@better-update/cli 0.29.1 → 0.29.2

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.29.1";
+var version = "0.29.2";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -19130,6 +19130,43 @@ const openFromDownload = (args) => {
 //#region src/lib/android-keystore.ts
 const DEFAULT_KEYSTORE_VALIDITY_DAYS = 1e4;
 const renderDistinguishedName = (params) => `CN=${params.commonName}, O=${params.organization}`;
+const FINGERPRINT_PATTERNS = {
+	md5: /MD5:\s*(?<value>[0-9A-F:]+)/iu,
+	sha1: /SHA-?1:\s*(?<value>[0-9A-F:]+)/iu,
+	sha256: /SHA-?256:\s*(?<value>[0-9A-F:]+)/iu
+};
+/**
+* Parse certificate fingerprints out of `keytool -list -v` output. The fingerprint
+* labels (`MD5:`, `SHA1:`, `SHA256:`) are stable across keytool locales — only the
+* surrounding prose is translated — so label-anchored regexes are robust. MD5 is
+* absent on modern JDKs (dropped from `-v` output); that field stays `undefined`.
+* keytool already emits the canonical uppercase, colon-separated form the dashboard
+* displays verbatim, so no normalization is needed.
+*/
+const parseKeystoreFingerprints = (output) => ({
+	md5: output.match(FINGERPRINT_PATTERNS.md5)?.groups?.["value"],
+	sha1: output.match(FINGERPRINT_PATTERNS.sha1)?.groups?.["value"],
+	sha256: output.match(FINGERPRINT_PATTERNS.sha256)?.groups?.["value"]
+});
+/**
+* Run `keytool -list -v` against an on-disk keystore and extract its certificate
+* fingerprints. Only the store password is required to read a certificate. Used at
+* upload/generate time to populate the public, server-visible fingerprint metadata
+* the dashboard renders.
+*/
+const extractKeystoreFingerprints = (params) => Command.string(Command.make("keytool", "-list", "-v", "-keystore", params.keystorePath, "-alias", params.keyAlias, "-storepass", params.storePassword).pipe(Command.env({ LC_ALL: "C" }))).pipe(Effect.mapError((cause) => new BuildFailedError({
+	step: "extract keystore fingerprints",
+	exitCode: 1,
+	message: `keytool -list failed to run (is the JDK installed?): ${String(cause)}`
+})), Effect.flatMap((output) => {
+	const fingerprints = parseKeystoreFingerprints(output);
+	if (fingerprints.sha1 === void 0 && fingerprints.sha256 === void 0) return Effect.fail(new BuildFailedError({
+		step: "extract keystore fingerprints",
+		exitCode: 1,
+		message: "keytool produced no SHA-1/SHA-256 fingerprints — verify the key alias and keystore password"
+	}));
+	return Effect.succeed(fingerprints);
+}));
 const generateAndroidKeystore = (input) => Command.exitCode(Command.make("keytool", "-genkeypair", "-v", "-storetype", "JKS", "-keystore", input.outputPath, "-alias", input.keyAlias, "-keyalg", "RSA", "-keysize", "2048", "-validity", String(input.validityDays ?? DEFAULT_KEYSTORE_VALIDITY_DAYS), "-storepass", input.storePassword, "-keypass", input.keyPassword, "-dname", renderDistinguishedName({
 	commonName: input.commonName,
 	organization: input.organization
@@ -19611,8 +19648,18 @@ const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(funct
 		...compact({ validityDays: input.validityDays })
 	});
 	const bytes = yield* fs.readFile(keystorePath);
+	const fingerprints = yield* extractKeystoreFingerprints({
+		keystorePath,
+		keyAlias: input.keyAlias,
+		storePassword: input.storePassword
+	});
 	const session = yield* openVaultSessionInteractive(api);
-	const metadata = { keyAlias: input.keyAlias };
+	const metadata = compact({
+		keyAlias: input.keyAlias,
+		md5Fingerprint: fingerprints.md5,
+		sha1Fingerprint: fingerprints.sha1,
+		sha256Fingerprint: fingerprints.sha256
+	});
 	const envelope = yield* sealForUpload({
 		session,
 		credentialType: "keystore",
@@ -25904,8 +25951,9 @@ const detectFormat = (bytes) => {
 /**
 * Validate keystore bytes + alias/passwords locally before sealing. Mirrors the
 * old server check: magic-byte format detection + required-field validation.
-* Fingerprints are not derived from the bytes (keytool never surfaced them here
-* either) — they remain optional, user-supplied metadata.
+* Fingerprints cannot be derived from the raw bytes; they are extracted separately
+* via keytool (`extractKeystoreFingerprints` in ./android-keystore) at upload/generate
+* time and attached to the public metadata.
 */
 const validateAndroidKeystore = (params) => Effect.gen(function* () {
 	if (params.bytes.byteLength < 16) return yield* new CredentialValidationError({ message: "Keystore file too small" });
@@ -26135,12 +26183,23 @@ const uploadAndroidKeystore = (api, input, bytes) => Effect.gen(function* () {
 	if (input.password === void 0) return yield* missing("password");
 	if (!input.keyAlias) return yield* missing("key-alias");
 	if (!input.keyPassword) return yield* missing("key-password");
-	const metadata = { keyAlias: (yield* validateAndroidKeystore({
+	const parsed = yield* validateAndroidKeystore({
 		bytes,
 		keyAlias: input.keyAlias,
 		keystorePassword: input.password,
 		keyPassword: input.keyPassword
-	})).keyAlias };
+	});
+	const fingerprints = yield* extractKeystoreFingerprints({
+		keystorePath: input.filePath,
+		keyAlias: parsed.keyAlias,
+		storePassword: input.password
+	});
+	const metadata = compact({
+		keyAlias: parsed.keyAlias,
+		md5Fingerprint: fingerprints.md5,
+		sha1Fingerprint: fingerprints.sha1,
+		sha256Fingerprint: fingerprints.sha256
+	});
 	const envelope = yield* sealForUpload({
 		session: yield* openVaultSessionInteractive(api),
 		credentialType: "keystore",