RubyGems - fastlane-plugin-match_keystore - Versions diffs - 0.1.12 → 0.1.17 - Mend

fastlane-plugin-match_keystore 0.1.12 → 0.1.17

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/fastlane/plugin/match_keystore/actions/match_keystore_action.rb +281 -57
data/lib/fastlane/plugin/match_keystore/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 91d65c828bc6bc3ddd54e953955b1c01545fbd62481cc9aec4322f55aa9e44f8
-  data.tar.gz: d60ed3f2b4f0df42f3b09fd2c0bad9990732f1ea609fe88fca0f448dc1740fd8
+  metadata.gz: 215e841f331c07eb0cc8983092e98a7bab444866adb58c13d116baf2e50d735a
+  data.tar.gz: c1a225a8f120ee5727182341ab354b83cc2daf9b0b514a97b5b7fe0c3c0f5f7b
 SHA512:
-  metadata.gz: 6796ac4aed31fa6d4dee60fb649a21c0c185b6f19734b01256181c4949627f1ec4fe331c27683262f128ab243ed820e8a728d04166dda21390fd212227b6941e
-  data.tar.gz: 7ea032e3fdaac9da9281acff0f409ab2f5abf0b1e87e58f5765b853308ddfafcbe3f2efd8530a29245db38e8fa18b740736d7c2311fdb6e4a28142f93fec8416
+  metadata.gz: d1573d798e69ed20b7c262d2b19a636ed0bcb5b961ef98fb88c6afc043eb84d5fd2089b3928a249429a588539cc8e303d00876e4358835fd7d08991bd62a758c
+  data.tar.gz: e954784d29bcede31cc6ff12944f24f50d3b3035cb1f4b35122fac72f9db57758c374a2e1b0a9b4a5aeed6565cbafdc85208d7d3120949655ba08fb3bcf64570

data/lib/fastlane/plugin/match_keystore/actions/match_keystore_action.rb CHANGED

@@ -15,11 +15,21 @@ module Fastlane
     class MatchKeystoreAction < Action
+      def self.openssl_path
+        path = "/usr/local/opt/openssl@1.1/bin"
+        path
+      end
       def self.to_md5(value)
         hash_value = Digest::MD5.hexdigest value
         hash_value
       end
+      def self.sha512(value)
+        hash_value = Digest::SHA512.hexdigest value
+        hash_value
+      end
       def self.load_json(json_path)
         file = File.read(json_path)
         data_hash = JSON.parse(file)
@@ -53,54 +63,208 @@ module Fastlane
         android_home
       end
-      def self.get_build_tools
+      def self.get_build_tools_version(targeted_version)
+        path = self.get_build_tools(targeted_version)
+        version = path.split('/').last
+        version
+      end
+      def self.get_build_tools(targeted_version)
         android_home = self.get_android_home()
         build_tools_root = File.join(android_home, '/build-tools')
-        sub_dirs = Dir.glob(File.join(build_tools_root, '*', ''))
-        build_tools_last_version = ''
-        for sub_dir in sub_dirs
-          build_tools_last_version = sub_dir
+        build_tools_path = ""
+        if !targeted_version.to_s.strip.empty?
+          build_tools_path = File.join(build_tools_root, "/#{targeted_version}/")
         end
-        build_tools_last_version
+        if !File.directory?(build_tools_path)
+          sub_dirs = Dir.glob(File.join(build_tools_root, '*', ''))
+          build_tools_last_version = ''
+          for sub_dir in sub_dirs
+            build_tools_last_version = sub_dir
+          end
+          build_tools_path = build_tools_last_version
+        end
+        build_tools_path
       end
-      def self.check_openssl_version
-        output = `openssl version`
-        if !output.start_with?("OpenSSL")
-          raise "Please install OpenSSL 1.1.1 at least https://www.openssl.org/"
+      def self.check_ssl_version(forceOpenSSL)
+        libressl_min = '2.9'
+        openssl_min = '1.1.1'
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if !output.start_with?("LibreSSL") && !output.start_with?("OpenSSL")
+          raise "Please install OpenSSL '#{openssl_min}' at least OR LibreSSL #{libressl_min}' at least"
+        end
+        UI.message("SSL/TLS protocol library: '#{output.strip!}'")
+        # Check minimum verion:
+        vesion = output.to_str.scan(/[0-9\.]{1,}/).first
+        UI.message("SSL/TLS protocol version: '#{vesion}'")
+        if self.is_libre_ssl(forceOpenSSL)
+          if Gem::Version.new(vesion) < Gem::Version.new(libressl_min)
+            raise "Minimum version for LibreSSL is '#{libressl_min}', please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        else
+          if Gem::Version.new(vesion) > Gem::Version.new(openssl_min)
+            raise "Minimum version for OpenSSL is '#{openssl_min}' please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        end
+        output.strip
+      end
+      def self.openssl(forceOpenSSL)
+        if forceOpenSSL
+          path = openssl_path
+          output = "#{path}/openssl"
+        else
+          output = "openssl"
+        end
+        output
+      end
+      def self.is_libre_ssl(forceOpenSSL)
+        result = false
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if output.start_with?("LibreSSL")
+          result = true
         end
-        UI.message("OpenSSL version: " + output.strip)
+        result
       end
       def self.gen_key(key_path, password)
         `rm -f '#{key_path}'`
-        `echo "#{password}" | openssl dgst -sha512 | awk '{print $2}' | cut -c1-128 > '#{key_path}'`
+        shaValue = self.sha512(password)
+        `echo "#{shaValue}" > '#{key_path}'`
       end
-      def self.encrypt_file(clear_file, encrypt_file, key_path)
+      def self.encrypt_file(clear_file, encrypt_file, key_path, forceOpenSSL)
         `rm -f '#{encrypt_file}'`
-        `openssl enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
       end
-      def self.decrypt_file(encrypt_file, clear_file, key_path)
+      def self.decrypt_file(encrypt_file, clear_file, key_path, forceOpenSSL)
         `rm -f '#{clear_file}'`
-        `openssl enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+      end
+      def self.assert_equals(test_name, excepted, value)
+        puts "Unit Test: #{test_name}"
+        if value != excepted
+          puts " - Excepted: #{excepted}"
+          puts " - Returned: #{value}"
+          raise "Unit Test - #{test_name} error!"
+        else
+          puts " - OK"
+        end
+      end
+      def self.test_security
+        self.check_ssl_version(false)
+        # Clear temp files
+        temp_dir = File.join(Dir.pwd, '/temp/')
+        FileUtils.rm_rf(temp_dir)
+        Dir.mkdir(temp_dir)
+        fakeValue = "4esfsf4dsfds!efs5ZDOJF"
+        # Check MD5
+        md5value = self.to_md5(fakeValue)
+        excepted = "1c815cd208fe08076c9e7b6595d121d1"
+        self.assert_equals("MD5", excepted, md5value)
+        # Check SHA-512
+        shaValue = self.sha512(fakeValue)
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512", excepted, shaValue)
+        # Check SHA-512-File
+        key_path = File.join(Dir.pwd, '/temp/key.txt')
+        self.gen_key(key_path, fakeValue)
+        shaValue = self.get_file_content(key_path).strip!
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512-File", excepted, shaValue)
+        # Check LibreSSL
+        result = self.is_libre_ssl(false)
+        self.assert_equals("Is-LibreSSL", true, result)
+        result = self.is_libre_ssl(true)
+        self.assert_equals("Is-LibreSSL", false, result)
+        # Encrypt OpenSSL
+        clear_file = File.join(Dir.pwd, '/temp/clear.txt')
+        openssl_encrypt_file = File.join(Dir.pwd, '/temp/openssl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, openssl_encrypt_file, key_path, true)
+        result = File.file?(openssl_encrypt_file) && File.size(openssl_encrypt_file) > 10
+        self.assert_equals("Encrypt-OpenSSL", true, result)
+        # Encrypt LibreSSL
+        encrypt_file_libre = File.join(Dir.pwd, '/temp/libressl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, encrypt_file_libre, key_path, false)
+        result = File.file?(encrypt_file_libre) && File.size(encrypt_file_libre) > 10
+        self.assert_equals("Encrypt-LibreSSL", true, result)
+        # exit!
+        # Decrypt OpenSSL (from OpenSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL", fakeValue, decrypted)
+        # Decrypt LibreSSL (from LibreSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL", fakeValue, decrypted)
+        # Decrypt LibreSSL (from OpenSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_from_openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL-from-OpenSSL", fakeValue, decrypted)
+        # Decrypt OpenSSL (from LibreSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_from_libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL-from-LibreSSL", fakeValue, decrypted)
       end
-      def self.sign_apk(apk_path, keystore_path, key_password, alias_name, alias_password, zip_align)
+      def self.sign_apk(apk_path, keystore_path, key_password, alias_name, alias_password, zip_align, version_targeted)
-        build_tools_path = self.get_build_tools()
+        build_tools_path = self.get_build_tools(version_targeted)
+        UI.message("Build-tools path: #{build_tools_path}")
         # https://developer.android.com/studio/command-line/zipalign
-        if zip_align == true
+        if zip_align != false
           apk_path_aligned = apk_path.gsub(".apk", "-aligned.apk")
           `rm -f '#{apk_path_aligned}'`
-          UI.message("Aligning APK (zipalign): #{apk_path_aligned}")
-          `#{build_tools_path}zipalign 4 '#{apk_path}' '#{apk_path_aligned}'`
+          UI.message("Aligning APK (zipalign): #{apk_path}")
+          output = `#{build_tools_path}zipalign -v 4 '#{apk_path}' '#{apk_path_aligned}'`
+          puts ""
+          puts output
+          if !File.file?(apk_path_aligned)
+            raise "Aligned APK not exists!"
+          end
         else
-          UI.message("No zip align!")
+          UI.message("No zip align - deactivated via parameter!")
           apk_path_aligned = apk_path
         end
         apk_path_signed = apk_path.gsub(".apk", "-signed.apk")
@@ -109,12 +273,44 @@ module Fastlane
         # https://developer.android.com/studio/command-line/apksigner
         `rm -f '#{apk_path_signed}'`
-        `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true --out '#{apk_path_signed}' '#{apk_path_aligned}'`
-        `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
-        `rm -f '#{apk_path_aligned}'`
+        UI.message("Signing APK: #{apk_path_aligned}")
+        apksigner_opts = ""
+        build_tools_version = self.get_build_tools_version(version_targeted)
+        UI.message("Build-tools version: #{build_tools_version}")
+        if Gem::Version.new(build_tools_version) >= Gem::Version.new('30')
+          apksigner_opts = "--v4-signing-enabled false "
+        end
+        output = `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true #{apksigner_opts}--out '#{apk_path_signed}' '#{apk_path_aligned}'`
+        puts ""
+        puts output
+        UI.message("Verifing APK signature: #{apk_path_signed}")
+        output = `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
+        puts ""
+        puts output
+        if zip_align != false
+          `rm -f '#{apk_path_aligned}'`
+        end
         apk_path_signed
+      end
+      def self.resolve_dir(path)
+        if !File.directory?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+      def self.resolve_file(path)
+        if !File.file?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+      def self.content_to_file(file_path, content)
+        `echo #{content} > #{file_path}`
       end
       def self.get_file_content(file_path)
@@ -131,9 +327,7 @@ module Fastlane
         if !apk_path.to_s.end_with?(".apk")
-          if !File.directory?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
+          apk_path = self.resolve_dir(apk_path)
           pattern = File.join(apk_path, '*.apk')
           files = Dir[pattern]
@@ -146,11 +340,7 @@ module Fastlane
           end
         else
-          if !File.file?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
+          apk_path = self.resolve_file(apk_path)
         end
         apk_path
@@ -176,6 +366,16 @@ module Fastlane
         match_secret = params[:match_secret]
         override_keystore = params[:override_keystore]
         keystore_data = params[:keystore_data]
+        clear_keystore = params[:clear_keystore]
+        unit_test = params[:unit_test]
+        build_tools_version = params[:build_tools_version]
+        zip_align = params[:zip_align]
+        # Test OpenSSL/LibreSSL
+        if unit_test
+          result_test = self.test_security
+          exit!
+        end
         # Init constants:
         keystore_name = 'keystore.jks'
@@ -191,7 +391,7 @@ module Fastlane
         end
         # Check OpenSSL:
-        self.check_openssl_version
+        self.check_ssl_version(false)
         # Init workign local directory:
         dir_name = ENV['HOME'] + '/.match_keystore'
@@ -221,14 +421,30 @@ module Fastlane
           raise "The security key '#{key_name}' is malformed, or not initialized!"
         end
-        # Create repo directory to sync remote Keystores repository:
+        # Clear repo Keystore (local) - mostly for testing:
         repo_dir = File.join(dir_name, self.to_md5(git_url))
-        # UI.message(repo_dir)
+        if clear_keystore && File.directory?(repo_dir)
+          FileUtils.rm_rf(repo_dir)
+          UI.message("Local repo keystore (#{repo_dir}) directory deleted!")
+        end
+        # Create repo directory to sync remote Keystores repository:
         unless File.directory?(repo_dir)
           UI.message("Creating 'repo' directory...")
           FileUtils.mkdir_p(repo_dir)
         end
+        # Check if package name defined:
+        if package_name.to_s.strip.empty?
+          raise "Package name is not defined!"
+        end
+        # Define paths:
+        keystoreAppDir = File.join(repo_dir, package_name)
+        keystore_path = File.join(keystoreAppDir, keystore_name)
+        properties_path = File.join(keystoreAppDir, properties_name)
+        properties_encrypt_path = File.join(keystoreAppDir, properties_encrypt_name)
         # Cloning/pulling GIT remote repository:
         gitDir = File.join(repo_dir, '/.git')
         if !File.directory?(gitDir)
@@ -243,20 +459,6 @@ module Fastlane
           puts ''
         end
-        # Create sub-directory for Android app:
-        if package_name.to_s.strip.empty?
-          raise "Package name is not defined!"
-        end
-        keystoreAppDir = File.join(repo_dir, package_name)
-        unless File.directory?(keystoreAppDir)
-          UI.message("Creating '#{package_name}' keystore directory...")
-          FileUtils.mkdir_p(keystoreAppDir)
-        end
-        keystore_path = File.join(keystoreAppDir, keystore_name)
-        properties_path = File.join(keystoreAppDir, properties_name)
-        properties_encrypt_path = File.join(keystoreAppDir, properties_encrypt_name)
         # Load parameters from JSON for CI or Unit Tests:
         if keystore_data != nil && File.file?(keystore_data)
           data_json = self.load_json(keystore_data)
@@ -273,6 +475,7 @@ module Fastlane
         # Create keystore with command
         override_keystore = !existing_keystore.to_s.strip.empty? && File.file?(existing_keystore)
+        UI.message("Existing Keystore: #{existing_keystore}")
         if !File.file?(keystore_path) || override_keystore
           if File.file?(keystore_path)
@@ -293,7 +496,7 @@ module Fastlane
           end
           # https://developer.android.com/studio/publish/app-signing
-          if !File.file?(existing_keystore)
+          if existing_keystore.to_s.strip.empty? || !File.file?(existing_keystore)
             UI.message("Generating Android Keystore...")
             full_name = self.prompt2(text: "Certificate First and Last Name: ", value: data_full_name)
@@ -334,7 +537,7 @@ module Fastlane
           out_file.puts("aliasPassword=#{alias_password}")
           out_file.close
-          self.encrypt_file(properties_path, properties_encrypt_path, key_path)
+          self.encrypt_file(properties_path, properties_encrypt_path, key_path, false)
           File.delete(properties_path)
           # Print Keystore data in repo:
@@ -351,7 +554,7 @@ module Fastlane
         else
           UI.message "Keystore file already exists, continue..."
-          self.decrypt_file(properties_encrypt_path, properties_path, key_path)
+          self.decrypt_file(properties_encrypt_path, properties_path, key_path, false)
           properties = self.load_properties(properties_path)
           key_password = properties['keyPassword']
@@ -379,12 +582,13 @@ module Fastlane
               key_password,
               alias_name,
               alias_password,
-              true # Zip align
+              zip_align, # Zip align
+              build_tools_version # Buil-tools version
             )
             puts ''
           end
         else
-          UI.message("No APK file found to sign!")
+          UI.message("No APK file found at: #{apk_path}")
         end
         # Prepare contect shared values for next lanes:
@@ -456,7 +660,27 @@ module Fastlane
                                    env_name: "MATCH_KEYSTORE_JSON_PATH",
                                 description: "Required data to import an existing keystore, or create a new one",
                                    optional: true,
-                                       type: String)
+                                       type: String),
+          FastlaneCore::ConfigItem.new(key: :build_tools_version,
+                                   env_name: "MATCH_KEYSTORE_BUILD_TOOLS_VERSION",
+                                description: "Set built-tools version (by default latest available on machine)",
+                                   optional: true,
+                                       type: String),
+          FastlaneCore::ConfigItem.new(key: :zip_align,
+                                   env_name: "MATCH_KEYSTORE_ZIPALIGN",
+                                description: "Define if plugin will run zipalign on APK before sign it (true by default)",
+                                   optional: true,
+                                       type: Boolean),
+          FastlaneCore::ConfigItem.new(key: :clear_keystore,
+                                   env_name: "MATCH_KEYSTORE_CLEAR",
+                                description: "Clear the local keystore (false by default)",
+                                   optional: true,
+                                       type: Boolean),
+          FastlaneCore::ConfigItem.new(key: :unit_test,
+                                  env_name: "MATCH_KEYSTORE_UNIT_TESTS",
+                                description: "launch Unit Tests (false by default)",
+                                  optional: true,
+                                      type: Boolean)
         ]
       end

data/lib/fastlane/plugin/match_keystore/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Fastlane
   module MatchKeystore
-    VERSION = "0.1.12"
+    VERSION = "0.1.17"
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fastlane-plugin-match_keystore
 version: !ruby/object:Gem::Version
-  version: 0.1.12
+  version: 0.1.17
 platform: ruby
 authors:
 - Christopher NEY
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-07 00:00:00.000000000 Z
+date: 2020-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry