mysigner 0.1.2 → 0.1.4

data/lib/mysigner/cli/validate_commands.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module Mysigner
   class CLI < Thor
     module ValidateCommands
       def self.included(base)
         base.class_eval do
-          desc "validate", "Validate signing configuration on the server"
+          desc 'validate', 'Validate signing configuration on the server'
           long_desc <<~DESC
             Check if your bundle ID, certificate, and provisioning profile exist and
             are valid on the My Signer server.
@@ -42,15 +44,15 @@ module Mysigner
             signing_type = options[:type]
 
             unless bundle_id
-              error "Bundle ID is required. Use --bundle-id or run from an Xcode project directory."
-              say ""
-              say "Example: mysigner validate --bundle-id com.example.app --type development", :yellow
+              error 'Bundle ID is required. Use --bundle-id or run from an Xcode project directory.'
+              say ''
+              say 'Example: mysigner validate --bundle-id com.example.app --type development', :yellow
               exit 1
             end
 
             unless signing_type
-              error "Signing type is required. Use --type with one of: development, appstore, adhoc, inhouse"
-              say ""
+              error 'Signing type is required. Use --type with one of: development, appstore, adhoc, inhouse'
+              say ''
               say "Example: mysigner validate --bundle-id #{bundle_id} --type development", :yellow
               exit 1
             end
@@ -62,11 +64,11 @@ module Mysigner
               exit 1
             end
 
-            say "🔍 Validating signing configuration...", :cyan
-            say ""
+            say '🔍 Validating signing configuration...', :cyan
+            say ''
             say "  Bundle ID: #{bundle_id}", :white
             say "  Type:      #{signing_type}", :white
-            say ""
+            say ''
 
             begin
               response = client.post(
@@ -93,17 +95,17 @@ module Mysigner
                 end
               end
 
-              say ""
+              say ''
 
               if valid
-                say "✓ All checks passed! Signing configuration is valid.", :green
+                say '✓ All checks passed! Signing configuration is valid.', :green
               else
-                say "✗ Validation failed. Some checks did not pass.", :red
+                say '✗ Validation failed. Some checks did not pass.', :red
 
                 suggestions = result['suggestions'] || []
                 if suggestions.any?
-                  say ""
-                  say "💡 Suggestions:", :cyan
+                  say ''
+                  say '💡 Suggestions:', :cyan
                   suggestions.each do |suggestion|
                     say "   → #{suggestion}", :yellow
                   end
@@ -113,26 +115,24 @@ module Mysigner
               end
             rescue Mysigner::NotFoundError => e
               error "Not found: #{e.message}"
-              say ""
-              say "💡 Make sure your bundle ID is synced:", :cyan
+              say ''
+              say '💡 Make sure your bundle ID is synced:', :cyan
               say "   → Run 'mysigner sync ios' to sync from Apple Developer Portal", :yellow
               say "   → Run 'mysigner bundleid list' to list registered bundle IDs", :yellow
               exit 1
             rescue Mysigner::ValidationError => e
               error "Validation error: #{e.message}"
-              if e.details
-                e.details.each do |field, errors|
-                  errors_text = errors.is_a?(Array) ? errors.join(', ') : errors.to_s
-                  say "  #{field}: #{errors_text}", :red
-                end
+              e.details&.each do |field, errors|
+                errors_text = errors.is_a?(Array) ? errors.join(', ') : errors.to_s
+                say "  #{field}: #{errors_text}", :red
               end
               exit 1
             rescue Mysigner::ClientError => e
               error "Validation request failed: #{e.message}"
-              say ""
-              say "💡 Try these steps:", :cyan
-              say "   → Check your network connection", :yellow
-              say "   → Verify API token: mysigner status", :yellow
+              say ''
+              say '💡 Try these steps:', :cyan
+              say '   → Check your network connection', :yellow
+              say '   → Verify API token: mysigner status', :yellow
               exit 1
             end
           end

data/lib/mysigner/cli.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'thor'
 require 'json'
 require 'time'
@@ -12,6 +14,14 @@ require_relative 'cli/diagnostic_commands'
 require_relative 'cli/build_commands'
 require_relative 'cli/resource_commands'
 require_relative 'cli/validate_commands'
+require_relative 'cleanup/private_keys_purger'
+
+# Phase 0: one-time cleanup of legacy plaintext .p8 files that older CLI
+# versions wrote to ~/.private_keys/ and ~/.appstoreconnect/private_keys/.
+# Idempotent — a marker file at ~/.mysigner/.private_keys_purged prevents
+# re-running. Skipped when MYSIGNER_USE_LEGACY_ASC=1 so users who opted
+# back into the legacy altool path keep their existing keys.
+Mysigner::Cleanup::PrivateKeysPurger.new.call
 
 module Mysigner
   class CLI < Thor
@@ -42,4 +52,4 @@ module Mysigner
     map 'st' => :status
     map 'd' => :doctor
   end
-end
+end

data/lib/mysigner/client.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'faraday'
 require 'faraday/retry'
 require 'json'
@@ -57,7 +59,7 @@ module Mysigner
       get('/api/v1/status')
     rescue ClientError => e
       raise e
-    rescue => e
+    rescue StandardError => e
       raise ConnectionError, "Failed to connect: #{e.message}"
     end
 
@@ -69,9 +71,7 @@ module Mysigner
         f.request :json
 
         # Add X-User-Email header if email is present
-        if @user_email
-          f.headers['X-User-Email'] = @user_email
-        end
+        f.headers['X-User-Email'] = @user_email if @user_email
 
         # Retry failed requests
         f.request :retry, {
@@ -80,7 +80,7 @@ module Mysigner
           interval_randomness: 0.5,
           backoff_factor: 2,
           retry_statuses: [429, 502, 503, 504],
-          methods: [:get, :post, :patch, :delete]
+          methods: %i[get post patch delete]
         }
 
         # Response middleware
@@ -120,21 +120,28 @@ module Mysigner
 
       case response.status
       when 401
-        raise UnauthorizedError.new("Unauthorized: #{error_message}", error_code: error_code, suggestion: suggestion, details: error_data['details'], timestamp: timestamp)
+        raise UnauthorizedError.new("Unauthorized: #{error_message}", error_code: error_code, suggestion: suggestion,
+                                                                      details: error_data['details'], timestamp: timestamp)
       when 403
-        raise ForbiddenError.new("Forbidden: #{error_message}", error_code: error_code, suggestion: suggestion, details: error_data['details'], timestamp: timestamp)
+        raise ForbiddenError.new("Forbidden: #{error_message}", error_code: error_code, suggestion: suggestion,
+                                                                details: error_data['details'], timestamp: timestamp)
       when 404
-        raise NotFoundError.new("Not found: #{error_message}", error_code: error_code, suggestion: suggestion, details: error_data['details'], timestamp: timestamp)
+        raise NotFoundError.new("Not found: #{error_message}", error_code: error_code, suggestion: suggestion,
+                                                               details: error_data['details'], timestamp: timestamp)
       when 409
-        raise ValidationError.new(error_message, error_data['details'], suggestion: suggestion, error_code: error_code, timestamp: timestamp)
+        raise ValidationError.new(error_message, error_data['details'], suggestion: suggestion, error_code: error_code,
+                                                                        timestamp: timestamp)
       when 422
-        raise ValidationError.new(error_message, error_data['details'], suggestion: suggestion, error_code: error_code, timestamp: timestamp)
+        raise ValidationError.new(error_message, error_data['details'], suggestion: suggestion, error_code: error_code,
+                                                                        timestamp: timestamp)
       when 429
         raise RateLimitError.new(error_message, error_data['retry_after'])
       when 500..599
-        raise ServerError.new("Server error (#{response.status}): #{error_message}", error_code: error_code, timestamp: timestamp)
+        raise ServerError.new("Server error (#{response.status}): #{error_message}", error_code: error_code,
+                                                                                     timestamp: timestamp)
       else
-        raise ClientError.new("Request failed (#{response.status}): #{error_message}", error_code: error_code, timestamp: timestamp)
+        raise ClientError.new("Request failed (#{response.status}): #{error_message}", error_code: error_code,
+                                                                                       timestamp: timestamp)
       end
     end
 
@@ -146,15 +153,16 @@ module Mysigner
         # Check if it's a wrapped timeout error
         if error.wrapped_exception.is_a?(Net::OpenTimeout) || error.wrapped_exception.is_a?(Net::ReadTimeout)
           raise TimeoutError, "Request timeout: #{error.message}"
-        else
-          raise ConnectionError, "Connection failed: #{error.message}"
         end
+
+        raise ConnectionError, "Connection failed: #{error.message}"
+
       when Faraday::UnauthorizedError
-        raise UnauthorizedError, "Invalid or missing API token"
+        raise UnauthorizedError, 'Invalid or missing API token'
       when Faraday::ForbiddenError
-        raise ForbiddenError, "Access forbidden"
+        raise ForbiddenError, 'Access forbidden'
       when Faraday::ResourceNotFound
-        raise NotFoundError, "Resource not found"
+        raise NotFoundError, 'Resource not found'
       when Faraday::ClientError
         raise ClientError, "Client error: #{error.message}"
       when Faraday::ServerError
@@ -177,13 +185,14 @@ module Mysigner
       @timestamp = timestamp
     end
   end
+
   class ConnectionError < ClientError; end
   class TimeoutError < ClientError; end
   class UnauthorizedError < ClientError; end
   class ForbiddenError < ClientError; end
   class NotFoundError < ClientError; end
   class ServerError < ClientError; end
-  
+
   class ValidationError < ClientError
     def initialize(message, details = nil, suggestion: nil, error_code: nil, timestamp: nil)
       super(message, error_code: error_code, suggestion: suggestion, details: details, timestamp: timestamp)
@@ -199,4 +208,3 @@ module Mysigner
     end
   end
 end
-

data/lib/mysigner/config.rb

@@ -1,39 +1,80 @@
+# frozen_string_literal: true
+
+require 'English'
+
 require 'yaml'
 require 'fileutils'
 require 'openssl'
 require 'base64'
 require 'json'
 require 'securerandom'
+require 'rbconfig'
 
 module Mysigner
   class Config
-    CONFIG_DIR = File.expand_path("~/.mysigner").freeze
-    CONFIG_FILE = File.join(CONFIG_DIR, "config.yml").freeze
-    KEYCHAIN_SERVICE = "com.mysigner.cli".freeze
-    KEYCHAIN_ACCOUNT = "config_encryption_key".freeze
-
-    attr_accessor :api_url, :user_email, :current_organization_id
+    CONFIG_DIR = File.expand_path('~/.mysigner').freeze
+    CONFIG_FILE = File.join(CONFIG_DIR, 'config.yml').freeze
+    KEY_FILE = File.join(CONFIG_DIR, '.encryption_key').freeze
+    KEYCHAIN_SERVICE = 'com.mysigner.cli'
+    KEYCHAIN_ACCOUNT = 'config_encryption_key'
+
+    # Environment variable names for CI/CD support
+    ENV_API_TOKEN = 'MYSIGNER_API_TOKEN'
+    ENV_API_URL = 'MYSIGNER_API_URL'
+    ENV_EMAIL = 'MYSIGNER_EMAIL'
+    ENV_ORG_ID = 'MYSIGNER_ORG_ID'
+
+    attr_accessor :api_url, :user_email, :current_organization_id, :encryption_enabled
     attr_reader :organizations
-    attr_accessor :encryption_enabled
 
     def initialize
       @api_url = nil
       @user_email = nil
       @current_organization_id = nil
       @organizations = {}
-      @encryption_enabled = true  # Enable by default for security
+      @encryption_enabled = true # Enable by default for security
+      @from_env = false
       load if exists?
     end
 
+    # Check if all required env vars are set for CI/CD mode
+    def self.env_configured?
+      ENV.fetch(ENV_API_TOKEN, nil) && !ENV[ENV_API_TOKEN].empty? &&
+        ENV.fetch(ENV_ORG_ID, nil) && !ENV[ENV_ORG_ID].empty?
+    end
+
+    # Create a Config from environment variables (for CI/CD)
+    def self.from_env
+      config = allocate
+      config.instance_variable_set(:@encryption_enabled, false)
+      config.instance_variable_set(:@from_env, true)
+
+      org_id = ENV.fetch(ENV_ORG_ID, nil)
+      token = ENV.fetch(ENV_API_TOKEN, nil)
+      config.instance_variable_set(:@api_url, ENV[ENV_API_URL] || 'https://mysigner.dev')
+      config.instance_variable_set(:@user_email, ENV.fetch(ENV_EMAIL, nil))
+      config.instance_variable_set(:@current_organization_id, org_id.to_i)
+      config.instance_variable_set(:@organizations, {
+                                     org_id.to_s => { 'name' => 'CI', 'token' => token }
+                                   })
+
+      config
+    end
+
+    # Whether this config was loaded from environment variables
+    def from_env?
+      @from_env
+    end
+
     # Get API token for current organization (or specific org)
     def api_token(org_id = nil)
       org_id ||= @current_organization_id
       return nil if org_id.nil?
-      
+
       org_data = @organizations[org_id.to_s]
       token = org_data&.dig('token')
       return nil if token.nil?
-      
+
       # Decrypt if encrypted
       encrypted?(token) ? decrypt_token(token) : token
     end
@@ -57,7 +98,7 @@ module Mysigner
     def org_name(org_id = nil)
       org_id ||= @current_organization_id
       return nil if org_id.nil?
-      
+
       org_data = @organizations[org_id.to_s]
       org_data&.dig('name')
     end
@@ -81,17 +122,17 @@ module Mysigner
       return false unless exists?
 
       data = YAML.load_file(CONFIG_FILE)
-      
+
       @api_url = data['api_url']
       @user_email = data['user_email']
       @current_organization_id = data['current_organization_id']
       @organizations = data['organizations'] || {}
-      
+
       # Auto-detect encryption from config
       @encryption_enabled = encrypted_config?
-      
+
       true
-    rescue => e
+    rescue StandardError => e
       raise ConfigError, "Failed to load config: #{e.message}"
     end
 
@@ -107,9 +148,9 @@ module Mysigner
       }
 
       File.write(CONFIG_FILE, data.to_yaml)
-      File.chmod(0600, CONFIG_FILE) # Make file readable only by owner
+      File.chmod(0o600, CONFIG_FILE) # Make file readable only by owner
       true
-    rescue => e
+    rescue StandardError => e
       raise ConfigError, "Failed to save config: #{e.message}"
     end
 
@@ -119,12 +160,21 @@ module Mysigner
       @user_email = nil
       @current_organization_id = nil
       @organizations = {}
-      
-      if exists?
-        File.delete(CONFIG_FILE)
-      end
+
+      File.delete(CONFIG_FILE) if exists?
+
+      # On non-macOS the encryption key lives in a file fallback. Wipe it on
+      # logout so a fresh login can mint a new key — otherwise the old key
+      # would silently encrypt a new token that nobody else can decrypt.
+      FileUtils.rm_f(KEY_FILE)
+
+      # Phase 0: logout also purges the keystore cache so a shared machine
+      # doesn't leave prior-user keystore blobs on disk.
+      keystores_dir = File.expand_path('~/.mysigner/keystores')
+      FileUtils.rm_rf(keystores_dir)
+
       true
-    rescue => e
+    rescue StandardError => e
       raise ConfigError, "Failed to clear config: #{e.message}"
     end
 
@@ -136,8 +186,8 @@ module Mysigner
     # Check if configuration is complete (has required fields)
     def valid?
       !@api_url.nil? && !@api_url.empty? &&
-      !@current_organization_id.nil? &&
-      has_token_for_org?(@current_organization_id)
+        !@current_organization_id.nil? &&
+        has_token_for_org?(@current_organization_id)
     end
 
     # Get config as hash
@@ -153,14 +203,14 @@ module Mysigner
     def display
       current_org_name = org_name(@current_organization_id) || '(not set)'
       current_token = api_token(@current_organization_id)
-      
+
       display_data = {
         api_url: @api_url || '(not set)',
         user_email: @user_email || '(not set)',
         current_organization: "#{current_org_name} (ID: #{@current_organization_id || 'not set'})",
         current_token: current_token ? mask_token(current_token) : '(not set)'
       }
-      
+
       # Show all organizations
       if @organizations.any?
         display_data[:all_organizations] = @organizations.map do |org_id, org_data|
@@ -168,24 +218,24 @@ module Mysigner
           "#{org_data['name']} (ID: #{org_id}) #{token_status}"
         end.join(', ')
       end
-      
+
       display_data
     end
 
     # Enable encryption and re-encrypt all tokens
     def enable_encryption!
       return true if @encryption_enabled
-      
+
       @encryption_enabled = true
-      
+
       # Re-encrypt all existing tokens
-      @organizations.each do |org_id, org_data|
+      @organizations.each_value do |org_data|
         token = org_data['token']
         next if token.nil? || encrypted?(token)
-        
+
         org_data['token'] = encrypt_token(token)
       end
-      
+
       save
       true
     end
@@ -193,15 +243,15 @@ module Mysigner
     # Disable encryption and decrypt all tokens
     def disable_encryption!
       return true unless @encryption_enabled
-      
+
       # Decrypt all tokens first
-      @organizations.each do |org_id, org_data|
+      @organizations.each_value do |org_data|
         token = org_data['token']
         next if token.nil? || !encrypted?(token)
-        
+
         org_data['token'] = decrypt_token(token)
       end
-      
+
       @encryption_enabled = false
       save
       true
@@ -215,12 +265,13 @@ module Mysigner
     private
 
     def ensure_config_dir_exists
-      FileUtils.mkdir_p(CONFIG_DIR) unless Dir.exist?(CONFIG_DIR)
+      FileUtils.mkdir_p(CONFIG_DIR)
     end
 
     def mask_token(token)
       return token if token.length < 8
-      "#{token[0..3]}...#{token[-4..-1]}"
+
+      "#{token[0..3]}...#{token[-4..]}"
     end
 
     # Encryption methods
@@ -230,34 +281,34 @@ module Mysigner
       cipher.encrypt
       cipher.key = key
       iv = cipher.random_iv
-      
+
       encrypted = cipher.update(token) + cipher.final
       auth_tag = cipher.auth_tag
-      
+
       # Format: encrypted:base64(iv):base64(auth_tag):base64(encrypted_data)
       "encrypted:#{Base64.strict_encode64(iv)}:#{Base64.strict_encode64(auth_tag)}:#{Base64.strict_encode64(encrypted)}"
     end
 
     def decrypt_token(encrypted_token)
       return encrypted_token unless encrypted?(encrypted_token)
-      
+
       # Parse format
       parts = encrypted_token.split(':', 4)
       return encrypted_token if parts.length != 4 || parts[0] != 'encrypted'
-      
+
       iv = Base64.strict_decode64(parts[1])
       auth_tag = Base64.strict_decode64(parts[2])
       encrypted_data = Base64.strict_decode64(parts[3])
-      
+
       key = get_or_create_encryption_key
       decipher = OpenSSL::Cipher.new('aes-256-gcm')
       decipher.decrypt
       decipher.key = key
       decipher.iv = iv
       decipher.auth_tag = auth_tag
-      
+
       decipher.update(encrypted_data) + decipher.final
-    rescue => e
+    rescue StandardError => e
       raise ConfigError, "Failed to decrypt token: #{e.message}"
     end
 
@@ -266,46 +317,96 @@ module Mysigner
     end
 
     def get_or_create_encryption_key
-      # Try to get key from keychain
-      key = get_key_from_keychain
+      # macOS Keychain is the preferred key store. On Linux/Windows we fall
+      # back to a 0600 file in the config dir so the encrypted YAML token
+      # is still recoverable across CLI invocations. The fallback is roughly
+      # equivalent in security to the config file itself; for the strongest
+      # posture in CI, prefer the MYSIGNER_API_TOKEN env var path.
+      if macos_keychain?
+        key = get_key_from_keychain
+        return key if key
+
+        new_key = SecureRandom.bytes(32) # 256-bit key
+        store_key_in_keychain(new_key)
+        return new_key
+      end
+
+      key = read_key_from_file
       return key if key
-      
-      # Generate new key and store in keychain
+
+      warn_keychain_unavailable_once
+      ensure_config_dir_exists
       new_key = SecureRandom.bytes(32) # 256-bit key
-      store_key_in_keychain(new_key)
+      write_key_to_file(new_key)
       new_key
     end
 
+    def macos_keychain?
+      RbConfig::CONFIG['host_os'] =~ /darwin/i
+    end
+
     def get_key_from_keychain
       # Use macOS security command to get key from keychain
       cmd = "security find-generic-password -s '#{KEYCHAIN_SERVICE}' -a '#{KEYCHAIN_ACCOUNT}' -w 2>/dev/null"
       result = `#{cmd}`.strip
-      
-      return nil if result.empty? || $?.exitstatus != 0
-      
+
+      return nil if result.empty? || $CHILD_STATUS.exitstatus != 0
+
       # Decode from base64
       Base64.strict_decode64(result)
-    rescue => e
+    rescue StandardError
       nil
     end
 
     def store_key_in_keychain(key)
       # Encode key as base64
       encoded_key = Base64.strict_encode64(key)
-      
+
       # Delete existing key if present
       `security delete-generic-password -s '#{KEYCHAIN_SERVICE}' -a '#{KEYCHAIN_ACCOUNT}' 2>/dev/null`
-      
+
       # Add new key to keychain
       cmd = "security add-generic-password -s '#{KEYCHAIN_SERVICE}' -a '#{KEYCHAIN_ACCOUNT}' -w '#{encoded_key}'"
       system(cmd)
-      
-      $?.exitstatus == 0
-    rescue => e
+
+      $CHILD_STATUS.exitstatus.zero?
+    rescue StandardError => e
       raise ConfigError, "Failed to store encryption key in keychain: #{e.message}"
     end
+
+    def read_key_from_file
+      return nil unless File.exist?(KEY_FILE)
+
+      encoded = File.read(KEY_FILE).strip
+      return nil if encoded.empty?
+
+      Base64.strict_decode64(encoded)
+    rescue StandardError
+      nil
+    end
+
+    def write_key_to_file(key)
+      File.write(KEY_FILE, Base64.strict_encode64(key))
+      File.chmod(0o600, KEY_FILE)
+      true
+    rescue StandardError => e
+      raise ConfigError, "Failed to write encryption key file: #{e.message}"
+    end
+
+    def warn_keychain_unavailable_once
+      return if defined?(@keychain_warning_shown) && @keychain_warning_shown
+
+      @keychain_warning_shown = true
+      return unless $stderr.respond_to?(:tty?) && $stderr.tty?
+
+      warn(<<~MSG)
+        [mysigner] macOS Keychain is unavailable on this platform. Falling
+        back to file-based encryption key at #{KEY_FILE} (mode 0600).
+        For the strongest CI/CD posture, set MYSIGNER_API_TOKEN as an
+        encrypted secret instead — env-var auth never touches the disk.
+      MSG
+    end
   end
 
   class ConfigError < StandardError; end
 end
-