fastlane-plugin-match_keystore 0.1.10 → 0.1.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e26b0b531512693d08eedc46159379bded6984aa802a32f6d6296d94a0116c3
-  data.tar.gz: ae4ba30e68e58c3c85bfa15a6a57ec0ab93fd98fc90bf23c597124e57235d4c5
+  metadata.gz: 87a32db98559102adaf6fd2b1d7da31143fe593fa0ed170865a1da8b3ef5d4d8
+  data.tar.gz: 4c3b0130a705055ad7d9e6c51f8ac1a19c2a4a2df96ddca7011d72275487bb89
 SHA512:
-  metadata.gz: 8c5983fd39c9d8d92b9981d153e59e21121eb992bb52f04d882b99918e199d1a6edf96588a8a905d3f17b26856a3aa66da7f8f63a587be4d969c29370fbbc3a5
-  data.tar.gz: 961c71d337aed1417bf10cbe1b682974fb2c262a830ff04efa99f9a063f32c7ad15345b5a8344a170cded7bdd53eb1ae56839a43e3f571b59a273f385feeec18
+  metadata.gz: 9522a73a0ca9b71adcc82f8d986c39a68d2c7b64f4273df5736933d1a0db43c4e9f6aa3414cfe538c99c513f2d3eeb06efb93e2624844ca9fac045b62f7a989d
+  data.tar.gz: 0f7fe8a732b905f6bf751d42e87c622412e1e446561e2e8b0ee534997d562246afbe5deef77827002f8ca3198cf07a490603aef684815ec06f38d9de836a0f6c

data/README.md

@@ -24,13 +24,18 @@ The keystore properties are encrypted with AES in order to secure sensitive data
 
 ```ruby
   lane :release_and_sign do |options|
-  	gradle(task: "clean")
+    gradle(task: "clean")
     gradle(task: 'assemble', build_type: 'Release')
 
     signed_apk_path = match_keystore(
       git_url: "https://github.com/<GITHUB_USERNAME>/keystores.git", # Please use a private Git repository !
       package_name: "com.your.package.name",
       apk_path: "/app/build/outputs/apk/app-release.apk" # Or path without APK: /app/build/outputs/apk/
+      # Optional:
+      match_secret: "A-very-str0ng-password!", # The secret use to encrypt/decrypt Keystore passwords on Git repo (for CI)
+      existing_keystore: "assets/existing-keystore.jks", # Optional, if needed to import an existing keystore
+      override_keystore: true, # Optional, override an existing Keystore on Git repo
+      keystore_data: "assets/keystore.json" # Optional, all data required to create a new Keystore (use to bypass prompt)
     )
 
     # Return the path of signed APK (useful for other lanes such as `publish_to_firebase`, `upload_to_play_store`)

data/lib/fastlane/plugin/match_keystore/actions/match_keystore_action.rb

@@ -15,11 +15,21 @@ module Fastlane
 
     class MatchKeystoreAction < Action
 
+      def self.openssl_path
+        path = "/usr/local/opt/openssl@1.1/bin"
+        path
+      end
+
       def self.to_md5(value)
         hash_value = Digest::MD5.hexdigest value
         hash_value
       end
 
+      def self.sha512(value)
+        hash_value = Digest::SHA512.hexdigest value
+        hash_value
+      end
+
       def self.load_json(json_path)
         file = File.read(json_path)
         data_hash = JSON.parse(file)
@@ -55,7 +65,7 @@ module Fastlane
 
       def self.get_build_tools
         android_home = self.get_android_home()
-        build_tools_root = android_home + '/build-tools'
+        build_tools_root = File.join(android_home, '/build-tools')
 
         sub_dirs = Dir.glob(File.join(build_tools_root, '*', ''))
         build_tools_last_version = ''
@@ -66,39 +76,181 @@ module Fastlane
         build_tools_last_version
       end
       
-      def self.check_openssl_version
-        output = `openssl version`
-        if !output.start_with?("OpenSSL")
-          raise "Please install OpenSSL 1.1.1 at least https://www.openssl.org/"
+      def self.check_ssl_version(forceOpenSSL)
+        libressl_min = '2.9'
+        openssl_min = '1.1.1'
+
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if !output.start_with?("LibreSSL") && !output.start_with?("OpenSSL")
+          raise "Please install OpenSSL '#{openssl_min}' at least OR LibreSSL #{libressl_min}' at least"
+        end
+        UI.message("SSL/TLS protocol library: '#{output.strip!}'")
+
+        # Check minimum verion:
+        vesion = output.to_str.scan(/[0-9\.]{1,}/).first
+        UI.message("SSL/TLS protocol version: '#{vesion}'")
+        if self.is_libre_ssl(forceOpenSSL)
+          if Gem::Version.new(vesion) < Gem::Version.new(libressl_min)
+            raise "Minimum version for LibreSSL is '#{libressl_min}', please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        else
+          if Gem::Version.new(vesion) > Gem::Version.new(openssl_min)
+            raise "Minimum version for OpenSSL is '#{openssl_min}' please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        end
+
+        output.strip
+      end
+
+      def self.openssl(forceOpenSSL)
+        if forceOpenSSL
+          path = openssl_path
+          output = "#{path}/openssl"
+        else
+          output = "openssl"
+        end
+        output
+      end
+
+      def self.is_libre_ssl(forceOpenSSL)
+        result = false
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if output.start_with?("LibreSSL")
+          result = true
         end
-        UI.message("OpenSSL version: " + output.strip)
+        result
       end
 
       def self.gen_key(key_path, password)
-        `rm -f #{key_path}`
-        `echo "#{password}" | openssl dgst -sha512 | awk '{print $2}' | cut -c1-128 > #{key_path}`
+        `rm -f '#{key_path}'`
+        shaValue = self.sha512(password)
+        `echo "#{shaValue}" > '#{key_path}'`
       end
 
-      def self.encrypt_file(clear_file, encrypt_file, key_path)
-        `rm -f #{encrypt_file}`
-        `openssl enc -aes-256-cbc -salt -pbkdf2 -in #{clear_file} -out #{encrypt_file} -pass file:#{key_path}`
+      def self.encrypt_file(clear_file, encrypt_file, key_path, forceOpenSSL)
+        `rm -f '#{encrypt_file}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
       end
 
-      def self.decrypt_file(encrypt_file, clear_file, key_path)
-        `rm -f #{clear_file}`
-        `openssl enc -d -aes-256-cbc -pbkdf2 -in #{encrypt_file} -out #{clear_file} -pass file:#{key_path}`
+      def self.decrypt_file(encrypt_file, clear_file, key_path, forceOpenSSL)
+        `rm -f '#{clear_file}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+      end
+
+      def self.assert_equals(test_name, excepted, value)
+        puts "Unit Test: #{test_name}"
+        if value != excepted
+          puts " - Excepted: #{excepted}"
+          puts " - Returned: #{value}"
+          raise "Unit Test - #{test_name} error!"
+        else
+          puts " - OK"
+        end
+      end
+
+      def self.test_security
+
+        self.check_ssl_version(false)
+        
+        # Clear temp files
+        temp_dir = File.join(Dir.pwd, '/temp/')
+        FileUtils.rm_rf(temp_dir)
+        Dir.mkdir(temp_dir)
+
+        fakeValue = "4esfsf4dsfds!efs5ZDOJF"
+        # Check MD5
+        md5value = self.to_md5(fakeValue)
+        excepted = "1c815cd208fe08076c9e7b6595d121d1"
+        self.assert_equals("MD5", excepted, md5value)
+
+        # Check SHA-512
+        shaValue = self.sha512(fakeValue)
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512", excepted, shaValue)
+
+        # Check SHA-512-File
+        key_path = File.join(Dir.pwd, '/temp/key.txt')
+        self.gen_key(key_path, fakeValue)
+        shaValue = self.get_file_content(key_path).strip!
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512-File", excepted, shaValue)
+        
+
+        # Check LibreSSL
+        result = self.is_libre_ssl(false)
+        self.assert_equals("Is-LibreSSL", true, result)
+        result = self.is_libre_ssl(true)
+        self.assert_equals("Is-LibreSSL", false, result)
+
+        # Encrypt OpenSSL
+        clear_file = File.join(Dir.pwd, '/temp/clear.txt')
+        openssl_encrypt_file = File.join(Dir.pwd, '/temp/openssl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, openssl_encrypt_file, key_path, true)
+        result = File.file?(openssl_encrypt_file) && File.size(openssl_encrypt_file) > 10
+        self.assert_equals("Encrypt-OpenSSL", true, result)
+
+        # Encrypt LibreSSL
+        encrypt_file_libre = File.join(Dir.pwd, '/temp/libressl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, encrypt_file_libre, key_path, false)
+        result = File.file?(encrypt_file_libre) && File.size(encrypt_file_libre) > 10
+        self.assert_equals("Encrypt-LibreSSL", true, result)
+
+        # exit!
+
+        # Decrypt OpenSSL (from OpenSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL", fakeValue, decrypted)
+
+        # Decrypt LibreSSL (from LibreSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL", fakeValue, decrypted)
+
+        # Decrypt LibreSSL (from OpenSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_from_openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL-from-OpenSSL", fakeValue, decrypted)
+
+        # Decrypt OpenSSL (from LibreSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_from_libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL-from-LibreSSL", fakeValue, decrypted)
+
       end
 
       def self.sign_apk(apk_path, keystore_path, key_password, alias_name, alias_password, zip_align)
 
         build_tools_path = self.get_build_tools()
+        UI.message("Build-tools path: #{build_tools_path}")
 
         # https://developer.android.com/studio/command-line/zipalign
         if zip_align == true
           apk_path_aligned = apk_path.gsub(".apk", "-aligned.apk")
-          `rm -f #{apk_path_aligned}`
-          `#{build_tools_path}zipalign 4 #{apk_path} #{apk_path_aligned}`
+          `rm -f '#{apk_path_aligned}'`
+          UI.message("Aligning APK (zipalign): #{apk_path}")
+          output = `#{build_tools_path}zipalign -v 4 '#{apk_path}' '#{apk_path_aligned}'`
+          puts ""
+          puts output
+
+          if !File.file?(apk_path_aligned)
+            raise "Aligned APK not exists!"
+          end
+
         else
+          UI.message("No zip align!")
           apk_path_aligned = apk_path
         end
         apk_path_signed = apk_path.gsub(".apk", "-signed.apk")
@@ -106,13 +258,37 @@ module Fastlane
         apk_path_signed = apk_path_signed.gsub("--", "-")
 
         # https://developer.android.com/studio/command-line/apksigner
-        `rm -f #{apk_path_signed}`
-        `#{build_tools_path}apksigner sign --ks #{keystore_path} --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true --out #{apk_path_signed} #{apk_path_aligned}`
-        
-        `#{build_tools_path}apksigner verify #{apk_path_signed}`
-        `rm -f #{apk_path_aligned}`
+        `rm -f '#{apk_path_signed}'`
+        UI.message("Signing APK: #{apk_path_aligned}")
+        output = `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true --v4-signing-enabled false --out '#{apk_path_signed}' '#{apk_path_aligned}'`
+        puts ""
+        puts output
+
+        UI.message("Verifing APK signature: #{apk_path_signed}")
+        output = `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
+        puts ""
+        puts output
+        `rm -f '#{apk_path_aligned}'`
 
         apk_path_signed
+      end 
+
+      def self.resolve_dir(path)
+        if !File.directory?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+
+      def self.resolve_file(path)
+        if !File.file?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+
+      def self.content_to_file(file_path, content)
+        `echo #{content} > #{file_path}`
       end
 
       def self.get_file_content(file_path)
@@ -129,9 +305,7 @@ module Fastlane
 
         if !apk_path.to_s.end_with?(".apk") 
 
-          if !File.directory?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
+          apk_path = self.resolve_dir(apk_path)
 
           pattern = File.join(apk_path, '*.apk')
           files = Dir[pattern]
@@ -144,11 +318,7 @@ module Fastlane
           end
 
         else
-
-          if !File.file?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
-
+          apk_path = self.resolve_file(apk_path)
         end
         
         apk_path
@@ -174,6 +344,14 @@ module Fastlane
         match_secret = params[:match_secret]
         override_keystore = params[:override_keystore]
         keystore_data = params[:keystore_data]
+        clear_keystore = params[:clear_keystore]
+        unit_test = params[:unit_test]
+
+        # Test OpenSSL/LibreSSL
+        if unit_test
+          result_test = self.test_security
+          exit!
+        end
 
         # Init constants:
         keystore_name = 'keystore.jks'
@@ -189,7 +367,7 @@ module Fastlane
         end
 
         # Check OpenSSL:
-        self.check_openssl_version
+        self.check_ssl_version(false)
 
         # Init workign local directory:
         dir_name = ENV['HOME'] + '/.match_keystore'
@@ -219,37 +397,44 @@ module Fastlane
           raise "The security key '#{key_name}' is malformed, or not initialized!"
         end
 
-        # Create repo directory to sync remote Keystores repository:
+        # Clear repo Keystore (local) - mostly for testing:
         repo_dir = File.join(dir_name, self.to_md5(git_url))
-        # UI.message(repo_dir)
+        if clear_keystore && File.directory?(repo_dir)
+          FileUtils.rm_rf(repo_dir)
+          UI.message("Local repo keystore (#{repo_dir}) directory deleted!")
+        end
+
+        # Create repo directory to sync remote Keystores repository:
         unless File.directory?(repo_dir)
           UI.message("Creating 'repo' directory...")
           FileUtils.mkdir_p(repo_dir)
         end
 
-        # Cloning GIT remote repository:
-        gitDir = repo_dir + '/.git'
-        unless File.directory?(gitDir)
+        # Check if package name defined:
+        if package_name.to_s.strip.empty?
+          raise "Package name is not defined!"
+        end
+
+        # Define paths:
+        keystoreAppDir = File.join(repo_dir, package_name)
+        keystore_path = File.join(keystoreAppDir, keystore_name)
+        properties_path = File.join(keystoreAppDir, properties_name)
+        properties_encrypt_path = File.join(keystoreAppDir, properties_encrypt_name)
+
+        # Cloning/pulling GIT remote repository:
+        gitDir = File.join(repo_dir, '/.git')
+        if !File.directory?(gitDir)
           UI.message("Cloning remote Keystores repository...")
           puts ''
           `git clone #{git_url} #{repo_dir}`
           puts ''
+        else
+          UI.message("Pulling remote Keystores repository...")
+          puts ''
+          `cd #{repo_dir} && git pull`
+          puts ''
         end
 
-        # Create sub-directory for Android app:
-        if package_name.to_s.strip.empty?
-          raise "Package name is not defined!"
-        end
-        keystoreAppDir = repo_dir + '/' + package_name
-        unless File.directory?(keystoreAppDir)
-          UI.message("Creating '#{package_name}' keystore directory...")
-          FileUtils.mkdir_p(keystoreAppDir)
-        end
-
-        keystore_path = keystoreAppDir + '/' + keystore_name
-        properties_path = keystoreAppDir + '/' + properties_name
-        properties_encrypt_path = keystoreAppDir + '/' + properties_encrypt_name
-
         # Load parameters from JSON for CI or Unit Tests:
         if keystore_data != nil && File.file?(keystore_data)
           data_json = self.load_json(keystore_data)
@@ -266,6 +451,7 @@ module Fastlane
 
         # Create keystore with command
         override_keystore = !existing_keystore.to_s.strip.empty? && File.file?(existing_keystore)
+        UI.message("Existing Keystore: #{existing_keystore}")
         if !File.file?(keystore_path) || override_keystore 
 
           if File.file?(keystore_path)
@@ -286,7 +472,7 @@ module Fastlane
           end
 
           # https://developer.android.com/studio/publish/app-signing
-          if !File.file?(existing_keystore)
+          if existing_keystore.to_s.strip.empty? || !File.file?(existing_keystore)
             UI.message("Generating Android Keystore...")
             
             full_name = self.prompt2(text: "Certificate First and Last Name: ", value: data_full_name)
@@ -298,11 +484,11 @@ module Fastlane
             
             keytool_parts = [
               "keytool -genkey -v",
-              "-keystore #{keystore_path}",
-              "-alias #{alias_name}",
+              "-keystore '#{keystore_path}'",
+              "-alias '#{alias_name}'",
               "-keyalg RSA -keysize 2048 -validity 10000",
-              "-storepass #{alias_password} ",
-              "-keypass #{key_password}",
+              "-storepass '#{alias_password}'",
+              "-keypass '#{key_password}'",
               "-dname \"CN=#{full_name}, OU=#{org_unit}, O=#{org}, L=#{city_locality}, S=#{state_province}, C=#{country}\"",
             ]
             sh keytool_parts.join(" ")
@@ -317,6 +503,7 @@ module Fastlane
             FileUtils.remove_dir(properties_path)
           end
         
+          # Build URL:
           store_file = git_url + '/' + package_name + '/' + keystore_name
 
           out_file = File.new(properties_path, "w")
@@ -326,24 +513,24 @@ module Fastlane
           out_file.puts("aliasPassword=#{alias_password}")
           out_file.close
 
-          self.encrypt_file(properties_path, properties_encrypt_path, key_path)
+          self.encrypt_file(properties_path, properties_encrypt_path, key_path, false)
           File.delete(properties_path)
 
           # Print Keystore data in repo:
-          keystore_info_path = keystoreAppDir + '/' + keystore_info_name
-          `yes "" | keytool -list -v -keystore #{keystore_path} -storepass #{key_password} > #{keystore_info_path}`
+          keystore_info_path = File.join(keystoreAppDir, keystore_info_name)
+          `yes "" | keytool -list -v -keystore '#{keystore_path}' -storepass '#{key_password}' > '#{keystore_info_path}'`
           
           UI.message("Upload new Keystore to remote repository...")
           puts ''
-          `cd #{repo_dir} && git add .`
-          `cd #{repo_dir} && git commit -m "[ADD] Keystore for app '#{package_name}'."`
-          `cd #{repo_dir} && git push`
+          `cd '#{repo_dir}' && git add .`
+          `cd '#{repo_dir}' && git commit -m "[ADD] Keystore for app '#{package_name}'."`
+          `cd '#{repo_dir}' && git push`
           puts ''
 
         else  
           UI.message "Keystore file already exists, continue..."
 
-          self.decrypt_file(properties_encrypt_path, properties_path, key_path)
+          self.decrypt_file(properties_encrypt_path, properties_path, key_path, false)
 
           properties = self.load_properties(properties_path)
           key_password = properties['keyPassword']
@@ -448,7 +635,17 @@ module Fastlane
                                    env_name: "MATCH_KEYSTORE_JSON_PATH",
                                 description: "Required data to import an existing keystore, or create a new one",
                                    optional: true,
-                                       type: String)
+                                       type: String),
+          FastlaneCore::ConfigItem.new(key: :clear_keystore,
+                                   env_name: "MATCH_KEYSTORE_CLEAR",
+                                description: "Clear the local keystore (false by default)",
+                                   optional: true,
+                                       type: Boolean),
+          FastlaneCore::ConfigItem.new(key: :unit_test,
+                                  env_name: "MATCH_KEYSTORE_UNIT_TESTS",
+                                description: "launch Unit Tests (false by default)",
+                                  optional: true,
+                                      type: Boolean)
         ]
       end
 

data/lib/fastlane/plugin/match_keystore/version.rb

@@ -1,5 +1,5 @@
 module Fastlane
   module MatchKeystore
-    VERSION = "0.1.10"
+    VERSION = "0.1.15"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fastlane-plugin-match_keystore
 version: !ruby/object:Gem::Version
-  version: 0.1.10
+  version: 0.1.15
 platform: ruby
 authors:
 - Christopher NEY
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-14 00:00:00.000000000 Z
+date: 2020-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry
@@ -167,7 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Easily sync your Android keystores across your team