-
-
Save theopolis/1638221811ad04d1787c72a51728e2c8 to your computer and use it in GitHub Desktop.
osquery-signing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [osquery-s3-rpm-repo] | |
| name=name=osquery RPM repository - $basearch | |
| baseurl=https://s3.amazonaws.com/osquery-packages/rpm/$basearch/ | |
| enabled=1 | |
| gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-osquery | |
| gpgcheck=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # | |
| # Script to sign and publish in s3 the RPM and DEB signed packages | |
| # and the PKG package. | |
| # | |
| # main entrypoint to signing | |
| # | |
| USER=$(whoami) | |
| # Expect this script to run in the home directory of the osquery user. | |
| SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | |
| TOOLS_DIR="$( dirname "$( realpath "${BASH_SOURCE[0]}" )" )" | |
| TOOLS_DIR="$TOOLS_DIR/.." | |
| PKG_SIGNING_LOCAL=true | |
| OHOME=$(realpath ~) | |
| GPG_KEY=C9D8B80B | |
| PKG11_BINARY_IDENTITY="Developer ID Application: Theodore Reed (B89LNTUADM)" | |
| PKG11_PACKAGE_IDENTITY="B89LNTUADM" | |
| PKG11_EXTENSION_IDENTITY="B89LNTUADM" | |
| if $PKG_SIGNING_LOCAL; then | |
| # Check bash version | |
| export PATH=/usr/local/opt/findutils/libexec/gnubin:$PATH | |
| export PATH=/usr/local/Cellar/coreutils/8.26/libexec/gnubin:$PATH | |
| fi | |
| # Locations to store packages locally | |
| LOCAL_PACKAGES=$OHOME/local_packages | |
| PKG11_DIR=$LOCAL_PACKAGES/darwin | |
| DEB_DIR=$LOCAL_PACKAGES/deb | |
| RPM_DIR=$LOCAL_PACKAGES/rpm | |
| LINUX_DIR=$LOCAL_PACKAGES/linux | |
| # Locations to store repositories | |
| LOCAL_REPOSITORIES=$OHOME/repositories | |
| PKG11_REPO=$LOCAL_REPOSITORIES/darwin | |
| DEB_REPO=$LOCAL_REPOSITORIES/deb | |
| RPM_REPO=$LOCAL_REPOSITORIES/rpm | |
| LINUX_REPO=$LOCAL_REPOSITORIES/linux | |
| # Files to keep track of downloaded packages | |
| LOCAL_PROCESSED=$OHOME/processed | |
| PKG11_PROCESSED=$LOCAL_PROCESSED/pkg11.list | |
| DEB_PROCESSED=$LOCAL_PROCESSED/deb.list | |
| RPM_PROCESSED=$LOCAL_PROCESSED/rpm.list | |
| LINUX_PROCESSED=$LOCAL_PROCESSED/linux.list | |
| # Files to keep track of signed packages | |
| LOCAL_SIGNED=$OHOME/signed | |
| PKG11_SIGNED=$LOCAL_SIGNED/pkg11.list | |
| DEB_SIGNED=$LOCAL_SIGNED/deb.list | |
| RPM_SIGNED=$LOCAL_SIGNED/rpm.list | |
| LINUX_SIGNED=$LOCAL_SIGNED/linux.list | |
| # Debian packaging freight variables | |
| FREIGHT_CACHE=/usr/local/var/cache/freight | |
| FREIGHT_CONFIGS=/usr/local/etc | |
| # This libdir is not used, included only for reference | |
| FREIGHT_LIB=/usr/local/var/lib/freight | |
| # OS X binaries/packages are signed on an external signing host, using osx_sign. | |
| PKG_SIGNING_HOST=osquery-osx-signing | |
| PKG_SIGNING_KEY=$OHOME/OSQUERY-OSX-SIGNING.key | |
| PKG11_KEYCHAIN=osquery.keychain | |
| PKG11_WORKING_DIR=working | |
| function need_tool { | |
| TOOL=$1 | |
| EXISTS=$(which $TOOL || true) | |
| if [[ ! -f "$EXISTS" ]]; then | |
| echo "[$2] Need to install $TOOL..." | |
| return 1 | |
| fi | |
| return 0 | |
| } | |
| if [[ $1 = "setup" ]]; then | |
| set -e | |
| if [[ ! -d $OHOME ]]; then | |
| sudo mkdir -p $OHOME | |
| sudo chown $USER $OHOME | |
| echo "[0] Created: $OHOME" | |
| fi | |
| if [[ ! "$(pwd)" = "$OHOME" ]]; then | |
| echo "[!] You should be running this script from $OHOME" | |
| ln -sf $TOOLS_DIR/bin/package_publisher $OHOME/ | |
| echo "[!] Please re-execute: $OHOME/package_publisher" | |
| exit 1 | |
| fi | |
| if [[ ! -f "$OHOME/.s3cfg" ]]; then | |
| cp $TOOLS_DIR/config/s3cfg $OHOME/.s3cfg | |
| echo "[1] Installed: $OHOME/.s3cfg" | |
| fi | |
| if [[ ! `cat $OHOME/.s3cfg | grep PLEASE_ENTER || true` = "" ]]; then | |
| echo "[2] Please fill in ACCESS, SECRET, PASSWORD in $OHOME/.s3cfg" | |
| fi | |
| if [[ ! -f "$OHOME/.rpmmacros" ]]; then | |
| ln -sf $TOOLS_DIR/config/rpmmacros $OHOME/.rpmmacros | |
| echo "[3] Installed: $OHOME/.rpmmacros" | |
| fi | |
| if [[ ! -f "$OHOME/osquery-s3-rpm.repo" ]]; then | |
| ln -sf $TOOLS_DIR/repos/osquery-s3-rpm.repo $OHOME/osquery-s3-rpm.repo | |
| echo "[4-2] Installed: $OHOME/osquery-s3-rpm.repo" | |
| fi | |
| if [[ ! -e "$OHOME/rpm_sign.exp" || ! -e "$OHOME/osx_sign.sh" ]]; then | |
| ln -sf $TOOLS_DIR/bin/osx_sign $OHOME/osx_sign.sh | |
| ln -sf $TOOLS_DIR/bin/rpm_sign $OHOME/rpm_sign.exp | |
| echo "[5] Installed: $OHOME/{osx_sign.sh,rpm_sign.exp}" | |
| fi | |
| if [[ ! -f "$OHOME/OSQUERY-S3-RPM-REPO-GPGKEY" ]]; then | |
| ln -sf $TOOLS_DIR/config/rpm.gpg.pub $OHOME/OSQUERY-S3-RPM-REPO-GPGKEY | |
| echo "[5] Installed: $OHOME/OSQUERY-S3-RPM-REPO-GPGKEY (public key)" | |
| fi | |
| cd $OHOME | |
| mkdir -p $PKG11_DIR | |
| mkdir -p $DEB_DIR | |
| mkdir -p $RPM_DIR | |
| mkdir -p $LINUX_DIR | |
| mkdir -p $PKG11_REPO | |
| mkdir -p $DEB_REPO | |
| mkdir -p $RPM_REPO/x86_64 | |
| mkdir -p $LINUX_REPO | |
| mkdir -p $LOCAL_PROCESSED | |
| touch $PKG11_PROCESSED | |
| touch $DEB_PROCESSED | |
| touch $RPM_PROCESSED | |
| touch $LINUX_PROCESSED | |
| mkdir -p $LOCAL_SIGNED | |
| touch $PKG11_SIGNED | |
| touch $DEB_SIGNED | |
| touch $RPM_SIGNED | |
| touch $LINUX_SIGNED | |
| set +e | |
| if ! need_tool debsigs 6; then | |
| echo "[6] Installing debsigs..." | |
| brew install coreutils | |
| brew install binutils | |
| pushd /tmp/ | |
| git clone https://gitlab.com/debsigs/debsigs.git | |
| pushd debsigs | |
| perl Makefile.PL | |
| make | |
| if $PKG_SIGNING_LOCAL; then | |
| grep -lr "/usr/bin/gpg" . | xargs sed -i.bak 's/\/usr\/bin\/gpg/\/usr\/local\/bin\/gpg/g' | |
| grep -lr "/usr/bin/ar" . | xargs sed -i.bak 's/\/usr\/bin\/ar/\/usr\/local\/bin\/gar/g' | |
| fi | |
| sudo make install | |
| popd | |
| popd | |
| fi | |
| if ! need_tool s3cmd 7; then | |
| if $PKG_SIGNING_LOCAL; then | |
| brew install s3cmd | |
| else | |
| sudo apt install -y s3cmd | |
| fi | |
| fi | |
| if ! need_tool gpg 9; then | |
| if $PKG_SIGNING_LOCAL; then | |
| brew install gpg | |
| else | |
| sudo apt install -y gpg | |
| fi | |
| fi | |
| if ! need_tool createrepo 8; then | |
| if $PKG_SIGNING_LOCAL; then | |
| brew tap stepanstipl/noop | |
| brew install createrepo | |
| brew uninstall --ignore-dependencies libxml2 | |
| brew install --with-python homebrew/homebrew-core/libxml2 | |
| echo /usr/local/opt/libxml2/lib/python2.7/site-packages >> /usr/local/lib/python2.7/site-packages/libxml2.pth | |
| true | |
| else | |
| sudo apt install -y createrepo | |
| fi | |
| fi | |
| if ! need_tool rpm 9; then | |
| if $PKG_SIGNING_LOCAL; then | |
| brew install rpm | |
| else | |
| sudo apt install -y rpm | |
| fi | |
| fi | |
| if ! need_tool ts 8; then | |
| if $PKG_SIGNING_LOCAL; then | |
| brew install moreutils | |
| else | |
| sudo apt install -y moreutils | |
| fi | |
| fi | |
| if ! need_tool expect 10; then | |
| if $PKG_SIGNING_LOCAL; then | |
| brew install expect | |
| else | |
| sudo apt install -y expect | |
| fi | |
| fi | |
| if ! need_tool freight 10; then | |
| pushd /tmp | |
| git clone https://github.com/freight-team/freight | |
| pushd freight | |
| if $PKG_SIGNING_LOCAL; then | |
| brew install findutils | |
| ln -s /usr/local/bin/ginstall /usr/local/bin/install | |
| fi | |
| make | |
| sudo make install-bin | |
| sudo make install-lib | |
| popd | |
| popd | |
| fi | |
| set -e | |
| if [[ ! -f "$FREIGHT_CONFIGS?freight.deb.conf" ]]; then | |
| sudo ln -sf "$TOOLS_DIR/config/freight.deb.conf" "$FREIGHT_CONFIGS/" | |
| echo "[11-2] Installed freight configuration: deb" | |
| fi | |
| if [[ ! -d "$FREIGHT_CACHE" ]]; then | |
| mkdir -p $OHOME/repositories/freight | |
| sudo mkdir -p `dirname $FREIGHT_CACHE` | |
| sudo ln -s $OHOME/repositories/freight $FREIGHT_CACHE | |
| echo "[12] Creating freight cache" | |
| fi | |
| if [[ ! -d "$FREIGHT_LIB" ]]; then | |
| sudo mkdir -p $FREIGHT_LIB | |
| sudo chown $USER "$FREIGHT_LIB" | |
| echo "[12] Creating freight lib" | |
| fi | |
| PUBKEY=$(gpg --list-keys | grep $GPG_KEY || true) | |
| if [[ "$PUBKEY" = "" ]]; then | |
| echo "[99] Installing public GPG key into keyring $GPG_KEY" | |
| gpg --import OSQUERY-S3-RPM-REPO-GPGKEY | |
| fi | |
| GPG=$(gpg --export-secret-key -a $GPG_KEY | grep "KEY BLOCK" || true) | |
| if [[ "$GPG" = "" ]]; then | |
| echo "[99] Please install the private key for $GPG_KEY: gpg --import private.key" | |
| fi | |
| rm -f "$OHOME/.gnupg/gpg.conf" | |
| cp $TOOLS_DIR/config/gpg.conf $OHOME/.gnupg/gpg.conf | |
| if $PKG_SIGNING_LOCAL; then | |
| KEYCHAIN="$OHOME/Library/Keychains/osquery.keychain" | |
| if [[ ! -f $KEYCHAIN ]]; then | |
| echo "[100] Cannot find osquery keychain: $KEYCHAIN" | |
| exit 1 | |
| fi | |
| PASSWORD="$OHOME/.keychain.key" | |
| if [[ ! -f $PASSWORD ]]; then | |
| echo "[100] Cannot find osquery keychain secret: $PASSWORD" | |
| exit 1 | |
| fi | |
| fi | |
| exit 0 | |
| fi | |
| if [[ ! $1 = "please" ]]; then | |
| echo "Would create lists, repos, etc in: $SCRIPT_DIR" | |
| echo "The tools directory, for configs is: $TOOLS_DIR" | |
| echo "Sorry, you didn't say the magic word" | |
| exit 1 | |
| fi | |
| # Log file | |
| LOG_FILE=./publisher.log | |
| touch $LOG_FILE || exit | |
| function log { | |
| echo "$1" | ts "[%Y-%m-%d %H:%M:%S]" | |
| } | |
| # S3 bucket | |
| S3_URL="s3://osquery-packages" | |
| if [[ ! -d "$FREIGHT_CACHE" ]]; then | |
| echo "Sorry, cannot find freight cache: $FREIGHT_CACHE" | |
| exit 1 | |
| elif [[ ! -d "$FREIGHT_CONFIGS" ]]; then | |
| echo "Sorry, cannot find freight configs: $FREIGHT_CONFIGS" | |
| exit 1 | |
| fi | |
| if [[ "$PKG_SIGNING_LOCAL" = "false" && ! "`ping -c 1 $PKG_SIGNING_HOST`" ]]; then | |
| echo "Sorry, cannot ping OS X signing host: $PKG_SIGNING_HOST" | |
| echo "If you'd like to sign OS X packages locally see PKG_SIGNING_LOCAL" | |
| echo "" | |
| # exit 1 | |
| fi | |
| set -e | |
| # Number of historic packages | |
| HISTORIC=5 | |
| HISTORIC_KERNEL=5 | |
| HISTORIC_COMMIT=5 | |
| # Function to check if package has been published already, parameters: | |
| # $1 - package name | |
| # $2 - /path/to/history file of packages | |
| # $3 - type of package | |
| # $4 - package directory | |
| # $5 - package URL | |
| function retrieve_last { | |
| echo "retrieve_last $1 $2 $3 $4 $5 $6" | |
| if [ -z $(grep "$6" "$2") ]; then | |
| log "$3: $6 not found, processing..." | |
| wget -O "$4/$6" "$5/$1" | |
| echo "$6" >> "$2" | |
| else | |
| log "$3: nothing new" | |
| # break # Keep processing changes | |
| fi | |
| } | |
| # Function to check if package has been published already, parameters: | |
| # $1 - package name | |
| # $2 - /path/to/history file of signed packages | |
| function signed_already { | |
| if [ -z $(grep "$1" "$2") ]; then | |
| echo "not" | |
| else | |
| echo "signed" | |
| exit | |
| fi | |
| } | |
| # Function to set signed status, parameters: | |
| # $1 - package name | |
| # $2 - /path/to/history file of signed packages | |
| function update_signed { | |
| echo "$1" >> "$2" | |
| } | |
| # Function to publish in s3, parameters: | |
| # $1 - /path/to/package/ | |
| # $2 - s3 subdirectory | |
| function publish_s3 { | |
| if [[ -d "$1" ]]; then | |
| echo "Publishing $1 to S3: $S3_URL/$2/" | |
| s3cmd -P sync "$1/" "$S3_URL/$2/" | |
| fi | |
| } | |
| # Function to publish centos repos in s3, parameters: | |
| # $1 - /path/to/package/ | |
| # $2 - (centos7/centos6) repo | |
| function publish_centos_s3 { | |
| if [[ -d "$1" ]]; then | |
| echo "Publishing (centos) $1 to S3: $S3_URL/$2/" | |
| s3cmd -P sync "$1/" "$S3_URL/$2/" --exclude "*x86_64/*" | |
| fi | |
| if [[ -z "$SYNC" ]]; then | |
| echo "Skipping publishing repo (centos)" | |
| return 0 | |
| fi | |
| # Sync the $2/x86_64 dir | |
| echo "Publishing (centos) repo $1 to S3: $S3_URL/$2/" | |
| s3cmd -P sync "$1/" "$S3_URL/$2/" | |
| } | |
| # Function to publish linux repos in s3, parameters: | |
| # $1 - /path/to/package/ | |
| # $2 - repo | |
| function publish_linux_s3 { | |
| if [[ -d "$1" ]]; then | |
| echo "Publishing (linux) $1 to S3: $S3_URL/$2/" | |
| s3cmd -P sync "$1/" "$S3_URL/$2/" --exclude "*x86_64/*" | |
| fi | |
| } | |
| # Function to publish debian repos in s3, parameters: | |
| # $1 - /path/to/package/ | |
| # $2 - (trusty/precise) repo | |
| function publish_debian_s3 { | |
| VERSION=$2 | |
| if [[ -d "$1" ]]; then | |
| echo "Publishing (debian) $1/ to S3: $S3_URL/$VERSION/" | |
| s3cmd -P sync "$1/" "$S3_URL/$VERSION/" | |
| fi | |
| if [[ -z "$SYNC" ]]; then | |
| echo "Skipping publishing repo (debian)" | |
| return 0 | |
| fi | |
| if [[ -d "$FREIGHT_CACHE/$VERSION" ]]; then | |
| echo "Publishing $FREIGHT_CACHE/$VERSION/ to S3: $S3_URL/$VERSION/" | |
| s3cmd -P sync $FREIGHT_CACHE/$VERSION/ "$S3_URL/$VERSION/" --exclude "*dists/*" | |
| echo "Publishing $FREIGHT_CACHE/$VERSION/dists/$VERSION/ to S3: $S3_URL/$VERSION/dists/$VERSION/" | |
| s3cmd -P sync $FREIGHT_CACHE/$VERSION/dists/$VERSION/ "$S3_URL/$VERSION/dists/$VERSION/" --delete-removed --exclude "*.refs*" | |
| fi | |
| } | |
| # 'Remote' function to sign PKG packages (binaries/extensions), parameters: | |
| # $1 - /path/to/package | |
| function sign_osx_11 { | |
| PKG11_FILE=$1 | |
| PKG11_NAME=`basename $1` | |
| PKG11_PASSWORD=`cat ~/.keychain.key` | |
| security unlock-keychain -p $PKG11_PASSWORD $PKG11_KEYCHAIN | |
| echo "unlocked" | |
| security default-keychain -s $PKG11_KEYCHAIN | |
| echo "default" | |
| log "Using identity '$PKG11_PACKAGE_IDENTITY' to sign: $PKG11_FILE" | |
| log "Expanding package metadata and payload..." | |
| mkdir -p $PKG11_WORKING_DIR | |
| echo "need sudo" | |
| sudo rm -rf $PKG11_WORKING_DIR/$PKG11_NAME | |
| echo "finished sudo" | |
| log "Expanding '$PKG11_FILE' into '$PKG11_WORKING_DIR/$PKG11_NAME'" | |
| pkgutil --expand $PKG11_FILE $PKG11_WORKING_DIR/$PKG11_NAME | |
| mkdir -p $PKG11_WORKING_DIR/$PKG11_NAME/root | |
| pushd $PKG11_WORKING_DIR/$PKG11_NAME/root | |
| # Extract the package payload. | |
| log "Extracting package payload..." | |
| cat ../Payload | gzip -d | cpio -id | |
| # Find all binary executables. | |
| BINARIES=`find . -type f -perm -u+x | xargs file | grep Mach-O | awk -F: '{print $1}'` | |
| for BIN in $BINARIES; do | |
| if [[ $BIN != "" ]]; then | |
| log "Signing binary: $BIN" | |
| codesign --keychain $PKG11_KEYCHAIN -s "$PKG11_BINARY_IDENTITY" --timestamp "$BIN" || true | |
| fi | |
| done | |
| # Find all kernel extensions. | |
| KEXTS=`find . -type d | grep -E ".*ext$" || true` | |
| for EXT in ${KEXTS}; do | |
| if [[ $EXT != "" ]]; then | |
| log "Signing kernel extension: $EXT" | |
| codesign --keychain $PKG11_KEYCHAIN -s "$PKG11_EXTENSION_IDENTITY" --timestamp "$EXT" || true | |
| fi | |
| done | |
| # Regenerate the package payload. | |
| log "Regenerating package payload..." | |
| sudo chown -R root:wheel . | |
| find . | cpio -o --format odc | gzip -c > ../Payload | |
| popd | |
| # Regenerate the package bill of materials. | |
| rm $PKG11_WORKING_DIR/$PKG11_NAME/Bom | |
| mkbom $PKG11_WORKING_DIR/$PKG11_NAME/root $PKG11_WORKING_DIR/$PKG11_NAME/Bom | |
| sudo rm -rf $PKG11_WORKING_DIR/$PKG11_NAME/root | |
| # Regenerate the package. | |
| log "Rebuilding package with signed binaries: $PKG11_NAME.rebuilt" | |
| pkgutil --flatten $PKG11_WORKING_DIR/$PKG11_NAME $PKG11_WORKING_DIR/$PKG11_NAME.rebuilt | |
| # Sign the package itself | |
| log "Signing package: $PKG11_WORKING_DIR/$PKG11_NAME.signed" | |
| productsign --keychain $PKG11_KEYCHAIN --sign "$PKG11_PACKAGE_IDENTITY" \ | |
| --timestamp $PKG11_WORKING_DIR/$PKG11_NAME.rebuilt $PKG11_WORKING_DIR/$PKG11_NAME.signed | |
| mv $PKG11_WORKING_DIR/$PKG11_NAME.signed $PKG11_REPO/$PKG11_NAME | |
| rm -rf $PKG11_WORKING_DIR/$PKG11_NAME* | |
| } | |
| # Function to sign DEB packages, parameters: | |
| # $1 - /path/to/package | |
| function sign_deb { | |
| #echo "Sign DEB $1" | |
| debsigs --sign=origin -k $GPG_KEY "$1" | |
| } | |
| # Function to sign RPM packages, parameters: | |
| # $1 - /path/to/package | |
| function sign_rpm { | |
| #echo "Sign RPM $1" | |
| # .rpmmacros should be in the target directory | |
| ./rpm_sign.exp "$1" | |
| rpm -qivp "$1" | grep -i $GPG_KEY | |
| } | |
| # Function to copy last packages to distribute static links in s3 | |
| # $1 - /path/to/local_packages | |
| # $2 - /path/to/repository | |
| # $3 - type of package | |
| function last_package { | |
| # Create new last osquery-latest | |
| OSQUERY_LATEST="$(ls -lt "$1" | grep "osquery[-_][0-9].*\.$3" | head -1 | awk '{print $9}')" | |
| cp "$1/$OSQUERY_LATEST" "$2/osquery.$3" | |
| cp "$1/$OSQUERY_LATEST" "$2/osquery-latest.$3" | |
| } | |
| # Process PKGs for OSX 10.11, parameters: | |
| # $1 - package name | |
| function process_pkg11 { | |
| #echo "executed process_pkg11 $1" | |
| # Get and log new packages | |
| #retrieve_last "$1" "$PKG11_PROCESSED" "PKG" "$PKG11_DIR" "$PKG11_URL" "$2" | |
| # Sign package if not done already | |
| PKG_already_signed=$(signed_already "$1" "$PKG11_SIGNED") | |
| if [[ $PKG_already_signed = "not" ]]; then | |
| log "PKG: $1 has not been signed, signining..." | |
| if [[ "$1" =~ "rpm" ]]; then | |
| sign_rpm "$PKG11_DIR/$1" | |
| else | |
| sign_osx_11 "$PKG11_DIR/$1" | |
| fi | |
| else | |
| return 0 | |
| fi | |
| update_signed "$1" "$PKG11_SIGNED" | |
| # Update last package | |
| if [[ "$1" =~ "rpm" ]]; then | |
| cp "$PKG11_DIR/$1" $PKG11_REPO/ | |
| last_package "$PKG11_DIR" "$PKG11_REPO" "rpm" | |
| else | |
| last_package "$PKG11_REPO" "$PKG11_REPO" "pkg" | |
| fi | |
| } | |
| # Process DEBs for deb (universal), parameters: | |
| # $1 - package name | |
| function process_deb { | |
| # Get and log new packages | |
| FILENAME="$1" | |
| # Sign package if not done already | |
| DEB_deb_already_signed=$(signed_already "$FILENAME" "$DEB_SIGNED") | |
| if [[ $DEB_deb_already_signed = "not" ]]; then | |
| log "DEB(all): $FILENAME has not been signed, signining..." | |
| sign_deb "$DEB_DIR/$FILENAME" | |
| else | |
| return 0 | |
| fi | |
| # NEW: Update freight repository | |
| cp "$DEB_DIR/$1" $DEB_REPO/ | |
| freight add -c $FREIGHT_CONFIGS/freight.deb.conf "$DEB_DIR/$FILENAME" apt/deb | |
| freight cache -c $FREIGHT_CONFIGS/freight.deb.conf | |
| update_signed "$1" "$DEB_SIGNED" | |
| # Update last package | |
| last_package "$DEB_DIR" "$DEB_REPO" "deb" | |
| } | |
| # Process RPMs, parameters: | |
| # $1 - package name | |
| function process_rpm { | |
| # Sign package if not done already | |
| RPM_rpm_already_signed=$(signed_already "$1" "$RPM_SIGNED") | |
| if [[ $RPM_rpm_already_signed = "not" ]]; then | |
| log "RPM (all): $1 has not been signed, signining..." | |
| sign_rpm "$RPM_DIR/$1" | |
| else | |
| return 0 | |
| fi | |
| # Update repository | |
| cp "$RPM_DIR/$1" $RPM_REPO/ | |
| cp "$RPM_DIR/$1" $RPM_REPO/x86_64 | |
| for a in $RPM_REPO/x86_64 | |
| do | |
| createrepo -v --update $a/ | |
| done | |
| update_signed "$1" "$RPM_SIGNED" | |
| # Update last package | |
| last_package "$RPM_DIR" "$RPM_REPO" "rpm" | |
| } | |
| # Process TARs for Linux, parameters: | |
| # $1 - package name | |
| function process_linux { | |
| # Sign package if not done already | |
| TAR_already_signed=$(signed_already "$1" "$LINUX_SIGNED") | |
| if [[ $TAR_already_signed = "not" ]]; then | |
| log "TAR (all): $1 has not been signed, signining..." | |
| # sign_rpm "$RPM_DIR/$1" | |
| else | |
| return 0 | |
| fi | |
| # Update repository | |
| cp "$LINUX_DIR/$1" $LINUX_REPO/ | |
| update_signed "$1" "$LINUX_SIGNED" | |
| # Update last package | |
| # last_package "$LINUX_DIR" "$LINUX_REPO" "rpm" | |
| } | |
| # Here is where the magic happens! | |
| declare -a SYSTEM | |
| declare -A SYSTEM_STAGE | |
| declare -A SYSTEM_TYPE | |
| declare -A SYSTEM_FUNCTION | |
| declare -A SYSTEM_REPO | |
| SYSTEM[0]="darwin" | |
| SYSTEM_TYPE["darwin"]="pkg" | |
| SYSTEM_STAGE["darwin"]=$PKG11_DIR | |
| SYSTEM_FUNCTION["darwin"]=process_pkg11 | |
| SYSTEM_REPO["darwin"]=$PKG11_REPO | |
| SYSTEM[2]="deb" | |
| SYSTEM_TYPE["deb"]="deb" | |
| SYSTEM_STAGE["deb"]=$DEB_DIR | |
| SYSTEM_FUNCTION["deb"]=process_deb | |
| SYSTEM_REPO["deb"]=$DEB_REPO | |
| SYSTEM[3]="rpm" | |
| SYSTEM_TYPE["rpm"]="rpm" | |
| SYSTEM_STAGE["rpm"]=$RPM_DIR | |
| SYSTEM_FUNCTION["rpm"]=process_rpm | |
| SYSTEM_REPO["rpm"]=$RPM_REPO | |
| SYSTEM[4]="linux" | |
| SYSTEM_TYPE["linux"]="tar" | |
| SYSTEM_STAGE["linux"]=$LINUX_DIR | |
| SYSTEM_FUNCTION["linux"]=process_linux | |
| SYSTEM_REPO["linux"]=$LINUX_REPO | |
| for S in "${SYSTEM[@]}" | |
| do | |
| echo "Enumerating packages for $S in ${SYSTEM_STAGE[$S]}..." | |
| for FILE in `ls "${SYSTEM_STAGE[$S]}/"`; do | |
| ${SYSTEM_FUNCTION[$S]} "$FILE" | |
| done | |
| # Now publish the results for this platform | |
| if [[ "${SYSTEM_TYPE[$S]}" = "deb" ]]; then | |
| publish_debian_s3 ${SYSTEM_REPO[$S]} "$S" | |
| true | |
| elif [[ "${SYSTEM_TYPE[$S]}" = "rpm" && ! "$S" = "darwin" ]]; then | |
| publish_centos_s3 ${SYSTEM_REPO[$S]} "$S" | |
| true | |
| elif [[ "${SYSTEM_TYPE[$S]}" = "tar" ]]; then | |
| publish_linux_s3 ${SYSTEM_REPO[$S]} "$S" | |
| true | |
| else | |
| publish_s3 ${SYSTEM_REPO[$S]} "$S" | |
| true | |
| fi | |
| echo "" | |
| #fi | |
| done | |
| exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/expect -f | |
| spawn rpm -D "__gpg /usr/local/bin/gpg" -D "_signature gpg" -D "_gpg_name osquery (osquery) <osquery@fb.com>" --addsign {*}$argv | |
| expect -exact "Enter pass phrase: " { | |
| send -- "\r" | |
| expect eof | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment