OpenVoxProject · nmburgan · Apr 25, 2025 · May 1, 2025 · nmburgan · May 1, 2025
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -13,9 +13,6 @@ jobs:
   rake_checks:
     name: Rake Checks
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        check: [ 'rubocop', 'commits' ]
     steps:
       - name: Checkout current PR
         uses: actions/checkout@v4
@@ -29,4 +26,4 @@ jobs:
         run: |
           gem update --system --silent --no-document
           bundle install --jobs 4 --retry 3
-      - run: bundle exec rake ${{ matrix.check }} --trace
+      - run: bundle exec rake rubocop --trace
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 vendor/*
 output/*
+signed/*
 .bundle
 Gemfile.lock
 Gemfile.local

diff --git a/configs/projects/openvox-agent.rb b/configs/projects/openvox-agent.rb
@@ -25,9 +25,8 @@
     proj.extra_file_to_sign File.join(proj.bindir, 'puppet')
     proj.extra_file_to_sign File.join(proj.bindir, 'pxp-agent')
     proj.extra_file_to_sign File.join(proj.bindir, 'wrapper.sh')
-    proj.signing_hostname 'osx-signer-prod-3.delivery.puppetlabs.net'
-    proj.signing_username 'jenkins'
-    proj.signing_command 'security -q unlock-keychain -p \$$OSX_SIGNING_KEYCHAIN_PW \$$OSX_SIGNING_KEYCHAIN; codesign --timestamp --keychain \$$OSX_SIGNING_KEYCHAIN -vfs \"\$$OSX_CODESIGNING_CERT\"'
+    proj.use_local_signing true
+    proj.signing_command 'codesign --timestamp --keychain $$OSX_SIGNING_KEYCHAIN -vfs "$$OSX_CODESIGNING_CERT"'
   end
 
   if platform.is_fedora? || platform.name =~ /el-10/

diff --git a/tasks/sign.rake b/tasks/sign.rake
@@ -0,0 +1,45 @@
+require 'fileutils'
+
+# Adapted from https://github.com/puppetlabs/packaging/blob/15da180e9574e4582c096b0537334627d3f0f814/lib/packaging/sign/dmg.rb#L43
+# Likely we can make this better at some point, probably integrating into Vanagon itself.
+namespace :vox do
+  desc 'Sign package with installer signing key'
+  task :sign, [:tag] do |_, args|
+    abort 'You must provide a tag.' if args[:tag].nil? || args[:tag].empty?
+    dmgs = Dir.glob("#{__dir__}/../output/**/*#{args[:tag]}*.dmg")
+    abort 'No files for the given tag found in the output directory.' if dmgs.empty?
+
+    mnt = Dir.mktmpdir('mnt')
+    puts "Temporary mount dir is #{mnt}"
+    working = Dir.mktmpdir('working')
+    puts "Temporary working dir is #{working}"
+    begin
+      FileUtils.mkdir_p('./signed')
+      dmgs.each do |dmg|
+        dmg_basename = File.basename(dmg)
+        puts "Signing #{dmg_basename}"
+        puts "Mounting dmg"
+        run_command("/usr/bin/hdiutil attach #{dmg} -mountpoint #{mnt} -nobrowse")
+        Dir.glob("#{mnt}/*").each do |f|
+          f_basename = File.basename(f)
+          if f.end_with?('.pkg')
+            puts "Signing #{f_basename}"
+            run_command("/usr/bin/productsign --keychain \"${OSX_SIGNING_KEYCHAIN}\" --sign \"${OSX_DMGSIGNING_CERT}\" #{f} #{working}/#{f_basename}")
+          else
+            puts "Copying #{f_basename}"
+            FileUtils.cp(f, "#{working}/#{f_basename}")
+          end
+        end
+        puts "Detatching dmg"
+        run_command("/usr/bin/hdiutil detach #{mnt} -quiet")
+        puts "Creating dmg with signed package"
+        run_command("/usr/bin/hdiutil create -volname #{dmg_basename} -size 500m -srcfolder #{working}/ ./signed/#{dmg_basename}")
+        puts "Signed package dmg at signed/#{dmg_basename}"
+        FileUtils.rm_rf("#{working}/*")
+      end
+    ensure
+      FileUtils.rm_rf(mnt)
+      FileUtils.rm_rf(working)
+    end
+  end
+end