From 20f274eb4ab9e35e483ad3d7bbf2ad0a945eadae Mon Sep 17 00:00:00 2001 From: poorndm Date: Fri, 10 May 2024 13:42:31 +0530 Subject: [PATCH 01/33] Test rpm-signing Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 8 +++++--- resources/rpm/signing.erb | 1 + 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 9606b9811..f7e3c8d14 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -421,10 +421,10 @@ def create_rpm_file log.info(log_key) { "Creating .rpm file" } shellout!("#{command}") - + log.info(log_key) { "<< home }) @@ -510,7 +512,7 @@ def rpm_file def with_rpm_signing(&block) directory = Dir.mktmpdir destination = "#{directory}/sign-rpm" - + log.info(log_key) { " << Date: Fri, 10 May 2024 15:14:34 +0530 Subject: [PATCH 02/33] Correction - syntax Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index f7e3c8d14..a3128acbc 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -451,7 +451,7 @@ def create_rpm_file # takes care of the passphrase entering on the signing if dist_tag != ".el8" && dist_tag != ".el9" && dist_tag != ".amazon2023" sign_cmd.prepend("#{signing_script} \"").concat("\"") - log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb RHEL 8 and Amazon-2023 has gpg-agent running so skipping the expect script -sign_cmd - #{sign_cmd}"} + log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb RHEL 8 and Amazon-2023 has gpg-agent running so skipping the expect script -sign_cmd - #{sign_cmd}" } end shellout!("#{sign_cmd}", environment: { "HOME" => home }) From babc4480123256e61c5242a9ab614bb2c67dd86c Mon Sep 17 00:00:00 2001 From: poorndm Date: Fri, 10 May 2024 16:28:40 +0530 Subject: [PATCH 03/33] Debugging stmt 
Signed-off-by: poorndm --- resources/rpm/signing.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/rpm/signing.erb b/resources/rpm/signing.erb index 24fe31931..940d27ddc 100755 --- a/resources/rpm/signing.erb +++ b/resources/rpm/signing.erb @@ -10,7 +10,7 @@ password = '<%= passphrase %>' require 'pty' puts rpm_cmd -log.info(log_key) { " <<< DEBUGGING Stmt - omnibus-signing.erb rpm_cmd - #{rpm_cmd}"} +puts " <<< DEBUGGING Stmt - omnibus-signing.erb rpm_cmd - #{rpm_cmd}" PTY.spawn(rpm_cmd) do |r, w, pid| # Older versions of rpmsign will prompt right away for the passphrase prompt = r.read(19) From 3c988486545d10ef1bf757b51d2fac985c920589 Mon Sep 17 00:00:00 2001 From: poorndm Date: Mon, 13 May 2024 14:20:39 +0530 Subject: [PATCH 04/33] signing-pass-phrase Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index a3128acbc..7f5f98504 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -512,7 +512,7 @@ def rpm_file def with_rpm_signing(&block) directory = Dir.mktmpdir destination = "#{directory}/sign-rpm" - log.info(log_key) { " << Date: Mon, 13 May 2024 14:57:15 +0530 Subject: [PATCH 05/33] debug- signing script Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 7f5f98504..ae62fb839 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb 
@@ -451,7 +451,7 @@ def create_rpm_file # takes care of the passphrase entering on the signing if dist_tag != ".el8" && dist_tag != ".el9" && dist_tag != ".amazon2023" sign_cmd.prepend("#{signing_script} \"").concat("\"") - log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb RHEL 8 and Amazon-2023 has gpg-agent running so skipping the expect script -sign_cmd - #{sign_cmd}" } + log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb RHEL 8 and Amazon-2023 has gpg-agent running so skipping the expect script -sign_cmd - #{sign_cmd} AND signing_script -> #{signing_script}" } end shellout!("#{sign_cmd}", environment: { "HOME" => home }) From 236199c7af1663026f1b6e35d40711d12ea89be0 Mon Sep 17 00:00:00 2001 From: poorndm Date: Mon, 13 May 2024 15:54:21 +0530 Subject: [PATCH 06/33] debug stmt to know signign script Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index ae62fb839..f1e1529bf 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -452,6 +452,7 @@ def create_rpm_file if dist_tag != ".el8" && dist_tag != ".el9" && dist_tag != ".amazon2023" sign_cmd.prepend("#{signing_script} \"").concat("\"") log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb RHEL 8 and Amazon-2023 has gpg-agent running so skipping the expect script -sign_cmd - #{sign_cmd} AND signing_script -> #{signing_script}" } + echo "<<<<<< signing_script - `cat #{signing_script}` " end shellout!("#{sign_cmd}", environment: { "HOME" => home }) From 68518f0be4cdf4f946dd47b69a26ffb5d17c1eee Mon Sep 17 00:00:00 2001 From: poorndm Date: Tue, 14 May 2024 15:52:22 +0530 Subject: [PATCH 07/33] add debugging stmt for signing script Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index f1e1529bf..8aa76f9f8 100644 
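Review bot: The extended log text in patch 05 says the expect script is being skipped, but this `log.info` sits inside the `dist_tag != ".el8" && dist_tag != ".el9" && dist_tag != ".amazon2023"` branch, right after `sign_cmd` is wrapped with `signing_script`, so it is emitted exactly when the script is used. Anyone reading the build log to work out which signing path ran will be misled; wording such as `log.debug(log_key) { "Wrapping rpmsign with the expect script for #{dist_tag}" }` would match the code. The line is also emitted at info level on every signed build, which is more than a temporary diagnostic should be. `create_rpm_file` starts and ends outside the hunk.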
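Review bot: Dumping the rendered signing script with `cat #{signing_script}` (patch 06) exposes the signing passphrase, because the template resources/rpm/signing.erb, visible in patch 03's context, contains `password = '<%= passphrase %>'`. The line also does not work as Ruby: `echo` is not a method here, so the backtick `cat` runs and the call then presumably raises. Patches 07 and 08 keep the same dump through `shellout!("#{command1}")`, so the concern applies wherever that command's output ends up in the build log. I would drop the dump and, if a diagnostic is needed, log only the path held in `signing_script`, never the file contents.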
--- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -452,7 +452,9 @@ def create_rpm_file if dist_tag != ".el8" && dist_tag != ".el9" && dist_tag != ".amazon2023" sign_cmd.prepend("#{signing_script} \"").concat("\"") log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb RHEL 8 and Amazon-2023 has gpg-agent running so skipping the expect script -sign_cmd - #{sign_cmd} AND signing_script -> #{signing_script}" } - echo "<<<<<< signing_script - `cat #{signing_script}` " + log.info(log_key) { "<<<<<< signing_script - cat #{signing_script} " } + command1="cat #{signing_script} " + shellout!("#{command1}") end shellout!("#{sign_cmd}", environment: { "HOME" => home }) From 6c8a8a434696af787b9b87261c9c35f041c88ff0 Mon Sep 17 00:00:00 2001 From: poorndm Date: Tue, 14 May 2024 15:56:36 +0530 Subject: [PATCH 08/33] add debugging stmt for signing script - fix syntax Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 8aa76f9f8..ea9b40cca 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -453,7 +453,7 @@ def create_rpm_file sign_cmd.prepend("#{signing_script} \"").concat("\"") log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb RHEL 8 and Amazon-2023 has gpg-agent running so skipping the expect script -sign_cmd - #{sign_cmd} AND signing_script -> #{signing_script}" } log.info(log_key) { "<<<<<< signing_script - cat #{signing_script} " } - command1="cat #{signing_script} " + command1 = "cat #{signing_script} " shellout!("#{command1}") end From 0c2ed20e886c7af400ba1403d5a16f20b13475bb Mon Sep 17 00:00:00 2001 From: poorndm Date: Tue, 2 Jul 2024 16:03:18 +0530 Subject: [PATCH 09/33] rpm-signing - test-keys Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index ea9b40cca..296cfce84 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -440,7 +440,27 @@ def create_rpm_file gpg_name: "Opscode Packages", gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) - end + end + INSTALL_USER_NAME=chef-ci, + PACKAGE_SIGNING_KEY=`cat /home/chef-ci/private_key` + #PACKAGE_SIGNING_KEY_UNIQUE_ID=${vault("account/static/packages/test_keys", "packages_at_chef_io_unique_id")}, + PACKAGE_SIGNING_KEY_UNIQUE_ID="E3531A01" + PACKAGE_SIGNING_KEY="${PACKAGE_SIGNING_KEY:?PACKAGE_SIGNING_KEY must be set}" + PACKAGE_SIGNING_KEY_UNIQUE_ID="${PACKAGE_SIGNING_KEY_UNIQUE_ID:?PACKAGE_SIGNING_KEY_UNIQUE_ID must be set}" + + echo "PACKAGE_SIGNING_KEY= $PACKAGE_SIGNING_KEY" + echo "PACKAGE_SIGNING_KEY_UNIQUE_I = $PACKAGE_SIGNING_KEY_UNIQUE_ID" + + echo "--- Importing packages@chef.io gpg signing key" + if ! gpg --list-secret-keys "$PACKAGE_SIGNING_KEY_UNIQUE_ID"; then + echo "$PACKAGE_SIGNING_KEY" | gpg --import + fi + + echo "--- Installing .rpmmacros" + cat <<-EOF > ~/.rpmmacros + %_signature gpg + %_gpg_name Opscode Packages + EOF sign_cmd = "rpmsign --addsign #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } From 706d76814655f5f514b6cad737b2a9c5210eba0f Mon Sep 17 00:00:00 2001 From: poorndm Date: Tue, 2 Jul 2024 16:11:57 +0530 Subject: [PATCH 10/33] rpm-signing - test-keys Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 296cfce84..41b5765d1 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb 
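Review bot: The added block prints the private signing key. `echo "PACKAGE_SIGNING_KEY= $PACKAGE_SIGNING_KEY"` here, and the `puts "PACKAGE_SIGNING_KEY= #{package_signing_key}"` that replaces it in patches 12 and 13, write secret key material to build output that CI normally retains. The lines are also shell pasted into the body of `create_rpm_file`, so the file no longer parses as Ruby, and the key path `/home/chef-ci/private_key` and key ID `E3531A01` are hard-coded into library code. Importing the key belongs in provisioning of the build host rather than in the packager; if it has to live here, take the location from configuration and log at most the key ID.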
@@ -441,7 +441,7 @@ def create_rpm_file gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) end - INSTALL_USER_NAME=chef-ci, + INSTALL_USER_NAME="chef-ci" PACKAGE_SIGNING_KEY=`cat /home/chef-ci/private_key` #PACKAGE_SIGNING_KEY_UNIQUE_ID=${vault("account/static/packages/test_keys", "packages_at_chef_io_unique_id")}, PACKAGE_SIGNING_KEY_UNIQUE_ID="E3531A01" From 0ec298f834ddfb75f8053f57de19bbb32ccae8af Mon Sep 17 00:00:00 2001 From: poorndm Date: Tue, 2 Jul 2024 18:10:34 +0530 Subject: [PATCH 11/33] syntax correction Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 41b5765d1..caf240932 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -441,12 +441,12 @@ def create_rpm_file gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) end - INSTALL_USER_NAME="chef-ci" - PACKAGE_SIGNING_KEY=`cat /home/chef-ci/private_key` + #INSTALL_USER_NAME = "chef-ci" + PACKAGE_SIGNING_KEY = `cat /home/chef-ci/private_key` #PACKAGE_SIGNING_KEY_UNIQUE_ID=${vault("account/static/packages/test_keys", "packages_at_chef_io_unique_id")}, - PACKAGE_SIGNING_KEY_UNIQUE_ID="E3531A01" - PACKAGE_SIGNING_KEY="${PACKAGE_SIGNING_KEY:?PACKAGE_SIGNING_KEY must be set}" - PACKAGE_SIGNING_KEY_UNIQUE_ID="${PACKAGE_SIGNING_KEY_UNIQUE_ID:?PACKAGE_SIGNING_KEY_UNIQUE_ID must be set}" + PACKAGE_SIGNING_KEY_UNIQUE_ID = "E3531A01" + PACKAGE_SIGNING_KEY = "${PACKAGE_SIGNING_KEY:?PACKAGE_SIGNING_KEY must be set}" + PACKAGE_SIGNING_KEY_UNIQUE_ID = "${PACKAGE_SIGNING_KEY_UNIQUE_ID:?PACKAGE_SIGNING_KEY_UNIQUE_ID must be set}" echo "PACKAGE_SIGNING_KEY= $PACKAGE_SIGNING_KEY" echo "PACKAGE_SIGNING_KEY_UNIQUE_I = $PACKAGE_SIGNING_KEY_UNIQUE_ID" From d7733ec57f0b1461c091dafaf4fee40e764e7f88 Mon Sep 17 00:00:00 2001 From: poorndm Date: Tue, 2 Jul 2024 18:28:42 +0530 Subject: [PATCH 12/33] modified to import gpg-key 
Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 47 +++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 20 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index caf240932..6ceb8011f 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb 
@@ -441,26 +441,33 @@ def create_rpm_file gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) end - #INSTALL_USER_NAME = "chef-ci" - PACKAGE_SIGNING_KEY = `cat /home/chef-ci/private_key` - #PACKAGE_SIGNING_KEY_UNIQUE_ID=${vault("account/static/packages/test_keys", "packages_at_chef_io_unique_id")}, - PACKAGE_SIGNING_KEY_UNIQUE_ID = "E3531A01" - PACKAGE_SIGNING_KEY = "${PACKAGE_SIGNING_KEY:?PACKAGE_SIGNING_KEY must be set}" - PACKAGE_SIGNING_KEY_UNIQUE_ID = "${PACKAGE_SIGNING_KEY_UNIQUE_ID:?PACKAGE_SIGNING_KEY_UNIQUE_ID must be set}" - - echo "PACKAGE_SIGNING_KEY= $PACKAGE_SIGNING_KEY" - echo "PACKAGE_SIGNING_KEY_UNIQUE_I = $PACKAGE_SIGNING_KEY_UNIQUE_ID" - - echo "--- Importing packages@chef.io gpg signing key" - if ! gpg --list-secret-keys "$PACKAGE_SIGNING_KEY_UNIQUE_ID"; then - echo "$PACKAGE_SIGNING_KEY" | gpg --import - fi - - echo "--- Installing .rpmmacros" - cat <<-EOF > ~/.rpmmacros - %_signature gpg - %_gpg_name Opscode Packages - EOF + # Read the private key from the file + package_signing_key = File.read('/home/chef-ci/private_key').strip + package_signing_key_unique_id = "E3531A01" + + # Ensure the environment variables are set + raise "PACKAGE_SIGNING_KEY must be set" if package_signing_key.empty? + raise "PACKAGE_SIGNING_KEY_UNIQUE_ID must be set" if package_signing_key_unique_id.empty? 
+ + puts "PACKAGE_SIGNING_KEY= #{package_signing_key}" + puts "PACKAGE_SIGNING_KEY_UNIQUE_ID= #{package_signing_key_unique_id}" + + # Importing the GPG signing key + puts "--- Importing packages@chef.io gpg signing key" + unless system("gpg --list-secret-keys '#{package_signing_key_unique_id}'") + IO.popen("gpg --import", "w") do |gpg_io| + gpg_io.write(package_signing_key) + end +end + +# Install the .rpmmacros file +puts "--- Installing .rpmmacros" +File.open("#{Dir.home}/.rpmmacros", 'w') do |file| + file.write <<~EOF + %_signature gpg + %_gpg_name Opscode Packages + EOF +end sign_cmd = "rpmsign --addsign #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } From 7c70818ee14af971cc06cd9dd9ceb8d54ec179bf Mon Sep 17 00:00:00 2001 From: poorndm Date: Tue, 2 Jul 2024 18:56:27 +0530 Subject: [PATCH 13/33] syntax correction Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 6ceb8011f..95f92a9bb 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb 
@@ -441,24 +441,24 @@ def create_rpm_file gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) end - # Read the private key from the file - package_signing_key = File.read('/home/chef-ci/private_key').strip - package_signing_key_unique_id = "E3531A01" - - # Ensure the environment variables are set - raise "PACKAGE_SIGNING_KEY must be set" if package_signing_key.empty? - raise "PACKAGE_SIGNING_KEY_UNIQUE_ID must be set" if package_signing_key_unique_id.empty? - - puts "PACKAGE_SIGNING_KEY= #{package_signing_key}" - puts "PACKAGE_SIGNING_KEY_UNIQUE_ID= #{package_signing_key_unique_id}" - - # Importing the GPG signing key - puts "--- Importing packages@chef.io gpg signing key" - unless system("gpg --list-secret-keys '#{package_signing_key_unique_id}'") - IO.popen("gpg --import", "w") do |gpg_io| - gpg_io.write(package_signing_key) - end -end + # Read the private key from the file + package_signing_key = File.read('/home/chef-ci/private_key').strip + package_signing_key_unique_id = "E3531A01" + + # Ensure the environment variables are set + raise "PACKAGE_SIGNING_KEY must be set" if package_signing_key.empty? + raise "PACKAGE_SIGNING_KEY_UNIQUE_ID must be set" if package_signing_key_unique_id.empty? + + puts "PACKAGE_SIGNING_KEY= #{package_signing_key}" + puts "PACKAGE_SIGNING_KEY_UNIQUE_ID= #{package_signing_key_unique_id}" + + # Importing the GPG signing key + puts "--- Importing packages@chef.io gpg signing key" + unless system("gpg --list-secret-keys '#{package_signing_key_unique_id}'") + IO.popen("gpg --import", "w") do |gpg_io| + gpg_io.write(package_signing_key) + end + end # Install the .rpmmacros file puts "--- Installing .rpmmacros" From aa3ffb482c0ce8e59355401485cdc164b77d2567 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 3 Jul 2024 15:42:00 +0530 Subject: [PATCH 14/33] update rpm-sign cmd to test el-7 
Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 30 +----------------------------- 1 file changed, 1 insertion(+), 29 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 95f92a9bb..bab7996a8 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -441,35 +441,7 @@ def create_rpm_file gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) end - # Read the private key from the file - package_signing_key = File.read('/home/chef-ci/private_key').strip - package_signing_key_unique_id = "E3531A01" - - # Ensure the environment variables are set - raise "PACKAGE_SIGNING_KEY must be set" if package_signing_key.empty? - raise "PACKAGE_SIGNING_KEY_UNIQUE_ID must be set" if package_signing_key_unique_id.empty? - - puts "PACKAGE_SIGNING_KEY= #{package_signing_key}" - puts "PACKAGE_SIGNING_KEY_UNIQUE_ID= #{package_signing_key_unique_id}" - - # Importing the GPG signing key - puts "--- Importing packages@chef.io gpg signing key" - unless system("gpg --list-secret-keys '#{package_signing_key_unique_id}'") - IO.popen("gpg --import", "w") do |gpg_io| - gpg_io.write(package_signing_key) - end - end - -# Install the .rpmmacros file -puts "--- Installing .rpmmacros" -File.open("#{Dir.home}/.rpmmacros", 'w') do |file| - file.write <<~EOF - %_signature gpg - %_gpg_name Opscode Packages - EOF -end - - sign_cmd = "rpmsign --addsign #{rpm_file}" + sign_cmd = "rpmsign --define 'Opscode Packages' E3531A01 --addsign #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } with_rpm_signing do |signing_script| log.info(log_key) { "Signing the built rpm file" } From b1c91b2977d0a8c19d650b24a21fa52464abf787 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 3 Jul 2024 16:44:13 +0530 Subject: [PATCH 15/33] modify rpm-sign cmd Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
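Review bot: `--define` takes one quoted 'NAME VALUE' argument, so `--define 'Opscode Packages' E3531A01` defines a macro named `Opscode` and leaves `E3531A01` as a stray positional argument, presumably treated as a package path. The key ID is also hard-coded in rpm.rb, bypassing the `gpg_name` that the rendered .rpmmacros already supplies. Patches 15, 16, 18, 19 and 25 keep the literal in one form or another. If an override is really needed, pass a value from the project's signing configuration into `--define '_gpg_name …'` instead of a constant in the packager.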
diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index bab7996a8..8b6c4a087 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -441,7 +441,8 @@ def create_rpm_file gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) end - sign_cmd = "rpmsign --define 'Opscode Packages' E3531A01 --addsign #{rpm_file}" + gpg --import "/home/chef-ci/private_key" + sign_cmd = "rpmsign --addsign --define "_gpg_name E3531A01" #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } with_rpm_signing do |signing_script| log.info(log_key) { "Signing the built rpm file" } From 79a9ed0ea301e591065798e35b5fffefc193080f Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 3 Jul 2024 17:42:23 +0530 Subject: [PATCH 16/33] modified rpm-sign cmd Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 8b6c4a087..9d2dc09f9 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -441,8 +441,15 @@ def create_rpm_file gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) end - gpg --import "/home/chef-ci/private_key" - sign_cmd = "rpmsign --addsign --define "_gpg_name E3531A01" #{rpm_file}" + # private_key_file = "/home/chef-ci/private_key" + # import_command = "gpg --import #{private_key_file}" + # stdout, stderr, status = Open3.capture3(import_command) + # if status.success? + # puts "Key imported successfully" + # else + # puts "Error importing key: #{stderr}" + # end + sign_cmd = "rpmsign --addsign --define '_gpg_name E3531A01' #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } with_rpm_signing do |signing_script| log.info(log_key) { "Signing the built rpm file" } 
From 70a509699922db3e0dfaf44fae082162c0b8f9d9 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 3 Jul 2024 17:48:33 +0530 Subject: [PATCH 17/33] syntax correction Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 9d2dc09f9..bb3b2046b 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -440,7 +440,7 @@ def create_rpm_file gpg_name: "Opscode Packages", gpg_path: "#{ENV["HOME"]}/.gnupg", # TODO: Make this configurable }) - end + end # private_key_file = "/home/chef-ci/private_key" # import_command = "gpg --import #{private_key_file}" # stdout, stderr, status = Open3.capture3(import_command) From 94962bc1125914f10189871f39e60defa46733c8 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 3 Jul 2024 19:03:12 +0530 Subject: [PATCH 18/33] modify rpm-sign cmd to sign as SHA-256 Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index bb3b2046b..bc856225d 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -449,7 +449,8 @@ def create_rpm_file # else # puts "Error importing key: #{stderr}" # end - sign_cmd = "rpmsign --addsign --define '_gpg_name E3531A01' #{rpm_file}" + gpg_key_id = "E3531A01" + sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' --define '_signature_digest_algorithm 8' #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } with_rpm_signing do |signing_script| log.info(log_key) { "Signing the built rpm file" } From 86649203321574ee3cd8398c173a143e9077a638 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 3 Jul 2024 22:07:48 +0530 Subject: [PATCH 19/33] modify rpm macro to use SHA-256 
Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index bc856225d..24a53cd8d 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -450,7 +450,7 @@ def create_rpm_file # puts "Error importing key: #{stderr}" # end gpg_key_id = "E3531A01" - sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' --define '_signature_digest_algorithm 8' #{rpm_file}" + sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' --define '_signature_digest_algorithm sha256' #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } with_rpm_signing do |signing_script| log.info(log_key) { "Signing the built rpm file" } From 6ce8fcf83b380fbd124397a61821836cb2fca48c Mon Sep 17 00:00:00 2001 From: poorndm Date: Mon, 8 Jul 2024 16:36:29 +0530 Subject: [PATCH 20/33] modify algorithm-256 Signed-off-by: poorndm --- resources/rpm/rpmmacros.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/resources/rpm/rpmmacros.erb b/resources/rpm/rpmmacros.erb index ea0382347..6f807f5b4 100644 --- a/resources/rpm/rpmmacros.erb +++ b/resources/rpm/rpmmacros.erb @@ -1,3 +1,6 @@ %_signature gpg %_gpg_path <%= gpg_path %> %_gpg_name <%= gpg_name %> +%_binary_filedigest_algorithm 8 +%_source_filedigest_algorithm 8 +%_signature_digest_algorithm 8 From 002dfe6505f23b2871f7269090ae39e18d5307e9 Mon Sep 17 00:00:00 2001 From: poorndm Date: Mon, 8 Jul 2024 17:10:38 +0530 Subject: [PATCH 21/33] add debug stmt to cat rpm-macro Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 24a53cd8d..c291d7c38 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb 
@@ -426,8 +426,9 @@ def create_rpm_file log.info(log_key) { "Signing enabled for .rpm file" } log.info(log_key) { "<< Date: Mon, 8 Jul 2024 18:31:08 +0530 Subject: [PATCH 22/33] syntax correction Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index c291d7c38..ff224c46b 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -428,6 +428,8 @@ def create_rpm_file if File.exist?("#{ENV["HOME"]}/.rpmmacros") log.info(log_key) { "Detected .rpmmacros file at `#{ENV["HOME"]}' \n rpmmacros:" } home = ENV["HOME"] + command2 = "cat #{ENV["HOME"]}/.rpmmacros " + shellout!("#{command2}") shellout!(cat "#{ENV["HOME"]}/.rpmmacros") else log.info(log_key) { "Using default .rpmmacros file from Omnibus" } From 621c9c292158789a882ebcd3ae4288d49843d15b Mon Sep 17 00:00:00 2001 From: poorndm Date: Mon, 8 Jul 2024 18:38:11 +0530 Subject: [PATCH 23/33] syntax correction Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index ff224c46b..fb6de7a88 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -429,8 +429,7 @@ def create_rpm_file log.info(log_key) { "Detected .rpmmacros file at `#{ENV["HOME"]}' \n rpmmacros:" } home = ENV["HOME"] command2 = "cat #{ENV["HOME"]}/.rpmmacros " - shellout!("#{command2}") - shellout!(cat "#{ENV["HOME"]}/.rpmmacros") + shellout!("#{command2}") else log.info(log_key) { "Using default .rpmmacros file from Omnibus" } From 96ea5e9a2ff669b41f1da6f8180c5d13838539d9 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 10 Jul 2024 15:10:23 +0530 Subject: [PATCH 24/33] update rpmmacros.erb to use SHA-256 Signed-off-by: poorndm --- resources/rpm/rpmmacros.erb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
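Review bot: Showing the macros file through a shell, `command2 = "cat #{ENV["HOME"]}/.rpmmacros "` followed by `shellout!("#{command2}")`, interpolates an unquoted environment value into a command line just to read a file. Patch 22 also leaves `shellout!(cat "#{ENV["HOME"]}/.rpmmacros")` in place, which is not a valid call and is only removed in patch 23. Since `home = ENV["HOME"]` is assigned on the line above, `log.debug(log_key) { File.read(File.join(home, ".rpmmacros")) }` does the same job without a subprocess.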
diff --git a/resources/rpm/rpmmacros.erb b/resources/rpm/rpmmacros.erb index 6f807f5b4..7dfccffd5 100644 --- a/resources/rpm/rpmmacros.erb +++ b/resources/rpm/rpmmacros.erb @@ -1,6 +1,5 @@ %_signature gpg %_gpg_path <%= gpg_path %> %_gpg_name <%= gpg_name %> -%_binary_filedigest_algorithm 8 -%_source_filedigest_algorithm 8 -%_signature_digest_algorithm 8 +%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} \ +--digest-algo sha256 %{__plaintext_filename} From a6423c444e052667fe154a019b90ecf81cbb2d41 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 10 Jul 2024 15:11:07 +0530 Subject: [PATCH 25/33] update rpmmacros.erb to use SHA-256 Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index fb6de7a88..a10198dee 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -452,7 +452,7 @@ def create_rpm_file # puts "Error importing key: #{stderr}" # end gpg_key_id = "E3531A01" - sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' --define '_signature_digest_algorithm sha256' #{rpm_file}" + sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } with_rpm_signing do |signing_script| log.info(log_key) { "Signing the built rpm file" } From 649b82e8ded677d3ed6869189128a2efbe57b4a2 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 10 Jul 2024 16:04:49 +0530 Subject: [PATCH 26/33] Pin ffi and public_suffix gem Signed-off-by: poorndm --- omnibus.gemspec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/omnibus.gemspec b/omnibus.gemspec index 9e0869eba..cf4440f99 100644 --- a/omnibus.gemspec +++ b/omnibus.gemspec 
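Review bot: This `%__gpg_sign_cmd` override applies whenever Omnibus renders its default .rpmmacros, while rpm.rb only drives the passphrase through the expect script when `dist_tag` is not `.el8`, `.el9` or `.amazon2023`. With GnuPG 2.1 and later, `--passphrase-fd` is honoured only together with `--pinentry-mode loopback`, and `--force-v3-sigs` is obsolete and ignored, so on the gpg-agent platforms the line probably does not behave the way it reads. Please add a template comment stating which rpm and GnuPG versions the override targets. Newer rpm's stock sign command already accepts `%_gpg_digest_algo`, which may make the full override unnecessary there; that is worth verifying on the supported platforms.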
@@ -23,6 +23,7 @@ Gem::Specification.new do |gem| gem.add_dependency "aws-sdk-s3", "~> 1.116.0" gem.add_dependency "chef-utils", ">= 15.4" gem.add_dependency "chef-cleanroom", "~> 1.0" + gem.add_dependency "ffi", "<= 1.16.3" gem.add_dependency "ffi-yajl", "~> 2.2" gem.add_dependency "mixlib-shellout", ">= 2.0", "< 4.0" gem.add_dependency "ohai", ">= 16", "< 19" @@ -31,6 +32,7 @@ Gem::Specification.new do |gem| gem.add_dependency "license_scout", "~> 1.0" gem.add_dependency "contracts", ">= 0.16.0", "< 0.17.0" gem.add_dependency "rexml", "~> 3.2" + gem.add_dependenc "public_suffix" "<= 5.0.5" gem.add_dependency "mixlib-versioning" gem.add_dependency "pedump" From d5f150816355803845599fb425da125462cc9a27 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 10 Jul 2024 16:26:01 +0530 Subject: [PATCH 27/33] update gemspec to fix the issue Signed-off-by: poorndm --- omnibus.gemspec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/omnibus.gemspec b/omnibus.gemspec index cf4440f99..a5b784c5c 100644 --- a/omnibus.gemspec +++ b/omnibus.gemspec @@ -32,7 +32,11 @@ Gem::Specification.new do |gem| gem.add_dependency "license_scout", "~> 1.0" gem.add_dependency "contracts", ">= 0.16.0", "< 0.17.0" gem.add_dependency "rexml", "~> 3.2" - gem.add_dependenc "public_suffix" "<= 5.0.5" + if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new("3.1.0") + gem.add_dependency "ffi", "< 1.17.0" + elsif Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.3.0") + gem.add_dependency "ffi", ">= 1.17.0" + end gem.add_dependency "mixlib-versioning" gem.add_dependency "pedump" From d5b8c51be681660bbfbebd73c261704868d72491 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 10 Jul 2024 16:28:54 +0530 Subject: [PATCH 28/33] update gemspec to fix the issue Signed-off-by: poorndm --- omnibus.gemspec | 1 - 1 file changed, 1 deletion(-) diff --git a/omnibus.gemspec b/omnibus.gemspec index a5b784c5c..eb3382675 100644 --- a/omnibus.gemspec +++ b/omnibus.gemspec 
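Review bot: Branching on `RUBY_VERSION` inside the gemspec (patch 27) is evaluated when the gem is built, not when it is installed, so a packaged gem carries whichever `ffi` constraint matched the builder's Ruby; it is re-evaluated only for git or path sources. The bounds also leave gaps: `<= Gem::Version.new("3.1.0")` excludes 3.1.1 and later patch releases, and Ruby 3.2.x matches neither branch. Patches 29 and 30 extend the same conditional to `train-core` and `public_suffix`. A single unconditional constraint, or a pin in the Gemfile that CI uses, avoids shipping builder-dependent dependency metadata; at minimum the block needs a comment naming the resolver failure it works around.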
@@ -23,7 +23,6 @@ Gem::Specification.new do |gem| gem.add_dependency "aws-sdk-s3", "~> 1.116.0" gem.add_dependency "chef-utils", ">= 15.4" gem.add_dependency "chef-cleanroom", "~> 1.0" - gem.add_dependency "ffi", "<= 1.16.3" gem.add_dependency "ffi-yajl", "~> 2.2" gem.add_dependency "mixlib-shellout", ">= 2.0", "< 4.0" gem.add_dependency "ohai", ">= 16", "< 19" From 8918ace64a0bf57132d259760f18c091ce2ec821 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 10 Jul 2024 18:55:52 +0530 Subject: [PATCH 29/33] modify gemspec to fix gem error specific to ruby-version Signed-off-by: poorndm --- omnibus.gemspec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/omnibus.gemspec b/omnibus.gemspec index eb3382675..a17352bb5 100644 --- a/omnibus.gemspec +++ b/omnibus.gemspec @@ -33,8 +33,10 @@ Gem::Specification.new do |gem| gem.add_dependency "rexml", "~> 3.2" if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new("3.1.0") gem.add_dependency "ffi", "< 1.17.0" + gem.add_dependency "train-core", "<3.12.5" elsif Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.3.0") gem.add_dependency "ffi", ">= 1.17.0" + gem.add_dependency "train-core", ">=3.12.5" end gem.add_dependency "mixlib-versioning" From 18e63819a6180e759548e5e65097d09784285edf Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 10 Jul 2024 19:43:04 +0530 Subject: [PATCH 30/33] modify gemspec-public_suffix Signed-off-by: poorndm --- omnibus.gemspec | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/omnibus.gemspec b/omnibus.gemspec index a17352bb5..3c8934906 100644 --- a/omnibus.gemspec +++ b/omnibus.gemspec 
@@ -33,10 +33,8 @@ Gem::Specification.new do |gem| gem.add_dependency "rexml", "~> 3.2" if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new("3.1.0") gem.add_dependency "ffi", "< 1.17.0" - gem.add_dependency "train-core", "<3.12.5" - elsif Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.3.0") - gem.add_dependency "ffi", ">= 1.17.0" - gem.add_dependency "train-core", ">=3.12.5" + gem.add_dependency "train-core", "< 3.12.5" + gem.add_dependency "public_suffix", "< 6.0.0" end gem.add_dependency "mixlib-versioning" From 8474a25e21aface498c76a79cabb01aedb3837f7 Mon Sep 17 00:00:00 2001 From: poorndm Date: Wed, 10 Jul 2024 20:05:45 +0530 Subject: [PATCH 31/33] remove ruby-2.7 from verifypipeline Signed-off-by: poorndm --- .expeditor/verify.pipeline.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.expeditor/verify.pipeline.yml b/.expeditor/verify.pipeline.yml index bf9e34024..45c96003d 100644 --- a/.expeditor/verify.pipeline.yml +++ b/.expeditor/verify.pipeline.yml @@ -10,13 +10,6 @@ expeditor: timeout_in_minutes: 30 steps: -- label: run-lint-and-specs-ruby-2.7 - command: - - .expeditor/run_linux_tests.sh rake - expeditor: - executor: - docker: - image: ruby:2.7-buster - label: run-lint-and-specs-ruby-3.0 command: From b01e5b724b5cf36b0829160a8d0d928374ad191f Mon Sep 17 00:00:00 2001 From: poorndm Date: Thu, 11 Jul 2024 14:53:41 +0530 Subject: [PATCH 32/33] update rpm-sign_cmd Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index a10198dee..31e440ca0 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb 
@@ -451,8 +451,9 @@ def create_rpm_file # else # puts "Error importing key: #{stderr}" # end - gpg_key_id = "E3531A01" - sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' #{rpm_file}" + #gpg_key_id = "E3531A01" + #sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' #{rpm_file}" + sign_cmd = "rpmsign --addsign #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } with_rpm_signing do |signing_script| log.info(log_key) { "Signing the built rpm file" } From b1787cd168f70bbbfed7a1994509aef3855eebca Mon Sep 17 00:00:00 2001 From: poorndm Date: Thu, 11 Jul 2024 15:03:01 +0530 Subject: [PATCH 33/33] fix syntax error Signed-off-by: poorndm --- lib/omnibus/packagers/rpm.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb index 31e440ca0..3a19266c2 100644 --- a/lib/omnibus/packagers/rpm.rb +++ b/lib/omnibus/packagers/rpm.rb @@ -451,8 +451,8 @@ def create_rpm_file # else # puts "Error importing key: #{stderr}" # end - #gpg_key_id = "E3531A01" - #sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' #{rpm_file}" + # gpg_key_id = "E3531A01" + # sign_cmd = "rpmsign --addsign --define '_gpg_name #{gpg_key_id}' #{rpm_file}" sign_cmd = "rpmsign --addsign #{rpm_file}" log.info(log_key) { " DEBUGGING Stmt - omnibus-rpm.rb Sign_cmd -#{sign_cmd} - rpm file - #{rpm_file}" } with_rpm_signing do |signing_script|
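Review bot: The end state of the series still carries the experiment in `create_rpm_file`: the commented-out key-import block built around `Open3.capture3`, the commented-out `gpg_key_id = "E3531A01"` and `sign_cmd` lines added in patch 32, and the `" DEBUGGING Stmt - …"` `log.info` calls. Commented-out code that names a private key path and a key ID reads as live configuration to the next maintainer and keeps those details in the repository for no benefit. I would delete the dead lines and downgrade the remaining diagnostics to `log.debug`. Patch 33 only re-spaces the same comments, and `create_rpm_file` starts and ends outside both hunks.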