mysigner 0.1.2 → 0.1.4

data/lib/mysigner/upload/uploader.rb

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
+
+require 'English'
 require 'fileutils'
 require 'json'
+require 'tmpdir'
 
 module Mysigner
   module Upload
@@ -11,15 +15,39 @@ module Mysigner
       TRANSPORTER_PATHS = [
         '/Applications/Xcode.app/Contents/Developer/usr/bin/iTMSTransporter', # Bundled with Xcode (primary)
         '/Applications/Transporter.app/Contents/itms/bin/iTMSTransporter',    # Standalone Transporter app
-        '/usr/local/itms/bin/iTMSTransporter'                                  # Custom installation
+        '/usr/local/itms/bin/iTMSTransporter' # Custom installation
       ].freeze
 
+      # Parses CFBundleVersion + CFBundleShortVersionString from an .ipa
+      # (reads Info.plist from the Payload/*.app/ inside the zip).
+      # Used by the new ASC REST upload flow in build_commands.rb.
+      def self.extract_ipa_info(ipa_path)
+        require 'open3'
+        result = { cf_bundle_version: nil, cf_bundle_short_version_string: nil, bundle_id: nil }
+        Dir.mktmpdir('mysigner-ipa-inspect-') do |tmp|
+          plist_path = File.join(tmp, 'Info.plist')
+          zip_out, status = Open3.capture2e('unzip', '-p', ipa_path, 'Payload/*.app/Info.plist')
+          return result unless status.success? && !zip_out.empty?
+
+          File.binwrite(plist_path, zip_out)
+          xml_out, xml_status = Open3.capture2e('plutil', '-convert', 'xml1', '-o', '-', plist_path)
+          return result unless xml_status.success?
+
+          result[:cf_bundle_version] = xml_out[%r{<key>CFBundleVersion</key>\s*<string>([^<]+)</string>}, 1]
+          result[:cf_bundle_short_version_string] = xml_out[%r{<key>CFBundleShortVersionString</key>\s*<string>([^<]+)</string>}, 1]
+          result[:bundle_id] = xml_out[%r{<key>CFBundleIdentifier</key>\s*<string>([^<]+)</string>}, 1]
+        end
+        result
+      rescue StandardError
+        { cf_bundle_version: nil, cf_bundle_short_version_string: nil, bundle_id: nil }
+      end
+
       def initialize(ipa_path, api_key:, api_issuer:, private_key:)
         @ipa_path = File.expand_path(ipa_path)
         @api_key = api_key
         @api_issuer = api_issuer
         @private_key = private_key
-        
+
         validate_ipa!
         detect_transporter!
         setup_private_key!
@@ -27,94 +55,90 @@ module Mysigner
 
       def upload!(wait_for_processing: false)
         say_uploading
-        
+
         begin
           # Validate IPA first
           validate_result = validate_ipa
-          unless validate_result[:success]
-            raise UploadError, "IPA validation failed: #{validate_result[:error]}"
-          end
-          
+          raise UploadError, "IPA validation failed: #{validate_result[:error]}" unless validate_result[:success]
+
           # Upload to App Store Connect
           upload_result = upload_ipa
-          unless upload_result[:success]
-            raise UploadError, "Upload failed: #{upload_result[:error]}"
-          end
-          
+          raise UploadError, "Upload failed: #{upload_result[:error]}" unless upload_result[:success]
+
           say_success
-          
+
           # Optionally wait for processing
           if wait_for_processing
             say_waiting_for_processing
-            # Note: Build processing status is polled via the dashboard's sync API
+            # NOTE: Build processing status is polled via the dashboard's sync API
             # in build_commands.rb, not directly here. This flag is reserved for
             # future use or manual uploads outside the `ship` command flow.
           end
-          
+
           {
             success: true,
-            message: "Upload completed successfully"
+            message: 'Upload completed successfully'
           }
-        rescue => e
+        rescue StandardError => e
           raise UploadError, "Upload failed: #{e.message}"
+        ensure
+          cleanup_private_key!
         end
       end
 
       private
 
       def validate_ipa!
-        unless File.exist?(@ipa_path)
-          raise UploadError, "IPA file not found: #{@ipa_path}"
-        end
-        
-        unless @ipa_path.end_with?('.ipa')
-          raise UploadError, "Invalid file type: #{@ipa_path} (must be .ipa)"
-        end
-        
+        raise UploadError, "IPA file not found: #{@ipa_path}" unless File.exist?(@ipa_path)
+
+        raise UploadError, "Invalid file type: #{@ipa_path} (must be .ipa)" unless @ipa_path.end_with?('.ipa')
+
         # Check file size (should be at least 10KB to catch truly corrupt files)
         file_size = File.size(@ipa_path)
-        if file_size < 10_000
-          raise UploadError, "IPA file seems too small: #{file_size} bytes (possible corruption)"
-        end
+        return unless file_size < 10_000
+
+        raise UploadError, "IPA file seems too small: #{file_size} bytes (possible corruption)"
       end
 
       def detect_transporter!
         # We primarily use xcrun altool, but check for iTMSTransporter as fallback
         @transporter_path = TRANSPORTER_PATHS.find { |path| File.exist?(path) }
-        
+
         # Even if iTMSTransporter is not found, xcrun altool should work
         # This is just for informational purposes
         @using_altool = true
       end
 
       def setup_private_key!
-        # iTMSTransporter looks for .p8 files in these locations:
-        # - ./private_keys/AuthKey_<KEY_ID>.p8
-        # - ~/private_keys/AuthKey_<KEY_ID>.p8
-        # - ~/.private_keys/AuthKey_<KEY_ID>.p8  
-        # - ~/.appstoreconnect/private_keys/AuthKey_<KEY_ID>.p8
-        
-        @private_keys_dir = File.expand_path("~/.private_keys")
-        FileUtils.mkdir_p(@private_keys_dir)
-        
+        # Phase 0: write the .p8 to a per-run tempdir (0600) and point altool
+        # there via API_PRIVATE_KEYS_DIR. #cleanup_private_key! in the upload!
+        # ensure block removes the tempdir, so the key never persists across
+        # invocations. Replaces the old ~/.private_keys/ persistent write.
+        @private_keys_dir = Dir.mktmpdir('mysigner-p8-')
         @private_key_path = File.join(@private_keys_dir, "AuthKey_#{@api_key}.p8")
-        
-        # Write the private key to disk
         File.write(@private_key_path, @private_key)
-        File.chmod(0600, @private_key_path) # Secure permissions
+        File.chmod(0o600, @private_key_path)
+        ENV['API_PRIVATE_KEYS_DIR'] = @private_keys_dir
+      end
+
+      def cleanup_private_key!
+        FileUtils.rm_rf(@private_keys_dir) if @private_keys_dir && Dir.exist?(@private_keys_dir)
+        ENV.delete('API_PRIVATE_KEYS_DIR')
+      rescue StandardError
+        # Best-effort cleanup; never raise from ensure.
       end
 
       def validate_ipa
-        puts "📋 Validating IPA..."
-        puts ""
-        
+        puts '📋 Validating IPA...'
+        puts ''
+
         # Try altool first (simpler, works today)
         if altool_available?
           validate_with_altool
         elsif @transporter_path
           validate_with_transporter
         else
-          puts "⚠️  Skipping validation (no tools available)"
+          puts '⚠️  Skipping validation (no tools available)'
           { success: true } # Continue anyway
         end
       end
@@ -128,12 +152,12 @@ module Mysigner
           '--apiKey', @api_key,
           '--apiIssuer', @api_issuer
         ].join(' ')
-        
+
         output = `#{cmd} 2>&1`
-        success = $?.success?
-        
+        success = $CHILD_STATUS.success?
+
         if success
-          puts "✓ Validation passed (altool)"
+          puts '✓ Validation passed (altool)'
           { success: true }
         else
           error_message = extract_error_from_output(output)
@@ -151,14 +175,14 @@ module Mysigner
           '-f', @ipa_path,
           '-apiKey', @api_key,
           '-apiIssuer', @api_issuer,
-          '-t', 'Signiant'  # Transport mode
+          '-t', 'Signiant' # Transport mode
         ].join(' ')
-        
+
         output = `#{cmd} 2>&1`
-        success = $?.success?
-        
+        success = $CHILD_STATUS.success?
+
         if success
-          puts "✓ Validation passed (iTMSTransporter)"
+          puts '✓ Validation passed (iTMSTransporter)'
           { success: true }
         else
           error_message = extract_error_from_output(output)
@@ -168,24 +192,24 @@ module Mysigner
       end
 
       def upload_ipa
-        puts ""
-        puts "☁️  Uploading to App Store Connect..."
-        puts ""
-        
+        puts ''
+        puts '☁️  Uploading to App Store Connect...'
+        puts ''
+
         # Try altool first, fall back to iTMSTransporter
         if altool_available?
           upload_with_altool
         elsif @transporter_path
           upload_with_transporter
         else
-          raise UploadError, "No upload tool available. Please ensure Xcode is installed."
+          raise UploadError, 'No upload tool available. Please ensure Xcode is installed.'
         end
       end
 
       def upload_with_altool
-        puts "Using: xcrun altool"
-        puts ""
-        
+        puts 'Using: xcrun altool'
+        puts ''
+
         cmd = [
           'xcrun', 'altool',
           '--upload-app',
@@ -194,40 +218,38 @@ module Mysigner
           '--apiKey', @api_key,
           '--apiIssuer', @api_issuer
         ].join(' ')
-        
+
         # Capture full output for error detection
         output = []
         has_errors = false
-        
+
         # Run with live output
-        IO.popen(cmd, err: [:child, :out]) do |io|
+        IO.popen(cmd, err: %i[child out]) do |io|
           io.each_line do |line|
             output << line
             next if line.strip.empty?
-            
+
             # Detect errors
-            if line.include?('ERROR') || line.include?('UPLOAD FAILED')
-              has_errors = true
-            end
-            
+            has_errors = true if line.include?('ERROR') || line.include?('UPLOAD FAILED')
+
             # Show progress indicators
-            if line.include?('Uploading') || line.include?('Processing') || 
+            if line.include?('Uploading') || line.include?('Processing') ||
                line.include?('Verifying') || line.include?('Package')
               print '.'
             elsif line.include?('error') || line.include?('ERROR')
-              puts ""
+              puts ''
               puts line
             elsif line.include?('SUCCESS') || line.include?('No errors')
-              puts ""
+              puts ''
               puts line
             end
           end
         end
-        
-        puts "" # New line after progress dots
-        
+
+        puts '' # New line after progress dots
+
         # Check both exit code and output for errors
-        if $?.success? && !has_errors
+        if $CHILD_STATUS.success? && !has_errors
           { success: true }
         else
           error_msg = extract_error_from_output(output.join("\n"))
@@ -236,9 +258,9 @@ module Mysigner
       end
 
       def upload_with_transporter
-        puts "Using: iTMSTransporter (future-proof)"
-        puts ""
-        
+        puts 'Using: iTMSTransporter (future-proof)'
+        puts ''
+
         # iTMSTransporter upload mode
         # According to https://help.apple.com/itc/transporteruserguide/en.lproj/static.html
         cmd = [
@@ -247,34 +269,34 @@ module Mysigner
           '-f', @ipa_path,
           '-apiKey', @api_key,
           '-apiIssuer', @api_issuer,
-          '-t', 'Signiant'  # Transport mode (can also use 'Aspera' or 'DAV')
+          '-t', 'Signiant' # Transport mode (can also use 'Aspera' or 'DAV')
         ].join(' ')
-        
+
         # Capture output
         output = []
-        
-        IO.popen(cmd, err: [:child, :out]) do |io|
+
+        IO.popen(cmd, err: %i[child out]) do |io|
           io.each_line do |line|
             output << line
             next if line.strip.empty?
-            
+
             # Show progress
-            if line.include?('Uploading') || line.include?('Processing') || 
+            if line.include?('Uploading') || line.include?('Processing') ||
                line.include?('Verifying')
               print '.'
             elsif line.include?('ERROR')
-              puts ""
+              puts ''
               puts line
             elsif line.include?('SUCCESS')
-              puts ""
+              puts ''
               puts line
             end
           end
         end
-        
-        puts ""
-        
-        if $?.success?
+
+        puts ''
+
+        if $CHILD_STATUS.success?
           { success: true }
         else
           error_msg = extract_error_from_output(output.join("\n"))
@@ -292,13 +314,13 @@ module Mysigner
         error_lines = output.lines.select do |l|
           l.include?('ERROR') || l.include?('error') || l.include?('Invalid')
         end
-        
+
         if error_lines.any?
           # Clean up and join error messages
           cleaned_errors = error_lines.map(&:strip)
-                    .reject { |l| l.empty? || l.start_with?('code :') || l.start_with?('iris-code') }
-                    .join("\n")
-          
+                                      .reject { |l| l.empty? || l.start_with?('code :') || l.start_with?('iris-code') }
+                                      .join("\n")
+
           # Add helpful context for common errors
           if output.include?('Cannot determine the Apple ID from Bundle ID')
             cleaned_errors += "\n\n💡 This usually means:\n"
@@ -318,44 +340,44 @@ module Mysigner
             cleaned_errors += "   3. Add icon images for all required sizes\n"
             cleaned_errors += "   4. Or use a tool like https://appicon.co to generate all sizes\n"
           end
-          
+
           cleaned_errors
         else
-          "Unknown error"
+          'Unknown error'
         end
       end
 
       def say_uploading
-        puts "☁️  Uploading to TestFlight..."
-        puts ""
+        puts '☁️  Uploading to TestFlight...'
+        puts ''
         puts "IPA:        #{File.basename(@ipa_path)}"
         puts "Size:       #{format_bytes(File.size(@ipa_path))}"
-        
+
         # Show which tool will be used
         if altool_available?
-          puts "Tool:       xcrun altool"
+          puts 'Tool:       xcrun altool'
         elsif @transporter_path
-          puts "Tool:       iTMSTransporter (future-proof)"
+          puts 'Tool:       iTMSTransporter (future-proof)'
         else
-          puts "Tool:       Auto-detect"
+          puts 'Tool:       Auto-detect'
         end
-        puts ""
+        puts ''
       end
 
       def say_success
-        puts ""
-        puts "=" * 80
-        puts "✓ Upload succeeded!"
-        puts "=" * 80
-        puts ""
-        puts "🎉 Your build is now processing in App Store Connect"
-        puts ""
+        puts ''
+        puts '=' * 80
+        puts '✓ Upload succeeded!'
+        puts '=' * 80
+        puts ''
+        puts '🎉 Your build is now processing in App Store Connect'
+        puts ''
       end
 
       def say_waiting_for_processing
-        puts "⏳ Waiting for App Store Connect to process the build..."
-        puts "This may take 5-15 minutes..."
-        puts ""
+        puts '⏳ Waiting for App Store Connect to process the build...'
+        puts 'This may take 5-15 minutes...'
+        puts ''
       end
 
       def format_bytes(bytes)
@@ -370,4 +392,3 @@ module Mysigner
     end
   end
 end
-

data/lib/mysigner/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Mysigner
-  VERSION = "0.1.2"
+  VERSION = '0.1.4'
 end

data/lib/mysigner.rb

@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 module Mysigner
   class Error < StandardError; end
 end
 
-require "mysigner/version"
-require "mysigner/config"
-require "mysigner/client"
-require "mysigner/build/detector"
-require "mysigner/build/parser"
-require "mysigner/build/configurator"
-require "mysigner/build/executor"
-require "mysigner/signing/validator"
-require "mysigner/export/exporter"
-require "mysigner/upload/uploader"
-require "mysigner/cli"
+require 'mysigner/version'
+require 'mysigner/config'
+require 'mysigner/client'
+require 'mysigner/build/detector'
+require 'mysigner/build/parser'
+require 'mysigner/build/configurator'
+require 'mysigner/build/executor'
+require 'mysigner/signing/validator'
+require 'mysigner/export/exporter'
+require 'mysigner/upload/uploader'
+require 'mysigner/cli'

data/mysigner.gemspec

@@ -1,32 +1,34 @@
+# frozen_string_literal: true
 
-lib = File.expand_path("../lib", __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "mysigner/version"
+require 'mysigner/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "mysigner"
+  spec.name          = 'mysigner'
   spec.version       = Mysigner::VERSION
-  spec.authors       = ["Jurgen Leka"]
-  spec.email         = ["lekacoding@gmail.com"]
+  spec.authors       = ['Jurgen Leka']
+  spec.email         = ['lekacoding@gmail.com']
 
-  spec.summary       = %q{CLI tool for iOS and Android code signing automation via My Signer API}
-  spec.description   = %q{Command-line interface for managing iOS certificates, devices, provisioning profiles, and Android keystores. Build, sign, and upload to App Store Connect and Google Play with simple commands like 'mysigner ship testflight' and 'mysigner ship internal --platform android'.}
-  spec.homepage      = "https://mysigner.dev"
-  spec.license       = "Apache-2.0"
+  spec.summary       = 'CLI tool for iOS and Android code signing automation via My Signer API'
+  spec.description   = "Command-line interface for managing iOS certificates, devices, provisioning profiles, and Android keystores. Build, sign, and upload to App Store Connect and Google Play with simple commands like 'mysigner ship testflight' and 'mysigner ship internal --platform android'."
+  spec.homepage      = 'https://mysigner.dev'
+  spec.license       = 'Apache-2.0'
 
-  spec.required_ruby_version = ">= 3.2.0"
+  spec.required_ruby_version = '>= 3.2.0'
 
   # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
   # to allow pushing to a single host or delete this section to allow pushing to any host.
   if spec.respond_to?(:metadata)
-    spec.metadata["allowed_push_host"] = "https://rubygems.org"
+    spec.metadata['allowed_push_host'] = 'https://rubygems.org'
 
-    spec.metadata["homepage_uri"] = spec.homepage
-    spec.metadata["changelog_uri"] = "https://mysigner.dev/docs/changelog"
-    spec.metadata["documentation_uri"] = "https://mysigner.dev/docs/commands"
+    spec.metadata['homepage_uri'] = spec.homepage
+    spec.metadata['changelog_uri'] = 'https://mysigner.dev/docs/changelog'
+    spec.metadata['documentation_uri'] = 'https://mysigner.dev/docs/commands'
+    spec.metadata['rubygems_mfa_required'] = 'true'
   else
-    raise "RubyGems 2.0 or newer is required to protect against " \
-      "public gem pushes."
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+          'public gem pushes.'
   end
 
   spec.post_install_message = <<~MSG
@@ -50,29 +52,30 @@ Gem::Specification.new do |spec|
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  spec.bindir        = "exe"
+  spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
   # Runtime dependencies
-  spec.add_runtime_dependency "thor", "~> 1.4"
-  spec.add_runtime_dependency "faraday", "~> 2.14"
-  spec.add_runtime_dependency "faraday-retry", "~> 2.2"
-  spec.add_runtime_dependency "reline", "~> 0.5"
-  spec.add_runtime_dependency "base64", "~> 0.2"
-  spec.add_runtime_dependency "xcodeproj", "~> 1.27"
-  spec.add_runtime_dependency "plist", "~> 3.7"
-  
+  spec.add_dependency 'base64', '~> 0.2'
+  spec.add_dependency 'faraday', '~> 2.14'
+  spec.add_dependency 'faraday-retry', '~> 2.2'
+  spec.add_dependency 'plist', '~> 3.7'
+  spec.add_dependency 'reline', '~> 0.5'
+  spec.add_dependency 'thor', '~> 1.4'
+  spec.add_dependency 'xcodeproj', '~> 1.27'
+
   # Android/Google Play dependencies
-  spec.add_runtime_dependency "google-apis-androidpublisher_v3", "~> 0.54"
-  spec.add_runtime_dependency "googleauth", "~> 1.11"
+  spec.add_dependency 'google-apis-androidpublisher_v3', '~> 0.54'
+  spec.add_dependency 'googleauth', '~> 1.11'
 
   # Development dependencies
-  spec.add_development_dependency "bundler", "~> 2.5"
-  spec.add_development_dependency "rake", "~> 13.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency "webmock", "~> 3.24"
+  spec.add_development_dependency 'bundler', '~> 2.5'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop', '~> 1.79'
+  spec.add_development_dependency 'webmock', '~> 3.24'
 end