Module: Pkg::Sign::Msi

Defined in:
lib/packaging/sign/msi.rb


Class Method Details

.delete_signed_msis(bucket, signed_msis) ⇒ Object



# File 'lib/packaging/sign/msi.rb', line 90

# Remove the signed artifacts from +bucket+, ignoring names that are no
# longer present.
#
# @param bucket [Object] bucket as returned by Google::Cloud::Storage#bucket;
#   +bucket.file(name)+ is expected to return +nil+ for a missing object
# @param signed_msis [Hash{String => String}] local msi path => object name
#   in +bucket+ (only the object names are used here)
# @return [Hash] +signed_msis+ itself, as +each_value+ returns its receiver
def delete_signed_msis(bucket, signed_msis)
  signed_msis.each_value do |object_name|
    bucket.file(object_name)&.delete
  end
end

.delete_tosign_msis(bucket, msis) ⇒ Object



# File 'lib/packaging/sign/msi.rb', line 83

# Remove the uploaded (unsigned) msis from +bucket+, ignoring names that are
# no longer present.
#
# @param bucket [Object] bucket as returned by Google::Cloud::Storage#bucket;
#   +bucket.file(name)+ is expected to return +nil+ for a missing object
# @param msis [Array<String>] object names to delete (the local msi paths,
#   which double as object names on upload)
# @return [Array<String>] +msis+ itself, as +each+ returns its receiver
def delete_tosign_msis(bucket, msis)
  msis.each { |object_name| bucket.file(object_name)&.delete }
end

.sign(target_dir = 'pkg') ⇒ Object



# File 'lib/packaging/sign/msi.rb', line 4

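# Sign every MSI below +target_dir+ through the Windows signing service.
#
# Each msi is uploaded to the "tosign" bucket, the signing service is asked
# (over TLS, with a GCP id_token) to sign it, and the signed object is then
# downloaded over the local file. Both buckets are cleaned up at the end and
# on every failure path, so no unsigned or signed artifact lingers in GCP.
#
# @param target_dir [String] directory whose +windows*/**/*.msi+ files are signed
# @return [Hash{String => String}] local msi path => object name of its signed
#   counterpart (the value of the final cleanup call)
# @raise [RuntimeError] when the service-account credentials cannot be loaded,
#   or when an upload, a signing request or a download fails
def sign(target_dir = 'pkg')
  require 'google/cloud/storage'
  require 'googleauth'
  require 'json'
  require 'net/http'
  require 'uri'

  # NOTE(review): this accessor name was stripped from the rendered page and is
  # restored from the upstream source — confirm it against Pkg::Config.
  gcp_service_account_credentials = Pkg::Config.msi_signing_gcp_service_account_credentials
  signing_service_url = Pkg::Config.msi_signing_service_url

  begin
    # Block form closes the key file once the credentials have been read;
    # a bare File.open here leaked the handle for the rest of the run.
    authorizer = File.open(gcp_service_account_credentials) do |key_io|
      Google::Auth::ServiceAccountCredentials.make_creds(
        json_key_io: key_io,
        target_audience: signing_service_url
      )
    end
  rescue StandardError => e
    fail "msis can only be signed by jenkins.\n#{e}"
  end

  gcp_auth_token = authorizer.fetch_access_token!['id_token']

  gcp_storage = Google::Cloud::Storage.new(
    project_id: 'puppet-release-engineering',
    credentials: gcp_service_account_credentials
  )
  tosign_bucket = gcp_storage.bucket('windows-tosign-bucket')
  signed_bucket = gcp_storage.bucket('windows-signed-bucket')

  service_uri = URI.parse(signing_service_url)
  headers = { 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{gcp_auth_token}" }
  http = Net::HTTP.new(service_uri.host, service_uri.port)
  # Always TLS, regardless of the configured scheme: the bearer token must not
  # travel in clear text.
  http.use_ssl = true
  request = Net::HTTP::Post.new(service_uri.request_uri, headers)

  # local msi path => object name of its signed counterpart
  signed_msis = {}

  msis = Dir.glob("#{target_dir}/windows*/**/*.msi")

  # Upload msis to GCP and sign them
  msis.each do |msi|
    begin
      tosign_bucket.create_file(msi, msi)
    rescue StandardError => e
      # Same cleanup as the other failure paths: earlier iterations may already
      # have produced signed objects.
      delete_tosign_msis(tosign_bucket, msis)
      delete_signed_msis(signed_bucket, signed_msis)
      fail "There was an error uploading #{msi} to the windows-tosign-bucket gcp bucket.\n#{e}"
    end
    request.body = { 'Path' => msi }.to_json
    begin
      response = http.request(request)
      # A non-2xx reply (expired token, rejected path, service error) must not
      # be mistaken for a signed artifact even when its body is valid JSON.
      fail "signing service returned HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
      # The body is plain JSON; the former to_json/parse/parse round-trip was
      # equivalent to a single parse.
      response_body = JSON.parse(response.body)
      signed_msi = response_body['Path']
      unless signed_msi.is_a?(String) && !signed_msi.empty?
        fail 'signing service response carries no "Path"'
      end
    rescue StandardError => e
      delete_tosign_msis(tosign_bucket, msis)
      delete_signed_msis(signed_bucket, signed_msis)
      fail "There was an error signing #{msi}.\n#{e}"
    end
    # Store location of signed msi
    signed_msis[msi] = signed_msi
  end

  # Download the signed msis over the unsigned originals
  msis.each do |msi|
    begin
      signed_msi = signed_bucket.file(signed_msis[msi])
      fail "#{signed_msis[msi]} is not present in windows-signed-bucket" if signed_msi.nil?
      signed_msi.download(msi)
    rescue StandardError => e
      delete_tosign_msis(tosign_bucket, msis)
      delete_signed_msis(signed_bucket, signed_msis)
      fail "There was an error retrieving the signed msi:#{msi}.\n#{e}"
    end
  end

  # Cleanup buckets
  delete_tosign_msis(tosign_bucket, msis)
  delete_signed_msis(signed_bucket, signed_msis)
end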