packaging 0.99.2 → 0.99.3
- checksums.yaml +4 -4
- data/lib/packaging.rb +1 -3
- data/lib/packaging/config.rb +14 -4
- data/lib/packaging/config/params.rb +2 -0
- data/lib/packaging/platforms.rb +8 -0
- data/lib/packaging/repo.rb +21 -0
- data/lib/packaging/retrieve.rb +5 -5
- data/lib/packaging/sign.rb +8 -0
- data/lib/packaging/sign/deb.rb +9 -0
- data/lib/packaging/sign/dmg.rb +36 -0
- data/lib/packaging/sign/ips.rb +57 -0
- data/lib/packaging/sign/msi.rb +89 -0
- data/lib/packaging/sign/rpm.rb +40 -0
- data/lib/packaging/util/ship.rb +73 -0
- data/spec/lib/packaging/platforms_spec.rb +12 -0
- data/spec/lib/packaging/repo_spec.rb +36 -0
- data/spec/lib/packaging/retrieve_spec.rb +4 -4
- data/tasks/apple.rake +2 -0
- data/tasks/jenkins.rake +18 -2
- data/tasks/nightly_repos.rake +3 -3
- data/tasks/retrieve.rake +7 -6
- data/tasks/ship.rake +71 -140
- data/tasks/sign.rake +46 -79
- metadata +8 -5
- data/lib/packaging/ips.rb +0 -57
- data/lib/packaging/msi.rb +0 -89
- data/lib/packaging/osx.rb +0 -36
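--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b3d51003d5651ebf7f787b4e7521d3106b4b6cbd
+data.tar.gz: 74cc5216e07712f93115445bba1bb254cb98ae69
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 59a10ab93c4cf6fc589f913b7a7e364180a675d3f74ffa145e9469747ae83ac534810083377eae4dbea6920deff67b21428b5ac111ece7fa8c32bc5edc3616a4
+data.tar.gz: 32a6cc69cf70489512ed4648a1411a7f1c7ad5d931163be83d63e263993053ecec972d8a6375289f03b92fa610a34c6788253831b87c0d59740a20782b741fa6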
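--- a/data/lib/packaging.rb
+++ b/data/lib/packaging.rb
@@ -12,14 +12,12 @@ module Pkg
 require 'packaging/tar'
 require 'packaging/deb'
 require 'packaging/rpm'
-require 'packaging/osx'
-require 'packaging/ips'
 require 'packaging/nuget'
 require 'packaging/gem'
-require 'packaging/msi'
 require 'packaging/repo'
 require 'packaging/artifactory'
 require 'packaging/retrieve'
+require 'packaging/sign'
 
 # Load configuration defaults
 Pkg::Config.load_defaults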
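--- a/data/lib/packaging/config.rb
+++ b/data/lib/packaging/config.rb
@@ -375,17 +375,27 @@ module Pkg
 end
 
 def yum_target_path(feature_branch = false)
+target_path = "#{Pkg::Config.yum_repo_path}/#{Pkg::Config.pe_version}"
+# Target path is different for feature (PEZ) or release branches
 if feature_branch || Pkg::Config.pe_feature_branch
-return "#{
+return "#{target_path}/feature/repos/"
+elsif Pkg::Config.pe_release_branch
+return "#{target_path}/release/repos/"
+else
+return "#{target_path}/repos/"
 end
-"#{Pkg::Config.yum_repo_path}/#{Pkg::Config.pe_version}/repos/"
 end
 
 def apt_target_path(feature_branch = false)
+target_path = "#{Pkg::Config.apt_repo_path}/#{Pkg::Config.pe_version}"
+# Target path is different for feature (PEZ) or release branches
 if feature_branch || Pkg::Config.pe_feature_branch
-return "#{
+return "#{target_path}/feature/repos/"
+elsif Pkg::Config.pe_release_branch
+return "#{target_path}/release/repos/"
+else
+return "#{target_path}/repos/"
 end
-"#{Pkg::Config.apt_repo_path}/#{Pkg::Config.pe_version}/repos/"
 end
 end
 end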
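Review bot: `yum_target_path` and `apt_target_path` now carry the same three-way branch and differ only in `yum_repo_path` versus `apt_repo_path`, so the two can drift apart on the next change. A shared private helper taking the base path, e.g. `def repo_target_path(base_path, feature_branch)`, would keep the feature/release/default layout in one place. The added comment could also state the precedence: when both `pe_feature_branch` and `pe_release_branch` are set, the feature path wins because it is tested first. The enclosing module starts outside the hunk.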
@@ -134,6 +134,7 @@ module Pkg::Params
|
|
134
134
|
:packaging_url,
|
135
135
|
:pbuild_conf,
|
136
136
|
:pe_feature_branch,
|
137
|
+
:pe_release_branch,
|
137
138
|
:pe_name,
|
138
139
|
:pe_platforms,
|
139
140
|
:pe_version,
|
@@ -320,6 +321,7 @@ module Pkg::Params
|
|
320
321
|
{ :var => :msi_signing_cert, :val => '$MSI_SIGNING_CERT' },
|
321
322
|
{ :var => :msi_signing_cert_pw, :val => '$MSI_SIGNING_CERT_PW' },
|
322
323
|
{ :var => :pe_feature_branch, :val => false },
|
324
|
+
{ :var => :pe_release_branch, :val => false },
|
323
325
|
{ :var => :s3_ship, :val => false },
|
324
326
|
{ :var => :apt_releases, :val => Pkg::Platforms.codenames }]
|
325
327
|
|
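--- a/data/lib/packaging/platforms.rb
+++ b/data/lib/packaging/platforms.rb
@@ -485,6 +485,14 @@ module Pkg::Platforms # rubocop:disable Metrics/ModuleLength
 platform_tags
 end
 
+# Return a supported platform tag for the given platform, not caring about
+# version or architecture
+def generic_platform_tag(platform)
+version = versions_for_platform(platform).first
+arch = arches_for_platform_version(platform, version).first
+return "#{platform}-#{version}-#{arch}"
+end
+
 # @method by_deb
 # @return [Array] An Array of Strings, containing all platforms
 # that use .deb packages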
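Review bot: `generic_platform_tag` is documented with a free-form comment while the neighbouring `by_deb` uses YARD tags; adding `# @param platform [String] platform name, e.g. 'el'` and `# @return [String] a tag of the form "<platform>-<version>-<arch>"` would match the file. The comment should also say what happens for a platform with no versions: whether `versions_for_platform` raises or returns an empty list is not visible here, and in the second case `.first` yields `nil` and the method returns a malformed tag such as `"foo--"` instead of failing.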
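--- a/data/lib/packaging/repo.rb
+++ b/data/lib/packaging/repo.rb
@@ -51,5 +51,26 @@ module Pkg::Repo
 rescue => e
 fail "Could not populate repos directory in #{Pkg::Config.distribution_server}:#{artifact_parent_directory}"
 end
+
+def argument_required?(argument_name, repo_command)
+repo_command.include?("__#{argument_name.upcase}__")
+end
+
+def update_repo(remote_host, command, options = {})
+fail_message = "Missing required argument '%s', update your build_defaults?"
+[:repo_name, :repo_path, :repo_host, :repo_url].each do |option|
+fail fail_message % option.to_s if argument_required?(option.to_s, command) && !options[option]
+end
+
+whitelist = {
+__REPO_NAME__: options[:repo_name],
+__REPO_PATH__: options[:repo_path],
+__REPO_HOST__: options[:repo_host],
+__REPO_URL__: options[:repo_url],
+__APT_PLATFORMS__: Pkg::Config.apt_releases.join(' '),
+__GPG_KEY__: Pkg::Util::Gpg.key
+}
+Pkg::Util::Net.remote_ssh_cmd(remote_host, Pkg::Util::Misc.search_and_replace(command, whitelist))
+end
 end
 end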
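Review bot: In `update_repo` the values collected in `whitelist` are substituted into `command` and passed straight to `remote_ssh_cmd`, with no shell quoting visible in this hunk, so a `repo_name` or `repo_path` containing a space or shell metacharacter changes the command that runs on `remote_host`. Unless `search_and_replace` escapes its replacements (not shown here), quote each value first, e.g. `__REPO_PATH__: Shellwords.escape(options[:repo_path].to_s)`, after checking that the command templates do not already wrap the placeholders in quotes. The presence check `!options[option]` also lets an empty string through, so `options[option].to_s.empty?` is the safer test. A hash named `whitelist` that is really a placeholder-to-value map deserves a one-line comment saying so.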
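--- a/data/lib/packaging/retrieve.rb
+++ b/data/lib/packaging/retrieve.rb
@@ -48,24 +48,24 @@ module Pkg::Retrieve
 unless Pkg::Config.foss_platforms
 fail "FOSS_ONLY specified, but I don't know anything about FOSS_PLATFORMS. Retrieve cancelled."
 end
-default_wget(local_target, "#{build_url}/
+default_wget(local_target, "#{build_url}/", { 'level' => 1 })
 yaml_path = File.join(local_target, "#{Pkg::Config.ref}.yaml")
 unless File.readable?(yaml_path)
 fail "Couldn't read #{Pkg::Config.ref}.yaml, which is necessary for FOSS_ONLY. Retrieve cancelled."
 end
 platform_data = Pkg::Util::Serialization.load_yaml(yaml_path)[:platform_data]
 platform_data.each do |platform, paths|
-default_wget(local_target, "#{build_url}
+default_wget(local_target, "#{build_url}/#{paths[:artifact]}") if Pkg::Config.foss_platforms.include?(platform)
 end
 end
 
-def retrieve_all(build_url, rsync_path,
+def retrieve_all(build_url, rsync_path, local_target)
 if Pkg::Util::Tool.find_tool("wget")
-default_wget(local_target, "#{build_url}
+default_wget(local_target, "#{build_url}/")
 else
 warn "Could not find `wget` tool. Falling back to rsyncing from #{Pkg::Config.distribution_server}."
 begin
-Pkg::Util::Net.rsync_from("#{rsync_path}
+Pkg::Util::Net.rsync_from("#{rsync_path}/", Pkg::Config.distribution_server, "#{local_target}/")
 rescue => e
 fail "Couldn't rsync packages from distribution server.\n#{e}"
 end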
@@ -0,0 +1,9 @@
|
|
1
|
+
module Pkg::Sign::Deb
|
2
|
+
module_function
|
3
|
+
|
4
|
+
def sign_changes(file)
|
5
|
+
# Lazy lazy lazy lazy lazy
|
6
|
+
sign_program = "-p'gpg --use-agent --no-tty'" if ENV['RPM_GPG_AGENT']
|
7
|
+
Pkg::Util::Execution.capture3("debsign #{sign_program} --re-sign -k#{Pkg::Config.gpg_key} #{file}")
|
8
|
+
end
|
9
|
+
end
|
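Review bot: `sign_changes` enables the agent wrapper whenever `ENV['RPM_GPG_AGENT']` is set to any string, including `"false"` or `"0"`, whereas `Pkg::Sign::Rpm.sign` in this same release tests `Pkg::Util.boolean_value(ENV['RPM_GPG_AGENT'])`. The two signers should agree: `sign_program = "-p'gpg --use-agent --no-tty'" if Pkg::Util.boolean_value(ENV['RPM_GPG_AGENT'])`. `file` is also interpolated unquoted into the `debsign` command line, so a path with a space or shell metacharacter is split or interpreted by the shell; quote it (for example with `Shellwords.escape(file)`) or pass the arguments as a list if `capture3` accepts one. The `# Lazy lazy lazy lazy lazy` comment should be replaced by one saying why the signing program is overridden.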
@@ -0,0 +1,36 @@
|
|
1
|
+
module Pkg::Sign::Dmg
|
2
|
+
module_function
|
3
|
+
|
4
|
+
def sign(target_dir = 'pkg')
|
5
|
+
use_identity = "-i #{Pkg::Config.osx_signing_ssh_key}" unless Pkg::Config.osx_signing_ssh_key.nil?
|
6
|
+
|
7
|
+
if Pkg::Config.osx_signing_server =~ /@/
|
8
|
+
host_string = "#{Pkg::Config.osx_signing_server}"
|
9
|
+
else
|
10
|
+
host_string = "#{ENV['USER']}@#{Pkg::Config.osx_signing_server}"
|
11
|
+
end
|
12
|
+
ssh_host_string = "#{use_identity} #{host_string}"
|
13
|
+
rsync_host_string = "-e 'ssh #{use_identity}' #{host_string}"
|
14
|
+
|
15
|
+
work_dir = "/tmp/#{Pkg::Util.rand_string}"
|
16
|
+
mount = File.join(work_dir, "mount")
|
17
|
+
signed = File.join(work_dir, "signed")
|
18
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p #{mount} #{signed}")
|
19
|
+
dmgs = Dir.glob("#{target_dir}/apple/**/*.dmg")
|
20
|
+
Pkg::Util::Net.rsync_to(dmgs.join(" "), rsync_host_string, work_dir)
|
21
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, %Q[for dmg in #{dmgs.map { |d| File.basename(d, ".dmg") }.join(" ")}; do
|
22
|
+
/usr/bin/hdiutil attach #{work_dir}/$dmg.dmg -mountpoint #{mount} -nobrowse -quiet ;
|
23
|
+
/usr/bin/security -q unlock-keychain -p "#{Pkg::Config.osx_signing_keychain_pw}" "#{Pkg::Config.osx_signing_keychain}" ;
|
24
|
+
for pkg in $(ls #{mount}/*.pkg | xargs -n 1 basename); do
|
25
|
+
/usr/bin/productsign --keychain "#{Pkg::Config.osx_signing_keychain}" --sign "#{Pkg::Config.osx_signing_cert}" #{mount}/$pkg #{signed}/$pkg ;
|
26
|
+
done
|
27
|
+
/usr/bin/hdiutil detach #{mount} -quiet ;
|
28
|
+
/bin/rm #{work_dir}/$dmg.dmg ;
|
29
|
+
/usr/bin/hdiutil create -volname $dmg -srcfolder #{signed}/ #{work_dir}/$dmg.dmg ;
|
30
|
+
/bin/rm #{signed}/* ; done])
|
31
|
+
dmgs.each do | dmg |
|
32
|
+
Pkg::Util::Net.rsync_from("#{work_dir}/#{File.basename(dmg)}", rsync_host_string, File.dirname(dmg))
|
33
|
+
end
|
34
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -d '#{work_dir}' ]; then rm -rf '#{work_dir}'; fi")
|
35
|
+
end
|
36
|
+
end
|
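Review bot: The remote script in `sign` chains every step with `;`, so a failed keychain unlock or `productsign` does not stop the loop: the original dmg is still removed, `hdiutil create` rebuilds it from whatever reached `#{signed}`, and the result is rsynced back over the local file. Starting the script with `set -e;` and checking each rebuilt package with `pkgutil --check-signature` before the copy-back would turn that into a hard failure. The keychain password is interpolated into the command line (`unlock-keychain -p "..."`), where it is visible in the signer's process list and in any log `remote_ssh_cmd` keeps of the command; confirm that helper does not echo its argument. `work_dir` is created with `mkdir -p` under `/tmp`, which also succeeds on a directory someone else created first; `mktemp -d` on the remote side avoids that.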
@@ -0,0 +1,57 @@
|
|
1
|
+
module Pkg::Sign::Ips
|
2
|
+
module_function
|
3
|
+
|
4
|
+
def sign(target_dir = 'pkg')
|
5
|
+
use_identity = "-i #{Pkg::Config.ips_signing_ssh_key}" unless Pkg::Config.ips_signing_ssh_key.nil?
|
6
|
+
|
7
|
+
ssh_host_string = "#{use_identity} #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
|
8
|
+
rsync_host_string = "-e 'ssh #{use_identity}' #{ENV['USER']}@#{Pkg::Config.ips_signing_server}"
|
9
|
+
|
10
|
+
p5ps = Dir.glob("#{target_dir}/solaris/11/**/*.p5p")
|
11
|
+
|
12
|
+
p5ps.each do |p5p|
|
13
|
+
work_dir = "/tmp/#{Pkg::Util.rand_string}"
|
14
|
+
unsigned_dir = "#{work_dir}/unsigned"
|
15
|
+
repo_dir = "#{work_dir}/repo"
|
16
|
+
signed_dir = "#{work_dir}/pkgs"
|
17
|
+
|
18
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}")
|
19
|
+
Pkg::Util::Net.rsync_to(p5p, rsync_host_string, unsigned_dir)
|
20
|
+
|
21
|
+
# Before we can get started with signing packages we need to create a repo
|
22
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
|
23
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com")
|
24
|
+
# And import all the packages into the repo.
|
25
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{File.basename(p5p)} -d #{repo_dir} '*'")
|
26
|
+
# We are going to hard code the values for signing cert locations for now.
|
27
|
+
# This autmation will require an update to actually become reusable, but
|
28
|
+
# for now these values will stay this way so solaris signing will stop
|
29
|
+
# failing. Please update soon. 06/23/16
|
30
|
+
#
|
31
|
+
# - Sean P. McDonald
|
32
|
+
#
|
33
|
+
# We sign the entire repo
|
34
|
+
sign_cmd = "sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2018.pem \
|
35
|
+
-i /root/signing/Thawte_SHA256_Code_Signing_CA.pem \
|
36
|
+
-i /root/signing/Thawte_Primary_Root_CA.pem \
|
37
|
+
-k /root/signing/signing_key_2018.pem \
|
38
|
+
-s 'file://#{work_dir}/repo' '*'"
|
39
|
+
puts "About to sign #{p5p} with #{sign_cmd} in #{work_dir}"
|
40
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, sign_cmd.squeeze(' '))
|
41
|
+
# pkgrecv with -a will pull packages out of the repo, so we need to do that too to actually get the packages we signed
|
42
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{File.basename(p5p)} -a -s #{repo_dir} '*'")
|
43
|
+
begin
|
44
|
+
# lets make sure we actually signed something?
|
45
|
+
# **NOTE** if we're repeatedly trying to sign the same version this
|
46
|
+
# might explode because I don't know how to reset the IPS cache.
|
47
|
+
# Everything is amazing.
|
48
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{File.basename(p5p)} '*' | grep '^signature '")
|
49
|
+
rescue RuntimeError
|
50
|
+
raise "Looks like #{File.basename(p5p)} was not signed correctly, quitting!"
|
51
|
+
end
|
52
|
+
# and pull the packages back.
|
53
|
+
Pkg::Util::Net.rsync_from("#{signed_dir}/#{File.basename(p5p)}", rsync_host_string, File.dirname(p5p))
|
54
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi")
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
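Review bot: The post-sign check at new line 48 only proves that some `signature` action exists in the archive (`grep '^signature '`), so it also passes for a package that already carried a signature from another key before it was imported. Comparing the signature against the expected certificate, or running the platform's signature verification against a trusted CA set, would make the check meaningful. The certificate and key paths are hard-coded (`/root/signing/signing_cert_2018.pem`, `signing_key_2018.pem`), so a key rotation needs a gem release; they belong in `Pkg::Config` next to `ips_signing_ssh_key`. The `puts` at line 39 writes the full signing command, key path included, to the build log. `work_dir` sits under `/tmp`, is created with `mkdir -p` and is then used by `sudo` commands, so `mktemp -d` on the remote host is the safer way to create it.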
@@ -0,0 +1,89 @@
|
|
1
|
+
module Pkg::Sign::Msi
|
2
|
+
module_function
|
3
|
+
|
4
|
+
def sign(target_dir = 'pkg')
|
5
|
+
use_identity = "-i #{Pkg::Config.msi_signing_ssh_key}" if Pkg::Config.msi_signing_ssh_key
|
6
|
+
|
7
|
+
ssh_host_string = "#{use_identity} Administrator@#{Pkg::Config.msi_signing_server}"
|
8
|
+
rsync_host_string = "-e 'ssh #{use_identity}' Administrator@#{Pkg::Config.msi_signing_server}"
|
9
|
+
|
10
|
+
work_dir = "Windows/Temp/#{Pkg::Util.rand_string}"
|
11
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "mkdir -p C:/#{work_dir}")
|
12
|
+
msis = Dir.glob("#{target_dir}/windows/**/*.msi")
|
13
|
+
Pkg::Util::Net.rsync_to(msis.join(" "), rsync_host_string, "/cygdrive/c/#{work_dir}")
|
14
|
+
|
15
|
+
# Please Note:
|
16
|
+
# We are currently adding two signatures to the msi.
|
17
|
+
#
|
18
|
+
# Microsoft compatable Signatures are composed of three different
|
19
|
+
# elements.
|
20
|
+
# 1) The Certificate used to sign the package. This is the element that
|
21
|
+
# is attached to organization. The certificate has an associated
|
22
|
+
# algorithm. We recently (February 2016) had to switch from a sha1 to
|
23
|
+
# a sha256 certificate. Sha1 was deprecated by many Microsoft
|
24
|
+
# elements on 2016-01-01, which forced us to switch to a sha256 cert.
|
25
|
+
# This sha256 certificate is recognized by all currently supported
|
26
|
+
# windows platforms (Windows 8/Vista forward).
|
27
|
+
# 2) The signature used to attach the certificate to the package. This
|
28
|
+
# can be a done with a variety of digest algorithms. Older platforms
|
29
|
+
# (i.e., Windows 8 and Windows Vista) don't recognize later
|
30
|
+
# algorithms like sha256.
|
31
|
+
# 3) The timestamp used to validate when the package was signed. This
|
32
|
+
# comes from an external source and can be delivered with a variety
|
33
|
+
# of digest algorithms. Older platforms do not recognize newer
|
34
|
+
# algorithms like sha256.
|
35
|
+
#
|
36
|
+
# We could have only one signature with the Sha256 Cert, Sha1 Signature,
|
37
|
+
# and Sha1 Timestamp, but that would be too easy. The sha256 signature
|
38
|
+
# and timestamp add more security to our packages. We can't have only
|
39
|
+
# sha256 elements in our package signature, though, because Windows 8
|
40
|
+
# and Windows Vista just don't recognize them at all.
|
41
|
+
#
|
42
|
+
# In order to add two signatures to an MSI, we also need to change the
|
43
|
+
# tool we use to sign packages with. Previously, we were using SignTool
|
44
|
+
# which is the Microsoft blessed program used to sign packages. However,
|
45
|
+
# this tool isn't able to add two signatures to an MSI specifically. It
|
46
|
+
# can dual-sign an exe, just not an MSI. In order to get the dual-signed
|
47
|
+
# packages, we decided to switch over to using osslsigncode. The original
|
48
|
+
# project didn't have support to compile on a windows system, so we
|
49
|
+
# decided to use this fork. The binaries on the signer were pulled from
|
50
|
+
# https://sourceforge.net/u/keeely/osslsigncode/ci/master/tree/
|
51
|
+
#
|
52
|
+
# These are our signatures:
|
53
|
+
# The first signature:
|
54
|
+
# * Sha256 Certificate
|
55
|
+
# * Sha1 Signature
|
56
|
+
# * Sha1 Timestamp
|
57
|
+
#
|
58
|
+
# The second signature:
|
59
|
+
# * Sha256 Certificate
|
60
|
+
# * Sha256 Signature
|
61
|
+
# * Sha256 Timestamp
|
62
|
+
#
|
63
|
+
# Once we no longer support Windows 8/Windows Vista, we can remove the
|
64
|
+
# first Sha1 signature.
|
65
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, %Q(for msi in #{msis.map { |d| File.basename(d) }.join(" ")}; do
|
66
|
+
"/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" sign \
|
67
|
+
-n "Puppet" -i "http://www.puppet.com" \
|
68
|
+
-h sha1 \
|
69
|
+
-pkcs12 "#{Pkg::Config.msi_signing_cert}" \
|
70
|
+
-pass "#{Pkg::Config.msi_signing_cert_pw}" \
|
71
|
+
-t "http://timestamp.verisign.com/scripts/timstamp.dll" \
|
72
|
+
-in "C:/#{work_dir}/$msi" \
|
73
|
+
-out "C:/#{work_dir}/signed-$msi"
|
74
|
+
"/cygdrive/c/tools/osslsigncode-fork/osslsigncode.exe" sign \
|
75
|
+
-n "Puppet" -i "http://www.puppet.com" \
|
76
|
+
-nest -h sha256 \
|
77
|
+
-pkcs12 "#{Pkg::Config.msi_signing_cert}" \
|
78
|
+
-pass "#{Pkg::Config.msi_signing_cert_pw}" \
|
79
|
+
-ts "http://sha256timestamp.ws.symantec.com/sha256/timestamp" \
|
80
|
+
-in "C:/#{work_dir}/signed-$msi" \
|
81
|
+
-out "C:/#{work_dir}/$msi"
|
82
|
+
rm "C:/#{work_dir}/signed-$msi"
|
83
|
+
done))
|
84
|
+
msis.each do | msi |
|
85
|
+
Pkg::Util::Net.rsync_from("/cygdrive/c/#{work_dir}/#{File.basename(msi)}", rsync_host_string, File.dirname(msi))
|
86
|
+
end
|
87
|
+
Pkg::Util::Net.remote_ssh_cmd(ssh_host_string, "if [ -d '/cygdrive/c/#{work_dir}' ]; then rm -rf '/cygdrive/c/#{work_dir}'; fi")
|
88
|
+
end
|
89
|
+
end
|
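Review bot: The unsigned input `C:/#{work_dir}/$msi` is also the final output path, and the loop has no error handling, so if the second `osslsigncode` call fails the unsigned MSI stays in place, `rm` of `signed-$msi` succeeds, and line 85 rsyncs the unsigned file back as though it were signed. Add `set -e` as the first line of the remote script and write the dual-signed result to a separate name that is only moved over `$msi` on success; an `osslsigncode verify` pass before the copy-back would confirm both signatures, if the fork supports it. `-pass "#{Pkg::Config.msi_signing_cert_pw}"` puts the PKCS#12 password in the process arguments on the signer and in any log of the command; upstream osslsigncode has `-readpass` for reading it from a file, which is worth checking for in this fork.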
@@ -0,0 +1,40 @@
|
|
1
|
+
module Pkg::Sign::Rpm
|
2
|
+
module_function
|
3
|
+
|
4
|
+
def sign(rpm, sign_flags = nil)
|
5
|
+
# To enable support for wrappers around rpm and thus support for gpg-agent
|
6
|
+
# rpm signing, we have to be able to tell the packaging repo what binary to
|
7
|
+
# use as the rpm signing tool.
|
8
|
+
rpm_command = ENV['RPM'] || Pkg::Util::Tool.find_tool('rpm')
|
9
|
+
|
10
|
+
# If we're using the gpg agent for rpm signing, we don't want to specify the
|
11
|
+
# input for the passphrase, which is what '--passphrase-fd 3' does. However,
|
12
|
+
# if we're not using the gpg agent, this is required, and is part of the
|
13
|
+
# defaults on modern rpm. The fun part of gpg-agent signing of rpms is
|
14
|
+
# specifying that the gpg check command always return true
|
15
|
+
gpg_check_command = ''
|
16
|
+
input_flag = ''
|
17
|
+
if Pkg::Util.boolean_value(ENV['RPM_GPG_AGENT'])
|
18
|
+
gpg_check_command = "--define '%__gpg_check_password_cmd /bin/true'"
|
19
|
+
else
|
20
|
+
input_flag = "--passphrase-fd 3"
|
21
|
+
end
|
22
|
+
|
23
|
+
# Try this up to 5 times, to allow for incorrect passwords
|
24
|
+
Pkg::Util::Execution.retry_on_fail(:times => 5) do
|
25
|
+
# This definition of %__gpg_sign_cmd is the default on modern rpm. We
|
26
|
+
# accept extra flags to override certain signing behavior for older
|
27
|
+
# versions of rpm, e.g. specifying V3 signatures instead of V4.
|
28
|
+
Pkg::Util::Execution.capture3("#{rpm_command} #{gpg_check_command} --define '%_gpg_name #{Pkg::Util::Gpg.key}' --define '%__gpg_sign_cmd %{__gpg} gpg #{sign_flags} #{input_flag} --batch --no-verbose --no-armor --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} %{__plaintext_filename}' --addsign #{rpm}")
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
def legacy_sign(rpm)
|
33
|
+
sign(rpm, "--force-v3-sigs --digest-algo=sha1")
|
34
|
+
end
|
35
|
+
|
36
|
+
def has_sig?(rpm)
|
37
|
+
%x(rpm -Kv #{rpm} | grep "#{Pkg::Util::Gpg.key.downcase}" &> /dev/null)
|
38
|
+
$?.success?
|
39
|
+
end
|
40
|
+
end
|
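Review bot: `has_sig?` redirects with `&>`, which is a bash extension; `%x` runs the command through `/bin/sh`, and where that is dash the line parses as `grep ... &` followed by an empty redirect, so the status is always 0 and every rpm is reported as signed. Use a portable form such as `| grep -q "#{Pkg::Util::Gpg.key.downcase}" > /dev/null 2>&1`. The test also only looks for the key id anywhere in the `rpm -Kv` output, which proves the key is mentioned, not that the signature verified; matching the specific OK line would be stricter. `rpm` is interpolated unquoted here and in `sign`, and `has_sig?` calls plain `rpm` while `sign` honours `ENV['RPM']`.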
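--- a/data/lib/packaging/util/ship.rb
+++ b/data/lib/packaging/util/ship.rb
@@ -102,6 +102,79 @@ module Pkg::Util::Ship
 end
 end
 
+def ship_rpms(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/**/*.rpm", "#{local_staging_directory}/**/*.srpm"], Pkg::Config.yum_staging_server, remote_path, opts)
+
+create_rolling_repo_link(Pkg::Platforms.generic_platform_tag('el'), Pkg::Config.yum_staging_server, remote_path)
+end
+
+def ship_debs(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/**/*.debian.tar.gz", "#{local_staging_directory}/**/*.orig.tar.gz" "#{local_staging_directory}/**/*.dsc", "#{local_staging_directory}/**/*.deb", "#{local_staging_directory}/**/*.changes"], Pkg::Config.apt_signing_server, remote_path, opts)
+
+# We need to iterate through all the supported platforms here because of
+# how deb repos are set up. Each codename will have its own link from the
+# current versioned repo (e.g. puppet5) to the rolling repo. The one thing
+# we don't care about is architecture, so we just grab the first supported
+# architecture for the code name we're working with at the moment. [written
+# by Melissa, copied by Molly]
+Pkg::Platforms.codenames.each do |codename|
+create_rolling_repo_link(Pkg::Platforms.codename_to_tags(codename)[0], Pkg::Config.apt_signing_server, remote_path)
+end
+end
+
+def ship_svr4(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/**/*.pkg.gz"], Pkg::Config.svr4_host, remote_path, opts)
+end
+
+def ship_p5p(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/**/*.p5p"], Pkg::Config.p5p_host, remote_path, opts)
+end
+
+def ship_dmg(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/**/*.dmg"], Pkg::Config.dmg_staging_server, remote_path, opts)
+
+create_rolling_repo_link(Pkg::Platforms.generic_platform_tag('osx'), Pkg::Config.dmg_staging_server, remote_path)
+
+Pkg::Platforms.platform_tags_for_package_format('dmg').each do |platform_tag|
+# TODO remove the PC1 links when we no longer need to maintain them
+# [written by Melissa, copied by Molly]
+_, version, arch = Pkg::Platforms.parse_platform_tag(platform_tag)
+Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', "/opt/downloads/mac/#{version}/PC1/#{arch}", 'dmg')
+# Create the latest symlink for the current supported repo
+Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', Pkg::Paths.artifacts_path(platform_tag, remote_path), 'dmg')
+end
+end
+
+def ship_swix(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/**/*.swix"], Pkg::Config.swix_staging_server, remote_path, opts)
+
+create_rolling_repo_link(Pkg::Platforms.generic_platform_tag('eos'), Pkg::Config.swix_staging_server, remote_path)
+end
+
+def ship_msi(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/**/*.msi"], Pkg::Config.msi_staging_server, remote_path, opts)
+
+create_rolling_repo_link(Pkg::Platforms.generic_platform_tag('windows'), Pkg::Config.msi_staging_server, remote_path)
+# Create the symlinks for the latest supported repo
+Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', Pkg::Paths.artifacts_path(Pkg::Platforms.generic_platform_tag('windows'), remote_path), 'msi', arch: 'x64')
+Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', Pkg::Paths.artifacts_path(Pkg::Platforms.generic_platform_tag('windows'), remote_path), 'msi', arch: 'x86')
+
+# We provide symlinks to the latest package in a given directory. This
+# allows users to upgrade more easily to the latest version that we release
+# TODO remove the links to PC1 when we no longer ship to that repo [written
+# by Melissa, copied by Molly]
+Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', '/opt/downloads/windows', 'msi', arch: 'x64')
+Pkg::Util::Net.remote_create_latest_symlink('puppet-agent', '/opt/downloads/windows', 'msi', arch: 'x86')
+end
+
+def ship_gem(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/*.gem*"], Pkg::Config.gem_host, remote_path, opts)
+end
+
+def ship_tar(local_staging_directory, remote_path, opts = {})
+ship_pkgs(["#{local_staging_directory}/*.tar.gz*"], Pkg::Config.tar_staging_server, remote_path, opts)
+end
+
 def rolling_repo_link_command(platform_tag, repo_path)
 base_path, link_path = Pkg::Paths.artifacts_base_path_and_link_path(platform_tag, repo_path)
 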
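Review bot: In `ship_debs` (new line 112) a comma is missing between `"#{local_staging_directory}/**/*.orig.tar.gz"` and `"#{local_staging_directory}/**/*.dsc"`, so Ruby joins the two adjacent literals into a single pattern that contains the staging directory twice and matches nothing. Assuming `ship_pkgs` globs each entry, the `.orig.tar.gz` and `.dsc` files are silently left out of the shipment and the published source package is incomplete. The fix is `"#{local_staging_directory}/**/*.orig.tar.gz", "#{local_staging_directory}/**/*.dsc",`. A spec that asserts the five patterns passed to `ship_pkgs` would catch this kind of slip.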