mysigner 0.1.3 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4297e99c0337f28d14aea62d52242a57db707a59a23ad2d2890271c9759c3ac1
-  data.tar.gz: 56078eddbf0b0a103a27378abcaa8de232774e1185c8b410a19ec9c3160b08ab
+  metadata.gz: f363c20471bed89a90cb71ac4b6762cbeb5f05e3a7a015dd1e6b0f9a31186561
+  data.tar.gz: ea0bebacee050e567361bdd3d0803e74520fefe563ccfbc1bd83f857adc5cecf
 SHA512:
-  metadata.gz: 6ff3e8130cba10fa931e4f89d9de87fb4acafa37203d572f709021534b0a2dce6ae7cdcc26608a641e21835e6808671702ae73b6635f84e5787f302b5b8e92df
-  data.tar.gz: e7ffb3d8fe8b00ca4d3fe179a97d95a37982f67789f17048132d2be18c6eb23ef574e1a20783d72173002c9bd9ee063dec3206219af13dea6769f787f293d5cb
+  metadata.gz: c2bdc172b95d45eec70359764baa3b6783ded9ec59798144521ea57c19e09d616d306ef18501428f568dc44204b950c9cde17b34e436f95c9d9f1d821ed3794a
+  data.tar.gz: 87ee8d47ef06e8b8fb2dbb96676a75e233b183702b3012b9a4864445ff7653100c2166504384c18a7220c4f4ff18f041a94dc2c7f417850eadcfab076f1ca2ce

data/.gitignore

@@ -11,3 +11,7 @@
 
 # rspec failure tracking
 .rspec_status
+
+# macOS
+.DS_Store
+**/.DS_Store

data/.rubocop_todo.yml

@@ -1,12 +1,12 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude`
-# on 2026-03-31 15:30:27 UTC using RuboCop version 1.86.0.
+# on 2026-04-24 18:30:19 UTC using RuboCop version 1.86.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 5
+# Offense count: 7
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: Max, AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, AllowRBSInlineAnnotation, AllowCopDirectives, AllowedPatterns, SplitStrings.
 # URISchemes: http, https
@@ -18,7 +18,18 @@ Layout/LineLength:
     - 'mysigner.gemspec'
     - 'spec/cli/ship_appstore_spec.rb'
 
-# Offense count: 44
+# Offense count: 2
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Lint/NonAtomicFileOperation:
+  Exclude:
+    - 'lib/mysigner/cli/resource_commands.rb'
+
+# Offense count: 12
+Lint/UnreachableCode:
+  Exclude:
+    - 'lib/mysigner/cli/resource_commands.rb'
+
+# Offense count: 45
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes, Max.
 Metrics/AbcSize:
   Exclude:
@@ -30,6 +41,7 @@ Metrics/AbcSize:
     - 'lib/mysigner/cli/validate_commands.rb'
     - 'lib/mysigner/signing/validator.rb'
     - 'lib/mysigner/signing/wizard.rb'
+    - 'lib/mysigner/upload/app_store_automation.rb'
     - 'lib/mysigner/upload/app_store_submission.rb'
 
 # Offense count: 11
@@ -37,8 +49,6 @@ Metrics/AbcSize:
 # AllowedMethods: refine
 Metrics/BlockLength:
   Exclude:
-    - 'spec/**/*'
-    - '*.gemspec'
     - 'lib/mysigner/cli/auth_commands.rb'
     - 'lib/mysigner/cli/build_commands.rb'
     - 'lib/mysigner/cli/diagnostic_commands.rb'
@@ -57,7 +67,7 @@ Metrics/ClassLength:
   Exclude:
     - 'lib/mysigner/signing/wizard.rb'
 
-# Offense count: 25
+# Offense count: 26
 # Configuration parameters: AllowedMethods, AllowedPatterns, Max.
 Metrics/CyclomaticComplexity:
   Exclude:
@@ -68,8 +78,9 @@ Metrics/CyclomaticComplexity:
     - 'lib/mysigner/cli/resource_commands.rb'
     - 'lib/mysigner/cli/validate_commands.rb'
     - 'lib/mysigner/signing/wizard.rb'
+    - 'lib/mysigner/upload/app_store_automation.rb'
 
-# Offense count: 43
+# Offense count: 45
 # Configuration parameters: CountComments, Max, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
   Exclude:
@@ -92,14 +103,16 @@ Metrics/ModuleLength:
     - 'lib/mysigner/cli/diagnostic_commands.rb'
     - 'lib/mysigner/cli/resource_commands.rb'
 
-# Offense count: 2
+# Offense count: 5
 # Configuration parameters: Max, CountKeywordArgs, MaxOptionalParameters.
 Metrics/ParameterLists:
   Exclude:
     - 'lib/mysigner/build/executor.rb'
     - 'lib/mysigner/signing/keystore_manager.rb'
+    - 'lib/mysigner/upload/asc_rest_uploader.rb'
+    - 'lib/mysigner/upload/play_store_uploader.rb'
 
-# Offense count: 26
+# Offense count: 27
 # Configuration parameters: AllowedMethods, AllowedPatterns, Max.
 Metrics/PerceivedComplexity:
   Exclude:
@@ -110,3 +123,4 @@ Metrics/PerceivedComplexity:
     - 'lib/mysigner/cli/resource_commands.rb'
     - 'lib/mysigner/cli/validate_commands.rb'
     - 'lib/mysigner/signing/wizard.rb'
+    - 'lib/mysigner/upload/app_store_automation.rb'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    mysigner (0.1.3)
+    mysigner (0.1.5)
       base64 (~> 0.2)
       faraday (~> 2.14)
       faraday-retry (~> 2.2)

data/README.md

@@ -544,7 +544,7 @@ For questions or issues:
 
 ## License
 
-Copyright 2025 Jurgen Leka
+Copyright 2025 MySigner
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

data/exe/mysigner

@@ -3,4 +3,20 @@
 
 require 'mysigner'
 
-Mysigner::CLI.start(ARGV)
+# Normalize `mysigner <cmd> [args…] --help` → `mysigner help <cmd>`. Thor
+# treats extra positional args as a fatal argument-count error, so without
+# this rewrite users who type `mysigner ship testflight --help` see
+# `ERROR: "mysigner ship" was called with arguments ["testflight", "--help"]`
+# instead of the usage docs. Rewriting at the entry point keeps every
+# subcommand's `--help` behaviour predictable.
+def rewrite_help_flag!(argv)
+  return argv unless argv.any? { |a| ['--help', '-h'].include?(a) }
+
+  # Don't touch `help` itself or `--version` / bare `-v` invocations.
+  first = argv.find { |a| !a.start_with?('-') }
+  return argv if first.nil? || first == 'help'
+
+  ['help', first]
+end
+
+Mysigner::CLI.start(rewrite_help_flag!(ARGV))

data/iOS_App_Store_Profile.mobileprovision

@@ -0,0 +1 @@
+Server error

data/iOS_Distribution_Certificate.cer

@@ -0,0 +1 @@
+Server error

data/lib/mysigner/build/android_executor.rb

@@ -91,11 +91,23 @@ module Mysigner
         # Handle framework-specific pre-build steps
         run_pre_build_steps
 
-        # Build command with signing properties
-        cmd = build_gradle_command(task)
+        # Phase 0: inject signing via Gradle init-script + env vars. Passwords
+        # never appear in argv (no -Pandroid.injected.signing.*=PLAINTEXT).
+        injector = nil
+        if @keystore_path && File.exist?(@keystore_path)
+          require 'mysigner/signing/gradle_signing_injector'
+          injector = Mysigner::Signing::GradleSigningInjector.new
+          @signing_init_script_path = injector.write_init_script!
+        end
 
-        # Execute build
-        execute_with_output(cmd)
+        begin
+          # Build command with signing properties referencing the init script
+          cmd = build_gradle_command(task)
+          execute_with_output(cmd)
+        ensure
+          injector&.cleanup!
+          @signing_init_script_path = nil
+        end
       end
 
       def ensure_java_home!
@@ -233,20 +245,34 @@ module Mysigner
           cmd_parts << '&&'
         end
 
+        # Phase 0: export signing env vars inline so they're only visible to
+        # the child process, not in argv. The Gradle init script below reads
+        # MYSIGNER_STORE_FILE / MYSIGNER_STORE_PASSWORD / MYSIGNER_KEY_ALIAS /
+        # MYSIGNER_KEY_PASSWORD and configures signingConfigs.release.
+        if @keystore_path && File.exist?(@keystore_path) && @signing_init_script_path
+          cmd_parts << "export MYSIGNER_STORE_FILE=#{shell_escape(File.absolute_path(@keystore_path))}"
+          cmd_parts << '&&'
+          cmd_parts << "export MYSIGNER_STORE_PASSWORD=#{shell_escape(@keystore_password)}" if @keystore_password
+          cmd_parts << '&&' if @keystore_password
+          cmd_parts << "export MYSIGNER_KEY_ALIAS=#{shell_escape(@key_alias)}" if @key_alias
+          cmd_parts << '&&' if @key_alias
+          cmd_parts << "export MYSIGNER_KEY_PASSWORD=#{shell_escape(@key_password)}" if @key_password
+          cmd_parts << '&&' if @key_password
+        end
+
         # Change to android directory and run gradle
         cmd_parts << "cd #{shell_escape(android_dir)}"
         cmd_parts << '&&'
         cmd_parts << gradle_cmd
-        cmd_parts << task
 
-        # Add signing properties if provided
-        if @keystore_path && File.exist?(@keystore_path)
-          cmd_parts << "-Pandroid.injected.signing.store.file=#{shell_escape(File.absolute_path(@keystore_path))}"
-          cmd_parts << "-Pandroid.injected.signing.store.password=#{shell_escape(@keystore_password)}" if @keystore_password
-          cmd_parts << "-Pandroid.injected.signing.key.alias=#{shell_escape(@key_alias)}" if @key_alias
-          cmd_parts << "-Pandroid.injected.signing.key.password=#{shell_escape(@key_password)}" if @key_password
+        # Reference the init script (contains the signing-config override)
+        if @signing_init_script_path
+          cmd_parts << '--init-script'
+          cmd_parts << shell_escape(@signing_init_script_path)
         end
 
+        cmd_parts << task
+
         # Add version code override if provided (no file modification needed)
         cmd_parts << "-PversionCode=#{@version_code}" if @version_code
 

data/lib/mysigner/build/executor.rb

@@ -46,7 +46,11 @@ module Mysigner
         # Execute build
         success = execute_with_output(cmd)
 
-        raise BuildError, 'Build failed. Check output above for errors.' unless success
+        unless success
+          msg = +'Build failed.'
+          msg << " Full log: #{@last_build_log}" if @last_build_log
+          raise BuildError, msg
+        end
 
         # Verify archive was created
         raise BuildError, "Build reported success but archive not found at: #{archive_path}" unless File.exist?(archive_path)
@@ -129,40 +133,76 @@ module Mysigner
         puts ''
 
         @build_errors = []
-
-        # Run command and capture output in real-time
-        IO.popen(cmd, err: %i[child out]) do |io|
-          io.each_line do |line|
-            # Filter output to show only important messages
-            next if line.strip.empty?
-
-            # Detect error lines (case-insensitive for error:)
-            # Check for various error patterns including curly quotes from Xcode
-            is_error = line.downcase.include?('error:') ||
-                       line.include?('Provisioning profile') ||
-                       line.include?('Code Sign error') ||
-                       line.include?("doesn't support") ||
-                       line.include?("doesn\u2019t support") ||
-                       line.include?('capability')
-
-            is_warning = line.downcase.include?('warning:')
-
-            # Show and capture errors and warnings
-            if is_error || is_warning
-              puts line
-              @build_errors << line if is_error
-            # Show progress markers
-            elsif line.include?('Building') || line.include?('Compiling') ||
-                  line.include?('Linking') || line.include?('Signing') ||
-                  line.include?('Copying')
-              print '.'
+        @last_build_log = log_path_for_run
+
+        # Capture every line so we can replay it on failure. xcodebuild's
+        # `-quiet` plus our keyword filter happily hides framework-loader
+        # errors, license issues, and anything that doesn't say "error:" —
+        # leaving the user with "Build failed" and nothing actionable. The
+        # log file (and tail dump on failure) keeps the full output recoverable.
+        File.open(@last_build_log, 'w') do |log|
+          # Run command and capture output in real-time
+          IO.popen(cmd, err: %i[child out]) do |io|
+            io.each_line do |line|
+              log.write(line)
+
+              # Filter output to show only important messages
+              next if line.strip.empty?
+
+              # Detect error lines (case-insensitive for error:)
+              # Check for various error patterns including curly quotes from Xcode
+              is_error = line.downcase.include?('error:') ||
+                         line.include?('Provisioning profile') ||
+                         line.include?('Code Sign error') ||
+                         line.include?("doesn't support") ||
+                         line.include?("doesn\u2019t support") ||
+                         line.include?('capability')
+
+              is_warning = line.downcase.include?('warning:')
+
+              # Show and capture errors and warnings
+              if is_error || is_warning
+                puts line
+                @build_errors << line if is_error
+              # Show progress markers
+              elsif line.include?('Building') || line.include?('Compiling') ||
+                    line.include?('Linking') || line.include?('Signing') ||
+                    line.include?('Copying')
+                print '.'
+              end
             end
           end
         end
 
         puts '' # New line after dots
 
-        $CHILD_STATUS.success?
+        success = $CHILD_STATUS.success?
+        dump_log_tail(@last_build_log) unless success
+        success
+      end
+
+      def log_path_for_run
+        log_dir = File.join(@project_info[:directory], 'build')
+        FileUtils.mkdir_p(log_dir)
+        File.join(log_dir, 'last-build.log')
+      end
+
+      def dump_log_tail(path, lines: 80)
+        return unless File.exist?(path)
+
+        tail = File.foreach(path).each_with_object([]) do |line, buf|
+          buf << line
+          buf.shift if buf.size > lines
+        end
+        return if tail.empty?
+
+        puts ''
+        puts '─' * 80
+        puts "Build output (last #{tail.size} lines):"
+        puts '─' * 80
+        puts tail.join
+        puts '─' * 80
+        puts "Full log: #{path}"
       end
     end
   end

data/lib/mysigner/build/parser.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'xcodeproj'
-
 module Mysigner
   module Build
     class Parser
@@ -184,6 +182,8 @@ module Mysigner
       end
 
       def open_project
+        require 'xcodeproj'
+
         if @project_info[:type] == :workspace
           # Workspace contains multiple projects
           # Get the main project (not Pods)

data/lib/mysigner/cleanup/private_keys_purger.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+
+module Mysigner
+  module Cleanup
+    class PrivateKeysPurger
+      LEGACY_DIRS = [
+        '~/.private_keys',
+        '~/.appstoreconnect/private_keys'
+      ].freeze
+
+      def marker_path
+        File.expand_path('~/.mysigner/.private_keys_purged')
+      end
+
+      def call
+        return if ENV['MYSIGNER_USE_LEGACY_ASC'] == '1'
+        return if File.exist?(marker_path)
+
+        LEGACY_DIRS.each do |dir|
+          expanded = File.expand_path(dir)
+          Dir.glob(File.join(expanded, 'AuthKey_*.p8')).each do |path|
+            File.delete(path)
+            warn "mysigner: deleted legacy private key #{path}" if ENV['MYSIGNER_VERBOSE'] == '1'
+          rescue Errno::ENOENT
+            # Raced with another process — already gone.
+          rescue Errno::EACCES, Errno::EPERM => e
+            # Owned by another user. Skip this file but keep going so the
+            # marker still gets written — otherwise the purger retries on
+            # every CLI invocation and keeps failing on the same file.
+            warn "mysigner: could not delete #{path} (#{e.class}); skipping" if ENV['MYSIGNER_VERBOSE'] == '1'
+          end
+        end
+
+        FileUtils.mkdir_p(File.dirname(marker_path))
+        FileUtils.touch(marker_path)
+      end
+    end
+  end
+end

data/lib/mysigner/cli/auth_commands.rb

@@ -5,7 +5,7 @@ module Mysigner
     module AuthCommands
       def self.included(base)
         base.class_eval do
-          desc 'version', 'Show CLI version and system information'
+          desc 'version', 'Show version information'
           def version
             say "My Signer CLI v#{Mysigner::VERSION}", :cyan
             say ''
@@ -13,6 +13,9 @@ module Mysigner
             say "Install:     #{File.expand_path('../../..', __dir__)}", :white
             say "Config:      #{Config::CONFIG_FILE}", :white
             say ''
+            say 'Repository:  https://github.com/mysigner-dev/mysigner-cli', :white
+            say 'Issues:      https://github.com/mysigner-dev/mysigner-cli/issues', :white
+            say ''
             say 'Docs:        https://mysigner.dev/docs/commands', :white
             say 'Support:     https://mysigner.dev/landing#contact', :white
           end
@@ -738,10 +741,14 @@ module Mysigner
             end
           end
 
-          desc 'switch', 'Switch between organizations (for multi-org users)'
+          desc 'switch [ORG_ID]', 'Switch between organizations (for multi-org users)'
           long_desc <<~DESC
             Switch to a different organization.
 
+            Interactive (no argument): prompts you with a numbered list.
+            Non-interactive: pass an organization ID directly, e.g.
+                mysigner switch 7
+
             With organization-specific tokens, you'll need a token for each
             organization you want to access. This command will:
             - Show all organizations you're a member of
@@ -753,7 +760,7 @@ module Mysigner
             Note: You need to be the same user in all organizations. Tokens
             from different user accounts will be rejected.
           DESC
-          def switch
+          def switch(target_org_id = nil)
             config = load_config
             client = create_client(config)
 
@@ -815,20 +822,31 @@ module Mysigner
               say 'Legend: ✓ = Has token | ⚠️  = Needs token', :white
               say ''
 
-              # Let user select
-              org_index = ask("Select organization (1-#{organizations_list.length}, or 'q' to cancel):")
-
-              if org_index.downcase == 'q'
-                say 'Cancelled', :yellow
-                return
-              end
-
-              unless org_index.match(/^\d+$/) && org_index.to_i.between?(1, organizations_list.length)
-                error 'Invalid selection'
-                return
-              end
-
-              selected_org = organizations_list[org_index.to_i - 1]
+              # Non-interactive selection via positional arg (`mysigner switch 7`)
+              selected_org = if target_org_id
+                               match = organizations_list.find { |o| o[:id].to_s == target_org_id.to_s }
+                               unless match
+                                 error "Organization #{target_org_id} not found among your memberships"
+                                 say ''
+                                 say "  Available IDs: #{organizations_list.map { |o| o[:id] }.join(', ')}", :yellow
+                                 exit 1
+                               end
+                               match
+                             else
+                               org_index = ask("Select organization (1-#{organizations_list.length}, or 'q' to cancel):")
+
+                               if org_index.downcase == 'q'
+                                 say 'Cancelled', :yellow
+                                 return
+                               end
+
+                               unless org_index.match(/^\d+$/) && org_index.to_i.between?(1, organizations_list.length)
+                                 error 'Invalid selection'
+                                 return
+                               end
+
+                               organizations_list[org_index.to_i - 1]
+                             end
 
               if selected_org[:id] == config.current_organization_id
                 say ''
@@ -941,8 +959,14 @@ module Mysigner
           end
 
           no_commands do
-            # Helper method for yes/no prompts with Enter defaulting to yes
+            # Helper method for yes/no prompts with Enter defaulting to yes.
+            # Defaults to NO when stdin is not a TTY so automation (CI, pipes)
+            # never silently opts-in to mutating operations.
             def yes_with_default?(statement, color = nil)
+              unless $stdin.tty?
+                say "#{statement} [Y/n] (non-interactive: assuming no)", color
+                return false
+              end
               response = ask("#{statement} [Y/n]", color).to_s.strip.downcase
               response.empty? || response == 'y' || response == 'yes'
             end