mysigner 0.1.3 → 0.1.4

data/lib/mysigner/config.rb

@@ -8,11 +8,13 @@ require 'openssl'
 require 'base64'
 require 'json'
 require 'securerandom'
+require 'rbconfig'
 
 module Mysigner
   class Config
     CONFIG_DIR = File.expand_path('~/.mysigner').freeze
     CONFIG_FILE = File.join(CONFIG_DIR, 'config.yml').freeze
+    KEY_FILE = File.join(CONFIG_DIR, '.encryption_key').freeze
     KEYCHAIN_SERVICE = 'com.mysigner.cli'
     KEYCHAIN_ACCOUNT = 'config_encryption_key'
 
@@ -160,6 +162,17 @@ module Mysigner
       @organizations = {}
 
       File.delete(CONFIG_FILE) if exists?
+
+      # On non-macOS the encryption key lives in a file fallback. Wipe it on
+      # logout so a fresh login can mint a new key — otherwise the old key
+      # would silently encrypt a new token that nobody else can decrypt.
+      FileUtils.rm_f(KEY_FILE)
+
+      # Phase 0: logout also purges the keystore cache so a shared machine
+      # doesn't leave prior-user keystore blobs on disk.
+      keystores_dir = File.expand_path('~/.mysigner/keystores')
+      FileUtils.rm_rf(keystores_dir)
+
       true
     rescue StandardError => e
       raise ConfigError, "Failed to clear config: #{e.message}"
@@ -304,16 +317,34 @@ module Mysigner
     end
 
     def get_or_create_encryption_key
-      # Try to get key from keychain
-      key = get_key_from_keychain
+      # macOS Keychain is the preferred key store. On Linux/Windows we fall
+      # back to a 0600 file in the config dir so the encrypted YAML token
+      # is still recoverable across CLI invocations. The fallback is roughly
+      # equivalent in security to the config file itself; for the strongest
+      # posture in CI, prefer the MYSIGNER_API_TOKEN env var path.
+      if macos_keychain?
+        key = get_key_from_keychain
+        return key if key
+
+        new_key = SecureRandom.bytes(32) # 256-bit key
+        store_key_in_keychain(new_key)
+        return new_key
+      end
+
+      key = read_key_from_file
       return key if key
 
-      # Generate new key and store in keychain
+      warn_keychain_unavailable_once
+      ensure_config_dir_exists
       new_key = SecureRandom.bytes(32) # 256-bit key
-      store_key_in_keychain(new_key)
+      write_key_to_file(new_key)
       new_key
     end
 
+    def macos_keychain?
+      RbConfig::CONFIG['host_os'] =~ /darwin/i
+    end
+
     def get_key_from_keychain
       # Use macOS security command to get key from keychain
       cmd = "security find-generic-password -s '#{KEYCHAIN_SERVICE}' -a '#{KEYCHAIN_ACCOUNT}' -w 2>/dev/null"
@@ -342,6 +373,39 @@ module Mysigner
     rescue StandardError => e
       raise ConfigError, "Failed to store encryption key in keychain: #{e.message}"
     end
+
+    def read_key_from_file
+      return nil unless File.exist?(KEY_FILE)
+
+      encoded = File.read(KEY_FILE).strip
+      return nil if encoded.empty?
+
+      Base64.strict_decode64(encoded)
+    rescue StandardError
+      nil
+    end
+
+    def write_key_to_file(key)
+      File.write(KEY_FILE, Base64.strict_encode64(key))
+      File.chmod(0o600, KEY_FILE)
+      true
+    rescue StandardError => e
+      raise ConfigError, "Failed to write encryption key file: #{e.message}"
+    end
+
+    def warn_keychain_unavailable_once
+      return if defined?(@keychain_warning_shown) && @keychain_warning_shown
+
+      @keychain_warning_shown = true
+      return unless $stderr.respond_to?(:tty?) && $stderr.tty?
+
+      warn(<<~MSG)
+        [mysigner] macOS Keychain is unavailable on this platform. Falling
+        back to file-based encryption key at #{KEY_FILE} (mode 0600).
+        For the strongest CI/CD posture, set MYSIGNER_API_TOKEN as an
+        encrypted secret instead — env-var auth never touches the disk.
+      MSG
+    end
   end
 
   class ConfigError < StandardError; end

data/lib/mysigner/export/exporter.rb

@@ -108,9 +108,14 @@ module Mysigner
           '-allowProvisioningUpdates' # Allow Xcode to update profiles if needed
         ].join(' ')
 
-        # Run command and capture output
+        # Run command and capture output. xcodebuild output can contain
+        # non-ASCII bytes (smart quotes in Apple error messages, emoji in
+        # file paths) — force UTF-8 + scrub so `.strip` / `.include?` don't
+        # raise Encoding::CompatibilityError under the default US-ASCII
+        # locale (e.g. on CI runners without LANG set).
         IO.popen(cmd, err: %i[child out]) do |io|
           io.each_line do |line|
+            line = line.force_encoding('UTF-8').scrub
             next if line.strip.empty?
 
             # Show errors and warnings

data/lib/mysigner/signing/gradle_signing_injector.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'tmpdir'
+
+module Mysigner
+  module Signing
+    class GradleSigningInjector
+      # Local variable is `aliasName` (not `keyAlias`) to avoid a Groovy
+      # `with { }` scoping ambiguity: `keyAlias = keyAlias` would resolve the
+      # RHS against the property being set (null at that point), silently
+      # signing with the wrong alias.
+      INIT_SCRIPT = <<~GROOVY
+        allprojects {
+          afterEvaluate { project ->
+            if (!project.hasProperty('android')) return
+            def storePw   = System.getenv('MYSIGNER_STORE_PASSWORD')
+            def keyPw     = System.getenv('MYSIGNER_KEY_PASSWORD')
+            def aliasName = System.getenv('MYSIGNER_KEY_ALIAS')
+            def ksPath    = System.getenv('MYSIGNER_STORE_FILE')
+            if (!storePw || !ksPath) return
+
+            def existing = project.android.signingConfigs.findByName('release')
+            def alreadyConfigured = existing != null && existing.storeFile != null
+            if (alreadyConfigured) {
+              println "MySigner: release signingConfig already set; skipping override."
+              return
+            }
+            project.android.signingConfigs.maybeCreate('release').with {
+              storeFile     = file(ksPath)
+              storePassword = storePw
+              keyAlias      = aliasName
+              keyPassword   = keyPw
+            }
+            project.android.buildTypes.findByName('release')?.signingConfig =
+              project.android.signingConfigs.getByName('release')
+          }
+        }
+      GROOVY
+
+      def initialize
+        @tmpdir = nil
+      end
+
+      def write_init_script!
+        @tmpdir = Dir.mktmpdir('mysigner-signing-')
+        path = File.join(@tmpdir, 'init.gradle')
+        File.write(path, INIT_SCRIPT)
+        path
+      end
+
+      def env_vars(keystore_path:, store_password:, key_password:, key_alias:)
+        {
+          'MYSIGNER_STORE_FILE' => keystore_path,
+          'MYSIGNER_STORE_PASSWORD' => store_password,
+          'MYSIGNER_KEY_PASSWORD' => key_password,
+          'MYSIGNER_KEY_ALIAS' => key_alias
+        }
+      end
+
+      def cleanup!
+        FileUtils.rm_rf(@tmpdir) if @tmpdir && Dir.exist?(@tmpdir)
+        @tmpdir = nil
+      end
+    end
+  end
+end

data/lib/mysigner/signing/keystore_manager.rb

@@ -3,6 +3,7 @@
 require 'English'
 require 'fileutils'
 require 'base64'
+require 'open3'
 
 module Mysigner
   module Signing
@@ -21,11 +22,13 @@ module Mysigner
 
       # List all keystores from API
       # @param android_app_id [Integer, nil] Filter by app ID
-      # @param include_secrets [Boolean] Include passwords in response (only for build operations)
-      def list(android_app_id: nil, include_secrets: false)
+      # @param include_secrets [Boolean] DEPRECATED and silently ignored. Kept
+      #   for signature-compat during the 10.0 transition; will be removed in
+      #   the next release. Passwords are now fetched via #fetch_secrets.
+      def list(android_app_id: nil, include_secrets: nil)
+        _ = include_secrets # intentionally unused — see note above
         params = {}
         params[:android_app_id] = android_app_id if android_app_id
-        params[:include_secrets] = true if include_secrets
 
         response = @client.get(
           "/api/v1/organizations/#{@organization_id}/android_keystores",
@@ -35,12 +38,24 @@ module Mysigner
       end
 
       # Get active keystore for an app (or any active keystore if no app specified)
-      # @param include_secrets [Boolean] Include passwords in response (only for build operations)
-      def active_keystore(android_app_id: nil, include_secrets: false)
-        keystores = list(android_app_id: android_app_id, include_secrets: include_secrets)
+      # @param include_secrets [Boolean] DEPRECATED — see #list.
+      def active_keystore(android_app_id: nil, include_secrets: nil)
+        _ = include_secrets
+        keystores = list(android_app_id: android_app_id)
         keystores.find { |k| k['active'] }
       end
 
+      # Phase 0: narrow audit-logged endpoint that returns the keystore
+      # password + key password + key alias for a single keystore. Replaces
+      # the insecure ?include_secrets=true list flag.
+      # Returns a hash: { 'keystore_password' =>, 'key_password' =>, 'key_alias' => }
+      def fetch_secrets(keystore_id)
+        response = @client.post(
+          "/api/v1/organizations/#{@organization_id}/android_keystores/#{keystore_id}/secrets"
+        )
+        response[:data] || {}
+      end
+
       # Download a keystore from API and save locally
       # Returns: { path: String, password: String, alias: String, key_password: String }
       def download(keystore_id)
@@ -80,28 +95,36 @@ module Mysigner
         }
       end
 
-      # Get or download keystore (uses cached version if available)
+      # Get or download keystore (uses cached version if available and fresh).
+      # Phase 0: cache has a TTL (default 24h, override via
+      # MYSIGNER_KEYSTORE_CACHE_HOURS). Stale files are deleted + re-downloaded.
       def get_or_download(keystore_id)
         keystores = list
         keystore = keystores.find { |k| k['id'].to_s == keystore_id.to_s }
 
         raise KeystoreNotFoundError, "Keystore with ID #{keystore_id} not found" unless keystore
 
-        # Check if already cached locally
         filename = "#{keystore['name'].gsub(/[^a-zA-Z0-9_.-]/, '_')}.jks"
         local_path = File.join(KEYSTORES_DIR, filename)
+        max_age_hours = (ENV['MYSIGNER_KEYSTORE_CACHE_HOURS'] || 24).to_i
 
         if File.exist?(local_path)
-          return {
-            path: local_path,
-            name: keystore['name'],
-            key_alias: keystore['key_alias'],
-            id: keystore['id'],
-            cached: true
-          }
+          age_seconds = Time.now - File.mtime(local_path)
+          if age_seconds < (max_age_hours * 3600)
+            return {
+              path: local_path,
+              name: keystore['name'],
+              key_alias: keystore['key_alias'],
+              id: keystore['id'],
+              cached: true
+            }
+          else
+            # Stale cache — delete and re-download below
+            File.delete(local_path)
+          end
         end
 
-        # Download if not cached
+        # Download if not cached (or stale)
         result = download(keystore_id)
         result[:cached] = false
         result
@@ -183,13 +206,21 @@ module Mysigner
         end
       end
 
-      # Get keystore info using keytool
+      # Get keystore info using keytool.
+      # Phase 0: passes the password via a temp env var consumed by
+      # `-storepass:env` so it's never in argv/ps output.
       def keystore_info(keystore_path, password)
         return nil unless File.exist?(keystore_path)
         return nil unless system('which keytool > /dev/null 2>&1')
 
-        output = `keytool -list -v -keystore #{shell_escape(keystore_path)} -storepass #{shell_escape(password)} 2>&1`
-        return nil unless $CHILD_STATUS.success?
+        env = { 'MYSIGNER_KS_PW' => password.to_s }
+        output, status = Open3.capture2e(
+          env,
+          'keytool', '-list', '-v',
+          '-keystore', keystore_path,
+          '-storepass:env', 'MYSIGNER_KS_PW'
+        )
+        return nil unless status.success?
 
         # Parse output
         info = {}
@@ -223,12 +254,6 @@ module Mysigner
           f.adapter Faraday.default_adapter
         end
       end
-
-      def shell_escape(str)
-        return "''" if str.nil? || str.empty?
-
-        "'#{str.gsub("'", "'\\''")}'"
-      end
     end
   end
 end

data/lib/mysigner/upload/app_store_automation.rb

@@ -13,6 +13,9 @@ module Mysigner
       def initialize(client:, organization_id:, opts: {})
         @client = client
         @organization_id = organization_id
+        # Proper boolean coercion — `!x.nil?` evaluates to `true` for `false`,
+        # which previously caused `wait: false` / `no_submit: false` to be
+        # treated as `true`. Use `!!` to get the actual boolean semantics.
         @wait_enabled = opts.key?(:wait) ? !opts[:wait].nil? : true
 
         poll = opts[:poll_interval] || opts[:poll_seconds]
@@ -24,6 +27,13 @@ module Mysigner
         @timeout = timeout&.positive? ? timeout : DEFAULT_WAIT_TIMEOUT
 
         @no_submit = !opts[:no_submit].nil?
+
+        # Whether to submit by default when NEITHER cli_defaults nor CLI
+        # overrides specify `auto_submit`. `ship`/`submit` pass true (it's
+        # the user's explicit intent). Dashboard `cli_defaults.auto_submit`
+        # still wins if set — we only fall back to this when silent.
+        @default_submit = opts.key?(:default_submit) ? !opts[:default_submit].nil? : false
+
         @now = opts[:now]
       end
 
@@ -317,6 +327,11 @@ module Mysigner
       def should_submit_with_reason(metadata, overrides)
         return [false, nil, '--no-auto-submit flag'] if @no_submit
 
+        # Precedence: explicit CLI flag > dashboard cli_defaults > command default.
+        # The command default is set by `ship appstore` / `submit` (true),
+        # preserving backward-compat when the user runs those commands without
+        # configuring anything. Dashboard `auto_submit: false` now correctly
+        # suppresses submission (previously hard-overridden at the call site).
         if overrides.key?('auto_submit')
           return overrides['auto_submit'] ? [true, 'CLI override',
                                              nil] : [false, nil, 'CLI override disabled auto_submit']
@@ -327,6 +342,8 @@ module Mysigner
                                             nil] : [false, nil, 'Dashboard auto_submit disabled']
         end
 
+        return [true, 'command default', nil] if @default_submit
+
         [false, nil, 'No auto_submit configuration']
       end
 
@@ -353,14 +370,42 @@ module Mysigner
                 "Cannot submit to Apple Store: missing required fields: #{missing_fields.join(', ')}. Please configure these in your My Signer dashboard or provide via --whats-new flag."
         end
 
+        # Primary-locale fields (backward-compatible path): backend will
+        # upsert a single localization for the app's primary locale when
+        # these top-level keys are present.
         payload = {
           whats_new: merged['whats_new'],
           keywords: merged['keywords'],
           marketing_url: merged['marketing_url'],
           promotional_text: merged['promotional_text'],
           support_url: merged['support_url'],
+          description: merged['description'],
           locale: merged['locale']
-        }.compact # Remove nil values
+        }.compact
+
+        # Multi-locale path: if cli_defaults includes a `localizations` array,
+        # forward it so the backend can PATCH/POST each locale on ASC
+        # (appStoreVersionLocalizations) instead of only the primary.
+        if merged['localizations'].is_a?(Array) && merged['localizations'].any?
+          payload[:localizations] = merged['localizations'].map do |loc|
+            next nil unless loc.is_a?(Hash)
+
+            {
+              locale: loc['locale'] || loc[:locale],
+              whats_new: loc['whats_new'] || loc[:whats_new],
+              keywords: loc['keywords'] || loc[:keywords],
+              marketing_url: loc['marketing_url'] || loc[:marketing_url],
+              promotional_text: loc['promotional_text'] || loc[:promotional_text],
+              support_url: loc['support_url'] || loc[:support_url],
+              description: loc['description'] || loc[:description]
+            }.compact
+          end.compact
+        end
+
+        # Phased release: backend flips @version.phased_release_pending and
+        # enqueues PhasedReleaseActivationJob, which POSTs
+        # appStoreVersionPhasedReleases after Apple approves the submission.
+        payload[:phased_release] = true if merged['phased_release']
 
         @client.post(
           "/api/v1/organizations/#{@organization_id}/app_store_versions/#{version_id}/submit",

data/lib/mysigner/upload/asc_rest_uploader.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'digest'
+require 'faraday'
+require 'uri'
+
+module Mysigner
+  module Upload
+    class AscRestUploader
+      # Raised when Apple rejects the /v1/buildUploads POST with a 409
+      # (duplicate CFBundleVersion). Callers should translate this into a
+      # "bump your build number" hint rather than a generic "Unexpected error".
+      class BuildVersionConflictError < StandardError; end
+
+      TERMINAL_APPLE_STATES = %w[COMPLETE FAILED INVALIDATED].freeze
+      POLL_INTERVAL = 10
+      POLL_TIMEOUT  = 600
+      CHUNK_RETRIES = 2
+
+      def initialize(client:, organization_id:, ipa_path:, apple_app_id:,
+                     cf_bundle_version:, cf_bundle_short_version_string:,
+                     platform: 'IOS', poll_interval: POLL_INTERVAL, poll_timeout: POLL_TIMEOUT)
+        @client = client
+        @org_id = organization_id
+        @ipa_path = ipa_path
+        @apple_app_id = apple_app_id
+        @cf_bundle_version = cf_bundle_version
+        @cf_bundle_short_version_string = cf_bundle_short_version_string
+        @platform = platform
+        @poll_interval = poll_interval
+        @poll_timeout = poll_timeout
+      end
+
+      def call
+        begin
+          resp = @client.post(
+            "/api/v1/organizations/#{@org_id}/builds/asc_upload",
+            body: {
+              apple_app_id: @apple_app_id,
+              cf_bundle_version: @cf_bundle_version,
+              cf_bundle_short_version_string: @cf_bundle_short_version_string,
+              platform: @platform,
+              file_name: File.basename(@ipa_path),
+              file_size: File.size(@ipa_path)
+            }
+          )
+        rescue StandardError => e
+          # Apple returns 409 from /v1/buildUploads when a build with the
+          # same CFBundleVersion already exists for this app. Surface a
+          # useful message instead of letting the caller print the raw
+          # "ASC /v1/buildUploads returned 409" string.
+          if e.message =~ /\b(409|buildUploads returned 409|duplicate)/i
+            raise BuildVersionConflictError,
+                  "Apple refused the upload: build #{@cf_bundle_version} already exists for this app (CFBundleVersion must be unique). " \
+                  'Bump CFBundleVersion in your Xcode project and re-archive, then retry.'
+          end
+          raise
+        end
+        data = resp[:data]
+        build_upload_id = data['build_upload_id']
+        ops             = data['upload_operations']
+
+        File.open(@ipa_path, 'rb') do |f|
+          ops.each { |op| put_chunk_with_retry(f, op) }
+        end
+
+        md5 = Digest::MD5.file(@ipa_path).hexdigest
+        sha = Digest::SHA256.file(@ipa_path).hexdigest
+
+        @client.patch(
+          "/api/v1/organizations/#{@org_id}/builds/asc_upload/#{build_upload_id}",
+          body: { uploaded: true, source_file_checksums: { md5: md5, sha256: sha } }
+        )
+
+        final = poll_until_terminal(build_upload_id)
+        { build_upload_id: build_upload_id, final_state: final }
+      end
+
+      private
+
+      def put_chunk_with_retry(file, operation)
+        # Defense-in-depth: Apple's signed URLs are always https. If the
+        # server ever returns an http:// URL, refuse to PUT the chunk — that
+        # would leak the .ipa bytes (and auth headers) in clear text.
+        scheme = URI.parse(operation['url'].to_s).scheme
+        raise "refusing non-https upload URL (scheme=#{scheme.inspect})" unless scheme == 'https'
+
+        file.seek(operation['offset'])
+        bytes = file.read(operation['length'])
+        attempts = 0
+        begin
+          conn = Faraday.new { |f| f.adapter Faraday.default_adapter }
+          resp = conn.public_send(operation['method'].downcase) do |req|
+            req.url operation['url']
+            (operation['requestHeaders'] || []).each { |h| req.headers[h['name']] = h['value'] }
+            req.body = bytes
+          end
+          raise "chunk PUT failed #{resp.status}" unless resp.status.between?(200, 299)
+        rescue StandardError
+          attempts += 1
+          retry if attempts <= CHUNK_RETRIES
+          raise
+        end
+      end
+
+      def poll_until_terminal(build_upload_id)
+        deadline = Time.now + @poll_timeout
+        loop do
+          resp = @client.get("/api/v1/organizations/#{@org_id}/builds/asc_upload/#{build_upload_id}")
+          state = resp[:data]['apple_state']
+          return state if TERMINAL_APPLE_STATES.include?(state)
+          return 'TIMEOUT' if Time.now > deadline
+
+          sleep @poll_interval
+        end
+      end
+    end
+  end
+end