packaging 0.99.11 → 0.99.12
- checksums.yaml +4 -4
- data/README.md +8 -8
- data/lib/packaging/sign/rpm.rb +76 -2
- data/lib/packaging/util/execution.rb +2 -2
- data/lib/packaging/util/gpg.rb +1 -1
- data/lib/packaging/util/net.rb +7 -1
- data/lib/packaging/util.rb +2 -2
- data/spec/lib/packaging/config_spec.rb +3 -3
- data/spec/lib/packaging/sign_spec.rb +136 -0
- data/spec/lib/packaging/util/gpg_spec.rb +1 -1
- data/tasks/nightly_repos.rake +1 -1
- data/tasks/sign.rake +5 -64
- data/templates/packaging.xml.erb +3 -0
- data/templates/repo.xml.erb +3 -0
- metadata +5 -3
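--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 75390943c5911db51faf6f0e7402fd9f1a097a3f
+data.tar.gz: 6074cb15a9e826dd85a2800df94c0cd3dbbc4c70
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7c2857a239fa9544c3442dda8901d461bbb35e42f24f740531399b383b99fe9b941d108cc5a23a48145052fd16cc222829ffe4c31e98314d219157271d87cb45
+data.tar.gz: 89b6b4a5707c3e4d5c562f8ce84b43be33b582a2a98480e7b7863231dc9d668a54496e340ed2677f7979abb7a0d38ee5b6016602d46ca4d6d9d5d354e776e2d7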
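--- a/data/README.md
+++ b/data/README.md
@@ -446,7 +446,7 @@ packager: 'puppetlabs'
 # GPG key ID of the signer
 gpg_key: '7F438280EF8D349F'
 # Whether to require tarball signing as a prerequisite of other package building
-sign_tar:
+sign_tar: false
 # a space separated list of mock configs. These are the rpm distributions to package for. If a noarch package, only one arch of each is needed.
 final_mocks: 'pl-el-5-i386 pl-el-5-x86_64 pl-el-6-i386 pl-el-6-x86_64 pl-fedora-16-i386 pl-fedora-16-x86_64 pl-fedora-17-i386 pl-fedora-17-x86_64'
 # The host that contains the yum repository to ship to
@@ -462,10 +462,10 @@ apt_repo_path: '/opt/repository/incoming'
 # The host that stores the tarballs for downloading
 tar_host: 'downloads.puppetlabs.com'
 # Whether to present the gem and apple tasks
-build_gem:
-build_dmg:
+build_gem: true
+build_dmg: true
 # Whether to execute the rdoc rake tasks prior to composing the tarball
-build_doc:
+build_doc: false
 # Whether to kick of a dynamic msi build job along side the uber_build
 # If present, a dynamically generated jenkins job will be kicked off.
 # The automation in puppet_for_the_win is used to build the msi with the
@@ -487,9 +487,9 @@ build_msi:
 repo: 'git://github.com/puppetlabs/puppet-win32-ruby.git'
 # Whether to present the Solaris 11 IPS packaging tasks
 # This requires suitable IPS packaging artifacts in the project in ext/ips
-build_ips:
+build_ips: false
 # Whether this project is a PE project or not
-build_pe:
+build_pe: false
 # An optional task to execute pre-tarball composition. See the tasks in
 # the 'pretasks' directory
 pre_tar_task: 'package:vendor_gems'
@@ -657,7 +657,7 @@ files:
 * **package:apple**
 
 Use `PackageMaker` to create a pkg package inside a dmg. Requires 'sudo'
-privileges. `build_dmg:
+privileges. `build_dmg: true` must be set in `ext/build_defaults.yaml`.
 Packages are staged in ./pkg/apple. See the Mac packaging section of
 [Setting up projects for the Packaging
 Repo](https://github.com/MosesMendoza/packaging/tree/more_documentation#setting-up-projects-for-the-packaging-repo).
@@ -677,7 +677,7 @@ files:
 
 * **package:gem**
 Use the `rubygems/package_task` library to create a rubygem from the
-repository. Requires `build_gem:
+repository. Requires `build_gem: true` and gem-related parameters be set in
 `ext/build_defaults.yaml` and `ext/project\_data.yaml`. The gem is staged
 in `./pkg`.
 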
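--- a/data/lib/packaging/sign/rpm.rb
+++ b/data/lib/packaging/sign/rpm.rb
@@ -34,7 +34,81 @@ module Pkg::Sign::Rpm
 end
 
 def has_sig?(rpm)
-
-
+# This should allow the `Pkg::Util::Gpg.key` method to fail if gpg_key is
+# not set, before shelling out. We also only want the short key, all
+# lowercase, since that's what the `rpm -Kv` output uses.
+key = Pkg::Util::Gpg.key.downcase.chars.last(8).join
+signature_check_output = %x(rpm --checksig --verbose #{rpm})
+# If the signing key has not been loaded on the system this is running on,
+# the check will exit 1, even if the rpm is signed, so we can't use capture3,
+# which bails out with non-0 exit codes. Instead, check that the output
+# looks more-or-less how we expect it to.
+fail "Something went wrong checking the signature of #{rpm}." unless signature_check_output.include? "Header"
+return signature_check_output.include? "key ID #{key}"
+end
+
+def sign_all(rpm_directory)
+# Create a hash mapping full paths to basenames.
+# This will allow us to keep track of the different paths that may be
+# associated with a single basename, e.g. noarch packages.
+all_rpms = {}
+rpms_to_sign = Dir["#{rpm_directory}/**/*.rpm"]
+rpms_to_sign.each do |rpm_path|
+all_rpms[rpm_path] = File.basename(rpm_path)
+end
+# Delete a package, both from the signing server and from the rpm array, if
+# there are other packages with the same basename so that we only sign the
+# package once.
+all_rpms.each do |rpm_path, rpm_filename|
+if rpms_to_sign.map { |rpm| File.basename(rpm) }.count(rpm_filename) > 1
+FileUtils.rm(rpm_path)
+rpms_to_sign.delete(rpm_path)
+end
+end
+
+v3_rpms = []
+v4_rpms = []
+rpms_to_sign.each do |rpm|
+if has_sig? rpm
+puts "#{rpm} is already signed, skipping . . ."
+next
+end
+platform_tag = Pkg::Paths.tag_from_artifact_path(rpm)
+platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
+
+# We don't sign AIX rpms
+next if platform_tag.include?('aix')
+
+case Pkg::Platforms.signature_format_for_platform_version(platform, version)
+when 'v3'
+v3_rpms << rpm
+when 'v4'
+v4_rpms << rpm
+else
+fail "Cannot find signature type for package '#{rpm}'"
+end
+end
+
+unless v3_rpms.empty?
+puts "Signing legacy (v3) rpms..."
+legacy_sign(v3_rpms.join(' '))
+end
+
+unless v4_rpms.empty?
+puts "Signing modern (v4) rpms..."
+sign(v4_rpms.join(' '))
+end
+
+# Using the map of paths to basenames, we re-hardlink the rpms we deleted.
+all_rpms.each do |link_path, rpm_filename|
+next if File.exist? link_path
+FileUtils.mkdir_p(File.dirname(link_path))
+# Find paths where the signed rpm has the same basename, but different
+# full path, as the one we need to link.
+paths_to_link_to = rpms_to_sign.select { |rpm| File.basename(rpm) == rpm_filename && rpm != link_path }
+paths_to_link_to.each do |path|
+FileUtils.ln(path, link_path, :force => true, :verbose => true)
+end
+end
 end
 end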
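Review bot: In `has_sig?` the rpm path is interpolated unquoted into a shell string, `%x(rpm --checksig --verbose #{rpm})`, and `sign_all` calls it for every path matched by `Dir["#{rpm_directory}/**/*.rpm"]`, so a file name containing spaces or shell metacharacters is interpreted by the shell instead of being passed as one argument. Escaping the argument keeps the backtick call that the spec stubs: `signature_check_output = %x(rpm --checksig --verbose #{Shellwords.escape(rpm)})`, with `require 'shellwords'` at the top of the file. The space-joined lists handed to `legacy_sign` and `sign` have the same weakness if those methods, which are defined outside this hunk, build a command line from the string. `has_sig?` also returns true whenever the output names the 8-character short key ID, including the `NOKEY` case in which rpm verified nothing, so it deserves a comment such as `# True when a signature naming our short key ID is present; does not verify the signature.` now that `sign_all` skips such packages.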
@@ -58,7 +58,7 @@ module Pkg::Util::Execution
|
|
58
58
|
# Loop a block up to the number of attempts given, exiting when we receive success
|
59
59
|
# or max attempts is reached. Raise an exception unless we've succeeded.
|
60
60
|
def retry_on_fail(args, &blk)
|
61
|
-
success =
|
61
|
+
success = false
|
62
62
|
exception = ''
|
63
63
|
|
64
64
|
if args[:times].respond_to?(:times) and block_given?
|
@@ -69,7 +69,7 @@ module Pkg::Util::Execution
|
|
69
69
|
|
70
70
|
begin
|
71
71
|
blk.call
|
72
|
-
success =
|
72
|
+
success = true
|
73
73
|
break
|
74
74
|
rescue => err
|
75
75
|
puts "An error was encountered evaluating block. Retrying.."
|
data/lib/packaging/util/gpg.rb
CHANGED
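--- a/data/lib/packaging/util/net.rb
+++ b/data/lib/packaging/util/net.rb
@@ -361,7 +361,7 @@ git clone --recursive /tmp/#{tarball_name} /tmp/#{Pkg::Config.project}-#{appendi
 cd /tmp/#{Pkg::Config.project}-#{appendix} ;
 bundle_prefix= ;
 if [[ -r Gemfile ]]; then
-
+#{remote_bundle_install_command}
 bundle_prefix='bundle exec' ;
 fi ;
 $bundle_prefix rake package:bootstrap
@@ -370,6 +370,12 @@ DOC
 "/tmp/#{Pkg::Config.project}-#{appendix}"
 end
 
+def remote_bundle_install_command
+export_packaging_location = ''
+export_packaging_location = "export PACKAGING_LOCATION=#{ENV['PACKAGING_LOCATION']};" if ENV['PACKAGING_LOCATION'] && !ENV['PACKAGING_LOCATION'].empty?
+command = "source /usr/local/rvm/scripts/rvm; rvm use ruby-2.4.1; #{export_packaging_location} bundle install --path .bundle/gems ;"
+end
+
 # Given a BuildInstance object and a host, send its params to the host. Return
 # the remote path to the params.
 def remote_buildparams(host, build)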
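Review bot: `remote_bundle_install_command` splices `ENV['PACKAGING_LOCATION']` unquoted into a string that its callers embed in a remote shell script, so a value containing whitespace, `;` or `$(...)` alters the command rather than being exported as data. Escape it at the point of interpolation, `"export PACKAGING_LOCATION=#{Shellwords.escape(ENV['PACKAGING_LOCATION'])};"`, with `require 'shellwords'` among the file's requires. The final `command = "..."` assigns a local that is never read; the string can simply be the method's last expression. The hard-coded `/usr/local/rvm/scripts/rvm` and `ruby-2.4.1` merit a comment, since the rake tasks that call this method now depend on that interpreter being present on every remote host.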
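--- a/data/lib/packaging/util.rb
+++ b/data/lib/packaging/util.rb
@@ -22,8 +22,8 @@ module Pkg::Util
 require 'packaging/util/git_tags'
 
 def self.boolean_value(var)
-return
-
+return true if var == true || ( var.is_a?(String) && ( var.downcase == 'true' || var.downcase =~ /^y$|^yes$/))
+return false
 end
 
 def self.in_project_root(&blk)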
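Review bot: The pattern in `boolean_value`, `/^y$|^yes$/`, uses line anchors, so a multi-line string such as "no\nyes" is accepted as true because one of its lines matches. Anchoring to the whole string closes that: `var.downcase =~ /\A(?:y|yes)\z/`. The method would also read more clearly with a one-line comment listing the accepted spellings (`true`, `'true'`, `'y'`, `'yes'`, case-insensitive) and stating that everything else, including `nil`, is false.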
@@ -168,10 +168,10 @@ describe "Pkg::Config" do
|
|
168
168
|
end
|
169
169
|
end
|
170
170
|
|
171
|
-
mixed_params = { :sign_tar =>
|
171
|
+
mixed_params = { :sign_tar => true, :baz => 'qux' }
|
172
172
|
context "given a hash with both valid and invalid params" do
|
173
173
|
it "should set the valid param" do
|
174
|
-
Pkg::Config.should_receive(:instance_variable_set).with("@sign_tar",
|
174
|
+
Pkg::Config.should_receive(:instance_variable_set).with("@sign_tar", true)
|
175
175
|
Pkg::Config.config_from_hash(mixed_params)
|
176
176
|
end
|
177
177
|
|
@@ -190,7 +190,7 @@ describe "Pkg::Config" do
|
|
190
190
|
describe "#params" do
|
191
191
|
it "should return a hash containing keys for all build parameters" do
|
192
192
|
params = Pkg::Config.config
|
193
|
-
Build_Params.each { |param| params.has_key?(param).should ==
|
193
|
+
Build_Params.each { |param| params.has_key?(param).should == true }
|
194
194
|
end
|
195
195
|
end
|
196
196
|
|
@@ -0,0 +1,136 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
require 'packaging/sign'
|
3
|
+
|
4
|
+
describe 'Pkg::Sign' do
|
5
|
+
describe 'Pkg::Sign::Rpm' do
|
6
|
+
|
7
|
+
before :each do
|
8
|
+
allow(Pkg::Config).to receive(:gpg_key).and_return('7F438280EF8D349F')
|
9
|
+
end
|
10
|
+
|
11
|
+
describe '#has_sig?' do
|
12
|
+
let(:rpm) { 'foo.rpm' }
|
13
|
+
let(:el7_signed_response) { <<-DOC
|
14
|
+
Header V4 RSA/SHA256 Signature, key ID ef8d349f: NOKEY
|
15
|
+
Header SHA1 digest: OK (3cb7e9861e8bc09783a1b6c8d88243a3c16daa81)
|
16
|
+
V4 RSA/SHA256 Signature, key ID ef8d349f: NOKEY
|
17
|
+
MD5 digest: OK (d5f06ba2a9053de532326d0659ec0d11)
|
18
|
+
DOC
|
19
|
+
}
|
20
|
+
let(:el5_signed_response) { <<-DOC
|
21
|
+
Header V3 RSA/SHA1 signature: NOKEY, key ID ef8d349f
|
22
|
+
Header SHA1 digest: OK (12ea7bd578097a3aecc5deb8ada6aca6147d68e3)
|
23
|
+
V3 RSA/SHA1 signature: NOKEY, key ID ef8d349f
|
24
|
+
MD5 digest: OK (27353c6153068a3c9902fcb4ad5b8b92)
|
25
|
+
DOC
|
26
|
+
}
|
27
|
+
let(:sles12_signed_response) { <<-DOC
|
28
|
+
Header V4 RSA/SHA256 Signature, key ID ef8d349f: NOKEY
|
29
|
+
Header SHA1 digest: OK (e713487cf21ebeb933aefd5ec9211a34603233d2)
|
30
|
+
V4 RSA/SHA256 Signature, key ID ef8d349f: NOKEY
|
31
|
+
MD5 digest: OK (3093a09ac39bc17751f913e19ca74432)
|
32
|
+
DOC
|
33
|
+
}
|
34
|
+
let(:unsigned_response) { <<-DOC
|
35
|
+
Header SHA1 digest: OK (f9404cc95f200568c2dbb1fd24e1119e3e4a40a9)
|
36
|
+
MD5 digest: OK (816095f3cee145091c3fa07a0915ce85)
|
37
|
+
DOC
|
38
|
+
}
|
39
|
+
it 'returns true if rpm has been signed (el7)' do
|
40
|
+
allow(Pkg::Sign::Rpm).to receive(:`).and_return(el7_signed_response)
|
41
|
+
expect(Pkg::Sign::Rpm.has_sig?(rpm)).to be true
|
42
|
+
end
|
43
|
+
it 'returns true if rpm has been signed (el5)' do
|
44
|
+
allow(Pkg::Sign::Rpm).to receive(:`).and_return(el5_signed_response)
|
45
|
+
expect(Pkg::Sign::Rpm.has_sig?(rpm)).to be true
|
46
|
+
end
|
47
|
+
it 'returns true if rpm has been signed (sles12)' do
|
48
|
+
allow(Pkg::Sign::Rpm).to receive(:`).and_return(sles12_signed_response)
|
49
|
+
expect(Pkg::Sign::Rpm.has_sig?(rpm)).to be true
|
50
|
+
end
|
51
|
+
it 'returns false if rpm has not been signed' do
|
52
|
+
allow(Pkg::Sign::Rpm).to receive(:`).and_return(unsigned_response)
|
53
|
+
expect(Pkg::Sign::Rpm.has_sig?(rpm)).to be false
|
54
|
+
end
|
55
|
+
it 'fails with unexpected output' do
|
56
|
+
allow(Pkg::Sign::Rpm).to receive(:`).and_return('something that is definitely not a normal response')
|
57
|
+
expect { Pkg::Sign::Rpm.has_sig?(rpm) }.to raise_error(RuntimeError, /Something went wrong checking the signature/)
|
58
|
+
end
|
59
|
+
it 'fails if gpg_key is not set' do
|
60
|
+
allow(Pkg::Config).to receive(:gpg_key).and_return(nil)
|
61
|
+
expect { Pkg::Sign::Rpm.has_sig?(rpm) }.to raise_error(RuntimeError, /You need to set `gpg_key` in your build defaults./)
|
62
|
+
end
|
63
|
+
end
|
64
|
+
|
65
|
+
describe '#sign_all' do
|
66
|
+
let(:rpm_directory) { 'foo' }
|
67
|
+
let(:rpms_not_to_sign) { [
|
68
|
+
"#{rpm_directory}/aix/6.1/PC1/ppc/puppet-agent-5.5.3-1.aix6.1.ppc.rpm",
|
69
|
+
"#{rpm_directory}/aix/7.1/PC1/ppc/puppet-agent-5.5.3-1.aix7.1.ppc.rpm",
|
70
|
+
] }
|
71
|
+
let(:v3_rpms) { [
|
72
|
+
"#{rpm_directory}/el/5/PC1/i386/puppet-agent-5.5.3-1.el5.i386.rpm",
|
73
|
+
"#{rpm_directory}/sles/11/PC1/x86_64/puppet-agent-5.5.3-1.sles11.x86_64.rpm",
|
74
|
+
] }
|
75
|
+
let(:v4_rpms) { [
|
76
|
+
"#{rpm_directory}/el/7/PC1/aarch64/puppet-agent-5.5.3-1.el7.aarch64.rpm",
|
77
|
+
"#{rpm_directory}/sles/12/PC1/s390x/puppet-agent-5.5.3-1.sles12.s390x.rpm",
|
78
|
+
] }
|
79
|
+
let(:rpms) { rpms_not_to_sign + v3_rpms + v4_rpms }
|
80
|
+
let(:already_signed_rpms) { [
|
81
|
+
"#{rpm_directory}/cisco-wrlinux/7/PC1/x86_64/puppet-agent-5.5.3-1.cisco_wrlinux7.x86_64.rpm",
|
82
|
+
"#{rpm_directory}/el/6/PC1/x86_64/puppet-agent-5.5.3-1.el6.x86_64.rpm",
|
83
|
+
] }
|
84
|
+
let(:noarch_rpms) { [
|
85
|
+
"#{rpm_directory}/el/6/puppet5/i386/puppetserver-5.3.3-1.el6.noarch.rpm",
|
86
|
+
"#{rpm_directory}/el/6/puppet5/x86_64/puppetserver-5.3.3-1.el6.noarch.rpm",
|
87
|
+
"#{rpm_directory}/el/7/puppet5/i386/puppetserver-5.3.3-1.el7.noarch.rpm",
|
88
|
+
"#{rpm_directory}/el/7/puppet5/x86_64/puppetserver-5.3.3-1.el7.noarch.rpm",
|
89
|
+
"#{rpm_directory}/sles/12/puppet5/i386/puppetserver-5.3.3-1.sles12.noarch.rpm",
|
90
|
+
"#{rpm_directory}/sles/12/puppet5/x86_64/puppetserver-5.3.3-1.sles12.noarch.rpm"
|
91
|
+
] }
|
92
|
+
|
93
|
+
it 'signs both v3 and v4 rpms' do
|
94
|
+
allow(Dir).to receive(:[]).with("#{rpm_directory}/**/*.rpm").and_return(rpms)
|
95
|
+
rpms.each do |rpm|
|
96
|
+
allow(Pkg::Sign::Rpm).to receive(:has_sig?).and_return(false)
|
97
|
+
end
|
98
|
+
expect(Pkg::Sign::Rpm).to receive(:legacy_sign).with(v3_rpms.join(' '))
|
99
|
+
expect(Pkg::Sign::Rpm).to receive(:sign).with(v4_rpms.join(' '))
|
100
|
+
Pkg::Sign::Rpm.sign_all(rpm_directory)
|
101
|
+
end
|
102
|
+
|
103
|
+
it 'does not sign AIX rpms' do
|
104
|
+
allow(Dir).to receive(:[]).with("#{rpm_directory}/**/*.rpm").and_return(rpms_not_to_sign)
|
105
|
+
allow(Pkg::Sign::Rpm).to receive(:has_sig?)
|
106
|
+
expect(Pkg::Sign::Rpm).to_not receive(:legacy_sign)
|
107
|
+
expect(Pkg::Sign::Rpm).to_not receive(:sign)
|
108
|
+
Pkg::Sign::Rpm.sign_all(rpm_directory)
|
109
|
+
end
|
110
|
+
|
111
|
+
it 'does not sign already-signed rpms' do
|
112
|
+
allow(Dir).to receive(:[]).with("#{rpm_directory}/**/*.rpm").and_return(already_signed_rpms)
|
113
|
+
already_signed_rpms.each do |rpm|
|
114
|
+
allow(Pkg::Sign::Rpm).to receive(:has_sig?).and_return(true)
|
115
|
+
end
|
116
|
+
expect(Pkg::Sign::Rpm).to_not receive(:legacy_sign)
|
117
|
+
expect(Pkg::Sign::Rpm).to_not receive(:sign)
|
118
|
+
Pkg::Sign::Rpm.sign_all(rpm_directory)
|
119
|
+
end
|
120
|
+
|
121
|
+
it 'deletes and relinks rpms with the same basename' do
|
122
|
+
allow(Dir).to receive(:[]).with("#{rpm_directory}/**/*.rpm").and_return(noarch_rpms)
|
123
|
+
allow(Pkg::Sign::Rpm).to receive(:sign)
|
124
|
+
allow(Pkg::Sign::Rpm).to receive(:has_sig?)
|
125
|
+
expect(FileUtils).to receive(:rm).exactly(noarch_rpms.count/2).times
|
126
|
+
expect(FileUtils).to receive(:ln).exactly(noarch_rpms.count/2).times
|
127
|
+
Pkg::Sign::Rpm.sign_all(rpm_directory)
|
128
|
+
end
|
129
|
+
|
130
|
+
it 'does not fail if there are no rpms to sign' do
|
131
|
+
allow(Dir).to receive(:[]).with("#{rpm_directory}/**/*.rpm").and_return([])
|
132
|
+
expect(Pkg::Sign::Rpm.sign_all(rpm_directory)).to_not raise_error
|
133
|
+
end
|
134
|
+
end
|
135
|
+
end
|
136
|
+
end
|
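Review bot: The last example, `expect(Pkg::Sign::Rpm.sign_all(rpm_directory)).to_not raise_error`, hands a value to a matcher that needs a block, so it does not test what its description says; it should read `expect { Pkg::Sign::Rpm.sign_all(rpm_directory) }.to_not raise_error`. The `#sign_all` examples stub `Dir.[]`, `has_sig?`, `sign` and `legacy_sign` but not `File.exist?` or `FileUtils.mkdir_p`, so as far as this hunk shows the relinking loop runs against the real filesystem and creates directories under `foo/` in the working directory; adding `allow(FileUtils).to receive(:mkdir_p)` to the `#sign_all` group would keep the spec hermetic. The `rpms.each` and `already_signed_rpms.each` loops around `allow(Pkg::Sign::Rpm).to receive(:has_sig?)` set the same stub repeatedly and can each be a single `allow`.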
@@ -24,7 +24,7 @@ describe "Pkg::Util::Gpg" do
|
|
24
24
|
|
25
25
|
describe '#kill_keychain' do
|
26
26
|
it "doesn't reload the keychain if already loaded" do
|
27
|
-
Pkg::Util::Gpg.instance_variable_set("@keychain_loaded",
|
27
|
+
Pkg::Util::Gpg.instance_variable_set("@keychain_loaded", true)
|
28
28
|
Pkg::Util::Gpg.should_receive(:kill_keychain).never
|
29
29
|
Pkg::Util::Gpg.should_receive(:start_keychain).never
|
30
30
|
Pkg::Util::Gpg.load_keychain
|
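--- a/data/tasks/nightly_repos.rake
+++ b/data/tasks/nightly_repos.rake
@@ -25,7 +25,7 @@ namespace :pl do
 cd #{remote_repo} ;
 bundle_prefix= ;
 if [[ -r Gemfile ]]; then
-
+#{Pkg::Util::Net.remote_bundle_install_command}
 bundle_prefix='bundle exec';
 fi ;
 $bundle_prefix rake pl:jenkins:sign_repos GPG_KEY=#{Pkg::Util::Gpg.key} PARAMS_FILE=#{build_params}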
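--- a/data/tasks/sign.rake
+++ b/data/tasks/sign.rake
@@ -38,67 +38,8 @@ namespace :pl do
 
 desc "Sign mocked rpms, Defaults to PL Key, pass GPG_KEY to override"
 task :sign_rpms, :root_dir do |t, args|
-
-
-# Create a hash mapping full paths to basenames.
-# This will allow us to keep track of the different paths that may be
-# associated with a single basename, e.g. noarch packages.
-all_rpms = {}
-rpms_to_sign = Dir["#{rpm_dir}/**/*.rpm"]
-rpms_to_sign.each do |rpm_path|
-all_rpms[rpm_path] = File.basename(rpm_path)
-end
-# Delete a package, both from the signing server and from the rpm array, if
-# there are other packages with the same basename so that we only sign the
-# package once.
-all_rpms.each do |rpm_path, rpm_filename|
-if rpms_to_sign.map { |rpm| File.basename(rpm) }.count(rpm_filename) > 1
-FileUtils.rm(rpm_path)
-rpms_to_sign.delete(rpm_path)
-end
-end
-
-v3_rpms = []
-v4_rpms = []
-rpms_to_sign.each do |rpm|
-platform_tag = Pkg::Paths.tag_from_artifact_path(rpm)
-platform, version, _ = Pkg::Platforms.parse_platform_tag(platform_tag)
-
-# We don't sign AIX rpms
-next if platform_tag.include?('aix')
-
-sig_type = Pkg::Platforms.signature_format_for_platform_version(platform, version)
-case sig_type
-when 'v3'
-v3_rpms << rpm
-when 'v4'
-v4_rpms << rpm
-else
-fail "Cannot find signature type for package '#{rpm}'"
-end
-end
-
-unless v3_rpms.empty?
-puts "Signing old rpms..."
-Pkg::Sign::Rpm.legacy_sign(v3_rpms.join(' '))
-end
-
-unless v4_rpms.empty?
-puts "Signing modern rpms..."
-Pkg::Sign::Rpm.sign(v4_rpms.join(' '))
-end
-
-# Using the map of paths to basenames, we re-hardlink the rpms we deleted.
-all_rpms.each do |link_path, rpm_filename|
-next if File.exist? link_path
-FileUtils.mkdir_p(File.dirname(link_path))
-# Find paths where the signed rpm has the same basename, but different
-# full path, as the one we need to link.
-paths_to_link_to = rpms_to_sign.select { |rpm| File.basename(rpm) == rpm_filename && rpm != link_path }
-paths_to_link_to.each do |path|
-FileUtils.ln(path, link_path, :force => true, :verbose => true)
-end
-end
+rpm_directory = args.root_dir || $DEFAULT_DIRECTORY
+Pkg::Sign::Rpm.sign_all(rpm_directory)
 end
 
 desc "Sign ips package, uses PL certificates by default, update privatekey_pem, certificate_pem, and ips_inter_cert in build_defaults.yaml to override."
@@ -120,7 +61,7 @@ namespace :pl do
 desc "Check if all rpms are signed"
 task :check_rpm_sigs, :root_dir do |_t, args|
 rpm_dir = args.root_dir || $DEFAULT_DIRECTORY
-signed =
+signed = true
 rpms = Dir["#{rpm_dir}/**/*.rpm"]
 print 'Checking rpm signatures'
 rpms.each do |rpm|
@@ -128,7 +69,7 @@ namespace :pl do
 print '.'
 else
 puts "#{rpm} is unsigned."
-signed =
+signed = false
 end
 end
 fail unless signed
@@ -200,7 +141,7 @@ namespace :pl do
 cd #{remote_repo} ;
 bundle_prefix= ;
 if [[ -r Gemfile ]]; then
-
+#{Pkg::Util::Net.remote_bundle_install_command}
 bundle_prefix='bundle exec';
 fi ;
 $bundle_prefix rake #{sign_tasks.map { |task| task + "[#{root_dir}]" }.join(" ")} PARAMS_FILE=#{build_params}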
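--- a/data/templates/packaging.xml.erb
+++ b/data/templates/packaging.xml.erb
@@ -146,6 +146,9 @@ pushd project
 pushd git_repo
 
 ### Clone the packaging repo
+<% if ENV['PACKAGING_LOCATION'] && !ENV['PACKAGING_LOCATION'].empty? %>
+export PACKAGING_LOCATION="<%= ENV['PACKAGING_LOCATION'] %>"
+<% end %>
 bundle install --path .bundle/gems --binstubs .bundle/bin --retry 3
 
 ### Perform the build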
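Review bot: The added `export PACKAGING_LOCATION="<%= ENV['PACKAGING_LOCATION'] %>"` writes the environment value into a shell script inside the job XML with no escaping, so a `"`, `$` or backtick in the value changes the script and a `&` or `<` would break the XML, unless escaping happens somewhere outside this hunk. Rendering it shell- and XML-escaped, without the surrounding quotes, avoids both: `export PACKAGING_LOCATION=<%= CGI.escapeHTML(Shellwords.escape(ENV['PACKAGING_LOCATION'])) %>`. The identical three lines added to `data/templates/repo.xml.erb` need the same treatment.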
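--- a/data/templates/repo.xml.erb
+++ b/data/templates/repo.xml.erb
@@ -71,6 +71,9 @@ if [ $PACKAGE_BUILD_RESULT -eq 0 ] ; then
 pushd git_repo
 
 ### Clone the packaging repo
+<% if ENV['PACKAGING_LOCATION'] && !ENV['PACKAGING_LOCATION'].empty? %>
+export PACKAGING_LOCATION="<%= ENV['PACKAGING_LOCATION'] %>"
+<% end %>
 bundle install --path .bundle/gems --binstubs .bundle/bin --retry 3
 
 ### Run repo creation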
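--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: packaging
 version: !ruby/object:Gem::Version
-version: 0.99.
+version: 0.99.12
 platform: ruby
 authors:
 - Puppet Labs
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-09-
+date: 2018-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rspec
@@ -146,6 +146,7 @@ files:
 - spec/lib/packaging/repo_spec.rb
 - spec/lib/packaging/retrieve_spec.rb
 - spec/lib/packaging/rpm/repo_spec.rb
+- spec/lib/packaging/sign_spec.rb
 - spec/lib/packaging/tar_spec.rb
 - spec/lib/packaging/util/execution_spec.rb
 - spec/lib/packaging/util/file_spec.rb
@@ -222,7 +223,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.
+rubygems_version: 2.6.9
 signing_key:
 specification_version: 4
 summary: Puppet Labs' packaging automation
@@ -236,6 +237,7 @@ test_files:
 - spec/lib/packaging/repo_spec.rb
 - spec/lib/packaging/retrieve_spec.rb
 - spec/lib/packaging/rpm/repo_spec.rb
+- spec/lib/packaging/sign_spec.rb
 - spec/lib/packaging/tar_spec.rb
 - spec/lib/packaging/util/execution_spec.rb
 - spec/lib/packaging/util/file_spec.rb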