packaging 0.99.2 → 0.99.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b096423bbbe6f7b90a9ad4eae12da125c056733c
-  data.tar.gz: 370b0e6f7c4869871a187ef12396a1728f3ba193
+  metadata.gz: b3d51003d5651ebf7f787b4e7521d3106b4b6cbd
+  data.tar.gz: 74cc5216e07712f93115445bba1bb254cb98ae69
 SHA512:
-  metadata.gz: d634374753ae4ad76adecc223002f66b2796f6b265aae22145a570f52f90c9f0179d647beac93dca131e0c300c99a52aea59ad10ff632fd5db92aef3bc1838e7
-  data.tar.gz: a095f56daa4e019ef33fbc71505d31e7bb83f066a116e87eca86eb111474b21e2ba3f21b54582db6449327ed223493421a0560435aad4f3df87ae038ce8ab381
+  metadata.gz: 59a10ab93c4cf6fc589f913b7a7e364180a675d3f74ffa145e9469747ae83ac534810083377eae4dbea6920deff67b21428b5ac111ece7fa8c32bc5edc3616a4
+  data.tar.gz: 32a6cc69cf70489512ed4648a1411a7f1c7ad5d931163be83d63e263993053ecec972d8a6375289f03b92fa610a34c6788253831b87c0d59740a20782b741fa6

data/lib/packaging.rb

@@ -12,14 +12,12 @@ module Pkg
   require 'packaging/tar'
   require 'packaging/deb'
   require 'packaging/rpm'
-  require 'packaging/osx'
-  require 'packaging/ips'
   require 'packaging/nuget'
   require 'packaging/gem'
-  require 'packaging/msi'
   require 'packaging/repo'
   require 'packaging/artifactory'
   require 'packaging/retrieve'
+  require 'packaging/sign'
 
   # Load configuration defaults
   Pkg::Config.load_defaults

data/lib/packaging/config.rb

@@ -375,17 +375,27 @@ module Pkg
       end
 
       def yum_target_path(feature_branch = false)
+        target_path = "#{Pkg::Config.yum_repo_path}/#{Pkg::Config.pe_version}"
+        # Target path is different for feature (PEZ) or release branches
         if feature_branch || Pkg::Config.pe_feature_branch
-          return "#{Pkg::Config.yum_repo_path}/#{Pkg::Config.pe_version}/feature/repos/"
+          return "#{target_path}/feature/repos/"
+        elsif Pkg::Config.pe_release_branch
+          return "#{target_path}/release/repos/"
+        else
+          return "#{target_path}/repos/"
         end
-        "#{Pkg::Config.yum_repo_path}/#{Pkg::Config.pe_version}/repos/"
       end
 
       def apt_target_path(feature_branch = false)
+        target_path = "#{Pkg::Config.apt_repo_path}/#{Pkg::Config.pe_version}"
+        # Target path is different for feature (PEZ) or release branches
         if feature_branch || Pkg::Config.pe_feature_branch
-          return "#{Pkg::Config.apt_repo_path}/#{Pkg::Config.pe_version}/feature/repos/"
+          return "#{target_path}/feature/repos/"
+        elsif Pkg::Config.pe_release_branch
+          return "#{target_path}/release/repos/"
+        else
+          return "#{target_path}/repos/"
         end
-        "#{Pkg::Config.apt_repo_path}/#{Pkg::Config.pe_version}/repos/"
       end
     end
   end

data/lib/packaging/config/params.rb

@@ -134,6 +134,7 @@ module Pkg::Params
                   :packaging_url,
                   :pbuild_conf,
                   :pe_feature_branch,
+                  :pe_release_branch,
                   :pe_name,
                   :pe_platforms,
                   :pe_version,
@@ -320,6 +321,7 @@ module Pkg::Params
               { :var => :msi_signing_cert,        :val => '$MSI_SIGNING_CERT' },
               { :var => :msi_signing_cert_pw,     :val => '$MSI_SIGNING_CERT_PW' },
               { :var => :pe_feature_branch,       :val => false },
+              { :var => :pe_release_branch,       :val => false },
               { :var => :s3_ship,                 :val => false },
               { :var => :apt_releases,            :val => Pkg::Platforms.codenames }]
 

data/lib/packaging/platforms.rb

@@ -485,6 +485,14 @@ module Pkg::Platforms # rubocop:disable Metrics/ModuleLength
     platform_tags
   end
 
+  # Return a supported platform tag for the given platform, not caring about
+  # version or architecture
+  def generic_platform_tag(platform)
+    version = versions_for_platform(platform).first
+    arch = arches_for_platform_version(platform, version).first
+    return "#{platform}-#{version}-#{arch}"
+  end
+
   # @method by_deb
   # @return [Array] An Array of Strings, containing all platforms
   #   that use .deb packages

data/lib/packaging/repo.rb

@@ -51,5 +51,26 @@ module Pkg::Repo
     rescue => e
       fail "Could not populate repos directory in #{Pkg::Config.distribution_server}:#{artifact_parent_directory}"
     end
+
+    def argument_required?(argument_name, repo_command)
+      repo_command.include?("__#{argument_name.upcase}__")
+    end
+
+    def update_repo(remote_host, command, options = {})
+      fail_message = "Missing required argument '%s', update your build_defaults?"
+      [:repo_name, :repo_path, :repo_host, :repo_url].each do |option|
+        fail fail_message % option.to_s if argument_required?(option.to_s, command) && !options[option]
+      end
+
+      whitelist = {
+        __REPO_NAME__: options[:repo_name],
+        __REPO_PATH__: options[:repo_path],
+        __REPO_HOST__: options[:repo_host],
+        __REPO_URL__: options[:repo_url],
+        __APT_PLATFORMS__: Pkg::Config.apt_releases.join(' '),
+        __GPG_KEY__: Pkg::Util::Gpg.key
+      }
+      Pkg::Util::Net.remote_ssh_cmd(remote_host, Pkg::Util::Misc.search_and_replace(command, whitelist))
+    end
   end
 end

data/lib/packaging/retrieve.rb

@@ -48,24 +48,24 @@ module Pkg::Retrieve
     unless Pkg::Config.foss_platforms
       fail "FOSS_ONLY specified, but I don't know anything about FOSS_PLATFORMS. Retrieve cancelled."
     end
-    default_wget(local_target, "#{build_url}/artifacts/", { 'level' => 1 })
+    default_wget(local_target, "#{build_url}/", { 'level' => 1 })
     yaml_path = File.join(local_target, "#{Pkg::Config.ref}.yaml")
     unless File.readable?(yaml_path)
       fail "Couldn't read #{Pkg::Config.ref}.yaml, which is necessary for FOSS_ONLY. Retrieve cancelled."
     end
     platform_data = Pkg::Util::Serialization.load_yaml(yaml_path)[:platform_data]
     platform_data.each do |platform, paths|
-      default_wget(local_target, "#{build_url}/artifacts/#{paths[:artifact]}") if Pkg::Config.foss_platforms.include?(platform)
+      default_wget(local_target, "#{build_url}/#{paths[:artifact]}") if Pkg::Config.foss_platforms.include?(platform)
     end
   end
 
-  def retrieve_all(build_url, rsync_path, remote_target, local_target)
+  def retrieve_all(build_url, rsync_path, local_target)
     if Pkg::Util::Tool.find_tool("wget")
-      default_wget(local_target, "#{build_url}/#{remote_target}/")
+      default_wget(local_target, "#{build_url}/")
     else
       warn "Could not find `wget` tool. Falling back to rsyncing from #{Pkg::Config.distribution_server}."
       begin
-        Pkg::Util::Net.rsync_from("#{rsync_path}/#{remote_target}/", Pkg::Config.distribution_server, "#{local_target}/")
+        Pkg::Util::Net.rsync_from("#{rsync_path}/", Pkg::Config.distribution_server, "#{local_target}/")
       rescue => e
         fail "Couldn't rsync packages from distribution server.\n#{e}"
       end

data/lib/packaging/sign.rb

@@ -0,0 +1,8 @@
+module Pkg::Sign
+  require 'packaging/sign/deb'
+  require 'packaging/sign/dmg'
+  require 'packaging/sign/ips'
+  require 'packaging/sign/msi'
+  require 'packaging/sign/rpm'
+  module_function
+end

data/lib/packaging/sign/deb.rb

@@ -0,0 +1,9 @@
+module Pkg::Sign::Deb
+  module_function
+
+  def sign_changes(file)
+    # Lazy lazy lazy lazy lazy
+    sign_program = "-p'gpg --use-agent --no-tty'" if ENV['RPM_GPG_AGENT']
+    Pkg::Util::Execution.capture3("debsign #{sign_program} --re-sign -k#{Pkg::Config.gpg_key} #{file}")
+  end
+end

data/lib/packaging/sign/dmg.rb

@@ -0,0 +1,36 @@
+module Pkg::Sign::Dmg
+  module_function
+
+  def sign(target_dir = 'pkg')
+    use_identity = "-i #{Pkg::Config.osx_signing_ssh_key}" unless Pkg::Config.osx_signing_ssh_key.nil?
+
+    if Pkg::Config.osx_signing_server =~ /@/
+      host_string = "#{Pkg::Config.osx_signing_server}"
+    else
+      host_string = "#{ENV['USER']}@#{Pkg::Config.osx_signing_server}"
+    end
+    ssh_host_string = "#{use_identity} #{host_string}"
+    rsync_host_string = "-e 'ssh #{use_identity}' #{host_string}"
+
+    work_dir  = "/tmp/#{Pkg::Util.rand_string}"
+    mount     = File.join(work_dir, "mount")
+    signed    = File.join(work_dir, "signed")
+    Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p #{mount} #{signed}")
+    dmgs = Dir.glob("#{target_dir}/apple/**/*.dmg")
+    Pkg::Util::Net.rsync_to(dmgs.join(" "), rsync_host_string, work_dir)
+    Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, %Q[for dmg in #{dmgs.map { |d| File.basename(d, ".dmg") }.join(" ")}; do
+      /usr/bin/hdiutil attach #{work_dir}/$dmg.dmg -mountpoint #{mount} -nobrowse -quiet ;
+      /usr/bin/security -q unlock-keychain -p "#{Pkg::Config.osx_signing_keychain_pw}" "#{Pkg::Config.osx_signing_keychain}" ;
+        for pkg in $(ls #{mount}/*.pkg | xargs -n 1 basename); do
+          /usr/bin/productsign --keychain "#{Pkg::Config.osx_signing_keychain}" --sign "#{Pkg::Config.osx_signing_cert}" #{mount}/$pkg #{signed}/$pkg ;
+        done
+      /usr/bin/hdiutil detach #{mount} -quiet ;
+      /bin/rm #{work_dir}/$dmg.dmg ;
+      /usr/bin/hdiutil create -volname $dmg -srcfolder #{signed}/ #{work_dir}/$dmg.dmg ;
+      /bin/rm #{signed}/* ; done])
+    dmgs.each do | dmg |
+      Pkg::Util::Net.rsync_from("#{work_dir}/#{File.basename(dmg)}", rsync_host_string, File.dirname(dmg))
+    end
+    Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -d '#{work_dir}' ]; then rm -rf '#{work_dir}'; fi")
+  end
+end

data/lib/packaging/sign/ips.rb

@@ -0,0 +1,57 @@
+module Pkg::Sign::Ips
+  module_function
+
+  def sign(target_dir = 'pkg')
+    use_identity = "-i #{Pkg::Config.ips_signing_ssh_key}" unless Pkg::Config.ips_signing_ssh_key.nil?
+
+    ssh_host_string = "#{use_identity} #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
+    rsync_host_string = "-e 'ssh #{use_identity}' #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
+
+    p5ps = Dir.glob("#{target_dir}/solaris/11/**/*.p5p")
+
+    p5ps.each do |p5p|
+      work_dir     = "/tmp/#{Pkg::Util.rand_string}"
+      unsigned_dir = "#{work_dir}/unsigned"
+      repo_dir     = "#{work_dir}/repo"
+      signed_dir   = "#{work_dir}/pkgs"
+
+      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}")
+      Pkg::Util::Net.rsync_to(p5p, rsync_host_string, unsigned_dir)
+
+      # Before we can get started with signing packages we need to create a repo
+      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
+      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com")
+      # And import all the packages into the repo.
+      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{File.basename(p5p)} -d #{repo_dir} '*'")
+      # We are going to hard code the values for signing cert locations for now.
+      # This autmation will require an update to actually become reusable, but
+      # for now these values will stay this way so solaris signing will stop
+      # failing. Please update soon. 06/23/16
+      #
+      #            - Sean P. McDonald
+      #
+      # We sign the entire repo
+      sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2018.pem \
+                  -i /root/signing/Thawte_SHA256_Code_Signing_CA.pem \
+                  -i /root/signing/Thawte_Primary_Root_CA.pem \
+                  -k /root/signing/signing_key_2018.pem \
+                  -s 'file://#{work_dir}/repo' '*'"
+      puts "About to sign #{p5p} with #{sign_cmd} in #{work_dir}"
+      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, sign_cmd.squeeze(' '))
+      # pkgrecv with -a will pull packages out of the repo, so we need to do that too to actually get the packages we signed
+      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{File.basename(p5p)} -a -s #{repo_dir} '*'")
+      begin
+        # lets make sure we actually signed something?
+        # **NOTE** if we're repeatedly trying to sign the same version this
+        # might explode because I don't know how to reset the IPS cache.
+        # Everything is amazing.
+        Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{File.basename(p5p)} '*' | grep '^signature '")
+      rescue RuntimeError
+        raise "Looks like #{File.basename(p5p)} was not signed correctly, quitting!"
+      end
+      # and pull the packages back.
+      Pkg::Util::Net.rsync_from("#{signed_dir}/#{File.basename(p5p)}", rsync_host_string, File.dirname(p5p))
+      Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi")
+    end
+  end
+end

data/lib/packaging/sign/msi.rb

@@ -0,0 +1,89 @@
+module Pkg::Sign::Msi
+  module_function
+
+  def sign(target_dir = 'pkg')
+    use_identity = "-i #{Pkg::Config.msi_signing_ssh_key}" if Pkg::Config.msi_signing_ssh_key
+
+    ssh_host_string = "#{use_identity} Administrator@#{Pkg::Config.msi_signing_server}"
+    rsync_host_string = "-e 'ssh #{use_identity}' Administrator@#{Pkg::Config.msi_signing_server}"
+
+    work_dir = "Windows/Temp/#{Pkg::Util.rand_string}"
+    Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p C:/#{work_dir}")
+    msis = Dir.glob("#{target_dir}/windows/**/*.msi")
+    Pkg::Util::Net.rsync_to(msis.join(" "), rsync_host_string, "/cygdrive/c/#{work_dir}")
+
+    # Please Note:
+    # We are currently adding two signatures to the msi.
+    #
+    # Microsoft compatable Signatures are composed of three different
+    # elements.
+    #   1) The Certificate used to sign the package. This is the element that
+    #     is attached to organization. The certificate has an associated
+    #     algorithm. We recently (February 2016) had to switch from a sha1 to
+    #     a sha256 certificate. Sha1 was deprecated by many Microsoft
+    #     elements on 2016-01-01, which forced us to switch to a sha256 cert.
+    #     This sha256 certificate is recognized by all currently supported
+    #     windows platforms (Windows 8/Vista forward).
+    #   2) The signature used to attach the certificate to the package. This
+    #     can be a done with a variety of digest algorithms. Older platforms
+    #     (i.e., Windows 8 and Windows Vista) don't recognize later
+    #     algorithms like sha256.
+    #   3) The timestamp used to validate when the package was signed. This
+    #     comes from an external source and can be delivered with a variety
+    #     of digest algorithms. Older platforms do not recognize newer
+    #     algorithms like sha256.
+    #
+    # We could have only one signature with the Sha256 Cert, Sha1 Signature,
+    # and Sha1 Timestamp, but that would be too easy. The sha256 signature
+    # and timestamp add more security to our packages. We can't have only
+    # sha256 elements in our package signature, though, because Windows 8
+    # and Windows Vista just don't recognize them at all.
+    #
+    # In order to add two signatures to an MSI, we also need to change the
+    # tool we use to sign packages with. Previously, we were using SignTool
+    # which is the Microsoft blessed program used to sign packages. However,
+    # this tool isn't able to add two signatures to an MSI specifically. It
+    # can dual-sign an exe, just not an MSI. In order to get the dual-signed
+    # packages, we decided to switch over to using osslsigncode. The original
+    # project didn't have support to compile on a windows system, so we
+    # decided to use this fork. The binaries on the signer were pulled from
+    # https://sourceforge.net/u/keeely/osslsigncode/ci/master/tree/
+    #
+    # These are our signatures:
+    # The first signature:
+    #   * Sha256 Certificate
+    #   * Sha1 Signature
+    #   * Sha1 Timestamp
+    #
+    # The second signature:
+    #   * Sha256 Certificate
+    #   * Sha256 Signature
+    #   * Sha256 Timestamp
+    #
+    # Once we no longer support Windows 8/Windows Vista, we can remove the
+    # first Sha1 signature.
+    Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, %Q(for msi in #{msis.map { |d| File.basename(d) }.join(" ")}; do
+      "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" sign \
+        -n "Puppet" -i "http://www.puppet.com" \
+        -h sha1 \
+        -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
+        -pass "#{Pkg::Config.msi_signing_cert_pw}" \
+        -t "http://timestamp.verisign.com/scripts/timstamp.dll" \
+        -in "C:/#{work_dir}/$msi" \
+        -out "C:/#{work_dir}/signed-$msi"
+      "/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" sign \
+        -n "Puppet" -i "http://www.puppet.com" \
+        -nest -h sha256 \
+        -pkcs12 "#{Pkg::Config.msi_signing_cert}" \
+        -pass "#{Pkg::Config.msi_signing_cert_pw}" \
+        -ts "http://sha256timestamp.ws.symantec.com/sha256/timestamp" \
+        -in "C:/#{work_dir}/signed-$msi" \
+        -out "C:/#{work_dir}/$msi"
+      rm "C:/#{work_dir}/signed-$msi"
+    done))
+    msis.each do | msi |
+      Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{File.basename(msi)}", rsync_host_string, File.dirname(msi))
+    end
+    Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")
+  end
+end

data/lib/packaging/sign/rpm.rb

@@ -0,0 +1,40 @@
+module Pkg::Sign::Rpm
+  module_function
+
+  def sign(rpm, sign_flags = nil)
+    # To enable support for wrappers around rpm and thus support for gpg-agent
+    # rpm signing, we have to be able to tell the packaging repo what binary to
+    # use as the rpm signing tool.
+    rpm_command = ENV['RPM'] || Pkg::Util::Tool.find_tool('rpm')
+
+    # If we're using the gpg agent for rpm signing, we don't want to specify the
+    # input for the passphrase, which is what '--passphrase-fd 3' does. However,
+    # if we're not using the gpg agent, this is required, and is part of the
+    # defaults on modern rpm. The fun part of gpg-agent signing of rpms is
+    # specifying that the gpg check command always return true
+    gpg_check_command = ''
+    input_flag = ''
+    if Pkg::Util.boolean_value(ENV['RPM_GPG_AGENT'])
+      gpg_check_command = "--define '%__gpg_check_password_cmd /bin/true'"
+    else
+      input_flag = "--passphrase-fd 3"
+    end
+
+    # Try this up to 5 times, to allow for incorrect passwords
+    Pkg::Util::Execution.retry_on_fail(:times => 5) do
+      # This definition of %__gpg_sign_cmd is the default on modern rpm. We
+      # accept extra flags to override certain signing behavior for older
+      # versions of rpm, e.g. specifying V3 signatures instead of V4.
+      Pkg::Util::Execution.capture3("#{rpm_command} #{gpg_check_command} --define '%_gpg_name #{Pkg::Util::Gpg.key}' --define '%__gpg_sign_cmd %{__gpg} gpg #{sign_flags} #{input_flag} --batch --no-verbose --no-armor --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} %{__plaintext_filename}' --addsign #{rpm}")
+    end
+  end
+
+  def legacy_sign(rpm)
+    sign(rpm, "--force-v3-sigs --digest-algo=sha1")
+  end
+
+  def has_sig?(rpm)
+    %x(rpm -Kv #{rpm} | grep "#{Pkg::Util::Gpg.key.downcase}" &> /dev/null)
+    $?.success?
+  end
+end

data/lib/packaging/util/ship.rb

@@ -102,6 +102,79 @@ module Pkg::Util::Ship
     end
   end
 
+  def ship_rpms(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/**/*.rpm", "#{local_staging_directory}/**/*.srpm"], Pkg::Config.yum_staging_server, remote_path, opts)
+
+    create_rolling_repo_link(Pkg::Platforms.generic_platform_tag('el'), Pkg::Config.yum_staging_server, remote_path)
+  end
+
+  def ship_debs(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/**/*.debian.tar.gz", "#{local_staging_directory}/**/*.orig.tar.gz" "#{local_staging_directory}/**/*.dsc", "#{local_staging_directory}/**/*.deb", "#{local_staging_directory}/**/*.changes"], Pkg::Config.apt_signing_server, remote_path, opts)
+
+    # We need to iterate through all the supported platforms here because of
+    # how deb repos are set up. Each codename will have its own link from the
+    # current versioned repo (e.g. puppet5) to the rolling repo. The one thing
+    # we don't care about is architecture, so we just grab the first supported
+    # architecture for the code name we're working with at the moment. [written
+    # by Melissa, copied by Molly]
+    Pkg::Platforms.codenames.each do |codename|
+      create_rolling_repo_link(Pkg::Platforms.codename_to_tags(codename)[0], Pkg::Config.apt_signing_server, remote_path)
+    end
+  end
+
+  def ship_svr4(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/**/*.pkg.gz"], Pkg::Config.svr4_host, remote_path, opts)
+  end
+
+  def ship_p5p(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/**/*.p5p"], Pkg::Config.p5p_host, remote_path, opts)
+  end
+
+  def ship_dmg(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/**/*.dmg"], Pkg::Config.dmg_staging_server, remote_path, opts)
+
+    create_rolling_repo_link(Pkg::Platforms.generic_platform_tag('osx'), Pkg::Config.dmg_staging_server, remote_path)
+
+    Pkg::Platforms.platform_tags_for_package_format('dmg').each do |platform_tag|
+      # TODO remove the PC1 links when we no longer need to maintain them
+      # [written by Melissa, copied by Molly]
+      _, version, arch = Pkg::Platforms.parse_platform_tag(platform_tag)
+      Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', "/opt/downloads/mac/#{version}/PC1/#{arch}", 'dmg')
+      # Create the latest symlink for the current supported repo
+      Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', Pkg::Paths.artifacts_path(platform_tag, remote_path), 'dmg')
+    end
+  end
+
+  def ship_swix(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/**/*.swix"], Pkg::Config.swix_staging_server, remote_path, opts)
+
+    create_rolling_repo_link(Pkg::Platforms.generic_platform_tag('eos'), Pkg::Config.swix_staging_server, remote_path)
+  end
+
+  def ship_msi(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/**/*.msi"], Pkg::Config.msi_staging_server, remote_path, opts)
+
+    create_rolling_repo_link(Pkg::Platforms.generic_platform_tag('windows'), Pkg::Config.msi_staging_server, remote_path)
+    # Create the symlinks for the latest supported repo
+    Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', Pkg::Paths.artifacts_path(Pkg::Platforms.generic_platform_tag('windows'), remote_path), 'msi', arch: 'x64')
+    Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', Pkg::Paths.artifacts_path(Pkg::Platforms.generic_platform_tag('windows'), remote_path), 'msi', arch: 'x86')
+
+    # We provide symlinks to the latest package in a given directory. This
+    # allows users to upgrade more easily to the latest version that we release
+    # TODO remove the links to PC1 when we no longer ship to that repo [written
+    # by Melissa, copied by Molly]
+    Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', '/opt/downloads/windows', 'msi', arch: 'x64')
+    Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', '/opt/downloads/windows', 'msi', arch: 'x86')
+  end
+
+  def ship_gem(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/*.gem*"], Pkg::Config.gem_host, remote_path, opts)
+  end
+
+  def ship_tar(local_staging_directory, remote_path, opts = {})
+    ship_pkgs(["#{local_staging_directory}/*.tar.gz*"], Pkg::Config.tar_staging_server, remote_path, opts)
+  end
+
   def rolling_repo_link_command(platform_tag, repo_path)
     base_path, link_path = Pkg::Paths.artifacts_base_path_and_link_path(platform_tag, repo_path)