RubyGems - fastlane - Versions diffs - 2.81.0.beta.20180206010002 → 2.81.0.beta.20180207010002 - Mend

fastlane 2.81.0.beta.20180206010002 → 2.81.0.beta.20180207010002

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/fastlane/lib/fastlane/version.rb +1 -1
data/fastlane_core/lib/fastlane_core/cert_checker.rb +7 -9
data/match/lib/match/encrypt.rb +52 -48
data/match/lib/match/utils.rb +6 -7
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: aa7bfc136d7e7c764be87d0d59b96c3a9fc7c146
-  data.tar.gz: e4ee701b3ec901c15fa264369f2297e6cb099c5d
+  metadata.gz: c180f27e03e5bfe73cb720d053f49f8e005c2914
+  data.tar.gz: bcec068462054d31c28a287fe270c1c8e12037aa
 SHA512:
-  metadata.gz: 07852f80e4fd1e3e3b8d8ea8f5f11fd9c9f889aaff3f028050e8199fc2d0cfdeabb82fbd3461ff5ea47372d4efa13c1780a60804b5b087bc25874bdc64e967d0
-  data.tar.gz: 7410e0d596e19cc757d860670deb3d6a10591a3c97dfba5f9b82369d0f19a669565356e7b475f5af26bee69906f66b4d2ca26190edf2639fcf11792e46eb876b
+  metadata.gz: 456e24304b146f4fd37b5a390bb42e07815aa81a7daea1aba0ea958365f3bbb03a5613ff535beff00361d744623cd5c5acea4010a7c9aa2a499fb8333ac96600
+  data.tar.gz: 89766e39865767b651ddb9bc20addb8d54c4005b3a1eb0091a828ff2c49d2fe301b831d47c88da8f67ea6c20be0ff9b599e1b940de3869df715bb2c343684254

data/fastlane/lib/fastlane/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Fastlane
-  VERSION = '2.81.0.beta.20180206010002'.freeze
+  VERSION = '2.81.0.beta.20180207010002'.freeze
   DESCRIPTION = "The easiest way to automate beta deployments and releases for your iOS and Android apps".freeze
   MINIMUM_XCODE_RELEASE = "7.0".freeze
   RUBOCOP_REQUIREMENT = '0.49.1'.freeze

data/fastlane_core/lib/fastlane_core/cert_checker.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 require 'tempfile'
+require 'openssl'
 require_relative 'helper'
@@ -102,15 +103,12 @@ module FastlaneCore
     end
     def self.sha1_fingerprint(path)
-      result = `openssl x509 -in "#{path}" -inform der -noout -sha1 -fingerprint`
-      begin
-        result = result.match(/SHA1 Fingerprint=(.*)/)[1]
-        result.delete!(':')
-        return result
-      rescue
-        UI.message(result)
-        UI.user_error!("Error parsing certificate '#{path}'")
-      end
+      file_data = File.read(path.to_s)
+      cert = OpenSSL::X509::Certificate.new(file_data)
+      return OpenSSL::Digest::SHA1.new(cert.to_der).to_s.upcase
+    rescue => error
+      UI.error(error)
+      UI.user_error!("Error parsing certificate '#{path}'")
     end
   end
 end

data/match/lib/match/encrypt.rb CHANGED Viewed

@@ -3,9 +3,11 @@ require_relative 'change_password'
 module Match
   class Encrypt
+    require 'base64'
+    require 'openssl'
+    require 'securerandom'
     require 'security'
     require 'shellwords'
-    require 'open3'
     def server_name(git_url)
       ["match", git_url].join("_")
@@ -46,9 +48,8 @@ module Match
     def encrypt_repo(path: nil, git_url: nil)
       iterate(path) do |current|
-        crypt(path: current,
-          password: password(git_url),
-           encrypt: true)
+        encrypt(path: current,
+          password: password(git_url))
         UI.success("🔒  Encrypted '#{File.basename(current)}'") if FastlaneCore::Globals.verbose?
       end
       UI.success("🔒  Successfully encrypted certificates repo")
@@ -57,9 +58,8 @@ module Match
     def decrypt_repo(path: nil, git_url: nil, manual_password: nil)
       iterate(path) do |current|
         begin
-          crypt(path: current,
-            password: manual_password || password(git_url),
-             encrypt: false)
+          decrypt(path: current,
+            password: manual_password || password(git_url))
         rescue
           UI.error("Couldn't decrypt the repo, please make sure you enter the right password!")
           UI.user_error!("Invalid password passed via 'MATCH_PASSWORD'") if ENV["MATCH_PASSWORD"]
@@ -81,49 +81,53 @@ module Match
       end
     end
-    def crypt(path: nil, password: nil, encrypt: true)
-      if password.to_s.strip.length == 0 && encrypt
-        UI.user_error!("No password supplied")
-      end
-      tmpfile = File.join(Dir.mktmpdir, "temporary")
-      command = ["openssl aes-256-cbc"]
-      command << "-k #{password.shellescape}"
-      command << "-in #{path.shellescape}"
-      command << "-out #{tmpfile.shellescape}"
-      command << "-a"
-      command << "-d" unless encrypt
-      _out, err, st = Open3.capture3(command.join(' '))
-      success = st.success?
-      unless err.to_s.empty?
-        # to show an error message if something goes wrong
-        if FastlaneCore::Globals.verbose?
-          UI.error("`openssl` failed with an error:")
-          UI.error(err)
-        end
-        # Ubuntu `openssl` does not fail on failure
-        # but at least outputs an error message -
-        # so we use that as indication of failure
-        success = false
-      end
-      UI.crash!("Error decrypting '#{path}'") unless success
+    # We encrypt with MD5 because that was the most common default value in older fastlane versions which used the local OpenSSL installation
+    # A more secure key and IV generation is needed in the future
+    # IV should be randomly generated and provided unencrypted
+    # salt should be randomly generated and provided unencrypted (like in the current implementation)
+    # key should be generated with OpenSSL::KDF::pbkdf2_hmac with properly chosen parameters
+    # Short explanation about salt and IV: https://stackoverflow.com/a/1950674/6324550
+    def encrypt(path: nil, password: nil)
+      UI.user_error!("No password supplied") if password.to_s.strip.length == 0
+      data_to_encrypt = File.read(path)
+      salt = SecureRandom.random_bytes(8)
+      cipher = OpenSSL::Cipher.new('AES-256-CBC')
+      cipher.encrypt
+      cipher.pkcs5_keyivgen(password, salt, 1, "MD5")
+      encrypted_data = "Salted__" + salt + cipher.update(data_to_encrypt) + cipher.final
+      File.write(path, Base64.encode64(encrypted_data))
+    rescue FastlaneCore::Interface::FastlaneError
+      raise
+    rescue => error
+      UI.error(error.to_s)
+      UI.crash!("Error encrypting '#{path}'")
+    end
-      # On non-Mac systems (more specific Ubuntu Linux) it might take some time for the file to actually be there (see #11182).
-      # To try to circumvent this flakyness (in tests), we wait a bit until the file appears (max 2s) (usually only 0.1 is actually waited)
-      unless FastlaneCore::Helper.mac?
-        count = 0
-        # sleep until file exists or 20*0.1s (=2s) passed
-        until File.exist?(tmpfile) || count == 20
-          sleep(0.1)
-          count += 1
-        end
+    # The encryption parameters in this implementations reflect the old behaviour which depended on the users' local OpenSSL version
+    # 1.0.x OpenSSL and earlier versions use MD5, 1.1.0c and newer uses SHA256, we try both before giving an error
+    def decrypt(path: nil, password: nil, hash_algorithm: "MD5")
+      stored_data = Base64.decode64(File.read(path))
+      salt = stored_data[8..15]
+      data_to_decrypt = stored_data[16..-1]
+      decipher = OpenSSL::Cipher.new('AES-256-CBC')
+      decipher.decrypt
+      decipher.pkcs5_keyivgen(password, salt, 1, hash_algorithm)
+      decrypted_data = decipher.update(data_to_decrypt) + decipher.final
+      File.write(path, decrypted_data)
+    rescue => error
+      fallback_hash_algorithm = "SHA256"
+      if hash_algorithm != fallback_hash_algorithm
+        decrypt(path, password, fallback_hash_algorithm)
+      else
+        UI.error(error.to_s)
+        UI.crash!("Error decrypting '#{path}'")
       end
-      FileUtils.mv(tmpfile, path)
     end
   end
 end

data/match/lib/match/utils.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 require 'fastlane_core/keychain_importer'
+require 'openssl'
 require_relative 'module'
 module Match
@@ -31,15 +32,11 @@ module Match
     end
     def self.get_cert_info(cer_certificate_path)
-      command = "openssl x509 -inform der -in #{cer_certificate_path.shellescape} -subject -dates -noout"
-      command << " &" # start in separate process
-      output = Helper.backticks(command, print: FastlaneCore::Globals.verbose?)
+      cert = OpenSSL::X509::Certificate.new(File.read(cer_certificate_path))
       # openssl output:
-      # subject= /UID={User ID}/CN={Certificate Name}/OU={Certificate User}/O={Organisation}/C={Country}\n
-      # notBefore={Start datetime}\n
-      # notAfter={End datetime}
-      cert_info = output.gsub(/\s*subject=\s*/, "").tr("/", "\n")
+      # subject= /UID={User ID}/CN={Certificate Name}/OU={Certificate User}/O={Organisation}/C={Country}
+      cert_info = cert.subject.to_s.gsub(/\s*subject=\s*/, "").tr("/", "\n")
       out_array = cert_info.split("\n")
       openssl_keys_to_readable_keys = {
            'UID' => 'User ID',
@@ -54,6 +51,8 @@ module Match
       return out_array.map { |x| x.split(/=+/) if x.include?("=") }
                       .compact
                       .map { |k, v| [openssl_keys_to_readable_keys.fetch(k, k), v] }
+                      .append([openssl_keys_to_readable_keys.fetch("notBefore"), cert.not_before])
+                      .append([openssl_keys_to_readable_keys.fetch("notAfter"), cert.not_after])
     rescue => ex
       UI.error(ex)
       return {}

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fastlane
 version: !ruby/object:Gem::Version
-  version: 2.81.0.beta.20180206010002
+  version: 2.81.0.beta.20180207010002
 platform: ruby
 authors:
 - Fumiya Nakamura
@@ -25,7 +25,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-06 00:00:00.000000000 Z
+date: 2018-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: slack-notifier