packaging 0.106.1 → 0.106.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/lib/packaging/config/params.rb +4 -10
  3. data/lib/packaging/sign/msi.rb +83 -111
  4. data/lib/packaging/util/net.rb +2 -1
  5. metadata +43 -15
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: db83755518bc81f835ca1c1b64cb4fa7febab19049e584aabcc77ddf049a0baa
4
- data.tar.gz: 16139b7c1e409444034c8eda4481c96fdb2b63a0a46fa1a2aeed3d50951fae15
3
+ metadata.gz: 193d585363a1423508a90e96a1b3df94e8152e74c1dd72083f5b589b5b143501
4
+ data.tar.gz: 22492fe7cebbcda8a61742c5d1c1b88073d2b170a392c3f639ef01968a9ad456
5
5
  SHA512:
6
- metadata.gz: d33084fee800fe837b891703dbdf2bc404e1aabb23a965704ea5275c0c08a397daabc20aab2cce63babb9040088de855a4dbc3846b0ec78e96cab13c89299768
7
- data.tar.gz: 3cd7163d6acc73d96f062924938a31ec46dafecf717f0fcbceb4d1c56e4ae6d2a9af05fdc0904f4a790673a30d3a2c3f85772c5137ffd4e4d80fc9efbbc5c597
6
+ metadata.gz: edc24fcef7b4c1fcc6d63796628a094d3d1d299cc0d29b761af91146c11dfa8627af60b49ee368d15366b324f1d163af013796c6137ea5de08e035d3633811a4
7
+ data.tar.gz: 297b0577830caeef96526ee289d5d2c31da95237f3d57af53af8a650387a936e3ba1064c790bf1a9b9269f21b859a031f91e30ad49e43cd121d014e193d8123e
data/lib/packaging/config/params.rb CHANGED
@@ -101,10 +101,8 @@ module Pkg::Params
101
101
  msi_host
102
102
  msi_name
103
103
  msi_path
104
- msi_signing_cert
105
- msi_signing_cert_pw
106
- msi_signing_server
107
- msi_signing_ssh_key
104
+ msi_signing_gcp_service_account_credentials
105
+ msi_signing_service_url
108
106
  msi_staging_server
109
107
  name
110
108
  nonfinal_apt_repo_command
@@ -244,10 +242,8 @@ module Pkg::Params
244
242
  { :var => :ips_signing_ssh_key, :envvar => :IPS_SIGNING_SSH_KEY },
245
243
  { :var => :msi_host, :envvar => :MSI_HOST },
246
244
  { :var => :msi_path, :envvar => :MSI_PATH },
247
- { :var => :msi_signing_cert, :envvar => :MSI_SIGNING_CERT },
248
- { :var => :msi_signing_cert_pw, :envvar => :MSI_SIGNING_CERT_PW },
249
- { :var => :msi_signing_server, :envvar => :MSI_SIGNING_SERVER },
250
- { :var => :msi_signing_ssh_key, :envvar => :MSI_SIGNING_SSH_KEY },
245
+ { :var => :msi_signing_gcp_service_account_credentials, :envvar => :MSI_SIGNING_GCP_SERVICE_ACCOUNT_CREDENTIALS },
246
+ { :var => :msi_signing_service_url, :envvar => :MSI_SIGNING_SERVICE_URL },
251
247
  { :var => :msi_staging_server, :envvar => :MSI_STAGING_SERVER },
252
248
  { :var => :nonfinal_apt_repo_command, :envvar => :NONFINAL_APT_REPO_COMMAND },
253
249
  { :var => :nonfinal_apt_repo_path, :envvar => :NONFINAL_APT_REPO_PATH },
@@ -328,8 +324,6 @@ module Pkg::Params
328
324
  { :var => :ips_inter_cert, :val => '$IPS_INTER_CERT' },
329
325
  { :var => :ips_root_cert, :val => '$IPS_ROOT_CERT' },
330
326
  { :var => :ips_signing_key, :val => '$IPS_SIGNING_KEY' },
331
- { :var => :msi_signing_cert, :val => '$MSI_SIGNING_CERT' },
332
- { :var => :msi_signing_cert_pw, :val => '$MSI_SIGNING_CERT_PW' },
333
327
  { :var => :pe_feature_branch, :val => false },
334
328
  { :var => :pe_release_branch, :val => false },
335
329
  { :var => :s3_ship, :val => false },
data/lib/packaging/sign/msi.rb CHANGED
@@ -2,123 +2,95 @@ module Pkg::Sign::Msi
2
2
  module_function
3
3
 
4
4
  def sign(target_dir = 'pkg')
5
- use_identity = "-i #{Pkg::Config.msi_signing_ssh_key}" if Pkg::Config.msi_signing_ssh_key
5
+ require 'google/cloud/storage'
6
+ require 'googleauth'
7
+ require 'json'
8
+ require 'net/http'
9
+ require 'uri'
6
10
 
7
- ssh_host_string = "#{use_identity} Administrator@#{Pkg::Config.msi_signing_server}"
8
- rsync_host_string = "-e 'ssh #{use_identity}' Administrator@#{Pkg::Config.msi_signing_server}"
11
+ gcp_service_account_credentials = Pkg::Config.msi_signing_gcp_service_account_credentials
12
+ signing_service_url = Pkg::Config.msi_signing_service_url
9
13
 
10
- work_dir = "Windows/Temp/#{Pkg::Util.rand_string}"
11
- Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p C:/#{work_dir}")
12
- msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
13
- Pkg::Util::Net.rsync_to(msis.join(" "), rsync_host_string, "/cygdrive/c/#{work_dir}",
14
- extra_flags: ["--ignore-existing --relative"])
14
+ begin
15
+ authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
16
+ json_key_io: File.open(gcp_service_account_credentials),
17
+ target_audience: signing_service_url
18
+ )
19
+ rescue StandardError => e
20
+ fail "msis can only be signed by jenkins.\n#{e}"
21
+ end
15
22
 
16
- # Please Note:
17
- # We are currently adding two signatures to the msi.
18
- #
19
- # Microsoft compatable Signatures are composed of three different
20
- # elements.
21
- # 1) The Certificate used to sign the package. This is the element that
22
- # is attached to organization. The certificate has an associated
23
- # algorithm. We recently (February 2016) had to switch from a sha1 to
24
- # a sha256 certificate. Sha1 was deprecated by many Microsoft
25
- # elements on 2016-01-01, which forced us to switch to a sha256 cert.
26
- # This sha256 certificate is recognized by all currently supported
27
- # windows platforms (Windows 8/Vista forward).
28
- # 2) The signature used to attach the certificate to the package. This
29
- # can be a done with a variety of digest algorithms. Older platforms
30
- # (i.e., Windows 8 and Windows Vista) don't recognize later
31
- # algorithms like sha256.
32
- # 3) The timestamp used to validate when the package was signed. This
33
- # comes from an external source and can be delivered with a variety
34
- # of digest algorithms. Older platforms do not recognize newer
35
- # algorithms like sha256.
36
- #
37
- # We could have only one signature with the Sha256 Cert, Sha1 Signature,
38
- # and Sha1 Timestamp, but that would be too easy. The sha256 signature
39
- # and timestamp add more security to our packages. We can't have only
40
- # sha256 elements in our package signature, though, because Windows 8
41
- # and Windows Vista just don't recognize them at all.
42
- #
43
- # In order to add two signatures to an MSI, we also need to change the
44
- # tool we use to sign packages with. Previously, we were using SignTool
45
- # which is the Microsoft blessed program used to sign packages. However,
46
- # this tool isn't able to add two signatures to an MSI specifically. It
47
- # can dual-sign an exe, just not an MSI. In order to get the dual-signed
48
- # packages, we decided to switch over to using osslsigncode. The original
49
- # project didn't have support to compile on a windows system, so we
50
- # decided to use this fork. The binaries on the signer were pulled from
51
- # https://sourceforge.net/u/keeely/osslsigncode/ci/master/tree/
52
- #
53
- # These are our signatures:
54
- # The first signature:
55
- # * Sha256 Certificate
56
- # * Sha1 Signature
57
- # * Sha1 Timestamp
58
- #
59
- # The second signature:
60
- # * Sha256 Certificate
61
- # * Sha256 Signature
62
- # * Sha256 Timestamp
63
- #
64
- # Once we no longer support Windows 8/Windows Vista, we can remove the
65
- # first Sha1 signature.
66
- sign_command = <<~CMD
67
- for msipath in #{msis.join(' ')}; do
68
- msi="$(basename $msipath)"
69
- msidir="C:/#{work_dir}/$(dirname $msipath)"
70
- if "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" verify -in "$msidir/$msi" ; then
71
- echo "$msi is already signed, skipping . . ." ;
72
- else
73
- tries=5
74
- sha1Servers=(http://timestamp.digicert.com/sha1/timestamp
75
- http://timestamp.comodoca.com/authenticode)
76
- for timeserver in "${sha1Servers[@]}"; do
77
- for ((try=1; try<=$tries; try++)) do
78
- ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
79
- -n "Puppet" -i "http://www.puppet.com" \
80
- -h sha1 \
81
- -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
82
- -pass "#{Pkg::Config.msi_signing_cert_pw}" \
83
- -t "$timeserver" \
84
- -in "$msidir/$msi" \
85
- -out "$msidir/signed-$msi")
86
- if [[ $ret == *"Succeeded"* ]]; then break; fi
87
- done;
88
- if [[ $ret == *"Succeeded"* ]]; then break; fi
89
- done;
90
- echo $ret
91
- if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
92
- sha256Servers=(http://timestamp.digicert.com/sha256/timestamp
93
- http://timestamp.comodoca.com?td=sha256)
94
- for timeserver in "${sha256Servers[@]}"; do
95
- for ((try=1; try<=$tries; try++)) do
96
- ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
97
- -n "Puppet" -i "http://www.puppet.com" \
98
- -nest -h sha256 \
99
- -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
100
- -pass "#{Pkg::Config.msi_signing_cert_pw}" \
101
- -ts "$timeserver" \
102
- -in "$msidir/signed-$msi" \
103
- -out "$msidir/$msi")
104
- if [[ $ret == *"Succeeded"* ]]; then break; fi
105
- done;
106
- if [[ $ret == *"Succeeded"* ]]; then break; fi
107
- done;
108
- echo $ret
109
- if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
110
- fi
111
- done
112
- CMD
23
+ gcp_auth_token = authorizer.fetch_access_token!['id_token']
113
24
 
114
- Pkg::Util::Net.remote_execute(
115
- ssh_host_string,
116
- sign_command,
117
- { fail_fast: false }
25
+ gcp_storage = Google::Cloud::Storage.new(
26
+ project_id: 'puppet-release-engineering',
27
+ credentials: gcp_service_account_credentials
118
28
  )
29
+ tosign_bucket = gcp_storage.bucket('windows-tosign-bucket')
30
+ signed_bucket = gcp_storage.bucket('windows-signed-bucket')
31
+
32
+ service_uri = URI.parse(signing_service_url)
33
+ headers = { 'Content-Type': 'application/json', 'Authorization': "Bearer #{gcp_auth_token}" }
34
+ http = Net::HTTP.new(service_uri.host, service_uri.port)
35
+ http.use_ssl = true
36
+ request = Net::HTTP::Post.new(service_uri.request_uri, headers)
37
+
38
+ # Create hash to keep track of the signed msis
39
+ signed_msis = {}
40
+
41
+ msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
42
+
43
+ # Upload msis to GCP and sign them
44
+ msis.each do |msi|
45
+ begin
46
+ tosign_bucket.create_file(msi, msi)
47
+ rescue StandardError => e
48
+ delete_tosign_msis(tosign_bucket, msis)
49
+ fail "There was an error uploading #{msi} to the windows-tosign-bucket gcp bucket.\n#{e}"
50
+ end
51
+ msi_json = { 'Path': msi }
52
+ request.body = msi_json.to_json
53
+ begin
54
+ response = http.request(request)
55
+ response_body = JSON.parse(JSON.parse(response.body.to_json), :quirks_mode => true)
56
+ rescue StandardError => e
57
+ delete_tosign_msis(tosign_bucket, msis)
58
+ delete_signed_msis(signed_bucket, signed_msis)
59
+ fail "There was an error signing #{msi}.\n#{e}"
60
+ end
61
+ # Store location of signed msi
62
+ signed_msi = response_body['Path']
63
+ signed_msis[msi] = signed_msi
64
+ end
65
+
66
+ # Download the signed msis
119
67
  msis.each do |msi|
120
- Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{msi}", rsync_host_string, File.dirname(msi))
68
+ begin
69
+ signed_msi = signed_bucket.file(signed_msis[msi])
70
+ signed_msi.download(msi)
71
+ rescue StandardError => e
72
+ delete_tosign_msis(tosign_bucket, msis)
73
+ delete_signed_msis(signed_bucket, signed_msis)
74
+ fail "There was an error retrieving the signed msi:#{msi}.\n#{e}"
75
+ end
76
+ end
77
+
78
+ # Cleanup buckets
79
+ delete_tosign_msis(tosign_bucket, msis)
80
+ delete_signed_msis(signed_bucket, signed_msis)
81
+ end
82
+
83
+ def delete_tosign_msis(bucket, msis)
84
+ msis.each do |msi|
85
+ tosign_msi = bucket.file(msi)
86
+ tosign_msi.delete unless tosign_msi.nil?
87
+ end
88
+ end
89
+
90
+ def delete_signed_msis(bucket, signed_msis)
91
+ signed_msis.each do |msi, temp_name|
92
+ signed_msi = bucket.file(temp_name)
93
+ signed_msi.delete unless signed_msi.nil?
121
94
  end
122
- Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")
123
95
  end
124
96
  end
data/lib/packaging/util/net.rb CHANGED
@@ -394,9 +394,10 @@ module Pkg::Util::Net
394
394
  end
395
395
 
396
396
  def remote_bundle_install_command
397
+ rvm_ruby_version = ENV['RVM_RUBY_VERSION'] || '2.5.9'
397
398
  export_packaging_location = "export PACKAGING_LOCATION='#{ENV['PACKAGING_LOCATION']}';" if ENV['PACKAGING_LOCATION'] && !ENV['PACKAGING_LOCATION'].empty?
398
399
  export_vanagon_location = "export VANAGON_LOCATION='#{ENV['VANAGON_LOCATION']}';" if ENV['VANAGON_LOCATION'] && !ENV['VANAGON_LOCATION'].empty?
399
- "source /usr/local/rvm/scripts/rvm; rvm use ruby-2.5.1; #{export_packaging_location} #{export_vanagon_location} bundle install --path .bundle/gems ;"
400
+ "source /usr/local/rvm/scripts/rvm; rvm use ruby-#{rvm_ruby_version}; #{export_packaging_location} #{export_vanagon_location} bundle install --path .bundle/gems ;"
400
401
  end
401
402
 
402
403
  # Given a BuildInstance object and a host, send its params to the host. Return
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: packaging
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.106.1
4
+ version: 0.106.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet Labs
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-04-12 00:00:00.000000000 Z
11
+ date: 2022-05-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: pry
@@ -108,6 +108,34 @@ dependencies:
108
108
  - - '='
109
109
  - !ruby/object:Gem::Version
110
110
  version: 3.1.5
111
+ - !ruby/object:Gem::Dependency
112
+ name: googleauth
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - ">="
116
+ - !ruby/object:Gem::Version
117
+ version: '0'
118
+ type: :runtime
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - ">="
123
+ - !ruby/object:Gem::Version
124
+ version: '0'
125
+ - !ruby/object:Gem::Dependency
126
+ name: google-cloud-storage
127
+ requirement: !ruby/object:Gem::Requirement
128
+ requirements:
129
+ - - ">="
130
+ - !ruby/object:Gem::Version
131
+ version: '0'
132
+ type: :runtime
133
+ prerelease: false
134
+ version_requirements: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - ">="
137
+ - !ruby/object:Gem::Version
138
+ version: '0'
111
139
  - !ruby/object:Gem::Dependency
112
140
  name: rake
113
141
  requirement: !ruby/object:Gem::Requirement
@@ -296,27 +324,27 @@ specification_version: 4
296
324
  summary: Puppet Labs' packaging automation
297
325
  test_files:
298
326
  - spec/lib/packaging_spec.rb
299
- - spec/lib/packaging/retrieve_spec.rb
300
- - spec/lib/packaging/paths_spec.rb
301
327
  - spec/lib/packaging/platforms_spec.rb
302
- - spec/lib/packaging/config_spec.rb
303
- - spec/lib/packaging/tar_spec.rb
304
- - spec/lib/packaging/repo_spec.rb
328
+ - spec/lib/packaging/deb/repo_spec.rb
305
329
  - spec/lib/packaging/artifactory_spec.rb
330
+ - spec/lib/packaging/gem_spec.rb
306
331
  - spec/lib/packaging/deb_spec.rb
307
- - spec/lib/packaging/deb/repo_spec.rb
332
+ - spec/lib/packaging/retrieve_spec.rb
333
+ - spec/lib/packaging/sign_spec.rb
334
+ - spec/lib/packaging/config_spec.rb
308
335
  - spec/lib/packaging/util/git_spec.rb
309
- - spec/lib/packaging/util/version_spec.rb
310
- - spec/lib/packaging/util/os_spec.rb
311
336
  - spec/lib/packaging/util/execution_spec.rb
312
- - spec/lib/packaging/util/file_spec.rb
313
- - spec/lib/packaging/util/git_tag_spec.rb
337
+ - spec/lib/packaging/util/gpg_spec.rb
314
338
  - spec/lib/packaging/util/rake_utils_spec.rb
339
+ - spec/lib/packaging/util/git_tag_spec.rb
315
340
  - spec/lib/packaging/util/ship_spec.rb
316
341
  - spec/lib/packaging/util/jenkins_spec.rb
317
342
  - spec/lib/packaging/util/net_spec.rb
343
+ - spec/lib/packaging/util/os_spec.rb
344
+ - spec/lib/packaging/util/version_spec.rb
345
+ - spec/lib/packaging/util/file_spec.rb
318
346
  - spec/lib/packaging/util/misc_spec.rb
319
- - spec/lib/packaging/util/gpg_spec.rb
347
+ - spec/lib/packaging/paths_spec.rb
320
348
  - spec/lib/packaging/rpm/repo_spec.rb
321
- - spec/lib/packaging/sign_spec.rb
322
- - spec/lib/packaging/gem_spec.rb
349
+ - spec/lib/packaging/repo_spec.rb
350
+ - spec/lib/packaging/tar_spec.rb