fastlane-plugin-hexsign 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67ae47604a746cc168dd35f48cc3f58d8eb9d70f9c28613004673ecf22b0491d
-  data.tar.gz: f20b85fc29619f3a33bed881b02d49f25bd1db91d9f697776910ef37ea8e60a1
+  metadata.gz: f17f684819fe3e6e0b9d2d972ad9bff85f302efe7cabba4177d1059d110bfc17
+  data.tar.gz: e0060da7f20a7936f19d5b8f9de1b18de8b88d43dd8bcd182a32da4ceff56fac
 SHA512:
-  metadata.gz: 56c2e8435a98b6e2e25291eb317bc8eaa4c61cc983264072056d230c8cbad5eba3a17f9d6d089ead9354620da8e2dfba53d80d2b7f6af04a5242873d60c11cde
-  data.tar.gz: a32eae25d357b1676bcb5b15821e77c3609f5842dd0043d90ad9bc7e9edbe0c7cbdf189257c0366f5a1da381b6bc55d527e9cd36946d9c688498cb1a505f336d
+  metadata.gz: e34fa388365f8cb1b649e1cf5d5be8c9aea20e0a769d6db2622266e1ca4a96410aa4c09c792ea4891389b9f87d4f80080ee1505669e0dd5efc48c39077ca4fa4
+  data.tar.gz: d0338cac4e02ae2fefc96d54c001fb95b2f1570cffa9def3cf8871db8a459c510c174ef0a536382c8589c3c58caaa5373d0d480b722178688199ebbb568f1773

data/README.md

@@ -63,6 +63,7 @@ hexsign_certificates_download(
 | `id` | `HEXSIGN_CERTIFICATE_ID` | yes | Certificate ID |
 | `output_dir` | `HEXSIGN_CERTIFICATE_OUTPUT_DIR` | no | Output directory |
 | `filename` | `HEXSIGN_CERTIFICATE_FILENAME` | no | Base filename (no extension) |
+| `keychain` | `HEXSIGN_KEYCHAIN` | no | macOS only — keychain to create and import the `.p12` into, ready for codesigning |
 
 ### `hexsign_profiles_download`
 
@@ -80,6 +81,53 @@ hexsign_profiles_download(
 | `id` | `HEXSIGN_PROFILE_ID` | yes | Provisioning profile ID |
 | `output_dir` | `HEXSIGN_PROFILE_OUTPUT_DIR` | no | Output directory |
 | `filename` | `HEXSIGN_PROFILE_FILENAME` | no | Filename (no extension) |
+| `install` | `HEXSIGN_PROFILE_INSTALL` | no | macOS only — also install the profile where Xcode finds it |
+
+### `hexsign_certificates_download_by_type`
+
+Downloads **every** signing certificate of a given type for one Apple Developer
+team. Survives certificate rotation: no UUID to update when a cert is renewed.
+
+Returns an array of `{ p12:, password: }` hashes — one per downloaded certificate.
+
+```ruby
+pairs = hexsign_certificates_download_by_type(
+  type:       "IOS_DISTRIBUTION",
+  team_id:    "ABCDE12345",
+  output_dir: "build/sign"
+)
+# => [{ p12: "build/sign/foo.p12", password: "build/sign/foo.password" }, ...]
+```
+
+| Option | Env | Required | Description |
+|---|---|---|---|
+| `type` | `HEXSIGN_CERTIFICATE_TYPE` | yes | Apple cert type (e.g. `IOS_DISTRIBUTION`) |
+| `team_id` | `HEXSIGN_TEAM_ID` | yes | Apple Developer team id |
+| `output_dir` | `HEXSIGN_CERTIFICATE_OUTPUT_DIR` | no | Output directory |
+| `keychain` | `HEXSIGN_KEYCHAIN` | no | macOS only — keychain to create and import every downloaded `.p12` into, ready for codesigning |
+
+### `hexsign_profiles_download_by_bundle_id`
+
+Downloads **every** provisioning profile for a bundle identifier. Survives
+profile rotation: no UUID to update when a profile is regenerated.
+
+Returns an array of absolute paths to the downloaded `.mobileprovision` files.
+
+```ruby
+paths = hexsign_profiles_download_by_bundle_id(
+  bundle_id:  "com.example.app",
+  team_id:    "ABCDE12345",   # optional — scopes across linked Apple accounts
+  output_dir: "build/sign"
+)
+# => ["build/sign/foo.mobileprovision", "build/sign/bar.mobileprovision"]
+```
+
+| Option | Env | Required | Description |
+|---|---|---|---|
+| `bundle_id` | `HEXSIGN_BUNDLE_ID` | yes | App bundle identifier (exact match) |
+| `team_id` | `HEXSIGN_TEAM_ID` | no | Apple Developer team id — scopes across linked accounts |
+| `output_dir` | `HEXSIGN_PROFILE_OUTPUT_DIR` | no | Output directory |
+| `install` | `HEXSIGN_PROFILE_INSTALL` | no | macOS only — also install every downloaded profile where Xcode finds them |
 
 ## Example lane
 

data/lib/fastlane/plugin/hexsign/actions/hexsign_certificates_download.rb

@@ -10,6 +10,7 @@ module Fastlane
         args = ["certificates", "download", params[:id]]
         args.push("--output-dir", params[:output_dir]) if params[:output_dir]
         args.push("--filename", params[:filename]) if params[:filename]
+        args.push("--keychain", params[:keychain]) if params[:keychain]
 
         Helper::HexsignHelper.run(args).tap { UI.success("Downloaded certificate #{params[:id]}") }
       end
@@ -54,6 +55,13 @@ module Fastlane
             description: "Base filename (no extension) for the downloaded files",
             optional: true,
             type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :keychain,
+            env_name: "HEXSIGN_KEYCHAIN",
+            description: "macOS only: create this keychain and import the downloaded .p12 into it, ready for codesigning",
+            optional: true,
+            type: String
           )
         ]
       end
@@ -64,7 +72,8 @@ module Fastlane
 
       def self.example_code
         [
-          'hexsign_certificates_download(id: "cert-abc123", output_dir: "build/sign")'
+          'hexsign_certificates_download(id: "cert-abc123", output_dir: "build/sign")',
+          'hexsign_certificates_download(id: "cert-abc123", keychain: "/tmp/hexsign-ci.keychain-db")'
         ]
       end
 

data/lib/fastlane/plugin/hexsign/actions/hexsign_certificates_download_by_type.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+require "fastlane/action"
+require_relative "../helper/hexsign_helper"
+
+module Fastlane
+  module Actions
+    class HexsignCertificatesDownloadByTypeAction < Action
+      def self.run(params)
+        args = [
+          "certificates", "download",
+          "--type", params[:type],
+          "--team-id", params[:team_id]
+        ]
+        args.push("--output-dir", params[:output_dir]) if params[:output_dir]
+        args.push("--keychain", params[:keychain]) if params[:keychain]
+
+        stdout = Helper::HexsignHelper.run(args)
+        pairs = parse_stdout(stdout)
+
+        UI.success("Downloaded #{pairs.size} #{params[:type]} certificate(s) for team #{params[:team_id]}")
+        pairs
+      end
+
+      # The CLI prints two lines per certificate: .p12 path then .password path.
+      # With --keychain it also prints a trailing "imported N certificate(s)…"
+      # summary line, which is dropped by keeping only file-path lines.
+      # Returns [{ p12: "...", password: "..." }, ...].
+      def self.parse_stdout(stdout)
+        lines = stdout.split("\n").map(&:strip).reject(&:empty?)
+        lines = lines.select { |line| line.end_with?(".p12", ".password") }
+        pairs = []
+        lines.each_slice(2) do |p12, password|
+          pairs << { p12: p12, password: password }
+        end
+        pairs
+      end
+
+      def self.description
+        "Download every signing certificate of a given type for one Apple Developer team via the HexSign CLI."
+      end
+
+      def self.authors
+        ["HexSign"]
+      end
+
+      def self.details
+        <<~DETAILS
+          Wraps `hexsign certificates download --type <T> --team-id <ID>`. Returns an
+          array of { p12:, password: } hashes — one per downloaded certificate.
+
+          Survives certificate rotation: you point at a cert type (e.g. IOS_DISTRIBUTION)
+          rather than a specific UUID that changes when a cert is renewed.
+
+          The hexsign binary must be on PATH — install via `brew install hexsign` or the
+          hexsign/hexsign-cli GitHub Action. Set HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET
+          so the CLI runs in machine mode.
+
+          Accepted types: IOS_DEVELOPMENT, IOS_DISTRIBUTION, MAC_APP_DEVELOPMENT,
+          MAC_APP_DISTRIBUTION, MAC_INSTALLER_DISTRIBUTION, DEVELOPER_ID_APPLICATION,
+          DEVELOPER_ID_APPLICATION_G2, DEVELOPER_ID_KEXT, DEVELOPER_ID_KEXT_G2,
+          DEVELOPER_ID_INSTALLER, DEVELOPMENT, DISTRIBUTION, PASS_TYPE_ID,
+          PASS_TYPE_ID_WITH_NFC.
+        DETAILS
+      end
+
+      def self.available_options
+        [
+          FastlaneCore::ConfigItem.new(
+            key: :type,
+            env_name: "HEXSIGN_CERTIFICATE_TYPE",
+            description: "Apple certificate type, e.g. IOS_DISTRIBUTION",
+            optional: false,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :team_id,
+            env_name: "HEXSIGN_TEAM_ID",
+            description: "Apple Developer team identifier to scope the download to",
+            optional: false,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :output_dir,
+            env_name: "HEXSIGN_CERTIFICATE_OUTPUT_DIR",
+            description: "Directory to write the .p12 and .password files into",
+            optional: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :keychain,
+            env_name: "HEXSIGN_KEYCHAIN",
+            description: "macOS only: create this keychain and import every downloaded .p12 into it, ready for codesigning",
+            optional: true,
+            type: String
+          )
+        ]
+      end
+
+      def self.output
+        [
+          ["HEXSIGN_CERTIFICATES_DOWNLOAD_BY_TYPE_COUNT", "Number of certificates downloaded"]
+        ]
+      end
+
+      def self.return_value
+        "Array of { p12:, password: } hashes — one per downloaded certificate."
+      end
+
+      def self.is_supported?(platform)
+        %i[ios mac tvos watchos visionos].include?(platform)
+      end
+
+      def self.example_code
+        [
+          'pairs = hexsign_certificates_download_by_type(
+            type: "IOS_DISTRIBUTION",
+            team_id: "ABCDE12345",
+            output_dir: "build/sign"
+          )
+          # => [{ p12: "build/sign/foo.p12", password: "build/sign/foo.password" }, ...]'
+        ]
+      end
+
+      def self.category
+        :code_signing
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/hexsign/actions/hexsign_profiles_download.rb

@@ -10,6 +10,7 @@ module Fastlane
         args = ["profiles", "download", params[:id]]
         args.push("--output-dir", params[:output_dir]) if params[:output_dir]
         args.push("--filename", params[:filename]) if params[:filename]
+        args.push("--install") if params[:install]
 
         Helper::HexsignHelper.run(args).tap { UI.success("Downloaded provisioning profile #{params[:id]}") }
       end
@@ -54,6 +55,14 @@ module Fastlane
             description: "Filename (no extension) for the downloaded profile",
             optional: true,
             type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :install,
+            env_name: "HEXSIGN_PROFILE_INSTALL",
+            description: "macOS only: also install the profile into ~/Library/MobileDevice/Provisioning Profiles, where Xcode finds it",
+            optional: true,
+            type: Boolean,
+            default_value: false
           )
         ]
       end
@@ -64,7 +73,8 @@ module Fastlane
 
       def self.example_code
         [
-          'hexsign_profiles_download(id: "prof-xyz789", output_dir: "build/sign")'
+          'hexsign_profiles_download(id: "prof-xyz789", output_dir: "build/sign")',
+          'hexsign_profiles_download(id: "prof-xyz789", install: true)'
         ]
       end
 

data/lib/fastlane/plugin/hexsign/actions/hexsign_profiles_download_by_bundle_id.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+require "fastlane/action"
+require_relative "../helper/hexsign_helper"
+
+module Fastlane
+  module Actions
+    class HexsignProfilesDownloadByBundleIdAction < Action
+      def self.run(params)
+        args = ["profiles", "download", "--bundle-id", params[:bundle_id]]
+        args.push("--team-id", params[:team_id]) if params[:team_id]
+        args.push("--output-dir", params[:output_dir]) if params[:output_dir]
+        args.push("--install") if params[:install]
+
+        stdout = Helper::HexsignHelper.run(args)
+        # With --install the CLI also prints "installed <name> -> <path>" lines;
+        # keep only the downloaded-file paths.
+        paths = stdout.split("\n").map(&:strip).reject(&:empty?)
+                      .reject { |line| line.start_with?("installed ") }
+
+        UI.success("Downloaded #{paths.size} provisioning profile(s) for bundle #{params[:bundle_id]}")
+        paths
+      end
+
+      def self.description
+        "Download every provisioning profile for a given bundle identifier via the HexSign CLI."
+      end
+
+      def self.authors
+        ["HexSign"]
+      end
+
+      def self.details
+        <<~DETAILS
+          Wraps `hexsign profiles download --bundle-id <ID> [--team-id <TID>]`. Returns an
+          array of absolute paths to the downloaded `.mobileprovision` files.
+
+          Survives profile rotation: you point at a bundle identifier rather than the
+          UUID of a specific provisioning profile.
+
+          Pass `team_id` when the same bundle id exists in more than one linked Apple
+          account to avoid pulling profiles from the wrong team.
+
+          The hexsign binary must be on PATH — install via `brew install hexsign` or the
+          hexsign/hexsign-cli GitHub Action. Set HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET
+          so the CLI runs in machine mode.
+        DETAILS
+      end
+
+      def self.available_options
+        [
+          FastlaneCore::ConfigItem.new(
+            key: :bundle_id,
+            env_name: "HEXSIGN_BUNDLE_ID",
+            description: "App bundle identifier (exact match)",
+            optional: false,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :team_id,
+            env_name: "HEXSIGN_TEAM_ID",
+            description: "Apple Developer team identifier — scopes the download across linked accounts",
+            optional: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :output_dir,
+            env_name: "HEXSIGN_PROFILE_OUTPUT_DIR",
+            description: "Directory to write the .mobileprovision files into",
+            optional: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :install,
+            env_name: "HEXSIGN_PROFILE_INSTALL",
+            description: "macOS only: also install every downloaded profile into the directory Xcode reads",
+            optional: true,
+            type: Boolean,
+            default_value: false
+          )
+        ]
+      end
+
+      def self.return_value
+        "Array of absolute paths to the downloaded .mobileprovision files."
+      end
+
+      def self.is_supported?(platform)
+        %i[ios mac tvos watchos visionos].include?(platform)
+      end
+
+      def self.example_code
+        [
+          'paths = hexsign_profiles_download_by_bundle_id(
+            bundle_id: "com.example.app",
+            team_id: "ABCDE12345",
+            output_dir: "build/sign"
+          )
+          # => ["build/sign/foo.mobileprovision", "build/sign/bar.mobileprovision"]'
+        ]
+      end
+
+      def self.category
+        :code_signing
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/hexsign/version.rb

@@ -2,6 +2,6 @@
 
 module Fastlane
   module Hexsign
-    VERSION = "0.1.0"
+    VERSION = "0.3.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fastlane-plugin-hexsign
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - HexSign
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-12 00:00:00.000000000 Z
+date: 2026-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fastlane
@@ -76,7 +76,9 @@ files:
 - README.md
 - lib/fastlane/plugin/hexsign.rb
 - lib/fastlane/plugin/hexsign/actions/hexsign_certificates_download.rb
+- lib/fastlane/plugin/hexsign/actions/hexsign_certificates_download_by_type.rb
 - lib/fastlane/plugin/hexsign/actions/hexsign_profiles_download.rb
+- lib/fastlane/plugin/hexsign/actions/hexsign_profiles_download_by_bundle_id.rb
 - lib/fastlane/plugin/hexsign/helper/hexsign_helper.rb
 - lib/fastlane/plugin/hexsign/version.rb
 homepage: https://github.com/hexsign/fastlane-plugin-hexsign