirname(link_path))
+      # Find paths where the signed rpm has the same basename, but different
+      # full path, as the one we need to link.
+      paths_to_link_to = rpms_to_sign.select { |rpm| File.basename(rpm) == rpm_filename && rpm != link_path }
+      paths_to_link_to.each do |path|
+        FileUtils.ln(path, link_path, :force => true, :verbose => true)
+      end
+    end
+  end
+end

data/lib/packaging/tar.rb

@@ -0,0 +1,163 @@
+module Pkg
+  class Tar
+    require 'fileutils'
+    require 'pathname'
+    include FileUtils
+
+    attr_accessor :files, :project, :version, :excludes, :target, :templates
+    attr_reader :tar
+
+    def initialize
+      @tar      = Pkg::Util::Tool.find_tool('tar', :required => true)
+      @project  = Pkg::Config.project
+      @version  = Pkg::Config.version
+      @files    = Pkg::Config.files
+      @target   = File.join(Pkg::Config.project_root, "pkg", "#{@project}-#{@version}.tar.gz")
+
+      # If the user did not specify any files, then archive the entire working directory
+      # instead
+      @files ||= Dir.glob('*')
+
+      # We require that the excludes list be a string (which is space
+      # separated, we hope)(deprecated) or an array.
+      #
+      if Pkg::Config.tar_excludes
+        if Pkg::Config.tar_excludes.is_a?(String)
+          warn "warning: `tar_excludes` should be an array, not a string"
+          @excludes = Pkg::Config.tar_excludes.split(' ')
+        elsif Pkg::Config.tar_excludes.is_a?(Array)
+          @excludes = Pkg::Config.tar_excludes
+        else
+          fail "Tarball excludes must either be an array or a string, not #{@excludes.class}"
+        end
+      else
+        @excludes = []
+      end
+
+      # If the user has specified things to exclude via config file, they will be
+      # honored by the tar class, but we also always exclude the packaging repo
+      # and 'pkg' directory.
+      @excludes += ['pkg', 'ext/packaging']
+
+      # On the other hand, support for explicit templates started with Arrays,
+      # so that's all we support.
+      #
+      if Pkg::Config.templates
+        @templates = Pkg::Config.templates.dup
+        fail "templates must be an array" unless @templates.is_a?(Array)
+        expand_templates
+      end
+    end
+
+    def install_files_to(workdir)
+      # It is nice to use arrays in YAML to represent array content, but we used
+      # to support a mode where a space-separated string was used.  Support both
+      # to allow a gentle migration to a modern style...
+      patterns =
+        case @files
+        when String
+          $stderr.puts "warning: `files` should be an array, not a string"
+          @files.split(' ')
+        when Array
+          @files
+        else
+          raise "`files` must be a string or an array!"
+        end
+
+      Pkg::Util::File.install_files_into_dir(patterns, workdir)
+    end
+
+    # The templates of a project can include globs, which may expand to an
+    # arbitrary number of files. This method expands all of the templates using
+    # Dir.glob and then filters out any templates that live in the packaging
+    # tools themselves. If the template is a source/target combination, it is
+    # returned to the array untouched.
+    def expand_templates
+      @templates.map! do |tempfile|
+        if tempfile.is_a?(String)
+          # Expand possible globs to all matching entries
+          Dir.glob(File.join(Pkg::Config::project_root, tempfile))
+        elsif tempfile.is_a?(Hash)
+          tempfile
+        end
+      end
+      @templates.flatten!
+
+      # Reject matches that are templates from packaging itself. These will contain the packaging root.
+      # These tend to come from the current tar.rake implementation.
+      @templates.reject! { |temp| temp.is_a?(String) && temp.match(/#{Pkg::Config::packaging_root}/) }
+    end
+
+    # Given the tar object's template files (assumed to be in Pkg::Config.project_root), transform
+    # them, removing the originals. If workdir is passed, assume Pkg::Config.project_root
+    # exists in workdir
+    def template(workdir = nil)
+      workdir ||= Pkg::Config.project_root
+      root = Pathname.new(Pkg::Config.project_root)
+
+      # Templates can be either a string or a hash of source and target. If it
+      # is a string, the target is assumed to be the same path as the
+      # source,with the extension removed. If it is a hash, we assume nothing
+      # and use the provided source and target.
+      @templates.each do |cur_template|
+        if cur_template.is_a?(String)
+          template_file = File.expand_path(cur_template)
+          target_file = template_file.sub(File.extname(template_file), "")
+        elsif cur_template.is_a?(Hash)
+          template_file = File.expand_path(cur_template["source"])
+          target_file = File.expand_path(cur_template["target"])
+        end
+
+        #   We construct paths to the erb template and its proposed target file
+        #   relative to the project root, *not* fully qualified. This allows us
+        #   to, given a temporary workdir containing a copy of the project,
+        #   construct the full path to the erb and target file inside the
+        #   temporary workdir.
+        #
+        rel_path_to_template = Pathname.new(template_file).relative_path_from(root).to_s
+        rel_path_to_target = Pathname.new(target_file).relative_path_from(root).to_s
+
+        #   What we pass to Pkg::util::File.erb_file are the paths to the erb
+        #   and target inside of a temporary project directory. We are, in
+        #   essence, templating "in place." This is why we remove the original
+        #   files - they're not the originals in the authoritative project
+        #   directory, but the originals in the temporary working copy.
+        if File.exist?(File.join(workdir, rel_path_to_template))
+          mkpath(File.dirname(File.join(workdir, rel_path_to_target)), :verbose => false)
+          Pkg::Util::File.erb_file(File.join(workdir, rel_path_to_template), File.join(workdir, rel_path_to_target), true, :binding => Pkg::Config.get_binding)
+        elsif File.exist?(File.join(root, rel_path_to_template))
+          mkpath(File.dirname(File.join(workdir, rel_path_to_target)), :verbose => false)
+          Pkg::Util::File.erb_file(File.join(root, rel_path_to_template), File.join(workdir, rel_path_to_target), false, :binding => Pkg::Config.get_binding)
+        else
+          fail "Expected to find #{template_file} in #{root} for templating. But it was not there. Maybe you deleted it?"
+        end
+      end
+    end
+
+    def tar(target, source)
+      mkpath File.dirname(target)
+      cd File.dirname(source) do
+        %x(#{@tar} #{@excludes.map { |x| (" --exclude #{x} ") }.join if @excludes} -zcf '#{File.basename(target)}' '#{File.basename(source)}')
+        unless $?.success?
+          fail "Failed to create .tar.gz archive with #{@tar}. Please ensure the tar command in your path accepts the flags '-c', '-z', and '-f'"
+        end
+        mv File.basename(target), target
+      end
+    end
+
+    def clean_up(workdir)
+      rm_rf workdir
+    end
+
+    def pkg!
+      workdir = File.join(Pkg::Util::File.mktemp, "#{@project}-#{@version}")
+      mkpath workdir
+      self.install_files_to workdir
+      self.template(workdir)
+      self.tar(@target, workdir)
+      self.clean_up workdir
+    end
+
+  end
+end
+