fastlane-plugin-match_keystore 0.1.11 → 0.1.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cac1a24c49a6233b5fdd03dd8990957f72d394fadbeee931e88a58d0da45db3e
-  data.tar.gz: 69b75bd951e729c83b16410381553046983438d9bc3d4501598c74b9bdf78370
+  metadata.gz: aaedb3d25e8614b96c43af4e88ddbc46f56e71a7a97a92d2336507afc3afded8
+  data.tar.gz: 741fc33e956879046126da3fec54cb6f939b34eb8859e22d27244de8a7e6f823
 SHA512:
-  metadata.gz: 0f1f4143bd748ca19d6e48ef5fdbe38ba2f3069731abe810849cf0704ed999d66bc01846ad8cb919d6c6758460b7e54d51286471d43d9e53a6319b25559b93fa
-  data.tar.gz: ba9f612f57265b7724f88674ee6d187b5b3ddb87758a513b02b172b4372626f7989e5acedde6a288a6d59b9f68596af66c8684cc8b53151260b0a17f5fa5f260
+  metadata.gz: e0d3ef8b5d0b9c5a66fcc8bece867e8d230e9f44764b963774cbdfbe110b38f7ef2446bf9592fd913716da8267471ef1cb7d2b6d30a70e494ef8ae75d78c84a9
+  data.tar.gz: 37849dd986d716d6ce16ab7fe8af4f3d18d7b8c3a1840f6f7d4ccade7121b7ced9ac2085e486c8c4442da6f7bf76435ac7581267a730bb204619f5c41d8b558a

data/README.md

@@ -24,13 +24,18 @@ The keystore properties are encrypted with AES in order to secure sensitive data
 
 ```ruby
   lane :release_and_sign do |options|
-  	gradle(task: "clean")
+    gradle(task: "clean")
     gradle(task: 'assemble', build_type: 'Release')
 
     signed_apk_path = match_keystore(
       git_url: "https://github.com/<GITHUB_USERNAME>/keystores.git", # Please use a private Git repository !
       package_name: "com.your.package.name",
       apk_path: "/app/build/outputs/apk/app-release.apk" # Or path without APK: /app/build/outputs/apk/
+      # Optional:
+      match_secret: "A-very-str0ng-password!", # The secret use to encrypt/decrypt Keystore passwords on Git repo (for CI)
+      existing_keystore: "assets/existing-keystore.jks", # Optional, if needed to import an existing keystore
+      override_keystore: true, # Optional, override an existing Keystore on Git repo
+      keystore_data: "assets/keystore.json" # Optional, all data required to create a new Keystore (use to bypass prompt)
     )
 
     # Return the path of signed APK (useful for other lanes such as `publish_to_firebase`, `upload_to_play_store`)

data/lib/fastlane/plugin/match_keystore/actions/match_keystore_action.rb

@@ -15,11 +15,21 @@ module Fastlane
 
     class MatchKeystoreAction < Action
 
+      def self.openssl_path
+        path = "/usr/local/opt/openssl@1.1/bin"
+        path
+      end
+
       def self.to_md5(value)
         hash_value = Digest::MD5.hexdigest value
         hash_value
       end
 
+      def self.sha512(value)
+        hash_value = Digest::SHA512.hexdigest value
+        hash_value
+      end
+
       def self.load_json(json_path)
         file = File.read(json_path)
         data_hash = JSON.parse(file)
@@ -53,52 +63,208 @@ module Fastlane
         android_home
       end
 
-      def self.get_build_tools
+      def self.get_build_tools_version(targeted_version)
+        path = self.get_build_tools(targeted_version)
+        version = path.split('/').last
+        version
+      end
+
+      def self.get_build_tools(targeted_version)
         android_home = self.get_android_home()
         build_tools_root = File.join(android_home, '/build-tools')
 
-        sub_dirs = Dir.glob(File.join(build_tools_root, '*', ''))
-        build_tools_last_version = ''
-        for sub_dir in sub_dirs
-          build_tools_last_version = sub_dir
+        build_tools_path = ""
+        if !targeted_version.to_s.strip.empty?
+          build_tools_path = File.join(build_tools_root, "/#{targeted_version}/")
         end
 
-        build_tools_last_version
+        if !File.directory?(build_tools_path)
+          sub_dirs = Dir.glob(File.join(build_tools_root, '*', ''))
+          build_tools_last_version = ''
+          for sub_dir in sub_dirs
+            build_tools_last_version = sub_dir
+          end
+          build_tools_path = build_tools_last_version
+        end
+      
+        build_tools_path
       end
       
-      def self.check_openssl_version
-        output = `openssl version`
-        if !output.start_with?("OpenSSL")
-          raise "Please install OpenSSL 1.1.1 at least https://www.openssl.org/"
+      def self.check_ssl_version(forceOpenSSL)
+        libressl_min = '2.9'
+        openssl_min = '1.1.1'
+
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if !output.start_with?("LibreSSL") && !output.start_with?("OpenSSL")
+          raise "Please install OpenSSL '#{openssl_min}' at least OR LibreSSL #{libressl_min}' at least"
         end
-        UI.message("OpenSSL version: " + output.strip)
+        UI.message("SSL/TLS protocol library: '#{output.strip!}'")
+
+        # Check minimum verion:
+        vesion = output.to_str.scan(/[0-9\.]{1,}/).first
+        UI.message("SSL/TLS protocol version: '#{vesion}'")
+        if self.is_libre_ssl(forceOpenSSL)
+          if Gem::Version.new(vesion) < Gem::Version.new(libressl_min)
+            raise "Minimum version for LibreSSL is '#{libressl_min}', please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        else
+          if Gem::Version.new(vesion) > Gem::Version.new(openssl_min)
+            raise "Minimum version for OpenSSL is '#{openssl_min}' please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        end
+
+        output.strip
+      end
+
+      def self.openssl(forceOpenSSL)
+        if forceOpenSSL
+          path = openssl_path
+          output = "#{path}/openssl"
+        else
+          output = "openssl"
+        end
+        output
+      end
+
+      def self.is_libre_ssl(forceOpenSSL)
+        result = false
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if output.start_with?("LibreSSL")
+          result = true
+        end
+        result
       end
 
       def self.gen_key(key_path, password)
         `rm -f '#{key_path}'`
-        `echo "#{password}" | openssl dgst -sha512 | awk '{print $2}' | cut -c1-128 > '#{key_path}'`
+        shaValue = self.sha512(password)
+        `echo "#{shaValue}" > '#{key_path}'`
       end
 
-      def self.encrypt_file(clear_file, encrypt_file, key_path)
+      def self.encrypt_file(clear_file, encrypt_file, key_path, forceOpenSSL)
         `rm -f '#{encrypt_file}'`
-        `openssl enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
       end
 
-      def self.decrypt_file(encrypt_file, clear_file, key_path)
+      def self.decrypt_file(encrypt_file, clear_file, key_path, forceOpenSSL)
         `rm -f '#{clear_file}'`
-        `openssl enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+      end
+
+      def self.assert_equals(test_name, excepted, value)
+        puts "Unit Test: #{test_name}"
+        if value != excepted
+          puts " - Excepted: #{excepted}"
+          puts " - Returned: #{value}"
+          raise "Unit Test - #{test_name} error!"
+        else
+          puts " - OK"
+        end
       end
 
-      def self.sign_apk(apk_path, keystore_path, key_password, alias_name, alias_password, zip_align)
+      def self.test_security
 
-        build_tools_path = self.get_build_tools()
+        self.check_ssl_version(false)
+        
+        # Clear temp files
+        temp_dir = File.join(Dir.pwd, '/temp/')
+        FileUtils.rm_rf(temp_dir)
+        Dir.mkdir(temp_dir)
+
+        fakeValue = "4esfsf4dsfds!efs5ZDOJF"
+        # Check MD5
+        md5value = self.to_md5(fakeValue)
+        excepted = "1c815cd208fe08076c9e7b6595d121d1"
+        self.assert_equals("MD5", excepted, md5value)
+
+        # Check SHA-512
+        shaValue = self.sha512(fakeValue)
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512", excepted, shaValue)
+
+        # Check SHA-512-File
+        key_path = File.join(Dir.pwd, '/temp/key.txt')
+        self.gen_key(key_path, fakeValue)
+        shaValue = self.get_file_content(key_path).strip!
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512-File", excepted, shaValue)
+        
+
+        # Check LibreSSL
+        result = self.is_libre_ssl(false)
+        self.assert_equals("Is-LibreSSL", true, result)
+        result = self.is_libre_ssl(true)
+        self.assert_equals("Is-LibreSSL", false, result)
+
+        # Encrypt OpenSSL
+        clear_file = File.join(Dir.pwd, '/temp/clear.txt')
+        openssl_encrypt_file = File.join(Dir.pwd, '/temp/openssl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, openssl_encrypt_file, key_path, true)
+        result = File.file?(openssl_encrypt_file) && File.size(openssl_encrypt_file) > 10
+        self.assert_equals("Encrypt-OpenSSL", true, result)
+
+        # Encrypt LibreSSL
+        encrypt_file_libre = File.join(Dir.pwd, '/temp/libressl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, encrypt_file_libre, key_path, false)
+        result = File.file?(encrypt_file_libre) && File.size(encrypt_file_libre) > 10
+        self.assert_equals("Encrypt-LibreSSL", true, result)
+
+        # exit!
+
+        # Decrypt OpenSSL (from OpenSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL", fakeValue, decrypted)
+
+        # Decrypt LibreSSL (from LibreSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL", fakeValue, decrypted)
+
+        # Decrypt LibreSSL (from OpenSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_from_openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL-from-OpenSSL", fakeValue, decrypted)
+
+        # Decrypt OpenSSL (from LibreSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_from_libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL-from-LibreSSL", fakeValue, decrypted)
+
+      end
+
+      def self.sign_apk(apk_path, keystore_path, key_password, alias_name, alias_password, zip_align, version_targeted)
+
+        build_tools_path = self.get_build_tools(version_targeted)
+        UI.message("Build-tools path: #{build_tools_path}")
 
         # https://developer.android.com/studio/command-line/zipalign
         if zip_align == true
           apk_path_aligned = apk_path.gsub(".apk", "-aligned.apk")
           `rm -f '#{apk_path_aligned}'`
-          `#{build_tools_path}zipalign 4 '#{apk_path}' '#{apk_path_aligned}'`
+          UI.message("Aligning APK (zipalign): #{apk_path}")
+          output = `#{build_tools_path}zipalign -v 4 '#{apk_path}' '#{apk_path_aligned}'`
+          puts ""
+          puts output
+
+          if !File.file?(apk_path_aligned)
+            raise "Aligned APK not exists!"
+          end
+
         else
+          UI.message("No zip align!")
           apk_path_aligned = apk_path
         end
         apk_path_signed = apk_path.gsub(".apk", "-signed.apk")
@@ -107,12 +273,42 @@ module Fastlane
 
         # https://developer.android.com/studio/command-line/apksigner
         `rm -f '#{apk_path_signed}'`
-        `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true --out '#{apk_path_signed}' '#{apk_path_aligned}'`
-        
-        `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
+        UI.message("Signing APK: #{apk_path_aligned}")
+        apksigner_opts = ""
+        build_tools_version = self.get_build_tools_version(version_targeted)
+        UI.message("Build-tools version: #{build_tools_version}")
+        if Gem::Version.new(build_tools_version) >= Gem::Version.new('30')
+          apksigner_opts = "--v4-signing-enabled false "
+        end
+        output = `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true #{apksigner_opts}--out '#{apk_path_signed}' '#{apk_path_aligned}'`
+        puts ""
+        puts output
+
+        UI.message("Verifing APK signature: #{apk_path_signed}")
+        output = `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
+        puts ""
+        puts output
         `rm -f '#{apk_path_aligned}'`
 
         apk_path_signed
+      end 
+
+      def self.resolve_dir(path)
+        if !File.directory?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+
+      def self.resolve_file(path)
+        if !File.file?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+
+      def self.content_to_file(file_path, content)
+        `echo #{content} > #{file_path}`
       end
 
       def self.get_file_content(file_path)
@@ -129,9 +325,7 @@ module Fastlane
 
         if !apk_path.to_s.end_with?(".apk") 
 
-          if !File.directory?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
+          apk_path = self.resolve_dir(apk_path)
 
           pattern = File.join(apk_path, '*.apk')
           files = Dir[pattern]
@@ -144,11 +338,7 @@ module Fastlane
           end
 
         else
-
-          if !File.file?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
-
+          apk_path = self.resolve_file(apk_path)
         end
         
         apk_path
@@ -174,6 +364,15 @@ module Fastlane
         match_secret = params[:match_secret]
         override_keystore = params[:override_keystore]
         keystore_data = params[:keystore_data]
+        clear_keystore = params[:clear_keystore]
+        unit_test = params[:unit_test]
+        build_tools_version = params[:build_tools_version]
+
+        # Test OpenSSL/LibreSSL
+        if unit_test
+          result_test = self.test_security
+          exit!
+        end
 
         # Init constants:
         keystore_name = 'keystore.jks'
@@ -189,7 +388,7 @@ module Fastlane
         end
 
         # Check OpenSSL:
-        self.check_openssl_version
+        self.check_ssl_version(false)
 
         # Init workign local directory:
         dir_name = ENV['HOME'] + '/.match_keystore'
@@ -219,37 +418,44 @@ module Fastlane
           raise "The security key '#{key_name}' is malformed, or not initialized!"
         end
 
-        # Create repo directory to sync remote Keystores repository:
+        # Clear repo Keystore (local) - mostly for testing:
         repo_dir = File.join(dir_name, self.to_md5(git_url))
-        # UI.message(repo_dir)
+        if clear_keystore && File.directory?(repo_dir)
+          FileUtils.rm_rf(repo_dir)
+          UI.message("Local repo keystore (#{repo_dir}) directory deleted!")
+        end
+
+        # Create repo directory to sync remote Keystores repository:
         unless File.directory?(repo_dir)
           UI.message("Creating 'repo' directory...")
           FileUtils.mkdir_p(repo_dir)
         end
 
-        # Cloning GIT remote repository:
-        gitDir = File.join(repo_dir, '/.git')
-        unless File.directory?(gitDir)
-          UI.message("Cloning remote Keystores repository...")
-          puts ''
-          `git clone #{git_url} #{repo_dir}`
-          puts ''
-        end
-
-        # Create sub-directory for Android app:
+        # Check if package name defined:
         if package_name.to_s.strip.empty?
           raise "Package name is not defined!"
         end
-        keystoreAppDir = File.join(repo_dir, package_name)
-        unless File.directory?(keystoreAppDir)
-          UI.message("Creating '#{package_name}' keystore directory...")
-          FileUtils.mkdir_p(keystoreAppDir)
-        end
 
+        # Define paths:
+        keystoreAppDir = File.join(repo_dir, package_name)
         keystore_path = File.join(keystoreAppDir, keystore_name)
         properties_path = File.join(keystoreAppDir, properties_name)
         properties_encrypt_path = File.join(keystoreAppDir, properties_encrypt_name)
 
+        # Cloning/pulling GIT remote repository:
+        gitDir = File.join(repo_dir, '/.git')
+        if !File.directory?(gitDir)
+          UI.message("Cloning remote Keystores repository...")
+          puts ''
+          `git clone #{git_url} #{repo_dir}`
+          puts ''
+        else
+          UI.message("Pulling remote Keystores repository...")
+          puts ''
+          `cd #{repo_dir} && git pull`
+          puts ''
+        end
+
         # Load parameters from JSON for CI or Unit Tests:
         if keystore_data != nil && File.file?(keystore_data)
           data_json = self.load_json(keystore_data)
@@ -266,6 +472,7 @@ module Fastlane
 
         # Create keystore with command
         override_keystore = !existing_keystore.to_s.strip.empty? && File.file?(existing_keystore)
+        UI.message("Existing Keystore: #{existing_keystore}")
         if !File.file?(keystore_path) || override_keystore 
 
           if File.file?(keystore_path)
@@ -286,7 +493,7 @@ module Fastlane
           end
 
           # https://developer.android.com/studio/publish/app-signing
-          if !File.file?(existing_keystore)
+          if existing_keystore.to_s.strip.empty? || !File.file?(existing_keystore)
             UI.message("Generating Android Keystore...")
             
             full_name = self.prompt2(text: "Certificate First and Last Name: ", value: data_full_name)
@@ -327,7 +534,7 @@ module Fastlane
           out_file.puts("aliasPassword=#{alias_password}")
           out_file.close
 
-          self.encrypt_file(properties_path, properties_encrypt_path, key_path)
+          self.encrypt_file(properties_path, properties_encrypt_path, key_path, false)
           File.delete(properties_path)
 
           # Print Keystore data in repo:
@@ -344,7 +551,7 @@ module Fastlane
         else  
           UI.message "Keystore file already exists, continue..."
 
-          self.decrypt_file(properties_encrypt_path, properties_path, key_path)
+          self.decrypt_file(properties_encrypt_path, properties_path, key_path, false)
 
           properties = self.load_properties(properties_path)
           key_password = properties['keyPassword']
@@ -372,7 +579,8 @@ module Fastlane
               key_password, 
               alias_name, 
               alias_password, 
-              true # Zip align
+              true, # Zip align
+              build_tools_version # Buil-tools version
             )
             puts ''
           end 
@@ -449,7 +657,22 @@ module Fastlane
                                    env_name: "MATCH_KEYSTORE_JSON_PATH",
                                 description: "Required data to import an existing keystore, or create a new one",
                                    optional: true,
-                                       type: String)
+                                       type: String),
+          FastlaneCore::ConfigItem.new(key: :build_tools_version,
+                                   env_name: "MATCH_KEYSTORE_BUILD_TOOLS_VERSION",
+                                description: "Set built-tools version (by default latest available on machine)",
+                                   optional: true,
+                                       type: String),                             
+          FastlaneCore::ConfigItem.new(key: :clear_keystore,
+                                   env_name: "MATCH_KEYSTORE_CLEAR",
+                                description: "Clear the local keystore (false by default)",
+                                   optional: true,
+                                       type: Boolean),
+          FastlaneCore::ConfigItem.new(key: :unit_test,
+                                  env_name: "MATCH_KEYSTORE_UNIT_TESTS",
+                                description: "launch Unit Tests (false by default)",
+                                  optional: true,
+                                      type: Boolean)
         ]
       end
 

data/lib/fastlane/plugin/match_keystore/version.rb

@@ -1,5 +1,5 @@
 module Fastlane
   module MatchKeystore
-    VERSION = "0.1.11"
+    VERSION = "0.1.16"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fastlane-plugin-match_keystore
 version: !ruby/object:Gem::Version
-  version: 0.1.11
+  version: 0.1.16
 platform: ruby
 authors:
 - Christopher NEY
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-14 00:00:00.000000000 Z
+date: 2020-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry
@@ -167,7 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Easily sync your Android keystores across your team