packaging 0.99.2 → 0.99.3

data/tasks/sign.rake

@@ -1,56 +1,12 @@
-def sign_rpm(rpm, sign_flags = nil)
-
-  # To enable support for wrappers around rpm and thus support for gpg-agent
-  # rpm signing, we have to be able to tell the packaging repo what binary to
-  # use as the rpm signing tool.
-  #
-  rpm_cmd = ENV['RPM'] || Pkg::Util::Tool.find_tool('rpm')
-
-  # If we're using the gpg agent for rpm signing, we don't want to specify the
-  # input for the passphrase, which is what '--passphrase-fd 3' does. However,
-  # if we're not using the gpg agent, this is required, and is part of the
-  # defaults on modern rpm. The fun part of gpg-agent signing of rpms is
-  # specifying that the gpg check command always return true
-  #
-  if Pkg::Util.boolean_value(ENV['RPM_GPG_AGENT'])
-    gpg_check_cmd = "--define '%__gpg_check_password_cmd /bin/true'"
-  else
-    input_flag = "--passphrase-fd 3"
-  end
-
-  # Try this up to 5 times, to allow for incorrect passwords
-  Pkg::Util::Execution.retry_on_fail(:times => 5) do
-    # This definition of %__gpg_sign_cmd is the default on modern rpm. We
-    # accept extra flags to override certain signing behavior for older
-    # versions of rpm, e.g. specifying V3 signatures instead of V4.
-    #
-    sh "#{rpm_cmd} #{gpg_check_cmd} --define '%_gpg_name #{Pkg::Util::Gpg.key}' --define '%__gpg_sign_cmd %{__gpg} gpg #{sign_flags} #{input_flag} --batch --no-verbose --no-armor --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} %{__plaintext_filename}' --addsign #{rpm}"
-  end
-
-end
-
-def sign_legacy_rpm(rpm)
-  sign_rpm(rpm, "--force-v3-sigs --digest-algo=sha1")
-end
-
-def rpm_has_sig(rpm)
-  %x(rpm -Kv #{rpm} | grep "#{Pkg::Util::Gpg.key.downcase}" &> /dev/null)
-  $?.success?
-end
-
-def sign_deb_changes(file)
-  # Lazy lazy lazy lazy lazy
-  sign_program = "-p'gpg --use-agent --no-tty'" if ENV['RPM_GPG_AGENT']
-  sh "debsign #{sign_program} --re-sign -k#{Pkg::Config.gpg_key} #{file}"
-end
-
 namespace :pl do
   desc "Sign the tarball, defaults to PL key, pass GPG_KEY to override or edit build_defaults"
   task :sign_tar do
     unless Pkg::Config.vanagon_project
-      File.exist?("pkg/#{Pkg::Config.project}-#{Pkg::Config.version}.tar.gz") or fail "No tarball exists. Try rake package:tar?"
+      tarballs_to_sign = Pkg::Util::Ship.collect_packages(['pkg/*.tar.gz'], ['signing_bundle', 'packaging-bundle'])
       Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
-      Pkg::Util::Gpg.sign_file "pkg/#{Pkg::Config.project}-#{Pkg::Config.version}.tar.gz"
+      tarballs_to_sign.each do |file|
+        Pkg::Util::Gpg.sign_file file
+      end
     end
   end
 
@@ -79,11 +35,27 @@ namespace :pl do
   task :sign_rpms, :root_dir do |t, args|
     rpm_dir = args.root_dir || "pkg"
 
-    all_rpms = Dir["#{rpm_dir}/**/*.rpm"]
+    # Create a hash mapping full paths to basenames.
+    # This will allow us to keep track of the different paths that may be
+    # associated with a single basename, e.g. noarch packages.
+    all_rpms = {}
+    rpms_to_sign = Dir["#{rpm_dir}/**/*.rpm"]
+    rpms_to_sign.each do |rpm_path|
+      all_rpms[rpm_path] = File.basename(rpm_path)
+    end
+    # Delete a package, both from the signing server and from the rpm array, if
+    # there are other packages with the same basename so that we only sign the
+    # package once.
+    all_rpms.each do |rpm_path, rpm_filename|
+      if rpms_to_sign.map { |rpm| File.basename(rpm) }.count(rpm_filename) > 1
+        FileUtils.rm(rpm_path)
+        rpms_to_sign.delete(rpm_path)
+      end
+    end
 
     v3_rpms = []
     v4_rpms = []
-    all_rpms.each do |rpm|
+    rpms_to_sign.each do |rpm|
       platform_tag = Pkg::Paths.tag_from_artifact_path(rpm)
       platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
 
@@ -103,44 +75,38 @@ namespace :pl do
 
     unless v3_rpms.empty?
       puts "Signing old rpms..."
-      sign_legacy_rpm(v3_rpms.join(' '))
+      Pkg::Sign::Rpm.legacy_sign(v3_rpms.join(' '))
     end
 
     unless v4_rpms.empty?
       puts "Signing modern rpms..."
-      sign_rpm(v4_rpms.join(' '))
+      Pkg::Sign::Rpm.sign(v4_rpms.join(' '))
     end
 
-    # Now we hardlink them back in
-    Dir["#{rpm_dir}/**/*.noarch.rpm"].each do |rpm|
-      platform_tag = Pkg::Paths.tag_from_artifact_path(rpm)
-      platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
-      supported_arches = Pkg::Platforms.arches_for_platform_version(platform, version)
-      cd File.dirname(rpm) do
-        noarch_rpm = File.basename(rpm)
-        supported_arches.each do |arch|
-          arch_dir = File.join('..', arch)
-          FileUtils.mkdir_p(arch_dir)
-          unless File.exist?(File.join(arch_dir, noarch_rpm))
-            FileUtils.ln(noarch_rpm, arch_dir, :force => true, :verbose => true)
-          end
-        end
+    # Using the map of paths to basenames, we re-hardlink the rpms we deleted.
+    all_rpms.each do |link_path, rpm_filename|
+      next if File.exist? link_path
+      FileUtils.mkdir_p(File.dirname(link_path))
+      # Find paths where the signed rpm has the same basename, but different
+      # full path, as the one we need to link.
+      paths_to_link_to = rpms_to_sign.select { |rpm| File.basename(rpm) == rpm_filename && rpm != link_path }
+      paths_to_link_to.each do |path|
+        FileUtils.ln(path, link_path, :force => true, :verbose => true)
       end
     end
   end
 
   desc "Sign ips package, uses PL certificates by default, update privatekey_pem, certificate_pem, and ips_inter_cert in build_defaults.yaml to override."
   task :sign_ips do
-    Pkg::IPS.sign unless Dir['pkg/**/*.p5p'].empty?
+    Pkg::Sign::Ips.sign unless Dir['pkg/**/*.p5p'].empty?
   end
 
-  if Pkg::Config.build_gem
-    desc "Sign built gems, defaults to PL key, pass GPG_KEY to override or edit build_defaults"
-    task :sign_gem do
-      FileList["pkg/#{Pkg::Config.gem_name}-#{Pkg::Config.gemversion}*.gem"].each do |gem|
-        puts "signing gem #{gem}"
-        Pkg::Util::Gpg.sign_file(gem)
-      end
+  desc "Sign built gems, defaults to PL key, pass GPG_KEY to override or edit build_defaults"
+  task :sign_gem do
+    gems = FileList["pkg/*.gem"]
+    gems.each do |gem|
+      puts "signing gem #{gem}"
+      Pkg::Util::Gpg.sign_file(gem)
     end
   end
 
@@ -150,7 +116,7 @@ namespace :pl do
     rpms = Dir["pkg/**/*.rpm"]
     print 'Checking rpm signatures'
     rpms.each do |rpm|
-      if rpm_has_sig rpm
+      if Pkg::Sign::Rpm.has_sig? rpm
         print '.'
       else
         puts "#{rpm} is unsigned."
@@ -167,7 +133,7 @@ namespace :pl do
       change_files = Dir["pkg/**/*.changes"]
       unless change_files.empty?
         Pkg::Util::Gpg.load_keychain if Pkg::Util::Tool.find_tool('keychain')
-        sign_deb_changes("pkg/**/*.changes")
+        Pkg::Sign::Deb.sign_changes("pkg/**/*.changes")
       end
     ensure
       Pkg::Util::Gpg.kill_keychain
@@ -176,12 +142,12 @@ namespace :pl do
 
   desc "Sign OSX packages"
   task :sign_osx => "pl:fetch" do
-    Pkg::OSX.sign unless Dir['pkg/**/*.dmg'].empty?
+    Pkg::Sign::Dmg.sign unless Dir['pkg/**/*.dmg'].empty?
   end
 
   desc "Sign MSI packages"
   task :sign_msi => "pl:fetch" do
-    Pkg::MSI.sign unless Dir['pkg/**/*.msi'].empty?
+    Pkg::Sign::Msi.sign unless Dir['pkg/**/*.msi'].empty?
   end
 
   ##
@@ -205,7 +171,8 @@ namespace :pl do
       signing_bundle = ENV['SIGNING_BUNDLE']
       rpm_sign_task = Pkg::Config.build_pe ? "pe:sign_rpms" : "pl:sign_rpms"
       deb_sign_task = Pkg::Config.build_pe ? "pe:sign_deb_changes" : "pl:sign_deb_changes"
-      sign_tasks    = [rpm_sign_task, deb_sign_task]
+      sign_tasks    = [rpm_sign_task]
+      sign_tasks    << deb_sign_task unless Dir['pkg/**/*.changes'].empty?
       sign_tasks    << "pl:sign_tar" if Pkg::Config.build_tar
       sign_tasks    << "pl:sign_gem" if Pkg::Config.build_gem
       sign_tasks    << "pl:sign_osx" if Pkg::Config.build_dmg || Pkg::Config.vanagon_project

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: packaging
 version: !ruby/object:Gem::Version
-  version: 0.99.2
+  version: 0.99.3
 platform: ruby
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-14 00:00:00.000000000 Z
+date: 2018-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -83,16 +83,19 @@ files:
 - lib/packaging/deb.rb
 - lib/packaging/deb/repo.rb
 - lib/packaging/gem.rb
-- lib/packaging/ips.rb
-- lib/packaging/msi.rb
 - lib/packaging/nuget.rb
-- lib/packaging/osx.rb
 - lib/packaging/paths.rb
 - lib/packaging/platforms.rb
 - lib/packaging/repo.rb
 - lib/packaging/retrieve.rb
 - lib/packaging/rpm.rb
 - lib/packaging/rpm/repo.rb
+- lib/packaging/sign.rb
+- lib/packaging/sign/deb.rb
+- lib/packaging/sign/dmg.rb
+- lib/packaging/sign/ips.rb
+- lib/packaging/sign/msi.rb
+- lib/packaging/sign/rpm.rb
 - lib/packaging/tar.rb
 - lib/packaging/util.rb
 - lib/packaging/util/date.rb

data/lib/packaging/ips.rb

@@ -1,57 +0,0 @@
-module Pkg::IPS
-  class << self
-    def sign(target_dir = 'pkg')
-      use_identity = "-i #{Pkg::Config.ips_signing_ssh_key}" unless Pkg::Config.ips_signing_ssh_key.nil?
-
-      ssh_host_string = "#{use_identity} #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
-      rsync_host_string = "-e 'ssh #{use_identity}' #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
-
-      p5ps = Dir.glob("#{target_dir}/solaris/11/**/*.p5p")
-
-      p5ps.each do |p5p|
-        work_dir     = "/tmp/#{Pkg::Util.rand_string}"
-        unsigned_dir = "#{work_dir}/unsigned"
-        repo_dir     = "#{work_dir}/repo"
-        signed_dir   = "#{work_dir}/pkgs"
-
-        Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}")
-        Pkg::Util::Net.rsync_to(p5p, rsync_host_string, unsigned_dir)
-
-        # Before we can get started with signing packages we need to create a repo
-        Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
-        Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com")
-        # And import all the packages into the repo.
-        Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{File.basename(p5p)} -d #{repo_dir} '*'")
-        # We are going to hard code the values for signing cert locations for now.
-        # This autmation will require an update to actually become reusable, but
-        # for now these values will stay this way so solaris signing will stop
-        # failing. Please update soon. 06/23/16
-        #
-        #            - Sean P. McDonald
-        #
-        # We sign the entire repo
-        sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_interim_SHA1.pem \
-                    -i /root/signing/Thawte_Code_Signing_Certificate_interim_SHA1.pem \
-                    -i /root/signing/Thawte_Primary_Root_CA_interim_SHA1.pem \
-                    -k /root/signing/signing_key_interim_SHA1.pem \
-                    -s 'file://#{work_dir}/repo' '*'"
-        puts "About to sign #{p5p} with #{sign_cmd} in #{work_dir}"
-        Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, sign_cmd.squeeze(' '))
-        # pkgrecv with -a will pull packages out of the repo, so we need to do that too to actually get the packages we signed
-        Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{File.basename(p5p)} -a -s #{repo_dir} '*'")
-        begin
-          # lets make sure we actually signed something?
-          # **NOTE** if we're repeatedly trying to sign the same version this
-          # might explode because I don't know how to reset the IPS cache.
-          # Everything is amazing.
-          Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{File.basename(p5p)} '*' | grep '^signature '")
-        rescue RuntimeError
-          raise "Looks like #{File.basename(p5p)} was not signed correctly, quitting!"
-        end
-        # and pull the packages back.
-        Pkg::Util::Net.rsync_from("#{signed_dir}/#{File.basename(p5p)}", rsync_host_string, File.dirname(p5p))
-        Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi")
-      end
-    end
-  end
-end

data/lib/packaging/msi.rb

@@ -1,89 +0,0 @@
-module Pkg::MSI
-  class << self
-    def sign(target_dir = 'pkg')
-      use_identity = "-i #{Pkg::Config.msi_signing_ssh_key}" if Pkg::Config.msi_signing_ssh_key
-
-      ssh_host_string = "#{use_identity} Administrator@#{Pkg::Config.msi_signing_server}"
-      rsync_host_string = "-e 'ssh #{use_identity}' Administrator@#{Pkg::Config.msi_signing_server}"
-
-      work_dir = "Windows/Temp/#{Pkg::Util.rand_string}"
-      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p C:/#{work_dir}")
-      msis = Dir.glob("#{target_dir}/windows/**/*.msi")
-      Pkg::Util::Net.rsync_to(msis.join(" "), rsync_host_string, "/cygdrive/c/#{work_dir}")
-
-      # Please Note:
-      # We are currently adding two signatures to the msi.
-      #
-      # Microsoft compatable Signatures are composed of three different
-      # elements.
-      #   1) The Certificate used to sign the package. This is the element that
-      #     is attached to organization. The certificate has an associated
-      #     algorithm. We recently (February 2016) had to switch from a sha1 to
-      #     a sha256 certificate. Sha1 was deprecated by many Microsoft
-      #     elements on 2016-01-01, which forced us to switch to a sha256 cert.
-      #     This sha256 certificate is recognized by all currently supported
-      #     windows platforms (Windows 8/Vista forward).
-      #   2) The signature used to attach the certificate to the package. This
-      #     can be a done with a variety of digest algorithms. Older platforms
-      #     (i.e., Windows 8 and Windows Vista) don't recognize later
-      #     algorithms like sha256.
-      #   3) The timestamp used to validate when the package was signed. This
-      #     comes from an external source and can be delivered with a variety
-      #     of digest algorithms. Older platforms do not recognize newer
-      #     algorithms like sha256.
-      #
-      # We could have only one signature with the Sha256 Cert, Sha1 Signature,
-      # and Sha1 Timestamp, but that would be too easy. The sha256 signature
-      # and timestamp add more security to our packages. We can't have only
-      # sha256 elements in our package signature, though, because Windows 8
-      # and Windows Vista just don't recognize them at all.
-      #
-      # In order to add two signatures to an MSI, we also need to change the
-      # tool we use to sign packages with. Previously, we were using SignTool
-      # which is the Microsoft blessed program used to sign packages. However,
-      # this tool isn't able to add two signatures to an MSI specifically. It
-      # can dual-sign an exe, just not an MSI. In order to get the dual-signed
-      # packages, we decided to switch over to using osslsigncode. The original
-      # project didn't have support to compile on a windows system, so we
-      # decided to use this fork. The binaries on the signer were pulled from
-      # https://sourceforge.net/u/keeely/osslsigncode/ci/master/tree/
-      #
-      # These are our signatures:
-      # The first signature:
-      #   * Sha256 Certificate
-      #   * Sha1 Signature
-      #   * Sha1 Timestamp
-      #
-      # The second signature:
-      #   * Sha256 Certificate
-      #   * Sha256 Signature
-      #   * Sha256 Timestamp
-      #
-      # Once we no longer support Windows 8/Windows Vista, we can remove the
-      # first Sha1 signature.
-      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, %Q(for msi in #{msis.map { |d| File.basename(d) }.join(" ")}; do
-        "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" sign \
-          -n "Puppet" -i "http://www.puppet.com" \
-          -h sha1 \
-          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
-          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
-          -t "http://timestamp.verisign.com/scripts/timstamp.dll" \
-          -in "C:/#{work_dir}/$msi" \
-          -out "C:/#{work_dir}/signed-$msi"
-        "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" sign \
-          -n "Puppet" -i "http://www.puppet.com" \
-          -nest -h sha256 \
-          -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
-          -pass "#{Pkg::Config.msi_signing_cert_pw}" \
-          -ts "http://sha256timestamp.ws.symantec.com/sha256/timestamp" \
-          -in "C:/#{work_dir}/signed-$msi" \
-          -out "C:/#{work_dir}/$msi"
-        rm "C:/#{work_dir}/signed-$msi"
-      done))
-      msis.each do | msi |
-        Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{File.basename(msi)}", rsync_host_string, File.dirname(msi))
-      end
-      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")
-    end
-  end
-end

data/lib/packaging/osx.rb

@@ -1,36 +0,0 @@
-module Pkg::OSX
-  class << self
-    def sign(target_dir = 'pkg')
-      use_identity = "-i #{Pkg::Config.osx_signing_ssh_key}" unless Pkg::Config.osx_signing_ssh_key.nil?
-
-      if Pkg::Config.osx_signing_server =~ /@/
-        host_string = "#{Pkg::Config.osx_signing_server}"
-      else
-        host_string = "#{ENV['USER']}@#{Pkg::Config.osx_signing_server}"
-      end
-      ssh_host_string = "#{use_identity} #{host_string}"
-      rsync_host_string = "-e 'ssh #{use_identity}' #{host_string}"
-
-      work_dir  = "/tmp/#{Pkg::Util.rand_string}"
-      mount     = File.join(work_dir, "mount")
-      signed    = File.join(work_dir, "signed")
-      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p #{mount} #{signed}")
-      dmgs = Dir.glob("#{target_dir}/apple/**/*.dmg")
-      Pkg::Util::Net.rsync_to(dmgs.join(" "), rsync_host_string, work_dir)
-      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, %Q[for dmg in #{dmgs.map { |d| File.basename(d, ".dmg") }.join(" ")}; do
-        /usr/bin/hdiutil attach #{work_dir}/$dmg.dmg -mountpoint #{mount} -nobrowse -quiet ;
-        /usr/bin/security -q unlock-keychain -p "#{Pkg::Config.osx_signing_keychain_pw}" "#{Pkg::Config.osx_signing_keychain}" ;
-          for pkg in $(ls #{mount}/*.pkg | xargs -n 1 basename); do
-            /usr/bin/productsign --keychain "#{Pkg::Config.osx_signing_keychain}" --sign "#{Pkg::Config.osx_signing_cert}" #{mount}/$pkg #{signed}/$pkg ;
-          done
-        /usr/bin/hdiutil detach #{mount} -quiet ;
-        /bin/rm #{work_dir}/$dmg.dmg ;
-        /usr/bin/hdiutil create -volname $dmg -srcfolder #{signed}/ #{work_dir}/$dmg.dmg ;
-        /bin/rm #{signed}/* ; done])
-      dmgs.each do | dmg |
-        Pkg::Util::Net.rsync_from("#{work_dir}/#{File.basename(dmg)}", rsync_host_string, File.dirname(dmg))
-      end
-      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -d '#{work_dir}' ]; then rm -rf '#{work_dir}'; fi")
-    end
-  end
-end