simp-rake-helpers 5.11.6 → 5.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cd1fc58d4764acdc2a2160e63a50a2a16015c1dd2a41f7b530baad394d6a397e
-  data.tar.gz: 6f322c3850b40ff56c8aa49a86146a176311e999495ada8cc8270ecf806f2d81
+  metadata.gz: 1d979c12113e415884ec44b2880134bde9e20a3efc99495520e3518a994118f6
+  data.tar.gz: f9da255f0c077f662f00757ca2428b9375b1b4bd2d39de1b484c1a047d87c1f4
 SHA512:
-  metadata.gz: d58adb8bae7eba07b696cbfd3add6ce335672a7ddc6d9063f6057ca3da8f23e5492d6cecb805afe13104f377fac3c16cc38a8925791eef9c3f2543017c609bcf
-  data.tar.gz: baaf3228b15df258dcdd6030f7fa95d995ac4a08cf735218cbc941543eef389c881f9f31bed619d605b230da154fee39353eabcebb9165cbb70f3b44b88e595a
+  metadata.gz: 493c503f1ead3608b3718e113188ef08af8905d96fd7297f439adc4809c44e70f4ec6b1c3d08c1eb09458ef4ab1499db61ec3519f1d18ab297e1b8812c5620d1
+  data.tar.gz: bf8bd8cbbf5c36ac268a23e346554a6f7132523f5f32a3f76162fdc8d77dd01898362d51dadd6012e2e07efb08e61737c1398c123e09092b422b94e631a0b43a

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+### 5.12.0 / 2021-02-16
+- Ensure that pkg:install_gem uses the correct documentation options for the
+  version of Ruby in use.
+- Disable brp-mangle-shebangs when building RPMs.
+- Mitigated problem where gpg-agent daemon fails to start because
+  its socket path is longer than 108 characters.
+  - Changed the default location of the GPG keys directory used in the
+    pkg:key_prep and pkg:signrpms Rake tasks to <base_dir>/.dev_gpgkeys.
+  - Added a SIMP_PKG_build_keys_dir environment variable that overrides
+    the default location of the GPG keys directory used in the
+    pkg:key_prep and pkg:signrpms Rake tasks.
+- Added SIMP_PKG_rpmsign_timeout environment variable that overrides
+  default timeout in seconds to wait for an individual RPM signing
+  operation to complete.
+  - Default timeout is 30 seconds.
+  - Most relevant when signing on RPMs on EL8 and the gpg-agent
+    started by rpmsign fails to start, but rpmsign does not detect
+    the failure and hangs.
+- Improved pkg:signrpms error handling and reporting.
+- Fixed bug in GPG handling for GPG 2.1+ in which an existing
+  GPG key that was not cached internally was not detected.
+- Fixed bug where pkg:signrpms failed to sign RPMs on EL8.
+- Fixed bug where pkg:checksig reported failure on EL8, even when
+  the signatures were valid.
+- Deprecated the following top-level Rake tasks for Puppet modules:
+  - compare_latest_tag: use pkg:compare_latest_tag instead
+  - changelog_annotation: use pkg:create_tag_changelog instead
+
 ### 5.11.6 / 2021-02-03
 * Fix GPG handling for GPG 2.1+
 

data/CONTRIBUTING.md

@@ -1,4 +1,4 @@
 ## Contributing
 
-Please refer to the main [SIMP Project Contributing Guide](https://github.com/NationalSecurityAgency/SIMP/blob/master/CONTRIBUTING.md)
+Please refer to the main [SIMP Project Contributing Guide](https://simp-doc.readthedocs.io/en/stable/contributors_guide/index.html)
 for details on contributing to this project.

data/README.md

@@ -39,7 +39,7 @@ The `simp-rake-helpers` gem provides common Rake tasks to support the SIMP build
 
 ### This gem is part of SIMP
 
-This gem is part of (the build tooling for) the [System Integrity Management Platform](https://github.com/NationalSecurityAgency/SIMP), a compliance-management framework built on [Puppet](https://puppetlabs.com/).
+This gem is part of (the build tooling for) the [System Integrity Management Platform](https://simp-project.com), a compliance-management framework built on [Puppet](https://puppetlabs.com/).
 
 
 ### Features

data/lib/simp/command_utils.rb

@@ -0,0 +1,21 @@
+module Simp; end
+module Simp::CommandUtils
+  require 'facter'
+
+  def which(cmd, fail=false)
+    @which_cache ||= {}
+
+    if @which_cache.has_key?(cmd)
+      command = @which_cache[cmd]
+    else
+      command = Facter::Core::Execution.which(cmd)
+      @which_cache[cmd] = command
+    end
+
+    msg = "Warning: Command #{cmd} not found on the system."
+
+    ( fail ? raise(msg) : warn(msg) ) unless command
+
+    command
+  end
+end

data/lib/simp/local_gpg_signing_key.rb

@@ -1,5 +1,6 @@
 require 'securerandom'
 require 'rake'
+require 'simp/command_utils'
 
 module Simp
   # Ensure that a valid GPG signing key exists in a local directory
@@ -14,49 +15,52 @@ module Simp
   #     - New keys are generated using a temporary GPG agent with its own
   #       settings and socket.
   #
-  #   The local signing key's directory is structured like this:
+  #   The local signing key's directory includes the following:
+  #   gpg < 2.1.0 (EL7):
   #
   #   ```
   #   #{key_name}/                        # key directory
   #     +-- RPM-GPG-KEY-SIMP-#{key_name}  # key file
   #     +-- gengpgkey                     # --gen-key params file **
+  #     +-- gpg-agent-info.env            # Lists location of gpg-agent socket + pid
+  #     +-- run_gpg_agnet                 # Script used to start gpg-agent
   #     +-- pubring.gpg
   #     +-- secring.gpg
-  #     +-- trustring.gpg
+  #     +-- trustdb.gpg
   #   ```
   #
-  #   `**` = `SIMP::RPM.sign_keys` will use the values in the `gengpgkey` file
+  #   gpg >= 2.1.0 (EL8):
+  #   ```
+  #   #{key_name}/                        # key directory
+  #     +-- RPM-GPG-KEY-SIMP-#{key_name}  # key file
+  #     +-- gengpgkey                     # --gen-key params file **
+  #     +-- openpgp-revocs.d/<fingerprint id>.rev
+  #     +-- private-keys-v1.d/<user id>.key
+  #     +-- pubring.kbx
+  #     +-- trustdb.gpg
+  #   ```
+  #
+  #   `**` = `SIMP::RpmSigner.sign_rpms` will use the values in the `gengpgkey` file
   #     for the GPG signing key's email and passphrase
   #
   #   If a new key is required, a project-only `gpg-agent` daemon is momentarily
   #   created to generate it, and destroyed after this is done.  The daemon does
-  #   not interact with any other `gpg-agent` daemons on the system--it is
-  #   launched on a random socket and keeps all its files under the
-  #   #{key_name/} directory.
-  #
-  #   When instantiated, the daemon writes an "env-file" to the #{key_name}
-  #   directory.  This file specifies the location of the daemon's socket and
-  #   pid.
-  #
-  #   A typical env-file looks like:
-  #
-  #   ```sh
-  #   GPG_AGENT_INFO=/tmp/gpg-4yhfOB/S.gpg-agent:15495:1
-  #   ```
+  #   not interact with any other `gpg-agent` daemons on the system. It is
+  #   launched on random socket(s) whose socket file(s) can be found as follows:
   #
-  #   A brand-new gpg-agent daemon will output similar information, with an
-  #   additional export:
+  #   Location                           Environment
+  #   #{key_name} dir                    Docker container for EL8
+  #   temp dir in /run/user/<uid>/gnupg  EL8
+  #   temp dir in /tmp                   EL7
   #
-  #   ```sh
-  #   GPG_AGENT_INFO=/tmp/gpg-4yhfOB/S.gpg-agent:15495:1; export GPG_AGENT_INFO;\n"
-  #   ```
   class LocalGpgSigningKey
     include FileUtils
+    include Simp::CommandUtils
 
-    # `SIMP::RPM.sign_keys` will look for a 'gengpgkey' file to
+    # `SIMP::RpmSigner.sign_rpms` will look for a 'gengpgkey' file to
     #   non-interactively sign packages.
     #
-    #   @see SIMP::RPM.sign_keys
+    #   @see SIMP::RpmSigner.sign_rpms
     GPG_GENKEY_PARAMS_FILENAME = 'gengpgkey'.freeze
 
     # @param dir  [String] path to gpg-agent / key directory
@@ -74,11 +78,12 @@ module Simp
       @key_file  = opts[:file]    || "RPM-GPG-KEY-SIMP-#{@label.capitalize}"
       @verbose   = opts[:verbose] || false
 
+      # for EL7 only
       @gpg_agent_env_file = 'gpg-agent-info.env'
       @gpg_agent_script   = 'run_gpg_agent'
     end
 
-    # Return the version of GPG instealled on the system
+    # Return the version of GPG installed on the system
     #
     # @return [Gem::Version]
     def gpg_version
@@ -111,17 +116,45 @@ module Simp
       info
     end
 
-    # Return the number of days left before the GPG signing key expires
+    # Return the number of days left before the GPG signing key expires or
+    # 0 if the key does not exist or the key is missing an expiration date.
     def dev_key_days_left
+      which('gpg', true)
       ensure_gpg_directory
-      days_left   = 0
 
-      which('gpg', true)
-      current_key = %x(GPG_AGENT_INFO='' gpg --homedir=#{@dir} --list-keys #{@key_email} 2>/dev/null)
-      unless current_key.empty?
-        lasts_until = current_key.lines.first.strip.split("\s").last.delete(']')
-        days_left = (Date.parse(lasts_until) - Date.today).to_i
+      days_left = 0
+      cmd = "gpg --with-colons --homedir=#{@dir} --list-keys '<#{@key_email}>' 2>&1"
+      puts "Executing: #{cmd}" if @verbose
+      %x(#{cmd}).each_line do |line|
+        # See https://github.com/CSNW/gnupg/blob/master/doc/DETAILS
+        # Index  Content
+        #   0    record type
+        #   6    expiration date
+        #
+        # If expiration date contains a 'T', it is in an ISO 8601 format
+        # (e.g., 20210223T091500). Otherwise it is seconds since the epoch.
+        #
+        fields = line.split(':')
+        if fields[0] && (fields[0] == 'pub')
+          raw_exp_date = fields[6]
+          unless raw_exp_date.nil? || raw_exp_date.strip.empty?
+            require 'date'
+
+            exp_date = nil
+            if raw_exp_date.include?('T')
+              exp_date = DateTime.parse(raw_exp_date).to_date
+            else
+              exp_date = Time.at(raw_exp_date.to_i).to_date
+            end
+
+            days_left = (exp_date - Date.today).to_i
+            days_left = 0 if days_left < 0
+          end
+
+          break
+        end
       end
+
       days_left
     end
 
@@ -153,55 +186,16 @@ module Simp
 
         clean_gpg_agent_directory
         write_genkey_parameter_file
-        write_gpg_agent_startup_script
 
+        agent_info = nil
         begin
           if gpg_version < Gem::Version.new('2.1')
-            # Start the GPG agent.
-            gpg_agent_output = %x(./#{@gpg_agent_script}).strip
-
-            # Provide a local socket (needed by the `gpg` command when
-            local_socket = File.join(Dir.pwd, 'S.gpg-agent')
-
-            # This condition was handled differently in previous logic.
-            #
-            #   a.) As the surrounding logic works now, it will _always_ be a new
-            #       agent by this point, because the directory is cleaned out
-            #   b.) The agent's information will be read from the env-file it
-            #        writes at startup
-            #   c.) The old command `gpg-agent --homedir=#{Dir.pwd} /get serverpid`
-            #       did not work on EL6 or EL7.
-            #
-            warn(empty_gpg_agent_message) if gpg_agent_output.empty?
-
-            agent_info = gpg_agent_info
-
-            # The socket is useful to get back info on the command line.
-            unless File.exist?(File.join(Dir.pwd, File.basename(agent_info[:socket])))
-              ln_s(agent_info[:socket], local_socket, :verbose => @verbose)
-            end
-
-            generate_key(agent_info[:info])
+            agent_info = start_gpg_agent_old
           else
-            which('gpg', true)
-            which('gpg-agent', true)
-            which('gpg-connect-agent', true)
-
-            # Start the GPG agent
-            %x{gpg-agent --homedir=#{Dir.pwd} >&/dev/null || gpg-agent --homedir=#{Dir.pwd} --daemon >&/dev/null}
-
-            agent_info = {}
-
-            # Provide a local socket (needed by the `gpg` command when
-            agent_info[:socket] = %x{echo 'GETINFO socket_name' | gpg-connect-agent --homedir=#{Dir.pwd}}.lines.first[1..-1].strip
-
-            # Get the pid
-            agent_info[:pid] = %x{echo 'GETINFO pid' | gpg-connect-agent --homedir=#{Dir.pwd}}.lines.first[1..-1].strip.to_i
-
-            generate_key(%{#{agent_info[:socket]}:#{agent_info[:pid]}:1})
+            agent_info = start_gpg_agent
           end
         ensure
-          kill_agent(agent_info[:pid])
+          kill_agent(agent_info[:pid]) if agent_info
         end
 
         agent_info
@@ -213,7 +207,7 @@ module Simp
     #
     # @return [String] Warning message
     def empty_gpg_agent_message
-      <<-WARNING.gsub(/^\s{8}/,'')
+      <<~WARNING
         WARNING: Tried to start an project-only gpg-agent daemon on a random socket by
                  running the script:
 
@@ -234,7 +228,6 @@ module Simp
     #
     # @param pid [String] The GPG Agent PID to kill
     def kill_agent(pid)
-      rm('S.gpg-agent') if File.symlink?('S.gpg-agent')
       if pid
         Process.kill(0, pid)
         Process.kill(15, pid)
@@ -254,8 +247,8 @@ module Simp
       gpg_cmd = %(GPG_AGENT_INFO=#{gpg_agent_info_str} gpg --homedir="#{@dir}")
 
       pipe    = @verbose ? '| tee' : '>'
-      sh %(#{gpg_cmd} --batch --gen-key #{GPG_GENKEY_PARAMS_FILENAME})
-      sh %(#{gpg_cmd} --armor --export #{@key_email} #{pipe} "#{@key_file}")
+      %x(#{gpg_cmd} --batch --gen-key #{GPG_GENKEY_PARAMS_FILENAME})
+      %x(#{gpg_cmd} --armor --export '<#{@key_email}>' #{pipe} "#{@key_file}")
 
       if File.stat(@key_file).size == 0
         fail "Error: Something went wrong generating #{@key_file}"
@@ -271,6 +264,62 @@ module Simp
       { info: info.strip, socket: matches[:socket], pid: matches[:pid].to_i }
     end
 
+    # Start the gpg-agent
+    # @return Hash of agent info
+    # @raise if gpg-agent fails to start
+    def start_gpg_agent
+      which('gpg', true)
+      which('gpg-agent', true)
+      which('gpg-connect-agent', true)
+
+      # Start the GPG agent, if it is not already running
+      check_agent = "gpg-agent -q --homedir=#{Dir.pwd} >&/dev/null"
+      start_agent = "gpg-agent --homedir=#{Dir.pwd} --daemon >&/dev/null"
+      cmd = "#{check_agent} || #{start_agent}"
+      puts "Executing: #{cmd}" if @verbose
+      %x(#{cmd})
+      if $? && ($?.exitstatus != 0)
+        err_msg = [
+          'Failed to start gpg-agent during key creation.',
+          "  Execute '#{start_agent.gsub(' >&/dev/null','')}' to debug."
+        ].join("\n")
+        raise(err_msg)
+      end
+
+      agent_info = {}
+
+      # Provide a local socket (needed by the `gpg` command when
+      agent_info[:socket] = %x{echo 'GETINFO socket_name' | gpg-connect-agent --homedir=#{Dir.pwd}}.lines.first[1..-1].strip
+
+      # Get the pid
+      agent_info[:pid] = %x{echo 'GETINFO pid' | gpg-connect-agent --homedir=#{Dir.pwd}}.lines.first[1..-1].strip.to_i
+
+      generate_key(%{#{agent_info[:socket]}:#{agent_info[:pid]}:1})
+
+      agent_info
+    end
+
+    # Start the gpg-agent with options suitable for gpg version < 2.1
+    # @return Hash of agent info
+    def start_gpg_agent_old
+      write_gpg_agent_startup_script
+      gpg_agent_output = %x(./#{@gpg_agent_script}).strip
+
+      # By the time we get here, we can be assured we will be starting a
+      # new agent, because the directory is cleaned out.
+      #
+      # Follow-on gpg actions will read the agent's information from
+      # the env-file the agent writes at startup.
+
+      # We're using the --sh option which will spew out the agent config
+      # when the agent starts. If it is empty, this is a problem.
+      warn(empty_gpg_agent_message) if gpg_agent_output.empty?
+
+      agent_info = gpg_agent_info
+      generate_key(agent_info[:info])
+      agent_info
+    end
+
     # Write the `gpg --genkey --batch` control parameter file
     #
     # @see "Unattended key generation" in /usr/share/doc/gnupg2-*/DETAILS for
@@ -311,7 +360,7 @@ module Simp
       which('gpg-agent', true)
       pinentry_cmd = which('pinentry-curses', true)
 
-      gpg_agent_script = <<-AGENT_SCRIPT.gsub(%r{^ {20}}, '')
+      gpg_agent_script = <<~AGENT_SCRIPT
         #!/bin/sh
 
         gpg-agent --homedir=#{Dir.pwd} --daemon \

data/lib/simp/rake.rb

@@ -9,9 +9,12 @@ module Simp::Rake
   require 'parallel'
   require 'tempfile'
   require 'facter'
+  require 'simp/command_utils'
   require 'simp/rpm'
   require 'simp/rake/pkg'
 
+  include Simp::CommandUtils
+
   attr_reader(:puppetfile)
   attr_reader(:module_paths)
 
@@ -96,23 +99,6 @@ module Simp::Rake
     exec pager rescue exec "/bin/sh", "-c", pager
   end
 
-  def which(cmd, fail=false)
-    @which_cache ||= {}
-
-    if @which_cache.has_key?(cmd)
-      command = @which_cache[cmd]
-    else
-      command = Facter::Core::Execution.which(cmd)
-      @which_cache[cmd] = command
-    end
-
-    msg = "Warning: Command #{cmd} not found on the system."
-
-    fail ? raise(msg) : warn(msg) unless command
-
-    command
-  end
-
   def help
     run_pager
 

data/lib/simp/rake/build/pkg.rb

@@ -1,7 +1,6 @@
 #!/usr/bin/rake -T
 
 require 'simp/yum'
-require 'simp/local_gpg_signing_key.rb'
 require 'simp/rake/pkg'
 require 'simp/rake/build/constants'
 require 'simp/rake/build/rpmdeps'
@@ -17,9 +16,18 @@ module Simp::Rake::Build
     def initialize( base_dir )
       init_member_vars( base_dir )
 
+      @cpu_limit = get_cpu_limit
       @verbose = ENV.fetch('SIMP_PKG_verbose','no') == 'yes'
       @rpm_build_metadata = 'last_rpm_build_metadata.yaml'
       @rpm_dependency_file = File.join(@base_dir, 'build', 'rpm', 'dependencies.yaml')
+      @build_keys_dir = ENV.fetch('SIMP_PKG_build_keys_dir', File.join(@base_dir, '.dev_gpgkeys'))
+      @long_gpg_socket_err_msg = <<~EOM
+        If the problem is 'socket name <xxx> is too long', use SIMP_PKG_build_keys_dir
+        to override
+        #{@build_keys_dir}
+        with a shorter path. The socket name must be < 108 characters.
+
+      EOM
 
       define_tasks
     end
@@ -66,7 +74,7 @@ module Simp::Rake::Build
           @build_dirs.each_pair do |k,dirs|
             Parallel.map(
               Array(dirs),
-              :in_processes => get_cpu_limit,
+              :in_processes => @cpu_limit,
               :progress => t.name
             ) do |dir|
               Dir.chdir(dir) do
@@ -95,7 +103,7 @@ module Simp::Rake::Build
           @build_dirs.each_pair do |k,dirs|
             Parallel.map(
               Array(dirs),
-              :in_processes => get_cpu_limit,
+              :in_processes => @cpu_limit,
               :progress => t.name
             ) do |dir|
               Dir.chdir(dir) do
@@ -109,36 +117,49 @@ module Simp::Rake::Build
         desc <<-EOM
           Prepare a GPG signing key to sign build packages
 
-            * :key - the name of the directory under build/build_keys to
-                     prepare (defaults to 'dev')
+            * :key - the name of the build keys subdirectory to prepare
+              (defaults to 'dev')
+
+              - The default build keys directory is
+                `#{@build_keys_dir}`
+
 
           When :key is `dev`, a temporary signing key is created, if needed:
 
-            - A 14-day `dev` key will be created if none exists, including:
-              - The `<build_dir>/build_keys/dev/` dir
-              - gpgagent assets to create/update the key
+            * A 14-day `dev` key will be created if none exists or the existing
+              key has expired.  This includes creating
+              - A `dev` directory in the build keys directory
+              - gpg-agent assets to create/update the key within that `dev`
+                directory
 
           When :key is *not* `dev`, the logic is much stricter:
 
-            - You must already have create `<build_dir>/build_keys/<:key>/`
-              directoy, and placed a valid GPG signing key inside
+            - You must already have created the `<:key>` subdirectory within
+              the build keys directory and placed a valid GPG signing key and
+              requisite gpg-agent assets to access the key within the directory.
             - If the directory or key are missing, the task will fail.
 
           ENV vars:
             - Set `SIMP_PKG_verbose=yes` to report file operations as they happen.
+            - Set `SIMP_PKG_build_keys_dir` to override the default build keys path.
         EOM
         task :key_prep,[:key] => [:prep] do |t,args|
           args.with_defaults(:key => 'dev')
           key = args.key
-          build_keys_dir = File.join(@build_dir, 'build_keys')
-          key_dir = File.join(build_keys_dir,key)
+          key_dir = File.join(@build_keys_dir,key)
           dvd_dir = @dvd_src
 
-          FileUtils.mkdir_p build_keys_dir
+          FileUtils.mkdir_p @build_keys_dir
 
-          Dir.chdir(build_keys_dir) do
+          Dir.chdir(@build_keys_dir) do
             if key == 'dev'
-              Simp::LocalGpgSigningKey.new(key_dir,{verbose: @verbose}).ensure_key
+              require 'simp/local_gpg_signing_key'
+
+              begin
+                Simp::LocalGpgSigningKey.new(key_dir,{verbose: @verbose}).ensure_key
+              rescue Exception => e
+                raise("#{e.message}\n\n#{@long_gpg_socket_err_msg}")
+              end
             else
               unless File.directory?(key_dir)
                 fail("Could not find GPG keydir '#{key_dir}' in '#{Dir.pwd}'")
@@ -356,41 +377,79 @@ module Simp::Rake::Build
           Sign a set of RPMs.
 
             Signs any unsigned RPMs in the specified directory
-              * :key - The key directory to use under #{@build_dir}/build_keys
-                * Defaults to #{File.join(File.dirname(@rpm_dir), '*RPMS')}
+              * :key - The key directory to use under the build keys directory
+                * key defaults to 'dev'
+                * build keys directory defaults to
+                  `#{@build_keys_dir}`
               * :rpm_dir - A directory containing RPM files to sign. Will recurse!
-                * Defaults to 'dev'
+                * Defaults to #{File.join(File.dirname(@rpm_dir), '*RPMS')}
               * :force - Force rpms that are already signed to be resigned
                 * Defaults to 'false', can be enabled with 'true'
+              * :digest_algo - Digest algorithm to be used when signing the RPMs
+                * Defaults to 'sha256'
+
+          ENV vars:
+            * Set `SIMP_RPM_verbose=yes` to report RPM operations as they happen.
+            * Set `SIMP_PKG_build_keys_dir` to override the default build keys path.
+            * Set `SIMP_PKG_rpmsign_timeout` to override the maximum time in seconds
+              to wait for an individual RPM signing operation to complete.
+              - Defaults to 60 seconds.
         EOM
-        task :signrpms,[:key,:rpm_dir,:force] => [:prep,:key_prep] do |t,args|
-          which('rpmsign') || raise(StandardError, 'Could not find rpmsign on your system. Exiting.')
+        task :signrpms,[:key,:rpm_dir,:force,:digest_algo] => [:prep,:key_prep] do |t,args|
+          require 'simp/rpm_signer'
 
           args.with_defaults(:key => 'dev')
           args.with_defaults(:rpm_dir => File.join(File.dirname(@rpm_dir), '*RPMS'))
           args.with_defaults(:force => 'false')
+          args.with_defaults(:digest_algo => 'sha256')
 
           force = (args[:force].to_s == 'false' ? false : true)
+          timeout = ENV['SIMP_PKG_rpmsign_timeout'] ? ENV['SIMP_PKG_rpmsign_timeout'].to_i : 60
+
+          opts = {
+            :digest_algo        => args[:digest_algo],
+            :force              => force,
+            :max_concurrent     => @cpu_limit,
+            :progress_bar_title => t.name,
+            :timeout_seconds    => timeout,
+            :verbose            => @verbose
+          }
 
-          rpm_dirs = Dir.glob(args[:rpm_dir])
-          to_sign = []
+          results = nil
+          begin
+            results = Simp::RpmSigner.sign_rpms(
+              args[:rpm_dir],
+              File.join(@build_keys_dir, args[:key]),
+              opts
+            )
+          rescue Exception => e
+            raise("#{e.message}\n\n#{@long_gpg_socket_err_msg}")
+          end
 
-          rpm_dirs.each do |rpm_dir|
-            Find.find(rpm_dir) do |rpm|
-              next unless File.readable?(rpm)
-              to_sign << rpm if rpm =~ /\.rpm$/
+          if results
+            successes = results.select { |rpm,status| status == :signed }
+            failures = results.select { |rpm,status| status == :unsigned }
+            already_signed = results.select { |rpm,status| status == :skipped_already_signed }
+
+            if opts[:verbose]
+              puts
+              puts 'Summary'
+              puts '======='
+              puts "# RPMs already signed:      #{already_signed.size}"
+              puts "# RPMs successfully signed: #{successes.size}"
+              puts "# RPM signing failures:     #{failures.size}"
+              puts
             end
-          end
 
-          Parallel.map(
-            to_sign,
-            :in_processes => get_cpu_limit,
-            :progress => t.name
-          ) do |rpm|
-            rpm_info = Simp::RPM.new(rpm)
-
-            if force || !rpm_info.signature
-              Simp::RPM.signrpm(rpm, "#{@build_dir}/build_keys/#{args[:key]}")
+            if !failures.empty?
+              if ((results.size - already_signed.size) == (failures.size))
+                detail = already_signed.empty? ? '' : 'unsigned '
+                raise("ERROR: Failed to sign all #{detail}RPMs in #{args[:rpm_dir]}")
+              else
+                err_msg = "ERROR: Failed to sign some RPMs in #{args[:rpm_dir]}:\n"
+                err_msg += "  #{failures.keys.join("\n  ")}"
+                raise(err_msg)
+              end
             end
           end
         end
@@ -446,7 +505,9 @@ module Simp::Rake::Build
                 $stderr.puts "pkg:checksig: Warning no GPG keys found in #{key_dirs_tried}"
               end
             end
-            public_keys += Dir.glob(File.join(@build_dir, 'build_keys', '*', 'RPM-GPG-KEY*'))
+
+            # be sure to include any development keys packaged with the DVD
+            public_keys += Dir.glob(File.join(@dvd_src, 'RPM-GPG-KEY*'))
 
             # Only import thngs that look like GPG keys...
             public_keys.each do |key|
@@ -464,8 +525,9 @@ module Simp::Rake::Build
             rpm_dirs.each do |rpm_dir|
               Find.find(rpm_dir) do |path|
                 if (path =~ /.*\.rpm$/)
-                  result = %x{#{rpm_cmd} --checksig #{path}}.strip
-                  if result !~ /:.*\(\S+\).* OK$/
+                  %x{#{rpm_cmd} --checksig #{path}}.strip
+                  result = $?
+                  unless result && (result.exitstatus == 0)
                     bad_rpms << path.split(/\s/).first
                   end
                 end
@@ -862,7 +924,7 @@ protect=1
           Parallel.map(
             # Allow for shell globs
             Array(dirs),
-            :in_processes => get_cpu_limit,
+            :in_processes => @cpu_limit,
             :progress => task.name
           ) do |dir|
             fail("Could not find directory #{dir}") unless Dir.exist?(dir)