RubyGems - fastlane - Versions diffs - 2.81.0.beta.20180206010002 → 2.81.0.beta.20180207010002 - Mend

fastlane 2.81.0.beta.20180206010002 → 2.81.0.beta.20180207010002

Files changed (6) hide show

checksums.yaml +4 -4
data/fastlane/lib/fastlane/version.rb +1 -1
data/fastlane_core/lib/fastlane_core/cert_checker.rb +7 -9
data/match/lib/match/encrypt.rb +52 -48
data/match/lib/match/utils.rb +6 -7
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: aa7bfc136d7e7c764be87d0d59b96c3a9fc7c146
-  data.tar.gz: e4ee701b3ec901c15fa264369f2297e6cb099c5d
+  metadata.gz: c180f27e03e5bfe73cb720d053f49f8e005c2914
+  data.tar.gz: bcec068462054d31c28a287fe270c1c8e12037aa
 SHA512:
-  metadata.gz: 07852f80e4fd1e3e3b8d8ea8f5f11fd9c9f889aaff3f028050e8199fc2d0cfdeabb82fbd3461ff5ea47372d4efa13c1780a60804b5b087bc25874bdc64e967d0
-  data.tar.gz: 7410e0d596e19cc757d860670deb3d6a10591a3c97dfba5f9b82369d0f19a669565356e7b475f5af26bee69906f66b4d2ca26190edf2639fcf11792e46eb876b
+  metadata.gz: 456e24304b146f4fd37b5a390bb42e07815aa81a7daea1aba0ea958365f3bbb03a5613ff535beff00361d744623cd5c5acea4010a7c9aa2a499fb8333ac96600
+  data.tar.gz: 89766e39865767b651ddb9bc20addb8d54c4005b3a1eb0091a828ff2c49d2fe301b831d47c88da8f67ea6c20be0ff9b599e1b940de3869df715bb2c343684254

data/fastlane/lib/fastlane/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Fastlane
-  VERSION = '2.81.0.beta.20180206010002'.freeze
+  VERSION = '2.81.0.beta.20180207010002'.freeze
   DESCRIPTION = "The easiest way to automate beta deployments and releases for your iOS and Android apps".freeze
   MINIMUM_XCODE_RELEASE = "7.0".freeze
   RUBOCOP_REQUIREMENT = '0.49.1'.freeze

data/fastlane_core/lib/fastlane_core/cert_checker.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 require 'tempfile'
+require 'openssl'
 require_relative 'helper'
@@ -102,15 +103,12 @@ module FastlaneCore
     end
     def self.sha1_fingerprint(path)
-      result = `openssl x509 -in "#{path}" -inform der -noout -sha1 -fingerprint`
-      begin
-        result = result.match(/SHA1 Fingerprint=(.*)/)[1]
-        result.delete!(':')
-        return result
-      rescue
-        UI.message(result)
-        UI.user_error!("Error parsing certificate '#{path}'")
-      end
+      file_data = File.read(path.to_s)
+      cert = OpenSSL::X509::Certificate.new(file_data)
+      return OpenSSL::Digest::SHA1.new(cert.to_der).to_s.upcase
+    rescue => error
+      UI.error(error)
+      UI.user_error!("Error parsing certificate '#{path}'")
     end
   end
 end

data/match/lib/match/encrypt.rb CHANGED Viewed

@@ -3,9 +3,11 @@ require_relative 'change_password'
 module Match
   class Encrypt
+    require 'base64'
+    require 'openssl'
+    require 'securerandom'
     require 'security'
     require 'shellwords'
-    require 'open3'
     def server_name(git_url)
       ["match", git_url].join("_")
@@ -46,9 +48,8 @@ module Match
     def encrypt_repo(path: nil, git_url: nil)
       iterate(path) do |current|
-        crypt(path: current,
-          password: password(git_url),
-           encrypt: true)
+        encrypt(path: current,
+          password: password(git_url))
         UI.success("🔒  Encrypted '#{File.basename(current)}'") if FastlaneCore::Globals.verbose?
       end
       UI.success("🔒  Successfully encrypted certificates repo")
@@ -57,9 +58,8 @@ module Match
     def decrypt_repo(path: nil, git_url: nil, manual_password: nil)
       iterate(path) do |current|
         begin
-          crypt(path: current,
-            password: manual_password || password(git_url),
-             encrypt: false)
+          decrypt(path: current,
+            password: manual_password || password(git_url))
         rescue
           UI.error("Couldn't decrypt the repo, please make sure you enter the right password!")
           UI.user_error!("Invalid password passed via 'MATCH_PASSWORD'") if ENV["MATCH_PASSWORD"]
@@ -81,49 +81,53 @@ module Match
       end
     end
-    def crypt(path: nil, password: nil, encrypt: true)
-      if password.to_s.strip.length == 0 && encrypt
-        UI.user_error!("No password supplied")
-      end
-      tmpfile = File.join(Dir.mktmpdir, "temporary")
-      command = ["openssl aes-256-cbc"]
-      command << "-k #{password.shellescape}"
-      command << "-in #{path.shellescape}"
-      command << "-out #{tmpfile.shellescape}"
-      command << "-a"
-      command << "-d" unless encrypt
-      _out, err, st = Open3.capture3(command.join(' '))
-      success = st.success?
-      unless err.to_s.empty?
-        # to show an error message if something goes wrong
-        if FastlaneCore::Globals.verbose?
-          UI.error("`openssl` failed with an error:")
-          UI.error(err)
-        end
-        # Ubuntu `openssl` does not fail on failure
-        # but at least outputs an error message -
-        # so we use that as indication of failure
-        success = false
-      end
-      UI.crash!("Error decrypting '#{path}'") unless success
+    # We encrypt with MD5 because that was the most common default value in older fastlane versions which used the local OpenSSL installation
+    # A more secure key and IV generation is needed in the future
+    # IV should be randomly generated and provided unencrypted
+    # salt should be randomly generated and provided unencrypted (like in the current implementation)
+    # key should be generated with OpenSSL::KDF::pbkdf2_hmac with properly chosen parameters
+    # Short explanation about salt and IV: https://stackoverflow.com/a/1950674/6324550
+    def encrypt(path: nil, password: nil)
+      UI.user_error!("No password supplied") if password.to_s.strip.length == 0
+      data_to_encrypt = File.read(path)
+      salt = SecureRandom.random_bytes(8)
+      cipher = OpenSSL::Cipher.new('AES-256-CBC')
+      cipher.encrypt
+      cipher.pkcs5_keyivgen(password, salt, 1, "MD5")
+      encrypted_data = "Salted__" + salt + cipher.update(data_to_encrypt) + cipher.final
+      File.write(path, Base64.encode64(encrypted_data))
+    rescue FastlaneCore::Interface::FastlaneError
+      raise
+    rescue => error
+      UI.error(error.to_s)
+      UI.crash!("Error encrypting '#{path}'")
+    end
-      # On non-Mac systems (more specific Ubuntu Linux) it might take some time for the file to actually be there (see #11182).
-      # To try to circumvent this flakyness (in tests), we wait a bit until the file appears (max 2s) (usually only 0.1 is actually waited)
-      unless FastlaneCore::Helper.mac?
-        count = 0
-        # sleep until file exists or 20*0.1s (=2s) passed
-        until File.exist?(tmpfile) || count == 20
-          sleep(0.1)
-          count += 1
-        end
+    # The encryption parameters in this implementations reflect the old behaviour which depended on the users' local OpenSSL version
+    # 1.0.x OpenSSL and earlier versions use MD5, 1.1.0c and newer uses SHA256, we try both before giving an error
+    def decrypt(path: nil, password: nil, hash_algorithm: "MD5")
+      stored_data = Base64.decode64(File.read(path))
+      salt = stored_data[8..15]
+      data_to_decrypt = stored_data[16..-1]
+      decipher = OpenSSL::Cipher.new('AES-256-CBC')
+      decipher.decrypt
+      decipher.pkcs5_keyivgen(password, salt, 1, hash_algorithm)
+      decrypted_data = decipher.update(data_to_decrypt) + decipher.final
+      File.write(path, decrypted_data)
+    rescue => error
+      fallback_hash_algorithm = "SHA256"
+      if hash_algorithm != fallback_hash_algorithm
+        decrypt(path, password, fallback_hash_algorithm)
+      else
+        UI.error(error.to_s)
+        UI.crash!("Error decrypting '#{path}'")
       end
-      FileUtils.mv(tmpfile, path)
     end
   end
 end

data/match/lib/match/utils.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 require 'fastlane_core/keychain_importer'
+require 'openssl'
 require_relative 'module'
 module Match
@@ -31,15 +32,11 @@ module Match
     end
     def self.get_cert_info(cer_certificate_path)
-      command = "openssl x509 -inform der -in #{cer_certificate_path.shellescape} -subject -dates -noout"
-      command << " &" # start in separate process
-      output = Helper.backticks(command, print: FastlaneCore::Globals.verbose?)
+      cert = OpenSSL::X509::Certificate.new(File.read(cer_certificate_path))
       # openssl output:
-      # subject= /UID={User ID}/CN={Certificate Name}/OU={Certificate User}/O={Organisation}/C={Country}\n
-      # notBefore={Start datetime}\n
-      # notAfter={End datetime}
-      cert_info = output.gsub(/\s*subject=\s*/, "").tr("/", "\n")
+      # subject= /UID={User ID}/CN={Certificate Name}/OU={Certificate User}/O={Organisation}/C={Country}
+      cert_info = cert.subject.to_s.gsub(/\s*subject=\s*/, "").tr("/", "\n")
       out_array = cert_info.split("\n")
       openssl_keys_to_readable_keys = {
            'UID' => 'User ID',
@@ -54,6 +51,8 @@ module Match
       return out_array.map { |x| x.split(/=+/) if x.include?("=") }
                       .compact
                       .map { |k, v| [openssl_keys_to_readable_keys.fetch(k, k), v] }
+                      .append([openssl_keys_to_readable_keys.fetch("notBefore"), cert.not_before])
+                      .append([openssl_keys_to_readable_keys.fetch("notAfter"), cert.not_after])
     rescue => ex
       UI.error(ex)
       return {}

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fastlane
 version: !ruby/object:Gem::Version
-  version: 2.81.0.beta.20180206010002
+  version: 2.81.0.beta.20180207010002
 platform: ruby
 authors:
 - Fumiya Nakamura
@@ -25,7 +25,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-06 00:00:00.000000000 Z
+date: 2018-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: slack-notifier