# File 'lib/packaging/sign/msi.rb', line 4
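# Signs every MSI found under +target_dir+ through the remote signing service.
#
# For each file matching "#{target_dir}/windows*/**/*.msi" the method uploads
# it to the 'windows-tosign-bucket' bucket, POSTs its path to the signing
# service, and records the object name the service returns in 'Path'. Once
# every MSI has been submitted, each signed object is downloaded from
# 'windows-signed-bucket' over the original local file. The
# delete_tosign_msis / delete_signed_msis helpers are called at the end and
# on the failure paths shown below.
#
# @param target_dir [String] directory searched for MSIs (default 'pkg')
# @raise [RuntimeError] when the credentials cannot be loaded, or when an
#   upload, a signing request, or a download fails
def sign(target_dir = 'pkg')
  require 'google/cloud/storage'
  require 'googleauth'
  require 'json'
  require 'net/http'
  require 'uri'

  gcp_service_account_credentials = Pkg::Config.msi_signing_gcp_service_account_credentials
  signing_service_url = Pkg::Config.msi_signing_service_url

  begin
    # Block form so the service-account key file handle is closed as soon as
    # the credentials object has been built, instead of being left open.
    authorizer = File.open(gcp_service_account_credentials) do |key_io|
      Google::Auth::ServiceAccountCredentials.make_creds(
        json_key_io: key_io,
        target_audience: signing_service_url
      )
    end
  rescue StandardError => e
    fail "msis can only be signed by jenkins.\n#{e}"
  end

  # ID token whose audience is the signing service URL; sent as a bearer token.
  gcp_auth_token = authorizer.fetch_access_token!['id_token']

  gcp_storage = Google::Cloud::Storage.new(
    project_id: 'puppet-release-engineering',
    credentials: gcp_service_account_credentials
  )
  tosign_bucket = gcp_storage.bucket('windows-tosign-bucket')
  signed_bucket = gcp_storage.bucket('windows-signed-bucket')

  service_uri = URI.parse(signing_service_url)
  headers = { 'Content-Type': 'application/json', 'Authorization': "Bearer #{gcp_auth_token}" }
  http = Net::HTTP.new(service_uri.host, service_uri.port)
  # TLS is forced on regardless of the configured URL scheme, so the bearer
  # token is never sent in clear text.
  http.use_ssl = true
  request = Net::HTTP::Post.new(service_uri.request_uri, headers)

  # Maps local msi path => object name of its signed copy in signed_bucket.
  signed_msis = {}
  msis = Dir.glob("#{target_dir}/windows*/**/*.msi")

  msis.each do |msi|
    begin
      tosign_bucket.create_file(msi, msi)
    rescue StandardError => e
      delete_tosign_msis(tosign_bucket, msis)
      fail "There was an error uploading #{msi} to the windows-tosign-bucket gcp bucket.\n#{e}"
    end

    msi_json = { 'Path': msi }
    request.body = msi_json.to_json
    begin
      response = http.request(request)
      # Net::HTTP does not raise on 4xx/5xx; reject them here so an error
      # payload is never treated as a signing result.
      unless response.is_a?(Net::HTTPSuccess)
        raise "signing service returned HTTP #{response.code}"
      end
      response_body = JSON.parse(JSON.parse(response.body.to_json), :quirks_mode => true)
      # Only accept a non-empty string 'Path'; anything else would later be
      # passed to the bucket lookup as a bogus object name.
      signed_msi = response_body['Path'] if response_body.is_a?(Hash)
      unless signed_msi.is_a?(String) && !signed_msi.empty?
        raise "signing service response did not contain a 'Path'"
      end
    rescue StandardError => e
      delete_tosign_msis(tosign_bucket, msis)
      delete_signed_msis(signed_bucket, signed_msis)
      fail "There was an error signing #{msi}.\n#{e}"
    end
    signed_msis[msi] = signed_msi
  end

  msis.each do |msi|
    begin
      signed_msi = signed_bucket.file(signed_msis[msi])
      # Overwrites the unsigned local file with the object from the bucket.
      # NOTE(review): nothing in this method verifies the downloaded file's
      # signature; confirm a later step does before the artifact ships.
      signed_msi.download(msi)
    rescue StandardError => e
      delete_tosign_msis(tosign_bucket, msis)
      delete_signed_msis(signed_bucket, signed_msis)
      fail "There was an error retrieving the signed msi:#{msi}.\n#{e}"
    end
  end

  delete_tosign_msis(tosign_bucket, msis)
  delete_signed_msis(signed_bucket, signed_msis)
end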