mysigner 0.1.2 → 0.1.4

data/lib/mysigner/export/exporter.rb

@@ -1,3 +1,6 @@
+# frozen_string_literal: true
+
+require 'English'
 require 'fileutils'
 require 'tmpdir'
 
@@ -9,31 +12,27 @@ module Mysigner
       def initialize(archive_path, output_dir: nil)
         @archive_path = File.expand_path(archive_path)
         @output_dir = output_dir || File.dirname(@archive_path)
-        
+
         validate_archive!
       end
 
       def export!(method: :appstore, team_id: nil, signing_style: 'automatic')
         say_exporting(method)
-        
+
         # Generate export options plist
         options_plist = generate_export_options(method, team_id, signing_style)
-        
+
         begin
           # Run xcodebuild -exportArchive
           success = execute_export(options_plist)
-          
-          unless success
-            raise ExportError, "Export failed. Check output above for errors."
-          end
-          
+
+          raise ExportError, 'Export failed. Check output above for errors.' unless success
+
           # Find the generated .ipa file
           ipa_path = find_ipa_file
-          
-          unless ipa_path
-            raise ExportError, "Export reported success but .ipa file not found in: #{@output_dir}"
-          end
-          
+
+          raise ExportError, "Export reported success but .ipa file not found in: #{@output_dir}" unless ipa_path
+
           ipa_path
         ensure
           # Clean up temp plist
@@ -44,42 +43,40 @@ module Mysigner
       private
 
       def validate_archive!
-        unless File.exist?(@archive_path)
-          raise ExportError, "Archive not found: #{@archive_path}"
-        end
-        
-        unless File.directory?(@archive_path) && @archive_path.end_with?('.xcarchive')
-          raise ExportError, "Invalid archive: #{@archive_path} (must be a .xcarchive directory)"
-        end
+        raise ExportError, "Archive not found: #{@archive_path}" unless File.exist?(@archive_path)
+
+        return if File.directory?(@archive_path) && @archive_path.end_with?('.xcarchive')
+
+        raise ExportError, "Invalid archive: #{@archive_path} (must be a .xcarchive directory)"
       end
 
       def generate_export_options(method, team_id, signing_style)
         require 'plist'
-        
+
         options = {
           'method' => export_method_string(method),
           'uploadBitcode' => false,
           'uploadSymbols' => false,
           'compileBitcode' => false
         }
-        
+
         # Add team ID if provided
         options['teamID'] = team_id if team_id
-        
+
         # Signing style
         if signing_style.to_s.downcase == 'manual'
           options['signingStyle'] = 'manual'
-          # Note: For manual signing, we'd need to specify provisioningProfiles
+          # NOTE: For manual signing, we'd need to specify provisioningProfiles
           # But since the archive was already signed during build, we can often omit this
         else
           options['signingStyle'] = 'automatic'
           options['signingCertificate'] = 'Apple Distribution'
         end
-        
+
         # Create temp plist file
         plist_path = File.join(Dir.tmpdir, "exportOptions-#{Time.now.to_i}.plist")
         File.write(plist_path, options.to_plist)
-        
+
         plist_path
       end
 
@@ -100,7 +97,7 @@ module Mysigner
 
       def execute_export(options_plist)
         FileUtils.mkdir_p(@output_dir)
-        puts ""
+        puts ''
 
         cmd = [
           'xcodebuild',
@@ -111,40 +108,44 @@ module Mysigner
           '-allowProvisioningUpdates' # Allow Xcode to update profiles if needed
         ].join(' ')
 
-        # Run command and capture output
-        IO.popen(cmd, err: [:child, :out]) do |io|
+        # Run command and capture output. xcodebuild output can contain
+        # non-ASCII bytes (smart quotes in Apple error messages, emoji in
+        # file paths) — force UTF-8 + scrub so `.strip` / `.include?` don't
+        # raise Encoding::CompatibilityError under the default US-ASCII
+        # locale (e.g. on CI runners without LANG set).
+        IO.popen(cmd, err: %i[child out]) do |io|
           io.each_line do |line|
+            line = line.force_encoding('UTF-8').scrub
             next if line.strip.empty?
-            
+
             # Show errors and warnings
             if line.include?('error:') || line.include?('warning:')
               puts line
             # Show progress markers
-            elsif line.include?('Exporting') || line.include?('Processing') || 
+            elsif line.include?('Exporting') || line.include?('Processing') ||
                   line.include?('Validating')
               print '.'
             end
           end
         end
 
-        puts "" # New line after dots
-        
-        $?.success?
+        puts '' # New line after dots
+
+        $CHILD_STATUS.success?
       end
 
       def find_ipa_file
         # Look for .ipa files in output directory
         ipa_files = Dir.glob(File.join(@output_dir, '*.ipa'))
-        
+
         # Return the most recently created one
         ipa_files.max_by { |f| File.mtime(f) }
       end
 
       def say_exporting(method)
         puts "📦 Exporting archive for #{method}..."
-        puts ""
+        puts ''
       end
     end
   end
 end
-

data/lib/mysigner/signing/certificate_checker.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'open3'
 require 'time'
 
@@ -42,23 +44,21 @@ module Mysigner
         cmd = 'security find-identity -v -p codesigning'
         stdout, stderr, status = Open3.capture3(cmd)
 
-        unless status.success?
-          raise CheckError, "Failed to query certificates: #{stderr}"
-        end
+        raise CheckError, "Failed to query certificates: #{stderr}" unless status.success?
 
         certificates = []
-        
+
         # Parse output: "  1) HASH \"Certificate Name\""
         stdout.each_line do |line|
           next unless line =~ /\d+\)\s+([A-F0-9]+)\s+"([^"]+)"/
-          
-          hash = $1
-          name = $2
-          
+
+          hash = ::Regexp.last_match(1)
+          name = ::Regexp.last_match(2)
+
           # Get certificate details
           details = get_certificate_details(name)
           next unless details
-          
+
           certificates << {
             hash: hash,
             name: name,
@@ -76,12 +76,10 @@ module Mysigner
       def get_certificate_details(name)
         # Get certificate in PEM format by name
         cmd = "security find-certificate -c \"#{name}\" -p"
-        stdout, stderr, status = Open3.capture3(cmd)
+        stdout, _, status = Open3.capture3(cmd)
 
         # If not found, return nil
-        if !status.success? || stdout.empty?
-          return nil
-        end
+        return nil if !status.success? || stdout.empty?
 
         # Save to temp file and use openssl to read expiry
         require 'tempfile'
@@ -92,12 +90,12 @@ module Mysigner
 
           # Get expiry date using openssl
           cmd = "openssl x509 -in #{temp.path} -noout -enddate"
-          out, err, stat = Open3.capture3(cmd)
+          out, _, stat = Open3.capture3(cmd)
 
           if stat.success? && out =~ /notAfter=(.+)/
-            expiry_str = $1.strip
+            expiry_str = ::Regexp.last_match(1).strip
             expires_at = Time.parse(expiry_str)
-            days_until_expiry = ((expires_at - Time.now) / 86400).to_i
+            days_until_expiry = ((expires_at - Time.now) / 86_400).to_i
 
             return {
               expires_at: expires_at,
@@ -113,11 +111,9 @@ module Mysigner
 
       def extract_team_id(name)
         # Team ID is usually in parentheses at the end
-        if name =~ /\(([A-Z0-9]{10})\)$/
-          $1
-        else
-          nil
-        end
+        return unless name =~ /\(([A-Z0-9]{10})\)$/
+
+        ::Regexp.last_match(1)
       end
 
       def determine_cert_type(name)
@@ -134,7 +130,7 @@ module Mysigner
       end
 
       def determine_status(days_until_expiry)
-        if days_until_expiry < 0
+        if days_until_expiry.negative?
           STATUS_EXPIRED
         elsif days_until_expiry < 30
           STATUS_EXPIRING_SOON
@@ -145,4 +141,3 @@ module Mysigner
     end
   end
 end
-

data/lib/mysigner/signing/gradle_signing_injector.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'tmpdir'
+
+module Mysigner
+  module Signing
+    class GradleSigningInjector
+      # Local variable is `aliasName` (not `keyAlias`) to avoid a Groovy
+      # `with { }` scoping ambiguity: `keyAlias = keyAlias` would resolve the
+      # RHS against the property being set (null at that point), silently
+      # signing with the wrong alias.
+      INIT_SCRIPT = <<~GROOVY
+        allprojects {
+          afterEvaluate { project ->
+            if (!project.hasProperty('android')) return
+            def storePw   = System.getenv('MYSIGNER_STORE_PASSWORD')
+            def keyPw     = System.getenv('MYSIGNER_KEY_PASSWORD')
+            def aliasName = System.getenv('MYSIGNER_KEY_ALIAS')
+            def ksPath    = System.getenv('MYSIGNER_STORE_FILE')
+            if (!storePw || !ksPath) return
+
+            def existing = project.android.signingConfigs.findByName('release')
+            def alreadyConfigured = existing != null && existing.storeFile != null
+            if (alreadyConfigured) {
+              println "MySigner: release signingConfig already set; skipping override."
+              return
+            }
+            project.android.signingConfigs.maybeCreate('release').with {
+              storeFile     = file(ksPath)
+              storePassword = storePw
+              keyAlias      = aliasName
+              keyPassword   = keyPw
+            }
+            project.android.buildTypes.findByName('release')?.signingConfig =
+              project.android.signingConfigs.getByName('release')
+          }
+        }
+      GROOVY
+
+      def initialize
+        @tmpdir = nil
+      end
+
+      def write_init_script!
+        @tmpdir = Dir.mktmpdir('mysigner-signing-')
+        path = File.join(@tmpdir, 'init.gradle')
+        File.write(path, INIT_SCRIPT)
+        path
+      end
+
+      def env_vars(keystore_path:, store_password:, key_password:, key_alias:)
+        {
+          'MYSIGNER_STORE_FILE' => keystore_path,
+          'MYSIGNER_STORE_PASSWORD' => store_password,
+          'MYSIGNER_KEY_PASSWORD' => key_password,
+          'MYSIGNER_KEY_ALIAS' => key_alias
+        }
+      end
+
+      def cleanup!
+        FileUtils.rm_rf(@tmpdir) if @tmpdir && Dir.exist?(@tmpdir)
+        @tmpdir = nil
+      end
+    end
+  end
+end

data/lib/mysigner/signing/keystore_manager.rb

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
+
+require 'English'
 require 'fileutils'
 require 'base64'
+require 'open3'
 
 module Mysigner
   module Signing
@@ -18,11 +22,13 @@ module Mysigner
 
       # List all keystores from API
       # @param android_app_id [Integer, nil] Filter by app ID
-      # @param include_secrets [Boolean] Include passwords in response (only for build operations)
-      def list(android_app_id: nil, include_secrets: false)
+      # @param include_secrets [Boolean] DEPRECATED and silently ignored. Kept
+      #   for signature-compat during the 10.0 transition; will be removed in
+      #   the next release. Passwords are now fetched via #fetch_secrets.
+      def list(android_app_id: nil, include_secrets: nil)
+        _ = include_secrets # intentionally unused — see note above
         params = {}
         params[:android_app_id] = android_app_id if android_app_id
-        params[:include_secrets] = true if include_secrets
 
         response = @client.get(
           "/api/v1/organizations/#{@organization_id}/android_keystores",
@@ -32,33 +38,43 @@ module Mysigner
       end
 
       # Get active keystore for an app (or any active keystore if no app specified)
-      # @param include_secrets [Boolean] Include passwords in response (only for build operations)
-      def active_keystore(android_app_id: nil, include_secrets: false)
-        keystores = list(android_app_id: android_app_id, include_secrets: include_secrets)
+      # @param include_secrets [Boolean] DEPRECATED — see #list.
+      def active_keystore(android_app_id: nil, include_secrets: nil)
+        _ = include_secrets
+        keystores = list(android_app_id: android_app_id)
         keystores.find { |k| k['active'] }
       end
 
+      # Phase 0: narrow audit-logged endpoint that returns the keystore
+      # password + key password + key alias for a single keystore. Replaces
+      # the insecure ?include_secrets=true list flag.
+      # Returns a hash: { 'keystore_password' =>, 'key_password' =>, 'key_alias' => }
+      def fetch_secrets(keystore_id)
+        response = @client.post(
+          "/api/v1/organizations/#{@organization_id}/android_keystores/#{keystore_id}/secrets"
+        )
+        response[:data] || {}
+      end
+
       # Download a keystore from API and save locally
       # Returns: { path: String, password: String, alias: String, key_password: String }
       def download(keystore_id)
         # Get keystore details
         keystores = list
         keystore = keystores.find { |k| k['id'].to_s == keystore_id.to_s }
-        
-        unless keystore
-          raise KeystoreNotFoundError, "Keystore with ID #{keystore_id} not found"
-        end
+
+        raise KeystoreNotFoundError, "Keystore with ID #{keystore_id} not found" unless keystore
 
         # Download the keystore file
         download_url = "/api/v1/organizations/#{@organization_id}/android_keystores/#{keystore_id}/download"
-        
+
         conn = build_download_connection
         response = conn.get(download_url)
-        
+
         unless response.success?
           error_msg = begin
             JSON.parse(response.body)['message']
-          rescue
+          rescue StandardError
             "HTTP #{response.status}"
           end
           raise DownloadError, "Failed to download keystore: #{error_msg}"
@@ -67,9 +83,9 @@ module Mysigner
         # Save to local file
         filename = "#{keystore['name'].gsub(/[^a-zA-Z0-9_.-]/, '_')}.jks"
         local_path = File.join(KEYSTORES_DIR, filename)
-        
+
         File.binwrite(local_path, response.body)
-        File.chmod(0600, local_path)  # Secure permissions
+        File.chmod(0o600, local_path) # Secure permissions
 
         {
           path: local_path,
@@ -79,40 +95,45 @@ module Mysigner
         }
       end
 
-      # Get or download keystore (uses cached version if available)
+      # Get or download keystore (uses cached version if available and fresh).
+      # Phase 0: cache has a TTL (default 24h, override via
+      # MYSIGNER_KEYSTORE_CACHE_HOURS). Stale files are deleted + re-downloaded.
       def get_or_download(keystore_id)
         keystores = list
         keystore = keystores.find { |k| k['id'].to_s == keystore_id.to_s }
-        
-        unless keystore
-          raise KeystoreNotFoundError, "Keystore with ID #{keystore_id} not found"
-        end
 
-        # Check if already cached locally
+        raise KeystoreNotFoundError, "Keystore with ID #{keystore_id} not found" unless keystore
+
         filename = "#{keystore['name'].gsub(/[^a-zA-Z0-9_.-]/, '_')}.jks"
         local_path = File.join(KEYSTORES_DIR, filename)
+        max_age_hours = (ENV['MYSIGNER_KEYSTORE_CACHE_HOURS'] || 24).to_i
 
         if File.exist?(local_path)
-          return {
-            path: local_path,
-            name: keystore['name'],
-            key_alias: keystore['key_alias'],
-            id: keystore['id'],
-            cached: true
-          }
+          age_seconds = Time.now - File.mtime(local_path)
+          if age_seconds < (max_age_hours * 3600)
+            return {
+              path: local_path,
+              name: keystore['name'],
+              key_alias: keystore['key_alias'],
+              id: keystore['id'],
+              cached: true
+            }
+          else
+            # Stale cache — delete and re-download below
+            File.delete(local_path)
+          end
         end
 
-        # Download if not cached
+        # Download if not cached (or stale)
         result = download(keystore_id)
         result[:cached] = false
         result
       end
 
       # Upload a keystore to API
-      def upload(name:, keystore_path:, keystore_password:, key_alias:, key_password: nil, android_app_id: nil, active: true)
-        unless File.exist?(keystore_path)
-          raise KeystoreError, "Keystore file not found: #{keystore_path}"
-        end
+      def upload(name:, keystore_path:, keystore_password:, key_alias:, key_password: nil, android_app_id: nil,
+                 active: true)
+        raise KeystoreError, "Keystore file not found: #{keystore_path}" unless File.exist?(keystore_path)
 
         # Read and encode keystore
         keystore_content = File.binread(keystore_path)
@@ -141,14 +162,18 @@ module Mysigner
       # Delete a keystore
       def delete(keystore_id)
         @client.delete("/api/v1/organizations/#{@organization_id}/android_keystores/#{keystore_id}")
-        
+
         # Also remove local cached file
-        keystores = list rescue []
+        keystores = begin
+          list
+        rescue StandardError
+          []
+        end
         keystore = keystores.find { |k| k['id'].to_s == keystore_id.to_s }
         if keystore
           filename = "#{keystore['name'].gsub(/[^a-zA-Z0-9_.-]/, '_')}.jks"
           local_path = File.join(KEYSTORES_DIR, filename)
-          File.delete(local_path) if File.exist?(local_path)
+          FileUtils.rm_f(local_path)
         end
 
         true
@@ -181,32 +206,32 @@ module Mysigner
         end
       end
 
-      # Get keystore info using keytool
+      # Get keystore info using keytool.
+      # Phase 0: passes the password via a temp env var consumed by
+      # `-storepass:env` so it's never in argv/ps output.
       def keystore_info(keystore_path, password)
         return nil unless File.exist?(keystore_path)
         return nil unless system('which keytool > /dev/null 2>&1')
 
-        output = `keytool -list -v -keystore #{shell_escape(keystore_path)} -storepass #{shell_escape(password)} 2>&1`
-        return nil unless $?.success?
+        env = { 'MYSIGNER_KS_PW' => password.to_s }
+        output, status = Open3.capture2e(
+          env,
+          'keytool', '-list', '-v',
+          '-keystore', keystore_path,
+          '-storepass:env', 'MYSIGNER_KS_PW'
+        )
+        return nil unless status.success?
 
         # Parse output
         info = {}
-        
-        if output =~ /Alias name: (.+)/
-          info[:aliases] = output.scan(/Alias name: (.+)/).flatten
-        end
-        
-        if output =~ /Valid from: .+ until: (.+)/
-          info[:expires] = $1
-        end
-        
-        if output =~ /SHA256: (.+)/
-          info[:sha256] = $1.strip
-        end
-        
-        if output =~ /SHA1: (.+)/
-          info[:sha1] = $1.strip
-        end
+
+        info[:aliases] = output.scan(/Alias name: (.+)/).flatten if output =~ /Alias name: (.+)/
+
+        info[:expires] = ::Regexp.last_match(1) if output =~ /Valid from: .+ until: (.+)/
+
+        info[:sha256] = ::Regexp.last_match(1).strip if output =~ /SHA256: (.+)/
+
+        info[:sha1] = ::Regexp.last_match(1).strip if output =~ /SHA1: (.+)/
 
         info
       end
@@ -215,7 +240,7 @@ module Mysigner
 
       def ensure_keystores_dir
         FileUtils.mkdir_p(KEYSTORES_DIR)
-        File.chmod(0700, KEYSTORES_DIR)  # Secure permissions
+        File.chmod(0o700, KEYSTORES_DIR) # Secure permissions
       end
 
       def build_download_connection
@@ -229,11 +254,6 @@ module Mysigner
           f.adapter Faraday.default_adapter
         end
       end
-
-      def shell_escape(str)
-        return "''" if str.nil? || str.empty?
-        "'" + str.gsub("'", "'\\''") + "'"
-      end
     end
   end
 end