# File 'lib/packaging/sign/ips.rb', line 4
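# Sign every Solaris 11 IPS archive (*.p5p) found under +packages_root+.
#
# For each archive the method creates a scratch directory on the signing
# server, uploads the archive, imports it into a temporary pkg repository,
# runs pkgsign against that repository, exports the result to a new archive,
# checks that the exported manifest contains a "signature" action, and hands
# the signed archive to rsync_from with the local archive's directory as the
# destination.
#
# Security-relevant behaviour:
# * Archive file names are taken from the local build tree and end up inside
#   command lines that run under sudo on the signing server, so the name is
#   shell-escaped before it is interpolated.
# * The remote scratch directory is removed on the failure path as well, so
#   unsigned archives and half-built repositories do not pile up on the host
#   that holds the signing key.
# * The verification step only shows that a signature action is present in
#   the manifest; it does not check which certificate produced it.
#
# @param packages_root [String] directory searched for solaris/11/**/*.p5p
# @return [Array<String>] the local archive paths that were processed
# @raise [RuntimeError] when the exported archive carries no signature action;
#   errors from the remote/rsync helpers propagate unchanged
def sign(packages_root = 'pkg')
  # Stdlib; required here because the file's own require block is not part of
  # this method and repeated requires are no-ops.
  require 'shellwords'

  ssh_key = Pkg::Config.ips_signing_ssh_key
  identity_spec = ssh_key.nil? ? '' : "-i #{ssh_key}"

  # A server given without "user@" is prefixed with the invoking user.
  # NOTE(review): ENV['USER'] may be unset in some CI environments, which
  # would yield "@host" -- confirm the callers always export it.
  signing_server_spec = Pkg::Config.ips_signing_server
  unless signing_server_spec.match(%r{.+@.+})
    signing_server_spec = "#{ENV['USER']}@#{signing_server_spec}"
  end

  ssh_host_spec = "#{identity_spec} #{signing_server_spec}"
  rsync_host_spec = "-e 'ssh #{identity_spec}' #{signing_server_spec}"

  Dir.glob("#{packages_root}/solaris/11/**/*.p5p").each do |package|
    # NOTE(review): the scratch directory lives directly under /tmp on the
    # signing server and its name depends on Pkg::Util.rand_string, whose
    # strength is not visible here -- confirm it is unpredictable enough for a
    # shared /tmp, or have the server allocate the directory itself.
    work_dir = "/tmp/#{Pkg::Util.rand_string}"
    unsigned_dir = "#{work_dir}/unsigned"
    repo_dir = "#{work_dir}/repo"
    signed_dir = "#{work_dir}/pkgs"
    package_name = File.basename(package)
    # Escaped form for remote shell command lines. Typical IPS archive names
    # (letters, digits, "@", ",", ".", "-") pass through unchanged.
    remote_name = Shellwords.escape(package_name)
    cleanup_cmd = "if [ -e '#{work_dir}' ] ; then sudo rm -r '#{work_dir}' ; fi"

    begin
      Pkg::Util::Net.remote_execute(
        ssh_host_spec,
        "mkdir -p #{repo_dir} #{unsigned_dir} #{signed_dir}"
      )
      Pkg::Util::Net.rsync_to(package, rsync_host_spec, unsigned_dir)

      # sudo -E keeps the caller's environment for the privileged commands.
      # NOTE(review): confirm the pkg tools need that; dropping -E narrows
      # what an ssh session can influence on the signing host.
      Pkg::Util::Net.remote_execute(ssh_host_spec, "sudo -E /usr/bin/pkgrepo create #{repo_dir}")
      Pkg::Util::Net.remote_execute(
        ssh_host_spec,
        "sudo -E /usr/bin/pkgrepo set -s #{repo_dir} publisher/prefix=puppetlabs.com"
      )
      Pkg::Util::Net.remote_execute(
        ssh_host_spec,
        "sudo -E /usr/bin/pkgrecv -s #{unsigned_dir}/#{remote_name} -d #{repo_dir} '*'"
      )

      # Certificate and key locations are fixed paths on the signing server;
      # the file names carry a year, so they need updating on rotation.
      sign_cmd = [
        'sudo -E /usr/bin/pkgsign -c /root/signing/signing_cert_2022.pem',
        '-i /root/signing/DigiCert_Code_Signing_Certificate.pem',
        '-i /root/signing/DigiCert_Trusted_Root.pem',
        '-k /root/signing/signing_key_2022.pem',
        "-s 'file://#{work_dir}/repo' '*'"
      ].join(' ')
      puts "Signing #{package} with #{sign_cmd} in #{work_dir}"
      Pkg::Util::Net.remote_execute(ssh_host_spec, sign_cmd.squeeze(' '))

      Pkg::Util::Net.remote_execute(
        ssh_host_spec,
        "sudo -E /usr/bin/pkgrecv -d #{signed_dir}/#{remote_name} -a -s #{repo_dir} '*'"
      )

      # grep exits non-zero when no manifest line starts with "signature ";
      # the helper is expected to surface that as RuntimeError.
      begin
        Pkg::Util::Net.remote_execute(
          ssh_host_spec,
          "sudo -E /usr/bin/pkg contents -m -g #{signed_dir}/#{remote_name} '*' " \
          "| grep '^signature '"
        )
      rescue RuntimeError
        raise "Error: #{package_name} was not signed correctly."
      end

      # The raw name is passed here because how rsync_from quotes its source
      # argument is not visible from this method -- TODO confirm.
      Pkg::Util::Net.rsync_from(
        "#{signed_dir}/#{package_name}",
        rsync_host_spec,
        File.dirname(package)
      )
    rescue StandardError
      # Best-effort cleanup on failure; never let it mask the original error.
      begin
        Pkg::Util::Net.remote_execute(ssh_host_spec, cleanup_cmd)
      rescue StandardError => e
        warn "Warning: could not remove #{work_dir} on the signing server: #{e.message}"
      end
      raise
    end

    Pkg::Util::Net.remote_execute(ssh_host_spec, cleanup_cmd)
  end
end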