simp-rake-helpers 5.11.2 → 5.12.0

data/lib/simp/rake/build/tar.rb

@@ -62,7 +62,7 @@ module Simp::Rake::Build
           else
             required_rpms['noarch'] << 'simp-rsync-skeleton'
             required_rpms['noarch'] << 'simp-environment-skeleton'
-            required_rpms['noarch'] << 'simp-environment-selinux-policy'
+            required_rpms['noarch'] << 'simp-selinux-policy'
           end
 
           rpm_dir = File.join(@build_dir,'SIMP','RPMS')

data/lib/simp/rake/helpers/version.rb

@@ -2,5 +2,5 @@ module Simp; end
 module Simp::Rake; end
 
 class Simp::Rake::Helpers
-  VERSION = '5.11.2'
+  VERSION = '5.12.0'
 end

data/lib/simp/rake/pkg.rb

@@ -235,7 +235,11 @@ module Simp::Rake
             %(-D '_sourcedir #{@rpm_srcdir}'),
             %(-D '_rpmdir #{@pkg_dir}'),
             %(-D '_srcrpmdir #{@pkg_dir}'),
-            %(-D '_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm')
+            %(-D '_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm'),
+
+            # needed on EL8 to disable the aggressive brp_mangle_shebangs script
+            # that results in invalid script shebangs; does nothing in EL7
+            %(-D '__brp_mangle_shebangs /usr/bin/true')
           ]
           rpm_opts << '-v' if @verbose
           rpm_opts << "-D 'lua_debug 1'" if (ENV.fetch('SIMP_RAKE_PKG_LUA_verbose','no') =='yes')

data/lib/simp/rake/pupmod/helpers.rb

@@ -290,6 +290,7 @@ class Simp::Rake::Pupmod::Helpers < ::Rake::TaskLib
     # That will give Travis a way of warning us if the changelog
     # will prevent the rpm from building.
     task :changelog_annotation, [:quiet] do |t,args|
+      warning('DEPRECATED: use pkg:create_tag_changelog')
       quiet = true if args[:quiet].to_s == 'true'
       puts changelog_annotation( quiet )
     end
@@ -332,6 +333,7 @@ class Simp::Rake::Pupmod::Helpers < ::Rake::TaskLib
       - doc directory
     EOM
     task :compare_latest_tag, [:tags_source, :ignore_owner, :verbose] do |t,args|
+      warning('DEPRECATED: use pkg:compare_latest_tag')
       require 'json'
 
       tags_source = args[:tags_source].nil? ? 'origin' : args[:tags_source]

data/lib/simp/rake/rubygem.rb

@@ -49,7 +49,11 @@ module Simp::Rake
         task :install_gem => [:clean, :gem] do
           Dir.chdir @rakefile_dir
           Dir.glob("dist/#{@package}*.gem") do |pkg|
-            sh %Q{bundle exec gem install --no-ri --no-rdoc #{pkg}}
+            if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.6')
+              sh %Q{bundle exec gem install --no-document #{pkg}}
+            else
+              sh %Q{bundle exec gem install --no-ri --no-rdoc #{pkg}}
+            end
           end
         end
       end

data/lib/simp/relchecks.rb

@@ -87,7 +87,7 @@ class Simp::RelChecks
         # determine mission-impacting files that have changed
         files_changed = `git diff tags/#{last_tag} --name-only`.strip.split("\n")
         files_changed.delete_if do |file|
-          file[0] ==  '.' or file == 'Rakefile' or file =~ /^Gemfile|^spec\/|^doc\/|^rakelib\//
+          file[0] ==  '.' or file == 'Rakefile' or file =~ /^Gemfile|^spec\/|^doc\/|^rakelib\/|.*\.md\Z/
         end
 
         if files_changed.empty?

data/lib/simp/rpm.rb

@@ -14,7 +14,6 @@ module Simp
     require 'pty'
     require 'rake'
 
-    @@gpg_keys = Hash.new
     attr_reader :verbose, :lua_debug, :packages
 
     if Gem.loaded_specs['rake'].version >= Gem::Version.new('0.9')
@@ -402,20 +401,20 @@ module Simp
       end
 
       if version_results[:exit_status] != 0
-        raise <<-EOE
-#{indent('Error getting RPM info:', 2)}
-#{indent(version_results[:stderr].strip, 5)}
-#{indent("Run '#{rpm_version_query.gsub("\n",'\\n')} #{query_source}' to recreate the issue.", 2)}
-EOE
+        raise <<~EOE
+          #{indent('Error getting RPM info for #{query_source}:', 2)}
+          #{indent(version_results[:stderr].strip, 5)}
+          #{indent("Run '#{rpm_version_query.gsub("\n",'\\n')} #{query_source}' to recreate the issue.", 2)}
+        EOE
       end
 
       unless signature_results.nil?
         if signature_results[:exit_status] != 0
-          raise <<-EOE
-#{indent('Error getting RPM signature:', 2)}
-#{indent(signature_results[:stderr].strip, 5)}
-#{indent("Run '#{rpm_signature_query.gsub("\n",'\\n')} #{query_source}' to recreate the issue.", 2)}
-EOE
+          raise <<~EOE
+            #{indent('Error getting RPM signature for #{query_source}:', 2)}
+            #{indent(signature_results[:stderr].strip, 5)}
+            #{indent("Run '#{rpm_signature_query.gsub("\n",'\\n')} #{query_source}' to recreate the issue.", 2)}
+          EOE
        else
          signature = signature_results[:stdout].strip
        end
@@ -498,120 +497,9 @@ EOE
       end
     end
 
-    # Loads metadata for a GPG key. The GPG key is to be used to sign RPMs. The
-    # value of gpg_key should be the full path of the directory where the key
-    # resides. If the metadata cannot be found, then the user will be prompted
-    # for it.
-    def self.load_key(gpg_key)
-      keydir = gpg_key
-      File.directory?(keydir) || fail("Error: Could not find '#{keydir}'")
-
-      gpg_key = File.basename(gpg_key)
-
-      if @@gpg_keys[gpg_key]
-          return @@gpg_keys[gpg_key]
-      end
-
-      gpg_name = nil
-      gpg_password = nil
-      begin
-        File.read("#{keydir}/gengpgkey").each_line do |ln|
-          name_line = ln.split(/^\s*Name-Email:/)
-          if name_line.length > 1
-            gpg_name = name_line.last.strip
-          end
-
-          passwd_line = ln.split(/^\s*Passphrase:/)
-          if passwd_line.length > 1
-            gpg_password = passwd_line.last.strip
-          end
-        end
-      rescue Errno::ENOENT
-      end
-
-      if gpg_name.nil?
-        puts "Warning: Could not find valid e-mail address for use with GPG."
-        puts "Please enter e-mail address to use:"
-        gpg_name = $stdin.gets.strip
-      end
-
-      if gpg_password.nil?
-        if File.exist?(%(#{keydir}/password))
-          gpg_password = File.read(%(#{keydir}/password)).chomp
-        end
-
-        if gpg_password.nil?
-          puts "Warning: Could not find a password in '#{keydir}/password'!"
-          puts "Please enter your GPG key password:"
-          system 'stty -echo'
-          gpg_password = $stdin.gets.strip
-          system 'stty echo'
-        end
-      end
-
-      gpg_key_size = nil
-      gpg_key_id = nil
-      %x(gpg --homedir=#{keydir} --list-keys #{gpg_name} 2>&1).each_line do |line|
-        head,data = line.split(/\s+/)
-        if head == 'pub'
-          gpg_key_size,gpg_key_id = data.split('/')
-          break
-        end
-      end
-
-      if !gpg_key_size || !gpg_key_id
-        fail("Error getting GPG Key metadata")
-      end
-
-      @@gpg_keys[gpg_key] = {
-        :dir => keydir,
-        :name => gpg_name,
-        :key_id => gpg_key_id,
-        :key_size => gpg_key_size,
-        :password => gpg_password
-      }
-    end
-
-    # Signs the given RPM with the given gpg_key (see Simp::RPM.load_key for
-    # details on the value of this parameter).
-    def self.signrpm(rpm, gpg_key)
-      gpgkey = load_key(gpg_key)
-
-      gpg_sig = nil
-      %x(rpm -Kv #{rpm}).each_line do |line|
-        if line =~ /key\sID\s(.*):/
-          gpg_sig = $1.strip
-        end
-      end
-
-      unless gpg_sig == gpgkey[:key_id]
-        signcommand = "rpm " +
-            "--define '%_signature gpg' " +
-            "--define '%__gpg %{_bindir}/gpg' " +
-            "--define '%_gpg_name #{gpgkey[:name]}' " +
-            "--define '%_gpg_path #{gpgkey[:dir]}' " +
-            "--resign #{rpm}"
-        begin
-          PTY.spawn(signcommand) do |read, write, pid|
-            begin
-              while !read.eof? do
-                read.expect(/pass\s?phrase:.*/) do |text|
-                  write.puts(gpgkey[:password])
-                  write.flush
-                end
-              end
-            rescue Errno::EIO
-              # This ALWAYS happens in Ruby 1.8.
-            end
-            Process.wait(pid)
-          end
-
-          raise "Failure running #{signcommand}" unless $?.success?
-        rescue Exception => e
-          puts "Error occured while attempting to sign #{rpm}, skipping."
-          puts e
-        end
-      end
+    # Returns the version of RPM installed on the system
+    def self.version
+      %x{rpm --version}.strip.split.last
     end
   end
 end

data/lib/simp/rpm_signer.rb

@@ -0,0 +1,321 @@
+require 'find'
+require 'parallel'
+require 'simp/rpm'
+require 'simp/command_utils'
+
+module Simp; end
+
+# Class to sign RPMs.  Uses 'gpg' and 'rpm' executables.
+class Simp::RpmSigner
+  require 'expect'
+  require 'pty'
+
+  extend Simp::CommandUtils
+
+  @@gpg_keys = Hash.new
+
+  # Kill the GPG agent operating with the specified key dir, if
+  # rpm version 4.13.0 or later.
+  #
+  # Beginning with version 4.13.0, rpm stands up a gpg-agent when
+  # a signing operation is requested.
+  def self.kill_gpg_agent(gpg_keydir)
+    return if Gem::Version.new(Simp::RPM.version) < Gem::Version.new('4.13.0')
+
+    %x(gpg-agent --homedir #{gpg_keydir} -q >& /dev/null)
+    if $? && ($?.exitstatus == 0)
+      # gpg-agent is running for specified keydir, so query it for its pid
+      output = %x{echo 'GETINFO pid' | gpg-connect-agent --homedir=#{gpg_keydir}}
+      if $? && ($?.exitstatus == 0)
+        pid = output.lines.first[1..-1].strip.to_i
+        begin
+          Process.kill(0, pid)
+          Process.kill(15, pid)
+        rescue Errno::ESRCH
+          # No longer running, so nothing to do!
+        end
+      end
+    end
+  end
+
+  # Loads metadata for a GPG key found in gpg_keydir.
+  #
+  # The GPG key is to be used to sign RPMs. If the required metadata cannot be
+  # retrieved from files found in the gpg_keydir, the user will be prompted
+  # for it.
+  #
+  # @param gpg_keydir The full path of the directory where the key resides
+  # @param verbose    Whether to log debug information.
+  #
+  # @raise If the 'gpg' executable cannot be found, the GPG key directory
+  #   does not exist or GPG key metadata cannot be determined via 'gpg'
+  #
+  def self.load_key(gpg_keydir, verbose = false)
+    which('gpg') || raise("ERROR: Cannot sign RPMs without 'gpg'")
+    File.directory?(gpg_keydir) || raise("ERROR: Could not find GPG keydir '#{gpg_keydir}'")
+
+    gpg_key = File.basename(gpg_keydir)
+
+    if @@gpg_keys[gpg_key]
+      return @@gpg_keys[gpg_key]
+    end
+
+    gpg_name = nil
+    gpg_password = nil
+    begin
+      File.read("#{gpg_keydir}/gengpgkey").each_line do |ln|
+        name_line = ln.split(/^\s*Name-Email:/)
+        if name_line.length > 1
+          gpg_name = name_line.last.strip
+        end
+
+        passwd_line = ln.split(/^\s*Passphrase:/)
+        if passwd_line.length > 1
+          gpg_password = passwd_line.last.strip
+        end
+      end
+    rescue Errno::ENOENT
+    end
+
+    if gpg_name.nil?
+      puts "Warning: Could not find valid e-mail address for use with GPG."
+      puts "Please enter e-mail address to use:"
+      gpg_name = $stdin.gets.strip
+    end
+
+    if gpg_password.nil?
+      if File.exist?(%(#{gpg_keydir}/password))
+        gpg_password = File.read(%(#{gpg_keydir}/password)).chomp
+      end
+
+      if gpg_password.nil?
+        puts "Warning: Could not find a password in '#{gpg_keydir}/password'!"
+        puts "Please enter your GPG key password:"
+        system 'stty -echo'
+        gpg_password = $stdin.gets.strip
+        system 'stty echo'
+      end
+    end
+
+    gpg_key_size = nil
+    gpg_key_id = nil
+    cmd = "gpg --with-colons --homedir=#{gpg_keydir} --list-keys '<#{gpg_name}>' 2>&1"
+    puts "Executing: #{cmd}" if verbose
+    %x(#{cmd}).each_line do |line|
+      # See https://github.com/CSNW/gnupg/blob/master/doc/DETAILS
+      # Index  Content
+      #   0    record type
+      #   2    key length
+      #   4    keyID
+      fields = line.split(':')
+      if fields[0] && (fields[0] == 'pub')
+        gpg_key_size = fields[2].to_i
+        gpg_key_id = fields[4]
+        break
+      end
+    end
+
+    if !gpg_key_size || !gpg_key_id
+      raise("Error getting GPG key ID or Key size metadata for #{gpg_name}")
+    end
+
+    @@gpg_keys[gpg_key] = {
+      :dir      => gpg_keydir,
+      :name     => gpg_name,
+      :key_id   => gpg_key_id,
+      :key_size => gpg_key_size,
+      :password => gpg_password
+    }
+  end
+
+  # Signs the given RPM with the GPG key found in gpg_keydir
+  #
+  # @param rpm          Fully qualified path to an RPM to be signed.
+  # @param gpg_keydir   The full path of the directory where the key resides.
+  # @param options      Options Hash
+  #
+  # @options options :digest_algo      Digest algorithm to use in RPM
+  #                                    signing operation; defaults to 'sha256'
+  # @options options :timeout_seconds  Timeout in seconds for an individual
+  #                                    RPM signing operation; defaults to 60.
+  # @options options :verbose          Whether to log debug information;
+  #                                    defaults to false.
+  #
+  # @return Whether package signing operation succeeded
+  # @raise RuntimeError if 'rpmsign' executable cannot be found, the 'gpg
+  #   'executable cannot be found, the GPG key directory does not exist or
+  #   the GPG key metadata cannot be determined via 'gpg'
+  def self.sign_rpm(rpm, gpg_keydir, options={})
+    # This may be a little confusing...Although we're using 'rpm --resign'
+    # in lieu of 'rpmsign --addsign', they are equivalent and the presence
+    # of 'rpmsign' is a legitimate check that the 'rpm --resign' capability
+    # is available (i.e., rpm-sign package has been installed).
+    which('rpmsign') || raise("ERROR: Cannot sign RPMs without 'rpmsign'.")
+
+    digest_algo = options.key?(:digest_algo) ?  options[:digest_algo] : 'sha256'
+    timeout_seconds = options.key?(:timeout_seconds) ?  options[:timeout_seconds] : 60
+    verbose = options.key?(:verbose) ?  options[:verbose] : false
+
+    gpgkey = load_key(gpg_keydir, verbose)
+
+    gpg_sign_cmd_extra_args = nil
+    if Gem::Version.new(Simp::RPM.version) >= Gem::Version.new('4.13.0')
+      gpg_sign_cmd_extra_args = "--define '%_gpg_sign_cmd_extra_args --pinentry-mode loopback --verbose'"
+    end
+
+    signcommand = [
+      'rpm',
+      "--define '%_signature gpg'",
+      "--define '%__gpg %{_bindir}/gpg'",
+      "--define '%_gpg_name #{gpgkey[:name]}'",
+      "--define '%_gpg_path #{gpgkey[:dir]}'",
+      "--define '%_gpg_digest_algo #{digest_algo}'",
+      gpg_sign_cmd_extra_args,
+      "--resign #{rpm}"
+    ].compact.join(' ')
+
+    success = false
+    begin
+      if verbose
+        puts "Signing #{rpm} with #{gpgkey[:name]} from #{gpgkey[:dir]}:\n  #{signcommand}"
+      end
+
+      require 'timeout'
+      # With rpm-sign-4.14.2-11.el8_0 (EL 8.0), if rpm cannot start the
+      # gpg-agent daemon, it will just hang. We need to be able to detect
+      # the problem and report the failure.
+      Timeout::timeout(timeout_seconds) do
+
+        status = nil
+        PTY.spawn(signcommand) do |read, write, pid|
+          begin
+            while !read.eof? do
+              # rpm version >= 4.13.0 will stand up a gpg-agent and so the
+              # prompt for the passphrase will only actually happen if this is
+              # the first RPM to be signed with the key after the gpg-agent is
+              # started and the key's passphrase has not been cleared from the
+              # agent's cache.
+              read.expect(/pass\s?phrase:.*/) do |text|
+                write.puts(gpgkey[:password])
+                write.flush
+              end
+            end
+          rescue Errno::EIO
+            # Will get here once input is no longer needed, which can be
+            # immediately, if a gpg-agent is already running and the
+            # passphrase for the key is loaded in its cache.
+          end
+
+          Process.wait(pid)
+          status = $?
+        end
+
+        if status && !status.success?
+          raise "Failure running <#{signcommand}>"
+        end
+      end
+
+      puts "Successfully signed #{rpm}" if verbose
+      success = true
+
+    rescue Timeout::Error
+      $stderr.puts "Failed to sign #{rpm} in #{timeout_seconds} seconds."
+    rescue Exception => e
+      $stderr.puts "Error occurred while attempting to sign #{rpm}:"
+      $stderr.puts e
+    end
+
+    success
+  end
+
+  # Signs any RPMs found within the entire rpm_dir directory tree with
+  # the GPG key found in gpg_keydir
+  #
+  # @param rpm_dir    A directory or directory glob pattern specifying 1 or
+  #                   more directories containing RPM files to sign.
+  # @param gpg_keydir The full path of the directory where the key resides
+  # @param options    Options Hash
+  #
+  # @options options :digest_algo        Digest algorithm to use in RPM
+  #                                      signing operation; defaults to
+  #                                      'sha256'
+  # @options options :force              Force RPMs that are already signed
+  #                                      to be resigned; defaults to false.
+  # @options options :max_concurrent     Maximum number of concurrent RPM
+  #                                      signing operations; defaults to 1.
+  # @options options :progress_bar_title Title for the progress bar logged to
+  #                                      the console during the signing process;
+  #                                      defaults to 'sign_rpms'.
+  # @options options :timeout_seconds    Timeout in seconds for an individual
+  #                                      RPM signing operation; defauls to 60.
+  # @options options :verbose            Whether to log debug information;
+  #                                      defaults to false.
+  #
+  # @return Hash of RPM signing results or nil if no RPMs found in rpm_dir
+  #   * Each Hash key is the path to a RPM
+  #   * Each Hash value is the status of the signing operation: :signed,
+  #     :unsigned, :skipped_already_signed
+  #
+  # @raise RuntimeError if 'rpmsign' executable cannot be found, the 'gpg'
+  #   executable cannot be found, the GPG key directory does not exist,
+  #   the GPG key metadata cannot be determined via 'gpg' or any RPM signing
+  #   operation failed
+  #
+  def self.sign_rpms(rpm_dir, gpg_keydir, options = {})
+   opts = {
+     :digest_algo        => 'sha256',
+     :force              => false,
+     :max_concurrent     => 1,
+     :progress_bar_title => 'sign_rpms',
+     :timeout_seconds    => 60,
+     :verbose            => false
+    }.merge(options)
+
+    rpm_dirs = Dir.glob(rpm_dir)
+    to_sign = []
+
+    rpm_dirs.each do |rpm_dir|
+      Find.find(rpm_dir) do |rpm|
+        next unless File.readable?(rpm)
+        to_sign << rpm if rpm =~ /\.rpm$/
+      end
+    end
+
+    return nil if to_sign.empty?
+
+    results = []
+    begin
+      results = Parallel.map(
+        to_sign,
+        :in_processes => opts[:max_concurrent],
+        :progress => opts[:progress_bar_title]
+      ) do |rpm|
+        _result = nil
+
+        begin
+          if opts[:force] || !Simp::RPM.new(rpm).signature
+            _result = [ rpm, sign_rpm(rpm, gpg_keydir, opts) ]
+            _result[1] = _result[1] ? :signed : :unsigned
+          else
+            puts "Skipping signed package #{rpm}" if opts[:verbose]
+            _result = [ rpm, :skipped_already_signed ]
+          end
+        rescue Exception => e
+          # can get here if rpm is malformed and Simp::RPM.new fails
+          $stderr.puts "Failed to sign #{rpm}:\n#{e.message}"
+          _result = [ rpm, :unsigned ]
+        end
+
+        _result
+      end
+    ensure
+      kill_gpg_agent(gpg_keydir)
+    end
+
+    results.to_h
+  end
+
+  def self.clear_gpg_keys_cache
+    @@gpg_keys.clear
+  end
+end