fastlane-plugin-match_keystore 0.1.13 → 0.1.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5c402baf5a7ce59cb81cc842718697d1854539f5a9d9ea37f5005110a0b7a82
-  data.tar.gz: 4885c27fb682f3fb03b6e9e8c30406f1888365df72b6a9d5172b0650753f5cea
+  metadata.gz: a109e0eb2a91578a04778376e7a615618e06a85e4b62f303bb05e02b17475d82
+  data.tar.gz: 1d1c7e90bded78f03eb4056e5a1789f06de6e47fa8b1c0d53eb70e2f5a7c224a
 SHA512:
-  metadata.gz: ccb884061e5c1a9151539fc4eaa4466a334e5ada0174b5fef38030bb386f82714a843e4ec0b06baea1245744c91dfffafd5aa5d808d0cdeb2c54d756743e6899
-  data.tar.gz: 763e7decf059eb0343e9dedf79f561b904ed24b7daa8a3be0bdbf6cc7ddbf51b86a02e991325ebe875f4fb29f7232859b78d7015f3c26c70c6149aa088d6b292
+  metadata.gz: 1da211c6429b73a41c3f997215902de7329d397e8976e42bbb79c4a61663bf4843ea1872e3a9756bb112039c7d11e0f42ec9f3d2346f7c4e0071fe0f190d92a4
+  data.tar.gz: 1c6abba20d95cd5b01659fd787c6e0fbbb718fc62cb4785781c3710bc6289933f6454fc54d67bd03c5dae4e47c03690b94992713c1ca18cdd0a2a4c52d975e84

data/README.md

@@ -2,6 +2,13 @@
 
 [![fastlane Plugin Badge](https://rawcdn.githack.com/fastlane/fastlane/master/fastlane/assets/plugin-badge.svg)](https://rubygems.org/gems/fastlane-plugin-match_keystore)
 
+## Machine requirements
+
+* OpenSSL 1.1.1 min OR LibreSSL 2.9 min installed
+* Git installed
+* Android SDK & Build-tools installed
+* ANDROID_HOME environment variable defined
+
 ## Getting Started
 
 This project is a [_fastlane_](https://github.com/fastlane/fastlane) plugin. To get started with `fastlane-plugin-match_keystore`, add it to your project by running:

data/lib/fastlane/plugin/match_keystore/actions/match_keystore_action.rb

@@ -2,6 +2,7 @@ require 'fastlane/action'
 require 'fileutils'
 require 'os'
 require 'json'
+require 'pry'
 require 'digest'
 require_relative '../helper/match_keystore_helper'
 
@@ -15,11 +16,21 @@ module Fastlane
 
     class MatchKeystoreAction < Action
 
+      def self.openssl_path
+        path = "/usr/local/opt/openssl@1.1/bin"
+        path
+      end
+
       def self.to_md5(value)
         hash_value = Digest::MD5.hexdigest value
         hash_value
       end
 
+      def self.sha512(value)
+        hash_value = Digest::SHA512.hexdigest value
+        hash_value
+      end
+
       def self.load_json(json_path)
         file = File.read(json_path)
         data_hash = JSON.parse(file)
@@ -53,55 +64,213 @@ module Fastlane
         android_home
       end
 
-      def self.get_build_tools
+      def self.get_build_tools_version(targeted_version)
+        path = self.get_build_tools(targeted_version)
+        version = path.split('/').last
+        version
+      end
+
+      def self.get_build_tools(targeted_version)
         android_home = self.get_android_home()
         build_tools_root = File.join(android_home, '/build-tools')
 
-        sub_dirs = Dir.glob(File.join(build_tools_root, '*', ''))
-        build_tools_last_version = ''
-        for sub_dir in sub_dirs
-          build_tools_last_version = sub_dir
+        build_tools_path = ""
+        if !targeted_version.to_s.strip.empty?
+          build_tools_path = File.join(build_tools_root, "/#{targeted_version}/")
         end
 
-        build_tools_last_version
+        if !File.directory?(build_tools_path)
+          sub_dirs = Dir.glob(File.join(build_tools_root, '*', ''))
+          build_tools_last_version = ''
+          for sub_dir in sub_dirs
+            build_tools_last_version = sub_dir
+          end
+          build_tools_path = build_tools_last_version
+        end
+      
+        build_tools_path
       end
       
-      def self.check_openssl_version
-        output = `openssl version`
-        if !output.start_with?("OpenSSL")
-          raise "Please install OpenSSL 1.1.1 at least https://www.openssl.org/"
+      def self.check_ssl_version(forceOpenSSL)
+        libressl_min = '2.9'
+        openssl_min = '1.1.1'
+
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if !output.start_with?("LibreSSL") && !output.start_with?("OpenSSL")
+          raise "Please install OpenSSL '#{openssl_min}' at least OR LibreSSL #{libressl_min}' at least"
+        end
+        UI.message("SSL/TLS protocol library: '#{output.strip!}'")
+
+        # Check minimum verion:
+        vesion = output.to_str.scan(/[0-9\.]{1,}/).first
+        UI.message("SSL/TLS protocol version: '#{vesion}'")
+        if self.is_libre_ssl(forceOpenSSL)
+          if Gem::Version.new(vesion) < Gem::Version.new(libressl_min)
+            raise "Minimum version for LibreSSL is '#{libressl_min}', please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        else
+          if Gem::Version.new(vesion) > Gem::Version.new(openssl_min)
+            raise "Minimum version for OpenSSL is '#{openssl_min}' please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        end
+
+        output.strip
+      end
+
+      def self.openssl(forceOpenSSL)
+        if forceOpenSSL
+          path = openssl_path
+          output = "#{path}/openssl"
+        else
+          output = "openssl"
+        end
+        output
+      end
+
+      def self.is_libre_ssl(forceOpenSSL)
+        result = false
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if output.start_with?("LibreSSL")
+          result = true
         end
-        UI.message("OpenSSL version: " + output.strip)
+        result
       end
 
-      def self.gen_key(key_path, password)
+      def self.gen_key(key_path, password, compat_key)
         `rm -f '#{key_path}'`
-        `echo "#{password}" | openssl dgst -sha512 | awk '{print $2}' | cut -c1-128 > '#{key_path}'`
+        shaValue = self.sha512(password)
+        # Backward-compatibility
+        if compat_key == "1"
+          `echo "#{password}" | openssl dgst -sha512 | awk '{print $2}' | cut -c1-128 > '#{key_path}'`
+        else
+          `echo "#{shaValue}" > '#{key_path}'`
+        end
       end
 
-      def self.encrypt_file(clear_file, encrypt_file, key_path)
+      def self.encrypt_file(clear_file, encrypt_file, key_path, forceOpenSSL)
         `rm -f '#{encrypt_file}'`
-        `openssl enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
       end
 
-      def self.decrypt_file(encrypt_file, clear_file, key_path)
+      def self.decrypt_file(encrypt_file, clear_file, key_path, forceOpenSSL)
         `rm -f '#{clear_file}'`
-        `openssl enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+      end
+
+      def self.assert_equals(test_name, excepted, value)
+        puts "Unit Test: #{test_name}"
+        if value != excepted
+          puts " - Excepted: #{excepted}"
+          puts " - Returned: #{value}"
+          raise "Unit Test - #{test_name} error!"
+        else
+          puts " - OK"
+        end
       end
 
-      def self.sign_apk(apk_path, keystore_path, key_password, alias_name, alias_password, zip_align)
+      def self.test_security
 
-        build_tools_path = self.get_build_tools()
-        UI.message("BUild tools path: #{build_tools_path}")
+        self.check_ssl_version(false)
+        
+        # Clear temp files
+        temp_dir = File.join(Dir.pwd, '/temp/')
+        FileUtils.rm_rf(temp_dir)
+        Dir.mkdir(temp_dir)
+
+        fakeValue = "4esfsf4dsfds!efs5ZDOJF"
+        # Check MD5
+        md5value = self.to_md5(fakeValue)
+        excepted = "1c815cd208fe08076c9e7b6595d121d1"
+        self.assert_equals("MD5", excepted, md5value)
+
+        # Check SHA-512
+        shaValue = self.sha512(fakeValue)
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512", excepted, shaValue)
+
+        # Check SHA-512-File
+        key_path = File.join(Dir.pwd, '/temp/key.txt')
+        self.gen_key(key_path, fakeValue, false)
+        shaValue = self.get_file_content(key_path).strip!
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512-File", excepted, shaValue)
+        
+
+        # Check LibreSSL
+        result = self.is_libre_ssl(false)
+        self.assert_equals("Is-LibreSSL", true, result)
+        result = self.is_libre_ssl(true)
+        self.assert_equals("Is-LibreSSL", false, result)
+
+        # Encrypt OpenSSL
+        clear_file = File.join(Dir.pwd, '/temp/clear.txt')
+        openssl_encrypt_file = File.join(Dir.pwd, '/temp/openssl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, openssl_encrypt_file, key_path, true)
+        result = File.file?(openssl_encrypt_file) && File.size(openssl_encrypt_file) > 10
+        self.assert_equals("Encrypt-OpenSSL", true, result)
+
+        # Encrypt LibreSSL
+        encrypt_file_libre = File.join(Dir.pwd, '/temp/libressl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, encrypt_file_libre, key_path, false)
+        result = File.file?(encrypt_file_libre) && File.size(encrypt_file_libre) > 10
+        self.assert_equals("Encrypt-LibreSSL", true, result)
+
+        # exit!
+
+        # Decrypt OpenSSL (from OpenSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL", fakeValue, decrypted)
+
+        # Decrypt LibreSSL (from LibreSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL", fakeValue, decrypted)
+
+        # Decrypt LibreSSL (from OpenSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_from_openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL-from-OpenSSL", fakeValue, decrypted)
+
+        # Decrypt OpenSSL (from LibreSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_from_libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL-from-LibreSSL", fakeValue, decrypted)
+
+      end
+
+      def self.sign_apk(apk_path, keystore_path, key_password, alias_name, alias_password, zip_align, version_targeted)
+
+        build_tools_path = self.get_build_tools(version_targeted)
+        UI.message("Build-tools path: #{build_tools_path}")
 
         # https://developer.android.com/studio/command-line/zipalign
-        if zip_align == true
+        if zip_align != false
           apk_path_aligned = apk_path.gsub(".apk", "-aligned.apk")
           `rm -f '#{apk_path_aligned}'`
-          UI.message("Aligning APK (zipalign): #{apk_path_aligned}")
-          `#{build_tools_path}zipalign -f -c -v 4 '#{apk_path}' '#{apk_path_aligned}'`
+          UI.message("Aligning APK (zipalign): #{apk_path}")
+          output = `#{build_tools_path}zipalign -v 4 '#{apk_path}' '#{apk_path_aligned}'`
+          puts ""
+          puts output
+
+          if !File.file?(apk_path_aligned)
+            raise "Aligned APK not exists!"
+          end
+
         else
-          UI.message("No zip align!")
+          UI.message("No zip align - deactivated via parameter!")
           apk_path_aligned = apk_path
         end
         apk_path_signed = apk_path.gsub(".apk", "-signed.apk")
@@ -110,12 +279,44 @@ module Fastlane
 
         # https://developer.android.com/studio/command-line/apksigner
         `rm -f '#{apk_path_signed}'`
-        `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true --out '#{apk_path_signed}' '#{apk_path_aligned}'`
-        
-        `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
-        `rm -f '#{apk_path_aligned}'`
+        UI.message("Signing APK: #{apk_path_aligned}")
+        apksigner_opts = ""
+        build_tools_version = self.get_build_tools_version(version_targeted)
+        UI.message("Build-tools version: #{build_tools_version}")
+        if Gem::Version.new(build_tools_version) >= Gem::Version.new('30')
+          apksigner_opts = "--v4-signing-enabled false "
+        end
+        output = `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true #{apksigner_opts}--out '#{apk_path_signed}' '#{apk_path_aligned}'`
+        puts ""
+        puts output
+
+        UI.message("Verifing APK signature: #{apk_path_signed}")
+        output = `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
+        puts ""
+        puts output
+        if zip_align != false
+          `rm -f '#{apk_path_aligned}'`
+        end
 
         apk_path_signed
+      end 
+
+      def self.resolve_dir(path)
+        if !File.directory?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+
+      def self.resolve_file(path)
+        if !File.file?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+
+      def self.content_to_file(file_path, content)
+        `echo #{content} > #{file_path}`
       end
 
       def self.get_file_content(file_path)
@@ -132,9 +333,7 @@ module Fastlane
 
         if !apk_path.to_s.end_with?(".apk") 
 
-          if !File.directory?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
+          apk_path = self.resolve_dir(apk_path)
 
           pattern = File.join(apk_path, '*.apk')
           files = Dir[pattern]
@@ -147,11 +346,7 @@ module Fastlane
           end
 
         else
-
-          if !File.file?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
-
+          apk_path = self.resolve_file(apk_path)
         end
         
         apk_path
@@ -177,6 +372,17 @@ module Fastlane
         match_secret = params[:match_secret]
         override_keystore = params[:override_keystore]
         keystore_data = params[:keystore_data]
+        clear_keystore = params[:clear_keystore]
+        unit_test = params[:unit_test]
+        build_tools_version = params[:build_tools_version]
+        zip_align = params[:zip_align]
+        compat_key = params[:compat_key]
+
+        # Test OpenSSL/LibreSSL
+        if unit_test
+          result_test = self.test_security
+          exit!
+        end
 
         # Init constants:
         keystore_name = 'keystore.jks'
@@ -192,7 +398,7 @@ module Fastlane
         end
 
         # Check OpenSSL:
-        self.check_openssl_version
+        self.check_ssl_version(false)
 
         # Init workign local directory:
         dir_name = ENV['HOME'] + '/.match_keystore'
@@ -211,7 +417,7 @@ module Fastlane
             raise "Security password is not defined! Please use 'match_secret' parameter for CI."
           end
           UI.message "Generating security key '#{key_name}'..."
-          self.gen_key(key_path, security_password)
+          self.gen_key(key_path, security_password, compat_key)
         end
 
         # Check is 'security password' is well initialized:
@@ -222,14 +428,30 @@ module Fastlane
           raise "The security key '#{key_name}' is malformed, or not initialized!"
         end
 
-        # Create repo directory to sync remote Keystores repository:
+        # Clear repo Keystore (local) - mostly for testing:
         repo_dir = File.join(dir_name, self.to_md5(git_url))
-        # UI.message(repo_dir)
+        if clear_keystore && File.directory?(repo_dir)
+          FileUtils.rm_rf(repo_dir)
+          UI.message("Local repo keystore (#{repo_dir}) directory deleted!")
+        end
+
+        # Create repo directory to sync remote Keystores repository:
         unless File.directory?(repo_dir)
           UI.message("Creating 'repo' directory...")
           FileUtils.mkdir_p(repo_dir)
         end
 
+        # Check if package name defined:
+        if package_name.to_s.strip.empty?
+          raise "Package name is not defined!"
+        end
+
+        # Define paths:
+        keystoreAppDir = File.join(repo_dir, package_name)
+        keystore_path = File.join(keystoreAppDir, keystore_name)
+        properties_path = File.join(keystoreAppDir, properties_name)
+        properties_encrypt_path = File.join(keystoreAppDir, properties_encrypt_name)
+
         # Cloning/pulling GIT remote repository:
         gitDir = File.join(repo_dir, '/.git')
         if !File.directory?(gitDir)
@@ -244,20 +466,6 @@ module Fastlane
           puts ''
         end
 
-        # Create sub-directory for Android app:
-        if package_name.to_s.strip.empty?
-          raise "Package name is not defined!"
-        end
-        keystoreAppDir = File.join(repo_dir, package_name)
-        unless File.directory?(keystoreAppDir)
-          UI.message("Creating '#{package_name}' keystore directory...")
-          FileUtils.mkdir_p(keystoreAppDir)
-        end
-
-        keystore_path = File.join(keystoreAppDir, keystore_name)
-        properties_path = File.join(keystoreAppDir, properties_name)
-        properties_encrypt_path = File.join(keystoreAppDir, properties_encrypt_name)
-
         # Load parameters from JSON for CI or Unit Tests:
         if keystore_data != nil && File.file?(keystore_data)
           data_json = self.load_json(keystore_data)
@@ -274,6 +482,7 @@ module Fastlane
 
         # Create keystore with command
         override_keystore = !existing_keystore.to_s.strip.empty? && File.file?(existing_keystore)
+        UI.message("Existing Keystore: #{existing_keystore}")
         if !File.file?(keystore_path) || override_keystore 
 
           if File.file?(keystore_path)
@@ -294,7 +503,7 @@ module Fastlane
           end
 
           # https://developer.android.com/studio/publish/app-signing
-          if !File.file?(existing_keystore)
+          if existing_keystore.to_s.strip.empty? || !File.file?(existing_keystore)
             UI.message("Generating Android Keystore...")
             
             full_name = self.prompt2(text: "Certificate First and Last Name: ", value: data_full_name)
@@ -335,7 +544,7 @@ module Fastlane
           out_file.puts("aliasPassword=#{alias_password}")
           out_file.close
 
-          self.encrypt_file(properties_path, properties_encrypt_path, key_path)
+          self.encrypt_file(properties_path, properties_encrypt_path, key_path, false)
           File.delete(properties_path)
 
           # Print Keystore data in repo:
@@ -352,9 +561,10 @@ module Fastlane
         else  
           UI.message "Keystore file already exists, continue..."
 
-          self.decrypt_file(properties_encrypt_path, properties_path, key_path)
+          self.decrypt_file(properties_encrypt_path, properties_path, key_path, false)
 
           properties = self.load_properties(properties_path)
+          Pry::ColorPrinter.pp(properties)
           key_password = properties['keyPassword']
           alias_name = properties['aliasName']
           alias_password = properties['aliasPassword']
@@ -380,12 +590,13 @@ module Fastlane
               key_password, 
               alias_name, 
               alias_password, 
-              true # Zip align
+              zip_align, # Zip align
+              build_tools_version # Buil-tools version
             )
             puts ''
           end 
         else
-          UI.message("No APK file found to sign!")
+          UI.message("No APK file found at: #{apk_path}")
         end
 
         # Prepare contect shared values for next lanes:
@@ -457,7 +668,32 @@ module Fastlane
                                    env_name: "MATCH_KEYSTORE_JSON_PATH",
                                 description: "Required data to import an existing keystore, or create a new one",
                                    optional: true,
-                                       type: String)
+                                       type: String),
+          FastlaneCore::ConfigItem.new(key: :build_tools_version,
+                                   env_name: "MATCH_KEYSTORE_BUILD_TOOLS_VERSION",
+                                description: "Set built-tools version (by default latest available on machine)",
+                                   optional: true,
+                                       type: String),      
+          FastlaneCore::ConfigItem.new(key: :zip_align,
+                                   env_name: "MATCH_KEYSTORE_ZIPALIGN",
+                                description: "Define if plugin will run zipalign on APK before sign it (true by default)",
+                                   optional: true,
+                                       type: Boolean),                    
+          FastlaneCore::ConfigItem.new(key: :compat_key,
+                                   env_name: "MATCH_KEYSTORE_COMPAT_KEY",
+                                description: "Define the compatibility key version used on local machine (nil by default)",
+                                   optional: true,
+                                       type: String),
+          FastlaneCore::ConfigItem.new(key: :clear_keystore,
+                                   env_name: "MATCH_KEYSTORE_CLEAR",
+                                description: "Clear the local keystore (false by default)",
+                                   optional: true,
+                                       type: Boolean),
+          FastlaneCore::ConfigItem.new(key: :unit_test,
+                                   env_name: "MATCH_KEYSTORE_UNIT_TESTS",
+                                description: "launch Unit Tests (false by default)",
+                                   optional: true,
+                                       type: Boolean)
         ]
       end
 

data/lib/fastlane/plugin/match_keystore/version.rb

@@ -1,5 +1,5 @@
 module Fastlane
   module MatchKeystore
-    VERSION = "0.1.13"
+    VERSION = "0.1.18"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fastlane-plugin-match_keystore
 version: !ruby/object:Gem::Version
-  version: 0.1.13
+  version: 0.1.18
 platform: ruby
 authors:
 - Christopher NEY
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-07 00:00:00.000000000 Z
+date: 2020-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry