mysigner 0.3.4 → 0.3.7

data/lib/mysigner/client.rb

@@ -3,11 +3,45 @@
 require 'faraday'
 require 'faraday/retry'
 require 'json'
+require 'uri'
 
 module Mysigner
   class Client
     attr_reader :api_url, :api_token, :user_email
 
+    # Hosts for which plain http is acceptable (local development). The org
+    # API token must NEVER be sent in cleartext to anything else.
+    LOOPBACK_HOSTS = %w[localhost 127.0.0.1 0.0.0.0 ::1].freeze
+
+    # Refuse to attach the API token to an insecure endpoint. api_url comes
+    # from ~/.mysigner/config.yml or MYSIGNER_API_URL, so without this a
+    # poisoned config/env (or a bare-host URL the normalizer once downgraded
+    # to http://) would ship the Bearer token to an attacker-chosen host in
+    # cleartext. https is always allowed; http only for a loopback dev host.
+    def self.assert_secure_api_url!(url)
+      # A blank/nil URL means "not configured" — let the existing not-logged-in
+      # paths handle that rather than reporting a confusing "insecure" error.
+      return if url.to_s.strip.empty?
+
+      uri = begin
+        URI.parse(url.to_s)
+      rescue URI::InvalidURIError
+        nil
+      end
+
+      return if uri && uri.scheme == 'https'
+
+      # uri.hostname (unlike uri.host) already strips IPv6 brackets, so
+      # http://[::1]:3000 resolves to the loopback host "::1".
+      host = uri&.hostname.to_s.downcase
+      return if uri && uri.scheme == 'http' && LOOPBACK_HOSTS.include?(host)
+
+      raise InsecureUrlError,
+            "Refusing to send your API token over an insecure connection (#{url}). " \
+            'Use an https:// URL — plain http is allowed only for localhost. ' \
+            'Fix your api_url with `mysigner login` or the MYSIGNER_API_URL env var.'
+    end
+
     def initialize(api_url:, api_token:, user_email: nil)
       @api_url = api_url
       @api_token = api_token
@@ -65,7 +99,22 @@ module Mysigner
 
     # Expose connection for direct access (e.g., binary downloads)
     def connection
+      Client.assert_secure_api_url!(@api_url)
       @connection ||= Faraday.new(url: @api_url) do |f|
+        # Fail fast on a stalled connection instead of hanging the CLI
+        # forever. Without these the default adapter applies no timeout, so a
+        # server that accepts the socket but never responds blocks every
+        # command indefinitely and the Faraday::TimeoutError branch below is
+        # effectively unreachable. The read timeout is generous because the
+        # same client streams binary downloads.
+        f.options.timeout = 120
+        f.options.open_timeout = 10
+
+        # Assert TLS verification as an in-code invariant rather than relying
+        # on the adapter default — an adapter swap or stray env OpenSSL config
+        # could otherwise silently weaken it. (No effect on http://localhost.)
+        f.ssl.verify = true
+
         # Request middleware
         f.request :authorization, 'Bearer', @api_token
         f.request :json
@@ -192,6 +241,9 @@ module Mysigner
   class ForbiddenError < ClientError; end
   class NotFoundError < ClientError; end
   class ServerError < ClientError; end
+  # Raised when the API token would be sent over an insecure (non-https,
+  # non-loopback) connection. See Client.assert_secure_api_url!.
+  class InsecureUrlError < ClientError; end
 
   class ValidationError < ClientError
     def initialize(message, details = nil, suggestion: nil, error_code: nil, timestamp: nil)

data/lib/mysigner/config.rb

@@ -212,10 +212,15 @@ module Mysigner
 
       File.delete(CONFIG_FILE) if exists?
 
-      # On non-macOS the encryption key lives in a file fallback. Wipe it on
-      # logout so a fresh login can mint a new key — otherwise the old key
-      # would silently encrypt a new token that nobody else can decrypt.
-      FileUtils.rm_f(KEY_FILE)
+      # Deliberately KEEP the per-machine encryption key (KEY_FILE). On
+      # non-macOS it also wraps any local-only credentials in the file
+      # fallback (~/.mysigner/credentials), which a plain logout KEEPS — only
+      # `mysigner logout --purge` deletes them. Wiping the key here would
+      # leave those kept credentials permanently undecryptable. The key on its
+      # own is a non-secret per-machine value, and the encrypted token it
+      # protected is already gone with CONFIG_FILE above; re-login simply
+      # re-uses it. (--purge removes the credentials themselves, so no orphan
+      # remains in that flow either.)
 
       # Phase 0: logout also purges the keystore cache so a shared machine
       # doesn't leave prior-user keystore blobs on disk.

data/lib/mysigner/export/exporter.rb

@@ -99,6 +99,11 @@ module Mysigner
         FileUtils.mkdir_p(@output_dir)
         puts ''
 
+        # Keep this an argv ARRAY (no .join(' ')). IO.popen(array) execs
+        # xcodebuild directly with no shell, so an archive/output path
+        # containing a space (e.g. ~/My Projects/App.xcarchive) or a shell
+        # metacharacter survives as one literal argument instead of being
+        # split by /bin/sh or interpreted.
         cmd = [
           'xcodebuild',
           '-exportArchive',
@@ -106,7 +111,7 @@ module Mysigner
           '-exportPath', @output_dir,
           '-exportOptionsPlist', options_plist,
           '-allowProvisioningUpdates' # Allow Xcode to update profiles if needed
-        ].join(' ')
+        ]
 
         # Run command and capture output. xcodebuild output can contain
         # non-ASCII bytes (smart quotes in Apple error messages, emoji in

data/lib/mysigner/formatting.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Mysigner
+  # Shared human-readable formatting helpers — single source of truth so the
+  # CLI concern and the upload classes don't each carry their own copy.
+  #
+  # NOTE: format_duration is deliberately NOT here. The CLI concern's
+  # format_duration ("2m 5s" units) and AppStoreAutomation's ("02:05" clock)
+  # are different formats for different displays, not duplicates.
+  module Formatting
+    module_function
+
+    def format_bytes(bytes)
+      if bytes < 1024
+        "#{bytes} B"
+      elsif bytes < 1024 * 1024
+        "#{(bytes / 1024.0).round(1)} KB"
+      else
+        "#{(bytes / (1024.0 * 1024)).round(1)} MB"
+      end
+    end
+  end
+end

data/lib/mysigner/signing/certificate_checker.rb

@@ -74,9 +74,10 @@ module Mysigner
       end
 
       def get_certificate_details(name)
-        # Get certificate in PEM format by name
-        cmd = "security find-certificate -c \"#{name}\" -p"
-        stdout, _, status = Open3.capture3(cmd)
+        # Get certificate in PEM format by name. argv form (no shell) so a
+        # certificate CN containing $(...) / backticks — which a crafted
+        # imported keychain item can carry — is passed literally, not executed.
+        stdout, _, status = Open3.capture3('security', 'find-certificate', '-c', name, '-p')
 
         # If not found, return nil
         return nil if !status.success? || stdout.empty?
@@ -88,9 +89,8 @@ module Mysigner
           temp.write(stdout)
           temp.close
 
-          # Get expiry date using openssl
-          cmd = "openssl x509 -in #{temp.path} -noout -enddate"
-          out, _, stat = Open3.capture3(cmd)
+          # Get expiry date using openssl (argv form, no shell)
+          out, _, stat = Open3.capture3('openssl', 'x509', '-in', temp.path, '-noout', '-enddate')
 
           if stat.success? && out =~ /notAfter=(.+)/
             expiry_str = ::Regexp.last_match(1).strip

data/lib/mysigner/signing/keystore_manager.rb

@@ -244,6 +244,8 @@ module Mysigner
         config = Mysigner::Config.new
         config.load if config.exists?
 
+        # Never attach the API token to a non-https (non-loopback) endpoint.
+        Mysigner::Client.assert_secure_api_url!(config.api_url)
         Faraday.new(url: config.api_url) do |f|
           f.request :authorization, 'Bearer', config.api_token
           f.options.timeout = 60

data/lib/mysigner/signing/wizard.rb

@@ -414,6 +414,8 @@ module Mysigner
           # (the client's get method uses JSON middleware which corrupts binary data)
           download_url = "/api/v1/organizations/#{@organization_id}/profiles/#{profile['id']}/download"
 
+          # Never attach the API token to a non-https (non-loopback) endpoint.
+          Mysigner::Client.assert_secure_api_url!(@client.api_url)
           conn = Faraday.new(url: @client.api_url) do |f|
             f.request :authorization, 'Bearer', @client.api_token
             f.adapter Faraday.default_adapter

data/lib/mysigner/upload/app_store_automation.rb

@@ -150,7 +150,7 @@ module Mysigner
 
           if elapsed >= @timeout
             status[:timed_out] = true
-            puts "\r✗ Timed out after #{format_duration(elapsed)} (use --asc-timeout-seconds to extend)".ljust(90)
+            puts "\r✗ Timed out after #{format_duration(elapsed)} — the build is still processing on Apple's side".ljust(90)
             puts ''
             return [build, status]
           end
@@ -160,6 +160,18 @@ module Mysigner
           $stdout.flush
           sleep @poll_interval
         end
+      rescue Interrupt
+        # Only the polling loop draws the "Waiting …" line, so only it needs the
+        # resume hint; if we weren't actually waiting, let Ctrl-C propagate.
+        raise unless @wait_enabled
+
+        # Ctrl-C during the wait: don't leave a half-drawn "Waiting …" line with
+        # no newline. The build keeps processing on Apple's side — tell the user
+        # how to resume, then exit with the conventional SIGINT code.
+        puts ''
+        puts '⏹  Stopped waiting — your build is still processing on Apple’s side.'
+        puts '   Re-run `mysigner ship appstore --wait` to resume watching.'
+        exit 130
       end
 
       def latest_build(app_id, build_info)

data/lib/mysigner/upload/app_store_submission.rb

@@ -91,18 +91,6 @@ module Mysigner
         nil
       end
 
-      # Fetch release config and extract min_build_number for smart build selection
-      def fetch_release_config
-        metadata = fetch_release_metadata
-        return {} unless metadata
-
-        config = {}
-        config[:min_build_number] = metadata['build_number'].to_i if metadata['build_number']
-        config[:release_type] = metadata['release_type'] if metadata['release_type']
-        config[:earliest_release_date] = metadata['earliest_release_date'] if metadata['earliest_release_date']
-        config
-      end
-
       def merge_metadata(api_metadata)
         api_data = stringify_keys(api_metadata || {})
         overrides = stringify_keys(@metadata_overrides)
@@ -133,8 +121,8 @@ module Mysigner
         puts '💡 Auto-submit enabled' if metadata && metadata['auto_submit']
 
         puts ''
-        puts 'Tip: rerun with --submit-for-review when ready'
-        puts '     Use --wait/--asc-timeout-seconds to control polling'
+        puts 'Tip: `mysigner ship appstore` uploads AND submits for review automatically.'
+        puts '     Pass --no-auto-submit to upload only, or --wait to watch processing.'
         puts ''
       end
 

data/lib/mysigner/upload/asc_rest_uploader.rb

@@ -37,6 +37,7 @@ module Mysigner
       POLL_INTERVAL = 10
       POLL_TIMEOUT  = 600
       CHUNK_RETRIES = 2
+      DIGEST_READ_BYTES = 1024 * 1024 # 1 MiB streaming buffer for the digest pass
 
       APPLE_ASC_BASE = 'https://api.appstoreconnect.apple.com'
 
@@ -66,6 +67,9 @@ module Mysigner
         # args (which preserves the Keychain-only behavior the existing specs
         # pin).
         @asc_creds = asc_creds
+        # Path of a .p8 WE materialized this run (set by ensure_p8_in_apple_dir!),
+        # deleted by cleanup_materialized_p8! after altool. nil = nothing to clean.
+        @materialized_p8_path = nil
       end
 
       def call
@@ -77,8 +81,7 @@ module Mysigner
           ops.each { |op| put_chunk_with_retry(f, op) }
         end
 
-        md5 = Digest::MD5.file(@ipa_path).hexdigest
-        sha = Digest::SHA256.file(@ipa_path).hexdigest
+        md5, sha = compute_file_digests(@ipa_path)
 
         mark_uploaded_via_server(build_upload_id, md5: md5, sha: sha)
 
@@ -88,6 +91,21 @@ module Mysigner
 
       private
 
+      # Compute MD5 + SHA-256 in a SINGLE streamed pass over the IPA. The old
+      # code called Digest::MD5.file then Digest::SHA256.file, reading the whole
+      # (often hundreds-of-MB) file end-to-end twice; this reads it once.
+      def compute_file_digests(path)
+        md5 = Digest::MD5.new
+        sha = Digest::SHA256.new
+        File.open(path, 'rb') do |f|
+          while (chunk = f.read(DIGEST_READ_BYTES))
+            md5.update(chunk)
+            sha.update(chunk)
+          end
+        end
+        [md5.hexdigest, sha.hexdigest]
+      end
+
       # Local-only: shell out to `xcrun altool --upload-app`. altool is
       # Apple's canonical CLI for App Store uploads — it handles the multi-
       # step buildUploads/buildUploadFiles/chunk-PUT/commit dance correctly
@@ -110,6 +128,12 @@ module Mysigner
         return { build_upload_id: nil, final_state: 'COMPLETE' } if status.success?
 
         raise_altool_failure!(stdout_stderr)
+      ensure
+        # Never leave the plaintext ASC private key sitting at Apple's
+        # well-known discovery path after the upload — delete the one WE
+        # materialized this run (cleanup_materialized_p8! is a no-op when the
+        # user already had their own key there).
+        cleanup_materialized_p8!
       end
 
       # `xcrun altool --upload-app --file ... --type ios --apiKey KEY_ID
@@ -148,17 +172,34 @@ module Mysigner
       def ensure_p8_in_apple_dir!(creds)
         FileUtils.mkdir_p(APPLE_PRIVATE_KEYS_DIR, mode: 0o700)
         target = File.join(APPLE_PRIVATE_KEYS_DIR, "AuthKey_#{creds.key_id}.p8")
+        pre_existing = File.exist?(target)
 
-        if File.exist?(target) && File.read(target) == creds.p8_pem
+        if pre_existing && File.read(target) == creds.p8_pem
           File.chmod(0o600, target)
+          # The user already had this exact key here — leave it untouched.
+          @materialized_p8_path = nil
           return target
         end
 
+        # Mark for cleanup BEFORE writing, so a failure between the write and
+        # the chmod still lets the ensure block remove the freshly-written
+        # plaintext key. Only when we created it fresh — if a (different) file
+        # pre-existed we must not delete the key the user manages themselves.
+        @materialized_p8_path = pre_existing ? nil : target
         File.write(target, creds.p8_pem)
         File.chmod(0o600, target)
         target
       end
 
+      # Remove the .p8 we materialized for altool this run, if any. Idempotent
+      # and best-effort (a failure to delete must not mask the upload result).
+      def cleanup_materialized_p8!
+        return unless @materialized_p8_path
+
+        FileUtils.rm_f(@materialized_p8_path)
+        @materialized_p8_path = nil
+      end
+
       # Parse altool's --output-format json blob. The error path is:
       #   { "product-errors": [ { "code": ..., "message": "..." }, ... ] }
       # Any "build version already exists" diagnostic — Apple's ITMS-90... —

data/lib/mysigner/upload/asc_submitter.rb

@@ -379,6 +379,11 @@ module Mysigner
 
       def http_conn
         @http_conn ||= Faraday.new(url: APPLE_ASC_BASE) do |f|
+          # Explicit timeouts so a stalled Apple connection can't hang the
+          # 30-minute poll loop forever (the per-request rescue only fires on
+          # an actual error, not a silent stall).
+          f.options.timeout = 60
+          f.options.open_timeout = 10
           f.adapter Faraday.default_adapter
         end
       end

data/lib/mysigner/upload/play_store_uploader.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'json'
+require 'mysigner/formatting'
 
 module Mysigner
   module Upload
@@ -477,13 +478,7 @@ module Mysigner
       end
 
       def format_bytes(bytes)
-        if bytes < 1024
-          "#{bytes} B"
-        elsif bytes < 1024 * 1024
-          "#{(bytes / 1024.0).round(1)} KB"
-        else
-          "#{(bytes / (1024.0 * 1024)).round(1)} MB"
-        end
+        Mysigner::Formatting.format_bytes(bytes)
       end
     end
   end