Menu
▾
▴
[Smartfrog-checkins] SF.net SVN: smartfrog:[7090] trunk/core/release
|
From: <st...@us...> - 2008-09-26 16:01:36
|
Revision: 7090
http://smartfrog.svn.sourceforge.net/smartfrog/?rev=7090&view=rev
Author: steve_l
Date: 2008-09-26 16:00:37 +0000 (Fri, 26 Sep 2008)
Log Message:
-----------
SFOS-879 Security: remove signedLib; all the JARs in lib/ are to be signed instead. -this is in secure mode only
SFOS-852 Write a redistributable build file to sign the JARs and create custom RPMs with these signed artifacts
Modified Paths:
--------------
trunk/core/release/build.xml
trunk/core/release/metadata/rpm/rpm.properties
trunk/core/release/metadata/rpm/smartfrog.spec
trunk/core/release/src/ant/build.xml
Modified: trunk/core/release/build.xml
===================================================================
--- trunk/core/release/build.xml 2008-09-24 16:09:27 UTC (rev 7089)
+++ trunk/core/release/build.xml 2008-09-26 16:00:37 UTC (rev 7090)
@@ -569,7 +569,8 @@
</exec>
</target>
- <target name="maybe-sign-rpm-jars" depends="copy-rpm-specs,create-link-dir,init-security,symlink-signed-lib"
+ <!--we've cut ,symlink-signed-lib from the depends list here-->
+ <target name="maybe-sign-rpm-jars" depends="copy-rpm-specs,create-link-dir,init-security"
xmlns:sec="http://security.smartfrog.org/">
</target>
@@ -1226,6 +1227,11 @@
todir="${build.dir}"/>
<!--commandResource="${build.dir}/rpm-queries.txt"-->
+ <!-- this sets a property to the query string to check the signedlib if the
+ security.enabled flag is set.
+ Checking this has been disabled while we experiment with not setting the symlink
+ up except in custom signed RPMs.
+ -->
<condition property="secureLibs"
value="rpm -qf ${rpm.install.dir}/signedLib/smartfrog-${smartfrog.version}.jar;
rpm -qf ${rpm.install.dir}/signedLib/sfServices-${smartfrog.version}.jar;
@@ -1266,9 +1272,9 @@
rpm -qf ${rpm.install.dir}/lib/sf-csvfiles-${smartfrog.version}.jar;
rpm -qf ${rpm.install.dir}/lib/opencsv-${opencsv.version}.jar;
rpm -qf ${rpm.install.dir}/links/sf-csvfiles.jar;
-rpm -qf ${rpm.install.dir}/links/opencsv.jar;
-${secureLibs}"
+rpm -qf ${rpm.install.dir}/links/opencsv.jar;"
outputProperty="rpm.queries.results"/>
+ <!--${secureLibs}"-->
<fail>
<condition>
Modified: trunk/core/release/metadata/rpm/rpm.properties
===================================================================
--- trunk/core/release/metadata/rpm/rpm.properties 2008-09-24 16:09:27 UTC (rev 7089)
+++ trunk/core/release/metadata/rpm/rpm.properties 2008-09-26 16:00:37 UTC (rev 7090)
@@ -2,7 +2,7 @@
#by the user at build time.
#release counter
-rpm.release.counter=2
+rpm.release.counter=1
#platform this RPM targets
rpm.distribution=el4
#the full release version combines the counter and target platform
Modified: trunk/core/release/metadata/rpm/smartfrog.spec
===================================================================
--- trunk/core/release/metadata/rpm/smartfrog.spec 2008-09-24 16:09:27 UTC (rev 7089)
+++ trunk/core/release/metadata/rpm/smartfrog.spec 2008-09-26 16:00:37 UTC (rev 7090)
@@ -73,6 +73,17 @@
%define sfExamples.jar sfExamples-${smartfrog.version}.jar
%define sfServices.jar sfServices-${smartfrog.version}.jar
+#choose the package name based on the operational mode
+%{!?_private_rpm:%define package_name smartfrog}
+%{?_private_rpm:%define package_name smartfrog-secure}
+%{!?_private_rpm:%define security_text This is an unsigned distribution}
+%{?_private_rpm:%define security_text This is a signed distribution with private information in the smartfrog-private rpm}
+
+%{?_private_rpm:%{error: this is a private rpm}}
+%{!?_private_rpm:%{error: this is not a private rpm}}
+
+
+
# -----------------------------------------------------------------------------
Summary: SmartFrog Deployment Framework
@@ -87,11 +98,9 @@
Packager: ${rpm.packager}
BuildArch: noarch
#%{name}-%{version}.tar.gz in the SOURCES dir
-Source0: %{name}-%{version}.tar.gz
-# add patches, if any, here
+Source0: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-#BuildRoot: %{basedir}
-Prefix: ${rpm.prefix}
+Prefix: ${rpm.prefix}
#Provides: SmartFrog
#Icon: docs/images/frog.gif
# build and runtime requirements here
@@ -107,7 +116,9 @@
activates and manages the components to deliver and maintain running systems.
SmartFrog and its components are implemented in Java.
-This RPM installs smartfrog into
+%{security_text}
+
+The RPM installs smartfrog into
%{basedir}
It also adds scripts to /etc/profile.d and /etc/sysconfig
so that SmartFrog is available on the command line.
@@ -271,7 +282,7 @@
%package quartz
Group: ${rpm.framework}
Summary: Work scheduling with Quartz
-Requires: %{name} = %{version}-%{release} , smartfrog-logging
+Requires: %{name} = %{version}-%{release} , %{name}-logging
#
%description quartz
Work scheduling. These components can be used to schedule work to a pool of machines,
@@ -295,7 +306,7 @@
%package xunit
Group: ${rpm.framework}
Summary: Testing under SmartFrog
-Requires: %{name} = %{version}-%{release} , smartfrog-logging
+Requires: %{name} = %{version}-%{release} , %{name}-logging
#
%description xunit
The base testing components. This contains the sfunit test components
@@ -306,7 +317,7 @@
%package junit
Group: ${rpm.framework}
Summary: JUnit testing
-Requires: %{name} = %{version}-%{release} , smartfrog-xunit
+Requires: %{name} = %{version}-%{release} , %{name}-xunit
#
%description junit
This contains the components for running JUnit ${junit.version} tests, and the
@@ -317,7 +328,7 @@
%package velocity
Group: ${rpm.framework}
Summary: Velocity template engine
-Requires: %{name} = %{version}-%{release} , smartfrog-logging
+Requires: %{name} = %{version}-%{release} , %{name}-logging
#
%description velocity
@@ -337,7 +348,7 @@
%package www
Group: ${rpm.framework}
Summary: WWW components
-Requires: %{name} = %{version}-%{release} , smartfrog-logging
+Requires: %{name} = %{version}-%{release} , %{name}-logging
#
%description www
This package contains components to deploy web applications on different
@@ -394,8 +405,8 @@
Do not install a private keys package except within your own organisation; do not
make a privately generated key package publicly available.
+%{security_text}
-
# -----------------------------------------------------------------------------
%prep
@@ -541,10 +552,8 @@
%{basedir}/testCA
-#the signedLib which used to be a directory, but which in the RPMs is a symbolic link
-#%dir %{basedir}/signedLib
-%{basedir}/signedLib
+
#the log output directory
#this is no longer world writeable, as the logging can fall back gracefully now
%attr(755, ${rpm.username},${rpm.groupname}) ${rpm.log.dir}
@@ -559,7 +568,19 @@
%docdir %{docs}
%{docs}
%doc %{basedir}/src.zip
+# -----------------------------------------------------------------------------
+# RPM Security section.
+# When secure RPMs are created. then signedLib is a symlink and not a directory
+# -----------------------------------------------------------------------------
+#the signedLib which used to be a directory, but which in the RPMs is a symbolic link
+#
+%{basedir}/signedLib
+
+# some switches; still experimenting with those
+#%{!?_private_rpm:%dir %{signedlib}}
+#%{?_private_rpm:%{signedlib}}
+
# -----------------------------------------------------------------------------
# this is the private dir unless the build says otherwise
%{!?_private_rpm:%{privatedir}}
@@ -574,20 +595,20 @@
# done as a script to deal with upgrade problems. Any existing directory
# is blown away by this operation, as is a symlink.
%post
-if [ -x %{signedlib} ] ; then
-rm -rf %{signedlib}
-fi
-ln -s %{libdir} %{signedlib}
+#if [ -x %{signedlib} ] ; then
+#rm -rf %{signedlib}
+#fi
+#ln -s %{libdir} %{signedlib}
# the symlink is only deleted if there is none left; this avoids
# stamping on any newly created links.
%postun
-if [ "$1" = "0" ] ; then
- if [ -x %{signedlib} ] ; then
- rm -rf %{signedlib}
- fi
-fi
+#if [ "$1" = "0" ] ; then
+# if [ -x %{signedlib} ] ; then
+# rm -rf %{signedlib}
+# fi
+#fi
%files demo
@@ -642,7 +663,7 @@
#and the etc stuff
%defattr(0644,root,root,0755)
%attr(755, root,root) /etc/rc.d/init.d/${rpm.daemon.name}
-%(0644,root,root) /etc/sysconfig/smartfrog
+%attr(0644,root,root) /etc/sysconfig/smartfrog
%files ant
@@ -808,15 +829,16 @@
# to get the date, run: date +"%a %b %d %Y"
%changelog
-* Tue Sep 16 2008 Steve Loughran <sma...@hp...> 3.12.0042-2.el4 changes to the security model so that signedLib is a symlink.
-* Mon May 12 2008 Steve Loughran <sma...@hp...> 3.12.0027-2.el4
+* Fri Sep 26 2008 Steve Loughran <sma...@hp...> 3.12.043-1.el4 changes to the security model so that signedLib is a symlink.
+* Tue Sep 16 2008 Steve Loughran <sma...@hp...> 3.12.042-2.el4 changes to the security model so that signedLib is a symlink.
+* Mon May 12 2008 Steve Loughran <sma...@hp...> 3.12.027-2.el4
- add velocity template
-* Thu Jan 24 2008 Steve Loughran <sma...@hp...> 3.12.0018-2.el4
+* Thu Jan 24 2008 Steve Loughran <sma...@hp...> 3.12.018-2.el4
- add ability to generate signed RPM files
-* Mon Dec 03 2007 Steve Loughran <sma...@hp...> 3.12.0013-1.el4
+* Mon Dec 03 2007 Steve Loughran <sma...@hp...> 3.12.013-1.el4
- add the javadocs RPM
- remove og-w permissions from the log directory
-* Wed Nov 21 2007 Steve Loughran <sma...@hp...> 3.12.0011-1.el4
+* Wed Nov 21 2007 Steve Loughran <sma...@hp...> 3.12.011-1.el4
- add the ant, database, jmx, junit,networking, quartz, scrpting, www, xml, xmpp,
xunit RPMs.
* Wed Oct 24 2007 Steve Loughran <sma...@hp...> 3.12.008-1.el4
Modified: trunk/core/release/src/ant/build.xml
===================================================================
--- trunk/core/release/src/ant/build.xml 2008-09-24 16:09:27 UTC (rev 7089)
+++ trunk/core/release/src/ant/build.xml 2008-09-26 16:00:37 UTC (rev 7090)
@@ -29,8 +29,8 @@
See http://wiki.smartfrog.org/wiki/display/sf/Signing+RPMs+for+secure+installations
+ To use it. you must have
-
</description>
<!--load an override file before anything else-->
@@ -39,9 +39,10 @@
<!--this is our parent directory-->
<property name="parent.project.dir" location="../.."/>
<property file="${parent.project.dir}/build.properties"/>
+ <property name="rpmbuild.properties.file" location="rpmbuild.properties" />
<!--Load the properties files, fail if missing-->
- <loadproperties srcFile="rpmbuild.properties" />
+ <loadproperties srcfile="${rpmbuild.properties.file}" />
<!--these are the RPM properties -->
<loadproperties srcFile="rpm.properties"/>
@@ -141,17 +142,18 @@
<target name="ready-to-prepare-binary-rpm"
- depends="rpmmacros,signjars"/>
+ depends="rpmmacros,signjars,symlink-signed-lib"/>
-
<target name="build-rpm" depends="ready-to-rpm"
description="create an RPM file of the core smartfrog libraries">
<rpm
specFile="smartfrog.spec"
topDir="${rpm.image.dir}"
cleanBuildDir="true"
- command="-bb --with=_private_rpm"
- failOnError="true"/>
+ command='-bb --define "_private_rpm _private_rpm"'
+ failOnError="true">
+<!-- <define key="_private_rpm" value="_private_rpm" /> -->
+ </rpm>
</target>
<target name="prepare-binary-rpm"
@@ -292,7 +294,7 @@
</dist>
</target>
- <target name="ready-to-sign" depends="init,init-security" if="sign.jars"/>
+ <target name="ready-to-sign" depends="init,init-security" />
<target name="signjars" depends="ready-to-sign">
@@ -312,4 +314,15 @@
</sec:signjar2>
</target>
+ <!--For the secure RPMs, we create symbolic links instead of a separate directory-->
+ <target name="symlink-signed-lib" depends="ready-to-sign"
+ >
+ <delete dir="${rpm.signed.lib.dir}" />
+ <exec executable="ln" failonerror="true">
+ <arg value="-sf"/>
+ <arg value="${rpm.install.dir}/lib"/>
+ <arg value="${rpm.signed.lib.dir}"/>
+ </exec>
+ </target>
+
</project>
\ No newline at end of file
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|