simp-rake-helpers 5.6.1 → 5.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 6599aea873a06ae3cfaf152334a7effee7fed04f32fa5161b424475a2e350de8
-  data.tar.gz: 7034e551215bf0636963264f2c483179368d3ca653498929b0e1b563253d6324
+SHA1:
+  metadata.gz: 81eff52b592008f011ce1cbf7906a2de2b5a0b1a
+  data.tar.gz: 8b23f1eee1426b3966dcfdd5497c12842393f54c
 SHA512:
-  metadata.gz: f336088887b860878ced18d3391cf7b682cf0cdf460827bfb3525330fc41437a76dae20ed73e1a89875b8a63cc354288746e96cffff83be400d015e898d0972b
-  data.tar.gz: 709eb08291c9944c3d3929f872bff72dc36fff4603503945e0d33f2ba06ad4569e65ac933e4d7a1e4691a671372e660f84b26222f4ce049613b7c1ca561454a6
+  metadata.gz: b95308bf18a70abc0ed3e6c9c1141a2d93657ead6538b0d3672b23653ca1b80af049a9639d32022137d1a51ffa06f7de4e3c2ffe5e168a45442ebf7b5748ac4c
+  data.tar.gz: c9d08045244a15fdd38c5ee09d1600a0d17a3dea637273fba9b3a8dcf9a1e381cfc2165da69e45f635c16bcf016596664c1e2927cd094fc725d439e45bc27277

data/.travis.yml

@@ -35,6 +35,7 @@ jobs:
 
     - stage: deploy
       rvm: 2.4.4
+      if: 'fork = false AND tag = true'
       script:
         - true
       before_deploy:

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+### 5.6.2 / 2018-10-02
+* Refactor 'dev' GPG signing key logic into `Simp::LocalGpgSigningKey`
+* Add acceptance tests for GPG logic and `rake pkg:signrpms`
+
 ### 5.6.1 / 2018-10-01
 * Ensure that modules do not contain symlinks per the standard Puppet guidance.
 * Do not try to only use the system cache for yum operations since this

data/Gemfile

@@ -2,7 +2,7 @@
 #
 # SIMP_GEM_SERVERS | a space/comma delimited list of rubygem servers
 # PUPPET_VERSION   | specifies the version of the puppet gem to load
-puppetversion = ENV.key?('PUPPET_VERSION') ? "#{ENV['PUPPET_VERSION']}" : '~> 4'
+puppetversion = ENV.key?('PUPPET_VERSION') ? "#{ENV['PUPPET_VERSION']}" : '~> 5'
 gem_sources   = ENV.key?('SIMP_GEM_SERVERS') ? ENV['SIMP_GEM_SERVERS'].split(/[, ]+/) : ['https://rubygems.org']
 
 gem_sources.each { |gem_source| source gem_source }

data/lib/simp/local_gpg_signing_key.rb

@@ -0,0 +1,273 @@
+require 'securerandom'
+require 'rake'
+
+module Simp
+  # Ensure that a valid GPG signing key exists in a local directory
+  #
+  #   This is typically used to sign packages during development.
+  #
+  #   * The signing key will be generated if it is missing or expired.
+  #   * Generated keys are short-lived (default: 14 days).
+  #   * The signing key and its related assets are completely isolated from
+  #     the user's own GPG keys, keyrings, and agent.
+  #     - All files are kept under a local directory tree.
+  #     - New keys are generated using a temporary GPG agent with its own
+  #       settings and socket.
+  #
+  #   The local signing key's directory is structured like this:
+  #
+  #   ```
+  #   #{key_name}/                        # key directory
+  #     +-- RPM-GPG-KEY-SIMP-#{key_name}  # key file
+  #     +-- gengpgkey                     # --gen-key params file **
+  #     +-- pubring.gpg
+  #     +-- secring.gpg
+  #     +-- trustring.gpg
+  #   ```
+  #
+  #   `**` = `SIMP::RPM.sign_keys` will use the values in the `gengpgkey` file
+  #     for the GPG signing key's email and passphrase
+  #
+  #   If a new key is required, a project-only `gpg-agent` daemon is momentarily
+  #   created to generate it, and destroyed after this is done.  The daemon does
+  #   not interact with any other `gpg-agent` daemons on the system--it is
+  #   launched on a random socket and keeps all its files under the
+  #   #{key_name/} directory.
+  #
+  #   When instantiated, the daemon writes an "env-file" to the #{key_name}
+  #   directory.  This file specifies the location of the daemon's socket and
+  #   pid.
+  #
+  #   A typical env-file looks like:
+  #
+  #   ```sh
+  #   GPG_AGENT_INFO=/tmp/gpg-4yhfOB/S.gpg-agent:15495:1
+  #   ```
+  #
+  #   A brand-new gpg-agent daemon will output similar information, with an
+  #   additional export:
+  #
+  #   ```sh
+  #   GPG_AGENT_INFO=/tmp/gpg-4yhfOB/S.gpg-agent:15495:1; export GPG_AGENT_INFO;\n"
+  #   ```
+  class LocalGpgSigningKey
+    include FileUtils
+
+    # `SIMP::RPM.sign_keys` will look for a 'gengpgkey' file to
+    #   non-interactively sign packages.
+    #
+    #   @see SIMP::RPM.sign_keys
+    GPG_GENKEY_PARAMS_FILENAME = 'gengpgkey'.freeze
+
+    # @param dir  [String] path to gpg-agent / key directory
+    # @param opts [Hash] optional configurations
+    #
+    # @option opts [String]  :label         Defaults to the basename of `dir` (dev)
+    # @option opts [String]  :email         (gatekeeper@simp.development.key)
+    # @option opts [String]  :file          Default based on label (RPM-GPG-KEY-SIMP-Dev)
+    # @option opts [Boolean] :verbose       (false)
+    #
+    def initialize(dir = 'dev', opts = {})
+      @dir       = File.expand_path(dir)
+      @label     = opts[:label]   || File.basename(dir.downcase)
+      @key_email = opts[:email]   || 'gatekeeper@simp.development.key'
+      @key_file  = opts[:file]    || "RPM-GPG-KEY-SIMP-#{@label.capitalize}"
+      @verbose   = opts[:verbose] || false
+
+      @gpg_agent_env_file = 'gpg-agent-info.env'
+      @gpg_agent_script   = 'run_gpg_agent'
+    end
+
+    # Returns a gpg-agent's env string, if it can be detected from the
+    #   gpg-agent-info file
+    #
+    # @return [String] if the env string was detected
+    # @return [nil]    if the env string was not detected
+    #
+    def gpg_agent_info
+      if File.exist?(@gpg_agent_env_file)
+        puts "Reading gpg_agent_info from `#{@gpg_agent_env_file}`..." if @verbose
+        info = parse_gpg_agent_info_env(File.read(@gpg_agent_env_file))
+      else
+        puts "Couldn't find a valid source to read gpg_agent_info..." if @verbose
+        info = nil
+      end
+      info
+    end
+
+    # Return the number of days left before the GPG signing key expires
+    def dev_key_days_left
+      ensure_gpg_directory
+      days_left   = 0
+      current_key = %x(GPG_AGENT_INFO='' gpg --homedir=#{@dir} --list-keys #{@key_email} 2>/dev/null)
+      unless current_key.empty?
+        lasts_until = current_key.lines.first.strip.split("\s").last.delete(']')
+        days_left = (Date.parse(lasts_until) - Date.today).to_i
+      end
+      days_left
+    end
+
+    # Remove all files under the key directory
+    def clean_gpg_agent_directory
+      puts "  Removing all files under '#{@dir}'" if @verbose
+      Dir.glob(File.join(@dir, '*')).each do |todel|
+        rm_rf(todel, :verbose => @verbose)
+      end
+    end
+
+    # Make sure the local key's directory exists and has correct permissions
+    def ensure_gpg_directory
+      mkdir_p(@dir, :verbose => @verbose)
+      chmod(0o700, @dir, :verbose => @verbose)
+    end
+
+    # Ensure that the gpg-agent is running with a dev key
+    def ensure_key
+      ensure_gpg_directory
+
+      if (days_left = dev_key_days_left) > 0
+        puts "GPG key (#{@key_email}) will expire in #{days_left} days."
+        return
+      end
+
+      Dir.chdir @dir do |_dir|
+        puts 'Creating a new dev GPG agent...'
+
+        clean_gpg_agent_directory
+        write_genkey_parameter_file
+        write_gpg_agent_startup_script
+
+        begin
+          # Start the GPG agent.
+          gpg_agent_output = %x(./#{@gpg_agent_script}).strip
+
+          # Provide a local socket (needed by the `gpg` command when
+          local_socket     = File.join(Dir.pwd, 'S.gpg-agent')
+
+          # This condition was handled differently in previous logic.
+          #
+          #   a.) As the surrounding logic works now, it will _always_ be a new
+          #       agent by this point, because the directory is cleaned out
+          #   b.) The agent's information will be read from the env-file it
+          #        writes at startup
+          #   c.) The old command `gpg-agent --homedir=#{Dir.pwd} /get serverpid`
+          #       did not work on EL6 or EL7.
+          #
+          warn(empty_gpg_agent_message) if gpg_agent_output.empty?
+
+          agent_info = gpg_agent_info
+
+          # The socket is useful to get back info on the command line.
+          unless File.exist?(File.join(Dir.pwd, File.basename(agent_info[:socket])))
+            ln_s(agent_info[:socket], local_socket, :verbose => @verbose)
+          end
+          generate_key(agent_info[:info])
+        ensure
+          kill_agent(agent_info[:pid])
+        end
+        agent_info
+      end
+    end
+
+    # Provides an informative warning message to display in the unlikely event
+    #   that a new `gpg-agent` daemon returns empty output when it is started.
+    #
+    # @return [String] Warning message
+    def empty_gpg_agent_message
+      <<-WARNING.gsub(/^\s{8}/,'')
+        WARNING: Tried to start an project-only gpg-agent daemon on a random socket by
+                 running the script:
+
+                   #{@gpg_agent_script}
+
+                 However, the script returned no output, which usually means that a GPG
+                 Agent was already running on that socket.  This is extraordinarily
+                 unlikely, and is not expected to happen.
+
+                 If the '#{@label}' GPG signing key fails to generate after this
+                 message appears, please report this issue to the SIMP project,
+                 including the OS you were were running from and its versions of the
+                 `gpg-agent` and `gpg`/`gpg2` commands.
+      WARNING
+    end
+
+    # Kills the GPG agent by pid, if it is running
+    #
+    # @param pid [String] The GPG Agent PID to kill
+    def kill_agent(pid)
+      rm('S.gpg-agent') if File.symlink?('S.gpg-agent')
+      if pid
+        Process.kill(0, pid)
+        Process.kill(15, pid)
+      end
+    rescue Errno::ESRCH
+      # Not Running, Nothing to do!
+    end
+
+    # Generate a RPM GPG signing key for local development
+    #
+    # @param gpg_agent_info_str [String] value to set the GPG_AGENT_INFO
+    #   environment variable to use in order to use the correct `gpg-agent`.
+    def generate_key(gpg_agent_info_str)
+      puts "Generating new GPG key#{@verbose ? " under '#{@dir}'" : ''}..."
+      gpg_cmd = %(GPG_AGENT_INFO=#{gpg_agent_info_str} gpg --homedir="#{@dir}")
+      pipe    = @verbose ? '| tee' : '>'
+      sh %(#{gpg_cmd} --batch --gen-key #{GPG_GENKEY_PARAMS_FILENAME})
+      sh %(#{gpg_cmd} --armor --export #{@key_email} #{pipe} "#{@key_file}")
+    end
+
+    # Return a data structure from a gpg-agent env-file formatted string.
+    #
+    # @param str [String] path to gpg-agent / key directory
+    def parse_gpg_agent_info_env(str)
+      info    = %r{^(GPG_AGENT_INFO=)?(?<info>[^;]+)}.match(str)[:info]
+      matches = %r{^(?<socket>[^:]+):(?<pid>[^:]+)}.match(info)
+      { info: info.strip, socket: matches[:socket], pid: matches[:pid].to_i }
+    end
+
+    # Write the `gpg --genkey --batch` control parameter file
+    #
+    # @see "Unattended key generation" in /usr/share/doc/gnupg2-*/DETAILS for
+    #   documentation on the command parameters format
+    def write_genkey_parameter_file
+      now               = Time.now.to_i.to_s
+      expire_date       = Date.today + 14
+      passphrase        = SecureRandom.base64(500)
+      genkey_parameters = <<-GENKEY_PARAMETERS.gsub(%r{^ {8}}, '')
+        %echo Generating Development GPG Key
+        %echo
+        %echo This key will expire on #{expire_date}
+        %echo
+        Key-Type: RSA
+        Key-Length: 4096
+        Key-Usage: sign
+        Name-Real: SIMP Development
+        Name-Comment: Development key #{now}
+        Name-Email: #{@key_email}
+        Expire-Date: 2w
+        Passphrase: #{passphrase}
+        %pubring pubring.gpg
+        %secring secring.gpg
+        # The following creates the key, so we can print "Done!" afterwards
+        %commit
+        %echo New GPG Development Key Created
+      GENKEY_PARAMETERS
+      File.open(GPG_GENKEY_PARAMS_FILENAME, 'w') { |fh| fh.puts(genkey_parameters) }
+    end
+
+    # Write a local gpg-agent daemon script file
+    def write_gpg_agent_startup_script
+      gpg_agent_script = <<-AGENT_SCRIPT.gsub(%r{^ {20}}, '')
+        #!/bin/sh
+
+        gpg-agent --homedir=#{Dir.pwd} --daemon \
+          --no-use-standard-socket --sh --batch \
+          --write-env-file "#{@gpg_agent_env_file}" \
+          --pinentry-program /usr/bin/pinentry-curses < /dev/null &
+      AGENT_SCRIPT
+
+      File.open(@gpg_agent_script, 'w') { |fh| fh.puts(gpg_agent_script) }
+      chmod(0o755, @gpg_agent_script)
+    end
+  end
+end

data/lib/simp/rake/build/pkg.rb

@@ -1,6 +1,7 @@
 #!/usr/bin/rake -T
 
 require 'simp/yum'
+require 'simp/local_gpg_signing_key.rb'
 require 'simp/rake/pkg'
 require 'simp/rake/build/constants'
 require 'simp/rake/build/rpmdeps'
@@ -105,155 +106,63 @@ module Simp::Rake::Build
           end
         end
 
-=begin
         desc <<-EOM
-          Prepare the GPG key space for a SIMP build.
+          Prepare a GPG signing key to sign build packages
+
+            * :key - the name of the directory under build/build_keys to
+                     prepare (defaults to 'dev')
+
+          When :key is `dev`, a temporary signing key is created, if needed:
+
+            - A 14-day `dev` key will be created if none exists, including:
+              - The `<build_dir>/build_keys/dev/` dir
+              - gpgagent assets to create/update the key
+
+          When :key is *not* `dev`, the logic is much stricter:
 
-          If passed anything but 'dev', will fail if the directory is not present in
-          the 'build/build_keys' directory.
+            - You must already have create `<build_dir>/build_keys/<:key>/`
+              directoy, and placed a valid GPG signing key inside
+            - If the directory or key are missing, the task will fail.
 
           ENV vars:
             - Set `SIMP_PKG_verbose=yes` to report file operations as they happen.
         EOM
-=end
         task :key_prep,[:key] => [:prep] do |t,args|
-          require 'securerandom'
-          _verbose = ENV.fetch('SIMP_PKG_verbose','no') == 'yes'
-
           args.with_defaults(:key => 'dev')
+          key = args.key
+          build_keys_dir = File.join(@build_dir, 'build_keys')
+          key_dir = File.join(build_keys_dir,key)
+          dvd_dir = @dvd_src
 
-          FileUtils.mkdir_p("#{@build_dir}/build_keys")
+          FileUtils.mkdir_p build_keys_dir
 
-          Dir.chdir("#{@build_dir}/build_keys") do
-            if (args.key != 'dev')
-              fail("Could not find GPG keydir '#{args[:key]}' in '#{Dir.pwd}'") unless File.directory?(args[:key])
+          Dir.chdir(build_keys_dir) do
+            if key == 'dev'
+              Simp::LocalGpgSigningKey.new(key_dir,{verbose: @verbose}).ensure_key
             else
-
-              mkdir('dev') unless File.directory?('dev')
-              chmod(0700,'dev')
-
-              Dir.chdir('dev') do
-                dev_email = 'gatekeeper@simp.development.key'
-                current_key = `gpg --homedir=#{Dir.pwd} --list-keys #{dev_email} 2>/dev/null`
-                days_left = 0
-                unless current_key.empty?
-                  lasts_until = current_key.lines.first.strip.split("\s").last.delete(']')
-                  days_left = (Date.parse(lasts_until) - DateTime.now).to_i
-                end
-
-                if days_left > 0
-                  puts "GPG key will expire in #{days_left} days."
-                else
-                  puts "Generating new GPG key"
-
-                  Dir.glob('*').each do |todel|
-                    rm_rf(todel, :verbose => _verbose)
-                  end
-
-                  expire_date = (DateTime.now + 14)
-                  now = Time.now.to_i.to_s
-                  dev_email = 'gatekeeper@simp.development.key'
-                  passphrase = SecureRandom.base64(500)
-
-                  gpg_infile = <<-EOM
-        %echo Generating Development GPG Key
-        %echo
-        %echo This key will expire on #{expire_date}
-        %echo
-        Key-Type: RSA
-        Key-Length: 4096
-        Key-Usage: sign
-        Name-Real: SIMP Development
-        Name-Comment: Development key #{now}
-        Name-Email: #{dev_email}
-        Expire-Date: 2w
-        Passphrase: #{passphrase}
-        %pubring pubring.gpg
-        %secring secring.gpg
-        # The following creates the key, so we can print "Done!" afterwards
-        %commit
-        %echo New GPG Development Key Created
-                  EOM
-
-                  gpg_agent_script = <<-EOM
-        #!/bin/sh
-
-        gpg-agent --homedir=#{Dir.pwd} --batch --daemon --pinentry-program /usr/bin/pinentry-curses < /dev/null &
-                  EOM
-
-                  File.open('gengpgkey','w'){ |fh| fh.puts(gpg_infile) }
-                  File.open('run_gpg_agent','w'){ |fh| fh.puts(gpg_agent_script) }
-                  chmod(0755,'run_gpg_agent')
-
-                  gpg_agent_pid = nil
-                  gpg_agent_socket = nil
-
-                  if File.exist?(%(#{ENV['HOME']}/.gnupg/S.gpg-agent))
-                    gpg_agent_socket = %(#{ENV['HOME']}/.gnupg/S.gpg-agent)
-                    gpg_agent_socket = %(#{ENV['HOME']}/.gnupg/S.gpg-agent)
-                  end
-
-                  begin
-                    unless gpg_agent_socket
-                      gpg_agent_output = %x(./run_gpg_agent).strip
-
-                      if gpg_agent_output.empty?
-                        # This is a working version of gpg-agent, that means we need to
-                        # connect to it to figure out what's going on
-
-                        gpg_agent_socket = %(#{Dir.pwd}/S.gpg-agent)
-                        gpg_agent_pid_info = %x(gpg-agent --homedir=#{Dir.pwd} /get serverpid).strip
-                        gpg_agent_pid_info =~ %r(\[(\d+)\])
-                        gpg_agent_pid = $1
-                      else
-                        # Are we running a broken version of the gpg-agent? If so, we'll
-                        # get back info on the command line.
-
-                        gpg_agent_info = gpg_agent_output.split(';').first.split('=').last.split(':')
-                        gpg_agent_socket = gpg_agent_info[0]
-                        gpg_agent_pid = gpg_agent_info[1].strip.to_i
-
-                        unless File.exist?(%(#{Dir.pwd}/#{File.basename(gpg_agent_socket)}))
-                          ln_s(gpg_agent_socket,%(#{Dir.pwd}/#{File.basename(gpg_agent_socket)}))
-                        end
-                      end
-                    end
-
-                    sh %{gpg --homedir=#{Dir.pwd} --batch --gen-key gengpgkey}
-                    %x{gpg --homedir=#{Dir.pwd} --armor --export #{dev_email} > RPM-GPG-KEY-SIMP-Dev}
-                  ensure
-                    begin
-                      rm('S.gpg-agent') if File.symlink?('S.gpg-agent')
-
-                      if gpg_agent_pid
-                        Process.kill(0,gpg_agent_pid)
-                        Process.kill(15,gpg_agent_pid)
-                      end
-                      rescue Errno::ESRCH
-                      # Not Running, Nothing to do!
-                    end
-                  end
-                end
+              unless File.directory?(key_dir)
+                fail("Could not find GPG keydir '#{key_dir}' in '#{Dir.pwd}'")
               end
             end
 
-            Dir.chdir(args[:key]) do
+            Dir.chdir(key_dir) do
               rpm_build_keys = Dir.glob('RPM-GPG-KEY-*')
+              if rpm_build_keys.empty?
+                fail("Could not find any RPM-GPG-KEY-* files in '#{key_dir}'")
+              end
 
-              fail("Could not find any RPM-GPG-KEY files in '#{Dir.pwd}'") if rpm_build_keys.empty?
-
-              # Drop the development key in the root of the ISO for convenience
-              if args[:key] == 'dev'
-                target_dir = @dvd_src
-
-                fail("Could not find directory '#{target_dir}'") unless File.directory?(target_dir)
+              # Copy development keys into the root of the ISO for convenience
+              if key == 'dev'
+                unless File.directory?(dvd_dir)
+                  fail("Could not find DVD ISO root directory '#{dvd_dir}'")
+                end
 
                 rpm_build_keys.each do |gpgkey|
-                  cp(gpgkey,target_dir, :verbose => _verbose)
+                  cp(gpgkey, dvd_dir, :verbose => @verbose)
                 end
               # Otherwise, make sure it isn't present for the build
               else
-                Dir.glob(File.join(@dvd_src,'RPM-GPG-KEY-SIMP*')).each do |to_del|
+                Dir[File.join(dvd_dir,'RPM-GPG-KEY-SIMP*')].each do |to_del|
                   rm(to_del)
                 end
               end
@@ -279,7 +188,6 @@ module Simp::Rake::Build
             fail("No RPMs found at #{rpm_dir}") if (rpms.nil? || rpms.empty?)
 
             have_signed_rpm = false
-
             Dir.chdir(rpm_dir) do
               rpms.each_key do |rpm|
                 if @verbose
@@ -335,9 +243,6 @@ module Simp::Rake::Build
         EOM
 =end
         task :build,[:docs,:key] => [:prep,:key_prep] do |t,args|
-
-          _verbose = ENV.fetch('SIMP_PKG_verbose','no') == 'yes'
-
           args.with_defaults(:key => 'dev')
           args.with_defaults(:docs => 'true')
 
@@ -603,7 +508,6 @@ module Simp::Rake::Build
             args[:aux_dir] = File.expand_path(args[:aux_dir])
           end
 
-          _verbose = ENV.fetch('SIMP_PKG_verbose','no') == 'yes'
           _repoclose_pe = ENV.fetch('SIMP_PKG_repoclose_pe','no') == 'yes'
 
           yum_conf_template = <<-EOF
@@ -644,7 +548,7 @@ protect=1
                 Find.find(base_dir) do |path|
                   if (path =~ /.*\.rpm$/) and (path !~ /.*.src\.rpm$/)
                     sym_path = "repos/base/#{File.basename(path)}"
-                    ln_s(path,sym_path, :verbose => _verbose) unless File.exists?(sym_path)
+                    ln_s(path,sym_path, :verbose => @verbose) unless File.exists?(sym_path)
                   end
                 end
               end
@@ -654,7 +558,7 @@ protect=1
                   Find.find(aux_dir) do |path|
                     if (path =~ /.*\.rpm$/) and (path !~ /.*.src\.rpm$/)
                       sym_path = "repos/lookaside/#{File.basename(path)}"
-                      ln_s(path,sym_path, :verbose => _verbose) unless File.exists?(sym_path)
+                      ln_s(path,sym_path, :verbose => @verbose) unless File.exists?(sym_path)
                     end
                   end
                 end
@@ -909,15 +813,15 @@ protect=1
             Dir.chdir(dir) do
               built_rpm = false
 
-              if _verbose
+              if @verbose
                 $stderr.puts("\nPackaging #{File.basename(dir)}")
               end
 
               # We're building a module, override anything down there
               if File.exist?('metadata.json')
                 unique_namespace = generate_namespace
-                if require_rebuild?(dir, yum_helper, { :unique_namespace => unique_namespace, :fetch => true, :verbose => _verbose, :prefix => dbg_prefix})
-                  $stderr.puts("#{dbg_prefix}Running 'rake pkg:rpm' on #{File.basename(dir)}") if _verbose
+                if require_rebuild?(dir, yum_helper, { :unique_namespace => unique_namespace, :fetch => true, :verbose => @verbose, :prefix => dbg_prefix})
+                  $stderr.puts("#{dbg_prefix}Running 'rake pkg:rpm' on #{File.basename(dir)}") if @verbose
                   Rake::Task["#{unique_namespace}:pkg:rpm"].invoke
                 else
                   # Record metadata for the downloaded RPM
@@ -929,8 +833,8 @@ protect=1
               # We're building one of the extra assets and should honor its Rakefile
               # and RPM spec file.
               elsif File.exist?('Rakefile')
-                if require_rebuild?(dir, yum_helper, { :fetch => true, :verbose => _verbose, :prefix => dbg_prefix })
-                  $stderr.puts("#{dbg_prefix}Running 'rake pkg:rpm' in #{File.basename(dir)}") if _verbose
+                if require_rebuild?(dir, yum_helper, { :fetch => true, :verbose => @verbose, :prefix => dbg_prefix })
+                  $stderr.puts("#{dbg_prefix}Running 'rake pkg:rpm' in #{File.basename(dir)}") if @verbose
                   rake_flags = Rake.application.options.trace ? '--trace' : ''
                   cmd = %{SIMP_BUILD_version=#{@simp_version} rake pkg:rpm #{rake_flags} 2>&1}
 
@@ -945,7 +849,7 @@ protect=1
                   end
 
                   unless build_success
-                    if _verbose
+                    if @verbose
                       $stderr.puts("First 'rake pkg:rpm' attempt for #{dir} failed, running bundle and trying again.")
                     end
 
@@ -981,7 +885,7 @@ protect=1
                 raise("No RPMs generated for #{dir}") if rpms.empty?
               end
 
-              if _verbose
+              if @verbose
                 rpms = Dir.glob('dist/*.rpm')
 #                $stderr.puts("#{dbg_prefix}RPMS: #{rpms.join("\n#{dbg_prefix}      ")}")
                 $stderr.puts("Finished  #{File.basename(dir)}")
@@ -1005,4 +909,5 @@ protect=1
       end
     end
   end
+
 end

data/lib/simp/rake/helpers/version.rb

@@ -2,5 +2,5 @@ module Simp; end
 module Simp::Rake; end
 
 class Simp::Rake::Helpers
-  VERSION = '5.6.1'
+  VERSION = '5.6.2'
 end

data/spec/acceptance/50_local_gpg_signing_key_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper_acceptance'
+require_relative 'support/build_user_helpers'
+
+RSpec.configure do |c|
+  c.include Simp::BeakerHelpers::SimpRakeHelpers::BuildUserHelpers
+  c.extend  Simp::BeakerHelpers::SimpRakeHelpers::BuildUserHelpers
+end
+
+# These spec tests are run from inside beaker nodesets because the logic
+# Simp::LocalGpgSigningKey relies heavily on the behavior of the local OS's
+# `gpg` and `gpg-agent` commands.  Historically, these have caused us some
+# grief due to minor inconsistencies between versions of  gpg/gpg2/gpg-agent.
+#
+# It should be possible manage GPG keys using this logic from many OSes,
+# but it's silly to try to mock them all directly in RSpec.
+describe 'rake pkg:rpm with customized content' do
+
+  def hf_cmd( hosts, cmd, env_str=nil, opts={})
+    if ENV['PUPPET_VERSION']
+      env_str ||= %(export PUPPET_VERSION='#{ENV['PUPPET_VERSION']}';)
+    end
+    on hosts, %(#{run_cmd} "cd /home/build_user/host_files; #{env_str} #{cmd}"), opts
+  end
+
+  before :all do
+    copy_host_files_into_build_user_homedir(hosts)
+    hf_cmd(hosts, "bundle --local || bundle", nil, {run_in_parallel: true})
+  end
+
+  it 'can run the os-dependent Simp::LocalGpgSigningKey spec tests' do
+    hf_cmd( hosts, "bundle exec rspec spec/lib/simp/local_gpg_signing_key_spec.rb.beaker-only" );
+  end
+end
+

data/spec/acceptance/55_build_pkg_signing_spec.rb

@@ -0,0 +1,140 @@
+require 'spec_helper_acceptance'
+require_relative 'support/build_user_helpers'
+require_relative 'support/build_project_helpers'
+
+RSpec.configure do |c|
+  c.include Simp::BeakerHelpers::SimpRakeHelpers::BuildUserHelpers
+  c.extend  Simp::BeakerHelpers::SimpRakeHelpers::BuildUserHelpers
+  c.include Simp::BeakerHelpers::SimpRakeHelpers::BuildProjectHelpers
+  c.extend  Simp::BeakerHelpers::SimpRakeHelpers::BuildProjectHelpers
+end
+
+describe 'rake pkg:signrpms' do
+  def opts
+    { run_in_parallel: true, environment: { 'SIMP_PKG_verbose' => 'yes' } }
+  end
+
+  # Clean out RPMs dir and copy in a fresh dummy RPM
+  def prep_rpms_dir(rpms_dir, src_rpms, opts = {})
+    copy_cmds = src_rpms.map { |_rpm| "cp -a '#{_rpm}' '#{rpms_dir}'" }.join('; ')
+    on(hosts, %(#{run_cmd} "rm -f '#{rpms_dir}/*'; #{copy_cmds} "), opts)
+  end
+
+  # Provides a scaffolded test project and `let` variables
+  shared_context 'a freshly-scaffolded test project' do |dir|
+    opts = {}
+    test__dir  = "#{build_user_homedir}/test--#{dir}"
+    rpms__dir  = "#{test__dir}/test.rpms"
+    src__rpm   =  "#{build_user_host_files}/spec/lib/simp/files/testpackage-1-0.noarch.rpm"
+    host__dirs = {}
+
+    hosts.each do |host|
+      dist_dir = distribution_dir(host, test__dir, opts)
+      host__dirs[host] = {
+        test_dir:  test__dir,
+        dev_keydir: "#{dist_dir}/build_keys/dev",
+        dvd_dir: "#{dist_dir}/DVD",
+      }
+      host__dirs[host.name] = host__dirs[host]
+    end
+
+    before(:all) do
+      # Scaffold a project skeleton
+      scaffold_build_project(hosts, test__dir, opts)
+
+      # Provide an RPM directory to process and a dummy RPM to sign
+      on(hosts, %(#{run_cmd} "mkdir '#{rpms__dir}'"))
+
+      # Ensure a DVD directory exists that is appropriate to each SUT
+      hosts.each do |host|
+        on(host, %(#{run_cmd} "mkdir -p '#{host__dirs[host][:dvd_dir]}'"), opts)
+      end
+    end
+
+    let(:test_dir) { test__dir }
+    let(:rpms_dir) { rpms__dir }
+    let(:src_rpm) { src__rpm }
+    let(:test_rpm) { "#{rpms__dir}/#{File.basename(src__rpm)}" }
+    let(:dirs) { host__dirs }
+  end
+
+  let(:rpm_unsigned_regex) do
+    %r{^Signature\s+:\s+\(none\)$}
+  end
+
+  let(:rpm_signed_regex) do
+    %r{^Signature\s+:\s+.*,\s*Key ID (?<key_id>[0-9a-f]+)$}
+  end
+
+  let(:expired_keydir) do
+    "#{build_user_host_files}/spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06"
+  end
+
+  shared_examples 'it creates a new GPG dev signing key' do
+    it 'creates a new GPG dev signing key' do
+      on(hosts, %(#{run_cmd} "cd '#{test_dir}'; bundle exec rake pkg:signrpms[dev,'#{rpms_dir}']"), opts)
+      hosts.each do |host|
+        expect { dev_signing_key_id(host, test_dir, opts) }.not_to(raise_error)
+      end
+    end
+  end
+
+  shared_examples 'it begins with unsigned RPMs' do
+    it 'begins with unsigned RPMs' do
+      prep_rpms_dir(rpms_dir, [src_rpm], opts)
+      rpms_before_signing = on(hosts, %(#{run_cmd} "rpm -qip '#{test_rpm}' | grep ^Signature"), opts)
+      rpms_before_signing.each do |result|
+        expect(result.stdout).to match rpm_unsigned_regex
+      end
+    end
+  end
+
+  shared_examples 'it signs RPM packages in the directory using the GPG dev signing key' do
+    it 'signs RPM packages in the directory using the GPG dev signing key' do
+      on(hosts, %(#{run_cmd} "cd '#{test_dir}'; bundle exec rake pkg:signrpms[dev,'#{rpms_dir}']"), opts)
+      rpms_after_signing = on(hosts, %(#{run_cmd} "rpm -qip '#{test_rpm}' | grep ^Signature"), opts)
+      rpms_after_signing.each do |result|
+        host = hosts_with_name(hosts, result.host).first
+        on(host, "gpg --list-keys --homedir='#{dirs[host][:dev_keydir]}'", opts)
+
+        expect(result.stdout).to match rpm_signed_regex
+        signed_rpm_data = rpm_signed_regex.match(result.stdout)
+        expect(signed_rpm_data[:key_id]).to eql dev_signing_key_id(host, test_dir, opts)
+      end
+    end
+  end
+
+  describe 'when starting without a dev key' do
+    include_context('a freshly-scaffolded test project', 'pkg-signrpms')
+    include_examples('it creates a new GPG dev signing key')
+    include_examples('it begins with unsigned RPMs')
+    include_examples('it signs RPM packages in the directory using the GPG dev signing key')
+
+    context 'when there is an unexpired GPG dev signing key' do
+      include_examples('it begins with unsigned RPMs')
+      include_examples('it signs RPM packages in the directory using the GPG dev signing key')
+    end
+  end
+
+  describe 'when starting with an expired dev key' do
+    include_context('a freshly-scaffolded test project', 'pkg-signrpms-expired_dev_key')
+
+    it 'begins with an expired GPG signing key' do
+      prep_rpms_dir(rpms_dir, [src_rpm], opts)
+      hosts.each do |host|
+        copy_expired_keydir_to_dev_cmds = [
+          "mkdir -p '$(dirname '#{dirs[host][:dev_keydir]}')'",
+          "cp -aT '#{expired_keydir}' '#{dirs[host][:dev_keydir]}'",
+          "ls -lart '#{expired_keydir}'"
+        ].join(' && ')
+        on(host, %(#{run_cmd} "#{copy_expired_keydir_to_dev_cmds}"), opts)
+        result = on(host, %(#{run_cmd} "gpg --list-keys --homedir='#{dirs[host][:dev_keydir]}'"), opts)
+        expect(result.stdout).to match(/expired: 2018-04-06/)
+      end
+    end
+
+    include_examples('it creates a new GPG dev signing key')
+    include_examples('it begins with unsigned RPMs')
+    include_examples('it signs RPM packages in the directory using the GPG dev signing key')
+  end
+end

data/spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/RPM-GPG-KEY-SIMP-Dev

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBFq1adoBEACrnso3sC9+10Z+v0m1KU1EeFFTBZve5OO9vxGDFa0GSn9aLAm7
+UQcaVxEnXeB83fKS6AndXD0tR9/ut64WYGUCIVusW7iYhUL26w5qHYfK3M8PTa/A
+mNTeV5327NmkJ8Ky5Djvx4nR43e2vhtzHK+WjfFdaFLpHqvATnQFohl/VtT8DGHg
+zB7jHnif4rWx36wS2ftJCYFAtvrTqGT1ZQ+FNT64Y5NG8U8X1DRRgOiuY7z/fXqD
+9akOglP9hhmaWBBKHySjO/7JC6SOdiNDDGD/Ay4IpYeBb1RP1WheKvrP6VNVLp3N
+wNrmZouZvh/itxrmEaeOrGkLjlpSa5BTZz+Cyrig+fR4DjeSwHrQRFsVHpzKwt01
+tBssfpvC5x23MFyEnsqaCR/XlpjE/PFG5NeNR+hwNolhGr30vbrht6iaGfAjbh8G
+V5jmYHFIdFT+Q0V3zwviCznZPSEHcjay769wp39wa0rgqG9pIX/zYTdetolI6+Mn
+3cskueoiVfSTL3iDA6rObFdg2c72JGdQpZRxr5oC5pD1ecdGULOCv47ppTQW+r8O
+cnCNotXPw/2GNoofPGP6wKx7wimUIBATn2gAGLRtXip1MyzmzCY6Hz9an+aiPlJ+
+Fo1fnJGxiiLbBwS/gPCdhrDPHFbcHjROA0i1HTnYwqvSqfdJFvXuk9oZMQARAQAB
+tE9TSU1QIERldmVsb3BtZW50IChEZXZlbG9wbWVudCBrZXkgMTUyMTgzODU1NCkg
+PGdhdGVrZWVwZXJAc2ltcC5kZXZlbG9wbWVudC5rZXk+iQI+BBMBAgApBQJatWna
+AhsDBQkAEnUABwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQciuXqAjn2uqG
+Ow/45WoHH4k06jT98uM0qTzwCMUeuNSlCLcGUw+MmcAqC00lApEzRSmTWXFJDr+E
+DMHCNTl5gK+vVXkhY/VGS+xBTrjO7Zc/jtCHIYRu92hRc18WSkfdzmP1rEnhmrrT
+sCjdbBfV5vccSG2QCsqrf8boZ25FDMUQy2yW7CYiP3jMIaWZGcN5YXmVotq4e9g7
+/9UIvoSk6ra45VXSBcfqUKDHvCn44PV7Qq3V9Z1TLRVxUIHVIujmVabUey5cSK9X
+frzg9C0q5C0ksOLeC4RhUsS/FFxPPOaZ2u/LCUCad60Pwmdfxdx8QqPHKfhW52V7
+tAtfW2LwWTu0tJ5nmUPSup12Jm36JUxZRK1bxQMgt90jL0LcY7L5VlXtaHO4sWhV
+B1rUDRyhYmLceex585IdjyUTczEwOB7FuYdF8sR0Y/5a2gZKsrDk1A5Aq2QSi7pJ
+ISFEnTfO6KRBpa4Oqo3DB5ABKqnL4aoROiqNaGp+6/Wgg7seErK6ZBDhTHqK+muF
+eBVlmei0iZa5H3BwFEtWNRjeiNaWbWqVROTchezBlu1IjDnordBHC3T7r1Wal+Mg
+boATaK9hyQfo2Gnab8IgsF+mwWYpU8lN3H/u4rEVoLr43YWDGVqaD8gcQFK7qzRq
+jwfirprHBAW567vUqgloljq9w9xsAJl4PijX6mQcIy31RQ==
+=bq4o
+-----END PGP PUBLIC KEY BLOCK-----

data/spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/gengpgkey

@@ -0,0 +1,17 @@
+        %echo Generating Development GPG Key
+        %echo
+        %echo This key will expire on 2018-04-06T20:55:54+00:00
+        %echo
+        Key-Type: RSA
+        Key-Length: 4096
+        Key-Usage: sign
+        Name-Real: SIMP Development
+        Name-Comment: Development key 1521838554
+        Name-Email: gatekeeper@simp.development.key
+        Expire-Date: 2w
+        Passphrase: rcGDDzNywQNTuRmAN145EQJBEwCtHMTNmzYtMdYin9H+VrAIwn4Facv5e6l2mvu8IkyRXL38GpJjopCN3L9Hj6Jk22xkUvOPP+sabE8zzMdJpmsO0eOoxkUM7JEj4uF2CgCC5FFnWOD2zodpBBC3EJQbfdeCrjQlNYcMrbHCz+VODDhq954ZXhM94DmE3MXKqV5FyhGCy4r3IV3nfquQsZts9hbqcJquJ7vrX3ES0LYv1h6tz9Wcm5cRXSUo8eYPY3kSeQulseeyLR1sQgaQmAqRVBWSMD2hBkV8EBHfwRnyTPgHkL990oP5t7ER08fGBTnHcqPKr23Jij9BTSDWMKkwGagLbg+kfPoLRfW7R/791Xr3tN/kb02vainGjiRHgt/VlAQluzZZ60XFnDwBk8AoOopDXTX5lUrlVUsaBOi5KtEVEHLZdVtBqANQxtlpZtUWsnvjpoBrmu85kqbXX9YEoRitraS/Y4bf5ybOkMjixjthk5vGaHFZnYwON4gEbhN1fhxN4ElPyqahLQuBRmy4cF+8YJGlsOjnaVRzgm0XFu3O1INIwC7ZejXdkKumqajSRfmPCVy8NpEAJrb5h6Z9al/3Bu2mjAPU9MfDWYgSsqvS1V40nRI6Af1uLnCupWkyrcnLnBaV7VeDf8pasI0NQ1U=
+        %pubring pubring.gpg
+        %secring secring.gpg
+        # The following creates the key, so we can print "Done!" afterwards
+        %commit
+        %echo New GPG Development Key Created

data/spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/run_gpg_agent

@@ -0,0 +1,3 @@
+        #!/bin/sh
+
+        gpg-agent --homedir=/src/build/distributions/CentOS/7/x86_64/build_keys/dev --batch --daemon --pinentry-program /usr/bin/pinentry-curses < /dev/null &

data/spec/acceptance/files/build/project_skeleton/Puppetfile.tracking

@@ -0,0 +1 @@
+# Dummy file

data/spec/acceptance/files/build/project_skeleton/README.md

@@ -0,0 +1,17 @@
+# Dummy super-release (`simp-core`) project
+
+The contents of this directory tree provide _just enough _directories and dummy
+files for a `rake -T` to avoid failing during ` Simp::Rake::Build::Helpers.new`
+
+## What this provides
+
+* A (paper-thin) dummy for a super-release project like [`simp-core`][simp-core])
+* A means to acceptance-test `simp/rake/build/helpers`
+
+## How to use this project in your acceptance tests
+
+To use this project in your acceptance tests:
+
+* `rsync` this directory tree into a test-specific directory root
+* copy in any specific assets you need for your tests
+* run `bundle exec rake <task>` to test the scenario you have modeled.

data/spec/acceptance/files/build/project_skeleton/Rakefile

@@ -0,0 +1,8 @@
+begin
+  require 'simp/rake/build/helpers'
+  BASEDIR    = File.dirname(__FILE__)
+  Simp::Rake::Build::Helpers.new( BASEDIR )
+rescue LoadError => e
+  warn "WARNING: #{e.message}"
+end
+

data/spec/acceptance/files/build/project_skeleton/src/assets/simp/build/simp.spec

@@ -0,0 +1,32 @@
+Name:           testpackage
+Version:        1
+Release:        0
+Summary:        dummy test package
+BuildArch:      noarch
+
+License:        Apache-2.0
+URL:            http://foo.bar
+
+%description
+A dummy package used to test Simp::RPM methods
+
+%prep
+exit 0
+
+%build
+exit 0
+
+
+%install
+exit 0
+
+%clean
+exit 0
+
+%files
+%doc
+
+
+%changelog
+* Wed Jun 10 2015 nobody
+- some comment

data/spec/acceptance/nodesets/default.yml

@@ -53,6 +53,7 @@ HOSTS:
       - 'runuser build_user -l -c "rvm install 2.1"'
       - 'runuser build_user -l -c "rvm use --default 2.1"'
       - 'runuser build_user -l -c "rvm all do gem install bundler"'
+      - 'yum install -y rpm-sign'
     mount_folders:
       folder1:
         host_path: ./

data/spec/acceptance/support/build_project_helpers.rb

@@ -0,0 +1,72 @@
+module Simp::BeakerHelpers::SimpRakeHelpers::BuildProjectHelpers
+  # Scaffolds _just_ enough of a super-release project to run `bundle exec rake
+  #   -T` using this repository's source code as the simp-rake-helper source
+  #
+  # @param [Host, Array<Host>, String, Symbol] hosts Beaker host/hosts/role
+  # @param [Hash{Symbol=>String}] opts Beaker options Hash for `#on` ({})
+  #
+  def scaffold_build_project(hosts, test_dir, opts = {})
+    copy_host_files_into_build_user_homedir(hosts, opts)
+    skeleton_dir = "#{build_user_host_files}/spec/acceptance/files/build/project_skeleton/"
+
+    on(hosts, %(mkdir "#{test_dir}"; chown build_user:build_user "#{test_dir}"), opts)
+    on(hosts, %(#{run_cmd} "cp -aT '#{skeleton_dir}' '#{test_dir}'"), opts)
+    gemfile = <<-GEMFILE.gsub(%r{^ {6}}, '')
+      gem_sources = ENV.fetch('GEM_SERVERS','https://rubygems.org').split(/[, ]+/)
+      gem_sources.each { |gem_source| source gem_source }
+      gem 'simp-rake-helpers', :path => '#{build_user_host_files}'
+      gem 'simp-build-helpers', ENV.fetch('SIMP_BUILD_HELPERS_VERSION', '>= 0.1.0')
+    GEMFILE
+    create_remote_file(hosts, "#{test_dir}/Gemfile", gemfile, opts)
+    on(hosts, "chown build_user:build_user #{test_dir}/Gemfile", opts)
+    on(hosts, %(#{run_cmd} "cd '#{test_dir}'; rvm use default; bundle --local || bundle"), opts)
+  end
+
+  # Returns the distribution directory path appropriate for a given SUT
+  #
+  # @example The distribution directory format looks like:
+  #
+  #     `build/distributions/CentOS/6/x86_64
+  #
+  # @param [Host, String, Symbol] host Beaker host
+  # @param [String] proj_dir Absolute path to the parent project directory
+  #   If this is set, the returned path will be absolute as well.
+  # @param [Hash{Symbol=>String}] opts Beaker options Hash for `#on` ({})
+  # @return [String] distribution directory matching the SUT's properties
+  #
+  def distribution_dir(host, proj_dir, opts = {})
+    opts ||= {}
+    @distribution_dirs ||= {}
+    return @distribution_dirs[host.to_s] if @distribution_dirs.key?(host.to_s)
+
+    result = on(host, %(#{run_cmd} 'facter --yaml'), opts.merge(silent: true))
+    facts_string = result.stdout.lines[1..-1].join
+    facts = YAML.load(facts_string)
+
+    # This logic should work regardless of the version of facter
+    name = facts['operatingsystem'] || facts['os']['name']
+    maj_rel = facts['operatingsystemmajrelease'] ||
+              facts.fetch('os', {}).fetch('release', {})['major'] ||
+              facts['operatingsystemrelease'].split('.').first
+    architecture = facts['architecture']
+
+    dir = "#{proj_dir}/build/distributions/#{name}/#{maj_rel}/#{architecture}"
+    @distribution_dirs[host.to_s] = dir
+  end
+
+  # Scans a host path for the 'SIMP Development' GPG key and returns its Key ID
+  #
+  # @param [Host, String, Symbol] host Beaker host
+  # @param [Hash{Symbol=>String}] opts Beaker options Hash for `#on` ({})
+  # @param [String] proj_dir Absolute path to the parent project directory
+  # @param [Hash{Symbol=>String}] opts Beaker options Hash for `#on` ({})
+  # @return [String] GPG dev signing Key ID
+  #
+  def dev_signing_key_id(host, proj_dir, opts = {})
+    key_dir = distribution_dir(host, proj_dir, opts) + '/build_keys/dev'
+    res = on(host, %(#{run_cmd} "gpg --list-keys --fingerprint --homedir='#{key_dir}' 'SIMP Development'"))
+    lines = res.stdout.lines.select { |x| x =~ %r{Key fingerprint =} }
+    raise "No 'SIMP Development' GPG keys found under ''" if lines.empty?
+    lines.first.strip.split(%r{\s+})[-4..-1].join.downcase
+  end
+end

data/spec/acceptance/support/build_user_helpers.rb

@@ -0,0 +1,20 @@
+module Simp::BeakerHelpers::SimpRakeHelpers::BuildUserHelpers
+  def build_user_homedir
+    '/home/build_user'
+  end
+
+  def build_user_host_files
+    "#{build_user_homedir}/host_files"
+  end
+
+  def copy_host_files_into_build_user_homedir(hosts, opts = {})
+    commands = <<-COMMANDS.gsub(/^ {6}/,'')
+      cp -aT /host_files #{build_user_host_files} ;
+      find #{build_user_host_files} \\
+        -type d -a \\( -name dist -o -name junit -o -name log \\) \\
+        -exec chmod -R go=u-w {} \\; ;
+      chown -R build_user:build_user #{build_user_host_files}
+    COMMANDS
+    on(hosts,commands,opts)
+  end
+end

data/spec/acceptance/support/pkg_rpm_helpers.rb

@@ -1,5 +1,8 @@
 module Simp::BeakerHelpers::SimpRakeHelpers::PkgRpmHelpers
 
+  require_relative 'build_user_helpers'
+  include Simp::BeakerHelpers::SimpRakeHelpers::BuildUserHelpers
+
   # rake command string to run on hosts
   # passes on useful troubleshooting env vars
   def rake_cmd
@@ -17,17 +20,6 @@ module Simp::BeakerHelpers::SimpRakeHelpers::PkgRpmHelpers
   end
 
 
-  def copy_host_files_into_build_user_homedir(
-    hosts,
-    root_dir=File.expand_path('../../../',__FILE__)
-  )
-    # I've added the `ch* -R` on the SUT-side, which seems to work on a fresh checkout
-    on hosts, 'cp -a /host_files /home/build_user/; ' +
-             'chmod -R go=u-w /home/build_user/host_files/{dist,**/dist,junit,log}; ' +
-             'chown -R build_user:build_user /home/build_user/host_files; '
-  end
-
-
   # key   = what `rpm -q --scripts` calls each scriptlet
   # value = the label passed to `simp_rpm_helper`
   def scriptlet_label_map

data/spec/acceptance/support/simp_rake_helpers.rb

@@ -0,0 +1,11 @@
+module Simp::BeakerHelpers::SimpRakeHelpers
+  # Add RSpec log comments within examples ("it blocks")
+  def comment(msg, indent = 10)
+    logger.optionally_color(Beaker::Logger::MAGENTA, ' ' * indent + msg)
+  end
+
+  # basic command + arguments for executing `runuser` within an SUT
+  def run_cmd
+    @run_cmd ||= 'runuser build_user -l -c '
+  end
+end

data/spec/lib/simp/local_gpg_signing_key_spec.rb.beaker-only

@@ -0,0 +1,96 @@
+require 'simp/local_gpg_signing_key'
+require 'spec_helper'
+require 'fileutils'
+require 'tmpdir'
+
+describe Simp::LocalGpgSigningKey do
+  include FileUtils
+
+  before :all do
+    TMP_DIR     = Dir.mktmpdir('spec_test__simp_local_gpg_signing_key')
+    TMP_DEV_DIR = File.join(TMP_DIR, 'dev')
+    OPTS        = {verbose: ENV['VERBOSE'].to_s =~ /^(yes|true)$/ }
+
+    mkdir_p TMP_DIR
+
+    # Be a good citizen and preserve pre-existing agent variables
+    ORIGINAL_GPG_AGENT_INFO = ENV['GPG_AGENT_INFO']
+  end
+
+  after :all do
+    rm_rf TMP_DIR
+
+    # Be a good citizen and preserve pre-existing agent variables
+    ENV['GPG_AGENT_INFO'] = ORIGINAL_GPG_AGENT_INFO
+  end
+
+  shared_examples_for 'it just generated a local gpg signing key' do
+    it 'creates a local gpg-agent' do
+      expect(agent_info.reject{|x| x.nil?}.keys).to include(:info, :socket, :pid)
+    end
+
+    it 'had a gpg-agent socket' do
+      socket = agent_info[:socket]
+      expect(File.absolute_path(socket.to_s)).to eq socket.to_s
+    end
+
+    it 'has killed the local gpg-agent' do
+      expect(File.exist?(agent_info[:socket])).to be false
+    end
+  end
+
+
+  shared_examples_for 'a valid gpg signing key environment' do
+    it 'has a local GPG signing key' do
+      Dir.chdir(TMP_DEV_DIR) { expect(Dir['*']).to include('RPM-GPG-KEY-SIMP-Dev') }
+    end
+
+    it 'has a populated a gpg-agent directory' do
+      Dir.chdir(TMP_DEV_DIR) do |_dir|
+        expect(Dir['*'].sort).to include(
+          'gengpgkey',
+          'pubring.gpg',
+        )
+      end
+    end
+  end
+
+  shared_examples_for 'it encountered an unexpired local gpg signing key' do
+    it 'reuses an unexpired local gpg signing key' do
+      expect{described_class.new(TMP_DEV_DIR,OPTS).ensure_key}.to output(
+        /^GPG key \(gatekeeper@simp\.development\.key\) will expire in 14 days\./
+      ).to_stdout
+    end
+
+    it 'reuses an unexpired local gpg signing key' do
+      expect{described_class.new(TMP_DEV_DIR,OPTS).ensure_key}.to output(
+        /^GPG key \(gatekeeper@simp\.development\.key\) will expire in 14 days\./
+      ).to_stdout
+    end
+  end
+
+  context '#ensure_key' do
+    before :all do
+      rm_rf   TMP_DEV_DIR
+      ENV['GPG_AGENT_INFO'] = nil
+    end
+
+    context 'when run from scratch' do
+      before :all do
+        FIRST_RUN_AGENT_INFO  = described_class.new(TMP_DEV_DIR,OPTS).ensure_key
+      end
+      let(:agent_info){ FIRST_RUN_AGENT_INFO }
+      it_behaves_like 'it just generated a local gpg signing key'
+      it_behaves_like 'a valid gpg signing key environment'
+    end
+
+    context 'when run again' do
+      before :all do
+        SECOND_RUN_AGENT_INFO = described_class.new(TMP_DEV_DIR,OPTS).ensure_key
+      end
+      let(:agent_info){ SECOND_RUN_AGENT_INFO }
+      it_behaves_like 'it encountered an unexpired local gpg signing key'
+      it_behaves_like 'a valid gpg signing key environment'
+    end
+  end
+end

data/spec/spec_helper_acceptance.rb

@@ -4,19 +4,9 @@ include Simp::BeakerHelpers
 require 'tmpdir'
 require 'pry' if ENV['PRY'] == 'yes'
 
+require 'acceptance/support/simp_rake_helpers'
 $LOAD_PATH.unshift(File.expand_path('../acceptance/support',__FILE__))
 
-module Simp::BeakerHelpers::SimpRakeHelpers
-  # Add RSpec log comments within examples ("it blocks")
-  def comment(msg, indent=10)
-    logger.optionally_color(Beaker::Logger::MAGENTA, " "*indent + msg)
-  end
-
-  # basic command + arguments for executing `runuser` within an SUT
-  def run_cmd
-    @run_cmd ||= 'runuser build_user -l -c '
-  end
-end
 
 RSpec.configure do |c|
   # provide helper methods to individual examples AND example groups

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simp-rake-helpers
 version: !ruby/object:Gem::Version
-  version: 5.6.1
+  version: 5.6.2
 platform: ruby
 authors:
 - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-02 00:00:00.000000000 Z
+date: 2018-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: simp-beaker-helpers
@@ -225,8 +225,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.0'
-description: |2
-      "simp-rake-helpers provides common methods for SIMP Rake Tasks"
+description: '    "simp-rake-helpers provides common methods for SIMP Rake Tasks"
+
+'
 email: simp@simp-project.org
 executables: []
 extensions: []
@@ -243,6 +244,7 @@ files:
 - Rakefile
 - bin/simp_rake_helpers
 - lib/simp/componentinfo.rb
+- lib/simp/local_gpg_signing_key.rb
 - lib/simp/rake.rb
 - lib/simp/rake/build/auto.rb
 - lib/simp/rake/build/build.rb
@@ -278,6 +280,8 @@ files:
 - spec/acceptance/10_pkg_rpm_spec.rb
 - spec/acceptance/20_pkg_rpm_safely_upgrading_obsolete_modules_spec.rb
 - spec/acceptance/30_pkg_misc_spec.rb
+- spec/acceptance/50_local_gpg_signing_key_spec.rb
+- spec/acceptance/55_build_pkg_signing_spec.rb
 - spec/acceptance/development/docker_env.sh
 - spec/acceptance/development/rerun_acceptance_tests.sh
 - spec/acceptance/development/vagrant_rsync.sh
@@ -285,6 +289,17 @@ files:
 - spec/acceptance/files/asset/build/asset.spec
 - spec/acceptance/files/asset_with_misordered_entries/Rakefile
 - spec/acceptance/files/asset_with_misordered_entries/build/asset_with_misordered_entries.spec
+- spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/RPM-GPG-KEY-SIMP-Dev
+- spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/gengpgkey
+- spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/pubring.gpg
+- spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/random_seed
+- spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/run_gpg_agent
+- spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/secring.gpg
+- spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06/trustdb.gpg
+- spec/acceptance/files/build/project_skeleton/Puppetfile.tracking
+- spec/acceptance/files/build/project_skeleton/README.md
+- spec/acceptance/files/build/project_skeleton/Rakefile
+- spec/acceptance/files/build/project_skeleton/src/assets/simp/build/simp.spec
 - spec/acceptance/files/custom_scriptlet_triggers/pupmod-new-package-2.1/CHANGELOG
 - spec/acceptance/files/custom_scriptlet_triggers/pupmod-new-package-2.1/Rakefile
 - spec/acceptance/files/custom_scriptlet_triggers/pupmod-new-package-2.1/build/rpm_metadata/custom/overrides
@@ -370,7 +385,10 @@ files:
 - spec/acceptance/files/testpackage_without_changelog/build/rpm_metadata/requires
 - spec/acceptance/files/testpackage_without_changelog/metadata.json
 - spec/acceptance/nodesets/default.yml
+- spec/acceptance/support/build_project_helpers.rb
+- spec/acceptance/support/build_user_helpers.rb
 - spec/acceptance/support/pkg_rpm_helpers.rb
+- spec/acceptance/support/simp_rake_helpers.rb
 - spec/lib/simp/componentinfo_changelog_regex_spec.rb
 - spec/lib/simp/componentinfo_spec.rb
 - spec/lib/simp/files/build/testpackage.spec
@@ -429,6 +447,7 @@ files:
 - spec/lib/simp/files/testpackage-dist.spec
 - spec/lib/simp/files/testpackage-multi.spec
 - spec/lib/simp/files/testpackage.spec
+- spec/lib/simp/local_gpg_signing_key_spec.rb.beaker-only
 - spec/lib/simp/rake/build/files/changed_name_mod/metadata.json
 - spec/lib/simp/rake/build/files/dependencies.yaml
 - spec/lib/simp/rake/build/files/malformed_dep_meta_mod/metadata.json
@@ -506,7 +525,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 2.6.14.1
 signing_key: 
 specification_version: 4
 summary: SIMP rake helpers