1. 29 Jan, 2018 3 commits
  2. 26 Jan, 2018 5 commits
  3. 25 Jan, 2018 3 commits
  4. 24 Jan, 2018 1 commit
  5. 23 Jan, 2018 5 commits
  6. 19 Jan, 2018 5 commits
  7. 27 Nov, 2017 1 commit
  8. 17 Nov, 2017 4 commits
  9. 09 Nov, 2017 3 commits
  10. 09 Oct, 2017 1 commit
  11. 27 Sep, 2017 1 commit
    • Jason Plum's avatar
      Add Debian (.deb) package signing (implementing debsig) · a02a2c95
      Jason Plum authored
      See:
      
      - https://gitlab.com/gitlab-org/omnibus/merge_requests/7
      - https://github.com/chef/omnibus/issues/402
      
      Add Debian package signing, via methodology describe in `debsigs` documentation
      https://gitlab.com/debsigs/debsigs
      
      Addition of a `sign_deb_file` function to `Packager::DEB`, after `create_deb_file`. The essential concepts of what is required to sign a `.deb` with with a `type: origin` signature is delineated per the link to `debsigs` above. There is no current functionailty built into `dpkg` scripting akin to `rpm --addsign`. Since the `.deb` file format is simple, we extract the contents of the archvice (`ar x`), sign the concatenated (specifically ordered) contents, and then append the created signature to the archive (`ar rc debfile _gpgorigin`).
      
      These steps could have been accomplished in pure Ruby with the addition of several modules (GPGME, libarchive) except for two concerns: age & maintenance, `fakeroot` requirements.
      
      Tests have been added to attempt to cover the behavior correctly.
      
      - `gpg` : This is already an existing requirement of `Packager::RPM` due to the use of `rpmsign`
      - `ar` : Most systems that attempt to build Debian packages will have the `ar` command, and it has been confirmed that MacOS also has this utility.
      - `fakeroot` : This is inline with `ar`, however it should be noted that not all systems had this program, and as such it has been added to the Omnibus cookbook.
      
      Adding `ar` and `fakeroot` to the required tools compiled by Omnibus for ensuring this presence was done by @kwilczynski in #217
      
      There is *no need* to add `debsigs`/`debsig-verify` as a requirement, as we are implmenting the login in Ruby and `Shellout`.
      
      Care was taken to ensure compatibility with distribution provided binary versions of `gpg2` or `gpg` for LTS versions of distributions supported by GitLab. This list can be seen at https://gitlab.com/gitlab-org/omnibus/merge_requests/7#note_35053215 . The code is written to prefer `gpg2` if present.
      
      GitLab experienced issues in regards to `gpg --import`, and eventually settled on `gpg --batch --no-tty --allow-secret-key-import --import` as a part of our CI job. So long as the key is present for the GPG calls (via `--homedir #{ENV['HOME']}/.gnupg`) this should not be an issue for any non-automated use. Note that this behavior is the same with RPM signing behaviors. As the GPG key import process is not a part of Omnibus itself, this should be of little concern to this code changes in this MR.
      
      Relates to https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2537
      Relates to https://github.com/chef-cookbooks/omnibus/pull/217
      Closes https://github.com/chef/omnibus/issues/402
      
      Submitted with the approval of GitLab, and with great thanks for the project!
      Signed-off-by: Jason Plum's avatarJason Plum <jplum@gitlab.com>
      a02a2c95
  12. 19 Aug, 2017 1 commit
  13. 15 Aug, 2017 1 commit
  14. 09 Aug, 2017 1 commit
  15. 08 Aug, 2017 2 commits
  16. 07 Aug, 2017 1 commit
  17. 04 Aug, 2017 2 commits