packaging 0.106.1 → 0.106.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: db83755518bc81f835ca1c1b64cb4fa7febab19049e584aabcc77ddf049a0baa
4
- data.tar.gz: 16139b7c1e409444034c8eda4481c96fdb2b63a0a46fa1a2aeed3d50951fae15
3
+ metadata.gz: 193d585363a1423508a90e96a1b3df94e8152e74c1dd72083f5b589b5b143501
4
+ data.tar.gz: 22492fe7cebbcda8a61742c5d1c1b88073d2b170a392c3f639ef01968a9ad456
5
5
  SHA512:
6
- metadata.gz: d33084fee800fe837b891703dbdf2bc404e1aabb23a965704ea5275c0c08a397daabc20aab2cce63babb9040088de855a4dbc3846b0ec78e96cab13c89299768
7
- data.tar.gz: 3cd7163d6acc73d96f062924938a31ec46dafecf717f0fcbceb4d1c56e4ae6d2a9af05fdc0904f4a790673a30d3a2c3f85772c5137ffd4e4d80fc9efbbc5c597
6
+ metadata.gz: edc24fcef7b4c1fcc6d63796628a094d3d1d299cc0d29b761af91146c11dfa8627af60b49ee368d15366b324f1d163af013796c6137ea5de08e035d3633811a4
7
+ data.tar.gz: 297b0577830caeef96526ee289d5d2c31da95237f3d57af53af8a650387a936e3ba1064c790bf1a9b9269f21b859a031f91e30ad49e43cd121d014e193d8123e
@@ -101,10 +101,8 @@ module Pkg::Params
101
101
  msi_host
102
102
  msi_name
103
103
  msi_path
104
- msi_signing_cert
105
- msi_signing_cert_pw
106
- msi_signing_server
107
- msi_signing_ssh_key
104
+ msi_signing_gcp_service_account_credentials
105
+ msi_signing_service_url
108
106
  msi_staging_server
109
107
  name
110
108
  nonfinal_apt_repo_command
@@ -244,10 +242,8 @@ module Pkg::Params
244
242
  { :var => :ips_signing_ssh_key, :envvar => :IPS_SIGNING_SSH_KEY },
245
243
  { :var => :msi_host, :envvar => :MSI_HOST },
246
244
  { :var => :msi_path, :envvar => :MSI_PATH },
247
- { :var => :msi_signing_cert, :envvar => :MSI_SIGNING_CERT },
248
- { :var => :msi_signing_cert_pw, :envvar => :MSI_SIGNING_CERT_PW },
249
- { :var => :msi_signing_server, :envvar => :MSI_SIGNING_SERVER },
250
- { :var => :msi_signing_ssh_key, :envvar => :MSI_SIGNING_SSH_KEY },
245
+ { :var => :msi_signing_gcp_service_account_credentials, :envvar => :MSI_SIGNING_GCP_SERVICE_ACCOUNT_CREDENTIALS },
246
+ { :var => :msi_signing_service_url, :envvar => :MSI_SIGNING_SERVICE_URL },
251
247
  { :var => :msi_staging_server, :envvar => :MSI_STAGING_SERVER },
252
248
  { :var => :nonfinal_apt_repo_command, :envvar => :NONFINAL_APT_REPO_COMMAND },
253
249
  { :var => :nonfinal_apt_repo_path, :envvar => :NONFINAL_APT_REPO_PATH },
@@ -328,8 +324,6 @@ module Pkg::Params
328
324
  { :var => :ips_inter_cert, :val => '$IPS_INTER_CERT' },
329
325
  { :var => :ips_root_cert, :val => '$IPS_ROOT_CERT' },
330
326
  { :var => :ips_signing_key, :val => '$IPS_SIGNING_KEY' },
331
- { :var => :msi_signing_cert, :val => '$MSI_SIGNING_CERT' },
332
- { :var => :msi_signing_cert_pw, :val => '$MSI_SIGNING_CERT_PW' },
333
327
  { :var => :pe_feature_branch, :val => false },
334
328
  { :var => :pe_release_branch, :val => false },
335
329
  { :var => :s3_ship, :val => false },
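Review bot: Nothing in these three hunks says what `msi_signing_gcp_service_account_credentials` is expected to hold; in the Pkg::Sign::Msi change on this page it is handed to `File.open` and to `Google::Cloud::Storage.new(credentials: ...)`, so it is a path to a service-account JSON key file rather than the key material itself. A one-line comment next to the new entry in the first hunk, `# path to the GCP service-account JSON key file used for MSI signing (also read via MSI_SIGNING_GCP_SERVICE_ACCOUNT_CREDENTIALS)`, would keep an operator from exporting the JSON contents into that variable. The removed `msi_signing_cert`/`msi_signing_cert_pw` defaults in the third hunk have no replacement, which looks intended since the new values must come from config or the environment. The enclosing `module Pkg::Params` starts and ends outside these hunks.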
@@ -2,123 +2,95 @@ module Pkg::Sign::Msi
2
2
  module_function
3
3
 
4
4
  def sign(target_dir = 'pkg')
5
- use_identity = "-i #{Pkg::Config.msi_signing_ssh_key}" if Pkg::Config.msi_signing_ssh_key
5
+ require 'google/cloud/storage'
6
+ require 'googleauth'
7
+ require 'json'
8
+ require 'net/http'
9
+ require 'uri'
6
10
 
7
- ssh_host_string = "#{use_identity} Administrator@#{Pkg::Config.msi_signing_server}"
8
- rsync_host_string = "-e 'ssh #{use_identity}' Administrator@#{Pkg::Config.msi_signing_server}"
11
+ gcp_service_account_credentials = Pkg::Config.msi_signing_gcp_service_account_credentials
12
+ signing_service_url = Pkg::Config.msi_signing_service_url
9
13
 
10
- work_dir = "Windows/Temp/#{Pkg::Util.rand_string}"
11
- Pkg::Util::Net.remote_execute(ssh_host_string, "mkdir -p C:/#{work_dir}")
12
- msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
13
- Pkg::Util::Net.rsync_to(msis.join(" "), rsync_host_string, "/cygdrive/c/#{work_dir}",
14
- extra_flags: ["--ignore-existing --relative"])
14
+ begin
15
+ authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
16
+ json_key_io: File.open(gcp_service_account_credentials),
17
+ target_audience: signing_service_url
18
+ )
19
+ rescue StandardError => e
20
+ fail "msis can only be signed by jenkins.\n#{e}"
21
+ end
15
22
 
16
- # Please Note:
17
- # We are currently adding two signatures to the msi.
18
- #
19
- # Microsoft compatable Signatures are composed of three different
20
- # elements.
21
- # 1) The Certificate used to sign the package. This is the element that
22
- # is attached to organization. The certificate has an associated
23
- # algorithm. We recently (February 2016) had to switch from a sha1 to
24
- # a sha256 certificate. Sha1 was deprecated by many Microsoft
25
- # elements on 2016-01-01, which forced us to switch to a sha256 cert.
26
- # This sha256 certificate is recognized by all currently supported
27
- # windows platforms (Windows 8/Vista forward).
28
- # 2) The signature used to attach the certificate to the package. This
29
- # can be a done with a variety of digest algorithms. Older platforms
30
- # (i.e., Windows 8 and Windows Vista) don't recognize later
31
- # algorithms like sha256.
32
- # 3) The timestamp used to validate when the package was signed. This
33
- # comes from an external source and can be delivered with a variety
34
- # of digest algorithms. Older platforms do not recognize newer
35
- # algorithms like sha256.
36
- #
37
- # We could have only one signature with the Sha256 Cert, Sha1 Signature,
38
- # and Sha1 Timestamp, but that would be too easy. The sha256 signature
39
- # and timestamp add more security to our packages. We can't have only
40
- # sha256 elements in our package signature, though, because Windows 8
41
- # and Windows Vista just don't recognize them at all.
42
- #
43
- # In order to add two signatures to an MSI, we also need to change the
44
- # tool we use to sign packages with. Previously, we were using SignTool
45
- # which is the Microsoft blessed program used to sign packages. However,
46
- # this tool isn't able to add two signatures to an MSI specifically. It
47
- # can dual-sign an exe, just not an MSI. In order to get the dual-signed
48
- # packages, we decided to switch over to using osslsigncode. The original
49
- # project didn't have support to compile on a windows system, so we
50
- # decided to use this fork. The binaries on the signer were pulled from
51
- # https://sourceforge.net/u/keeely/osslsigncode/ci/master/tree/
52
- #
53
- # These are our signatures:
54
- # The first signature:
55
- # * Sha256 Certificate
56
- # * Sha1 Signature
57
- # * Sha1 Timestamp
58
- #
59
- # The second signature:
60
- # * Sha256 Certificate
61
- # * Sha256 Signature
62
- # * Sha256 Timestamp
63
- #
64
- # Once we no longer support Windows 8/Windows Vista, we can remove the
65
- # first Sha1 signature.
66
- sign_command = <<~CMD
67
- for msipath in #{msis.join(' ')}; do
68
- msi="$(basename $msipath)"
69
- msidir="C:/#{work_dir}/$(dirname $msipath)"
70
- if "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" verify -in "$msidir/$msi" ; then
71
- echo "$msi is already signed, skipping . . ." ;
72
- else
73
- tries=5
74
- sha1Servers=(http://timestamp.digicert.com/sha1/timestamp
75
- http://timestamp.comodoca.com/authenticode)
76
- for timeserver in "${sha1Servers[@]}"; do
77
- for ((try=1; try<=$tries; try++)) do
78
- ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
79
- -n "Puppet" -i "http://www.puppet.com" \
80
- -h sha1 \
81
- -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
82
- -pass "#{Pkg::Config.msi_signing_cert_pw}" \
83
- -t "$timeserver" \
84
- -in "$msidir/$msi" \
85
- -out "$msidir/signed-$msi")
86
- if [[ $ret == *"Succeeded"* ]]; then break; fi
87
- done;
88
- if [[ $ret == *"Succeeded"* ]]; then break; fi
89
- done;
90
- echo $ret
91
- if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
92
- sha256Servers=(http://timestamp.digicert.com/sha256/timestamp
93
- http://timestamp.comodoca.com?td=sha256)
94
- for timeserver in "${sha256Servers[@]}"; do
95
- for ((try=1; try<=$tries; try++)) do
96
- ret=$(/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe sign \
97
- -n "Puppet" -i "http://www.puppet.com" \
98
- -nest -h sha256 \
99
- -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
100
- -pass "#{Pkg::Config.msi_signing_cert_pw}" \
101
- -ts "$timeserver" \
102
- -in "$msidir/signed-$msi" \
103
- -out "$msidir/$msi")
104
- if [[ $ret == *"Succeeded"* ]]; then break; fi
105
- done;
106
- if [[ $ret == *"Succeeded"* ]]; then break; fi
107
- done;
108
- echo $ret
109
- if [[ $ret != *"Succeeded"* ]]; then exit 1; fi
110
- fi
111
- done
112
- CMD
23
+ gcp_auth_token = authorizer.fetch_access_token!['id_token']
113
24
 
114
- Pkg::Util::Net.remote_execute(
115
- ssh_host_string,
116
- sign_command,
117
- { fail_fast: false }
25
+ gcp_storage = Google::Cloud::Storage.new(
26
+ project_id: 'puppet-release-engineering',
27
+ credentials: gcp_service_account_credentials
118
28
  )
29
+ tosign_bucket = gcp_storage.bucket('windows-tosign-bucket')
30
+ signed_bucket = gcp_storage.bucket('windows-signed-bucket')
31
+
32
+ service_uri = URI.parse(signing_service_url)
33
+ headers = { 'Content-Type': 'application/json', 'Authorization': "Bearer #{gcp_auth_token}" }
34
+ http = Net::HTTP.new(service_uri.host, service_uri.port)
35
+ http.use_ssl = true
36
+ request = Net::HTTP::Post.new(service_uri.request_uri, headers)
37
+
38
+ # Create hash to keep track of the signed msis
39
+ signed_msis = {}
40
+
41
+ msis = Dir.glob("#{target_dir}/windows*/**/*.msi")
42
+
43
+ # Upload msis to GCP and sign them
44
+ msis.each do |msi|
45
+ begin
46
+ tosign_bucket.create_file(msi, msi)
47
+ rescue StandardError => e
48
+ delete_tosign_msis(tosign_bucket, msis)
49
+ fail "There was an error uploading #{msi} to the windows-tosign-bucket gcp bucket.\n#{e}"
50
+ end
51
+ msi_json = { 'Path': msi }
52
+ request.body = msi_json.to_json
53
+ begin
54
+ response = http.request(request)
55
+ response_body = JSON.parse(JSON.parse(response.body.to_json), :quirks_mode => true)
56
+ rescue StandardError => e
57
+ delete_tosign_msis(tosign_bucket, msis)
58
+ delete_signed_msis(signed_bucket, signed_msis)
59
+ fail "There was an error signing #{msi}.\n#{e}"
60
+ end
61
+ # Store location of signed msi
62
+ signed_msi = response_body['Path']
63
+ signed_msis[msi] = signed_msi
64
+ end
65
+
66
+ # Download the signed msis
119
67
  msis.each do |msi|
120
- Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{msi}", rsync_host_string, File.dirname(msi))
68
+ begin
69
+ signed_msi = signed_bucket.file(signed_msis[msi])
70
+ signed_msi.download(msi)
71
+ rescue StandardError => e
72
+ delete_tosign_msis(tosign_bucket, msis)
73
+ delete_signed_msis(signed_bucket, signed_msis)
74
+ fail "There was an error retrieving the signed msi:#{msi}.\n#{e}"
75
+ end
76
+ end
77
+
78
+ # Cleanup buckets
79
+ delete_tosign_msis(tosign_bucket, msis)
80
+ delete_signed_msis(signed_bucket, signed_msis)
81
+ end
82
+
83
+ def delete_tosign_msis(bucket, msis)
84
+ msis.each do |msi|
85
+ tosign_msi = bucket.file(msi)
86
+ tosign_msi.delete unless tosign_msi.nil?
87
+ end
88
+ end
89
+
90
+ def delete_signed_msis(bucket, signed_msis)
91
+ signed_msis.each do |msi, temp_name|
92
+ signed_msi = bucket.file(temp_name)
93
+ signed_msi.delete unless signed_msi.nil?
121
94
  end
122
- Pkg::Util::Net.remote_execute(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")
123
95
  end
124
96
  end
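Review bot: The signing call never checks the HTTP status and parses the body twice (`JSON.parse(JSON.parse(response.body.to_json), :quirks_mode => true)`), so a 4xx/5xx from the service yields a `nil` entry in `signed_msis` that only surfaces later in the download loop with a misleading "error retrieving" message; replace those two lines with `raise "signing service returned #{response.code} for #{msi}: #{response.body}" unless response.is_a?(Net::HTTPSuccess)` followed by `response_body = JSON.parse(response.body)`, which the surrounding `rescue StandardError` will still turn into the cleanup-and-fail path. The rescue around `tosign_bucket.create_file(msi, msi)` only calls `delete_tosign_msis`, so MSIs already signed in earlier iterations are left behind in `windows-signed-bucket`; add `delete_signed_msis(signed_bucket, signed_msis)` there as the other two rescues do. The `File.open(gcp_service_account_credentials)` passed as `json_key_io:` is never closed; wrap the `make_creds` call in `File.open(gcp_service_account_credentials) { |key_io| ... }` so the key file handle is released. The project id and both bucket names are hard-coded while the service URL and credentials come from `Pkg::Config`; consider lifting them to config alongside the new `msi_signing_*` params or at least naming them as constants in this module. The enclosing `module Pkg::Sign::Msi` opens before line 2 of the file, outside the hunk.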
@@ -394,9 +394,10 @@ module Pkg::Util::Net
394
394
  end
395
395
 
396
396
  def remote_bundle_install_command
397
+ rvm_ruby_version = ENV['RVM_RUBY_VERSION'] || '2.5.9'
397
398
  export_packaging_location = "export PACKAGING_LOCATION='#{ENV['PACKAGING_LOCATION']}';" if ENV['PACKAGING_LOCATION'] && !ENV['PACKAGING_LOCATION'].empty?
398
399
  export_vanagon_location = "export VANAGON_LOCATION='#{ENV['VANAGON_LOCATION']}';" if ENV['VANAGON_LOCATION'] && !ENV['VANAGON_LOCATION'].empty?
399
- "source /usr/local/rvm/scripts/rvm; rvm use ruby-2.5.1; #{export_packaging_location} #{export_vanagon_location} bundle install --path .bundle/gems ;"
400
+ "source /usr/local/rvm/scripts/rvm; rvm use ruby-#{rvm_ruby_version}; #{export_packaging_location} #{export_vanagon_location} bundle install --path .bundle/gems ;"
400
401
  end
401
402
 
402
403
  # Given a BuildInstance object and a host, send its params to the host. Return
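Review bot: `rvm_ruby_version` is read from `ENV['RVM_RUBY_VERSION']` and interpolated unquoted into the shell string returned on the next changed line, so an empty variable produces `rvm use ruby-` and any other value reaches the shell as-is; the two sibling `export_*` lines in the same method guard against empty values and this one should too. Replace the added line with `rvm_ruby_version = ENV['RVM_RUBY_VERSION']` / `rvm_ruby_version = '2.5.9' if rvm_ruby_version.nil? || rvm_ruby_version.empty?` / `raise ArgumentError, "RVM_RUBY_VERSION must look like a version, got #{rvm_ruby_version.inspect}" unless rvm_ruby_version.match?(/\A[\w.-]+\z/)`. The method name suggests the command is executed on a remote host, which makes the format check worth having even though the variable comes from the build environment. `remote_bundle_install_command` is fully inside the hunk; the enclosing `module Pkg::Util::Net` is not.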
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: packaging
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.106.1
4
+ version: 0.106.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet Labs
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-04-12 00:00:00.000000000 Z
11
+ date: 2022-05-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: pry
@@ -108,6 +108,34 @@ dependencies:
108
108
  - - '='
109
109
  - !ruby/object:Gem::Version
110
110
  version: 3.1.5
111
+ - !ruby/object:Gem::Dependency
112
+ name: googleauth
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - ">="
116
+ - !ruby/object:Gem::Version
117
+ version: '0'
118
+ type: :runtime
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - ">="
123
+ - !ruby/object:Gem::Version
124
+ version: '0'
125
+ - !ruby/object:Gem::Dependency
126
+ name: google-cloud-storage
127
+ requirement: !ruby/object:Gem::Requirement
128
+ requirements:
129
+ - - ">="
130
+ - !ruby/object:Gem::Version
131
+ version: '0'
132
+ type: :runtime
133
+ prerelease: false
134
+ version_requirements: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - ">="
137
+ - !ruby/object:Gem::Version
138
+ version: '0'
111
139
  - !ruby/object:Gem::Dependency
112
140
  name: rake
113
141
  requirement: !ruby/object:Gem::Requirement
@@ -296,27 +324,27 @@ specification_version: 4
296
324
  summary: Puppet Labs' packaging automation
297
325
  test_files:
298
326
  - spec/lib/packaging_spec.rb
299
- - spec/lib/packaging/retrieve_spec.rb
300
- - spec/lib/packaging/paths_spec.rb
301
327
  - spec/lib/packaging/platforms_spec.rb
302
- - spec/lib/packaging/config_spec.rb
303
- - spec/lib/packaging/tar_spec.rb
304
- - spec/lib/packaging/repo_spec.rb
328
+ - spec/lib/packaging/deb/repo_spec.rb
305
329
  - spec/lib/packaging/artifactory_spec.rb
330
+ - spec/lib/packaging/gem_spec.rb
306
331
  - spec/lib/packaging/deb_spec.rb
307
- - spec/lib/packaging/deb/repo_spec.rb
332
+ - spec/lib/packaging/retrieve_spec.rb
333
+ - spec/lib/packaging/sign_spec.rb
334
+ - spec/lib/packaging/config_spec.rb
308
335
  - spec/lib/packaging/util/git_spec.rb
309
- - spec/lib/packaging/util/version_spec.rb
310
- - spec/lib/packaging/util/os_spec.rb
311
336
  - spec/lib/packaging/util/execution_spec.rb
312
- - spec/lib/packaging/util/file_spec.rb
313
- - spec/lib/packaging/util/git_tag_spec.rb
337
+ - spec/lib/packaging/util/gpg_spec.rb
314
338
  - spec/lib/packaging/util/rake_utils_spec.rb
339
+ - spec/lib/packaging/util/git_tag_spec.rb
315
340
  - spec/lib/packaging/util/ship_spec.rb
316
341
  - spec/lib/packaging/util/jenkins_spec.rb
317
342
  - spec/lib/packaging/util/net_spec.rb
343
+ - spec/lib/packaging/util/os_spec.rb
344
+ - spec/lib/packaging/util/version_spec.rb
345
+ - spec/lib/packaging/util/file_spec.rb
318
346
  - spec/lib/packaging/util/misc_spec.rb
319
- - spec/lib/packaging/util/gpg_spec.rb
347
+ - spec/lib/packaging/paths_spec.rb
320
348
  - spec/lib/packaging/rpm/repo_spec.rb
321
- - spec/lib/packaging/sign_spec.rb
322
- - spec/lib/packaging/gem_spec.rb
349
+ - spec/lib/packaging/repo_spec.rb
350
+ - spec/lib/packaging/tar_spec.rb