@daemux/store-automator 0.10.93 → 0.10.94

package/templates/scripts/ci/ios-native/creds_store.py

@@ -0,0 +1,328 @@
+#!/usr/bin/env python3
+"""
+Persistent cache for the Apple Distribution cert + per-bundle provisioning
+profiles, stored under the workspace's ``creds/`` directory.
+
+CI no longer regenerates a fresh cert and N profiles on every run. Apple
+caps each team at 2 distribution certs and 7-day-rolling profile churn
+triggers throttling, so re-using the same identity across runs is the
+only sane long-term strategy. We keep:
+
+  creds/
+    cert.p12                       PKCS12 with cert + private key
+    cert.meta.json                 {cert_id, not_after, p12_password,
+                                    created_at}
+    profiles.manifest.json         {cert_id, profiles:[
+                                      {bundle_id, name, uuid, filename,
+                                       expiration}]}
+    profiles/<uuid>.mobileprovision  one per signable bundle
+
+Reuse rules (encoded in :func:`load_cached_cert` and
+:func:`find_reusable_profile`):
+
+  * Cert is reusable iff cert.p12 exists, decrypts with the stored
+    password, NotAfter is more than 30 days away, AND
+    GET /certificates/{cert_id} returns 200 (Apple hasn't revoked it).
+  * Profile is reusable iff the cert is reusable AND the manifest entry
+    has matching cert_id AND expiration is more than 30 days away AND
+    the .mobileprovision file is on disk.
+
+Anything outside reuse triggers regen + cache replacement (atomic).
+
+`p12_password` stays ``"ci"`` deliberately. Encryption-at-rest of the
+PKCS12 is decorative when the ``.p8`` ASC API key sits next to it in
+plaintext — anyone who can read one can read the other. The repo MUST
+stay private; the cert lives there for warm-cache reasons, not secrecy.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+from dataclasses import dataclass
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from typing import Any
+
+from asc_common import request
+from cryptography import x509
+from cryptography.hazmat.primitives.serialization import pkcs12
+
+
+# Auto-renew when the cert (or any profile) is within this many days of
+# expiring. Apple distribution certs are valid for 1 year and profiles
+# for 1 year, so 30 days is plenty of headroom for CI to roll.
+RENEW_THRESHOLD_DAYS = 30
+
+# Surface a non-fatal warning when the cert is within this many days of
+# expiry but not yet inside the auto-renew window. Gives operators
+# visibility before the renew actually fires.
+WARN_THRESHOLD_DAYS = 60
+
+# DESIGN DECISION (intentional, not a bug):
+# P12 password is a hardcoded literal because encryption-at-rest is
+# decorative in this storage model: the .p12 lives next to the .p8 ASC
+# API key in the same private repo. Both are private keys; protecting one
+# with a sourced password while the other sits in plaintext alongside
+# adds bug surface (password drift between meta.json and actual encryption)
+# without raising the security floor. If this storage model changes (e.g.
+# .p8 moves to GH Secrets), revisit and source this from a secret too.
+P12_PASSWORD = "ci"
+
+# File-name layout under creds/. Centralised so callers never compute
+# their own paths and the layout stays a single fact in one place.
+_CERT_P12 = "cert.p12"
+_CERT_META = "cert.meta.json"
+_MANIFEST = "profiles.manifest.json"
+_PROFILES_SUBDIR = "profiles"
+
+
+@dataclass
+class CachedCert:
+    cert_id: str
+    not_after: datetime
+    p12_bytes: bytes
+    password: str
+
+
+@dataclass
+class ProfileEntry:
+    bundle_id: str
+    name: str
+    uuid: str
+    filename: str
+    expiration: datetime
+
+
+# --------------------------------------------------------------------------- #
+# Internal helpers (atomic IO + datetime parsing)                             #
+# --------------------------------------------------------------------------- #
+
+def _atomic_write(path: Path, data: bytes) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    tmp = path.with_suffix(path.suffix + ".tmp")
+    tmp.write_bytes(data)
+    os.replace(tmp, path)
+
+
+def _parse_iso(value: str) -> datetime:
+    """Parse an ISO-8601 datetime; tolerate trailing 'Z' for UTC."""
+    if value.endswith("Z"):
+        value = value[:-1] + "+00:00"
+    parsed = datetime.fromisoformat(value)
+    if parsed.tzinfo is None:
+        parsed = parsed.replace(tzinfo=timezone.utc)
+    return parsed
+
+
+def _now_utc() -> datetime:
+    return datetime.now(timezone.utc)
+
+
+# --------------------------------------------------------------------------- #
+# Path computations (pure)                                                    #
+# --------------------------------------------------------------------------- #
+
+def profile_path(creds_dir: Path, uuid: str) -> Path:
+    """Return the on-disk path for a cached profile by UUID (pure)."""
+    return creds_dir / _PROFILES_SUBDIR / f"{uuid}.mobileprovision"
+
+
+# --------------------------------------------------------------------------- #
+# Cert cache                                                                  #
+# --------------------------------------------------------------------------- #
+
+def load_cached_cert(creds_dir: Path) -> CachedCert | None:
+    """Return the cached cert iff p12 + meta exist and decrypt cleanly.
+
+    Returns ``None`` (and logs a ``::warning::``) on any of:
+      * missing p12 or meta file
+      * meta JSON corrupt / missing required keys
+      * p12 fails to decrypt with the stored password
+      * cert NotAfter is within RENEW_THRESHOLD_DAYS
+
+    A returned :class:`CachedCert` is NOT yet validated against Apple —
+    the caller must still confirm the cert id is alive via
+    :func:`verify_cert_alive`.
+    """
+    p12 = creds_dir / _CERT_P12
+    meta = creds_dir / _CERT_META
+    if not p12.exists() or not meta.exists():
+        return None
+
+    try:
+        meta_raw = json.loads(meta.read_text())
+        cert_id = meta_raw["cert_id"]
+        not_after = _parse_iso(meta_raw["not_after"])
+        password = meta_raw.get("p12_password") or P12_PASSWORD
+    except (OSError, ValueError, KeyError) as exc:
+        print(f"::warning::cert.meta.json unreadable ({exc}); regenerating cert")
+        return None
+
+    p12_bytes = p12.read_bytes()
+    try:
+        pkcs12.load_key_and_certificates(p12_bytes, password.encode())
+    except (ValueError, TypeError) as exc:
+        print(f"::warning::cert.p12 decrypt failed ({exc}); regenerating cert")
+        return None
+
+    deadline = _now_utc() + timedelta(days=RENEW_THRESHOLD_DAYS)
+    if not_after <= deadline:
+        print(
+            f"::warning::Cached cert {cert_id} expires {not_after.isoformat()} "
+            f"(within {RENEW_THRESHOLD_DAYS}d); regenerating"
+        )
+        return None
+
+    return CachedCert(
+        cert_id=cert_id,
+        not_after=not_after,
+        p12_bytes=p12_bytes,
+        password=password,
+    )
+
+
+def verify_cert_alive(token: str, cert_id: str) -> bool:
+    """Return True iff GET /certificates/{cert_id} returns 200.
+
+    A 404 means Apple revoked it (manually or via the cap-rotation done
+    by ``oldest_distribution_cert_id``); any other non-200 is treated
+    conservatively as not-alive so we regenerate.
+    """
+    resp = request(
+        "GET",
+        f"/certificates/{cert_id}",
+        token,
+        allow_status={404},
+    )
+    return resp.status_code == 200
+
+
+def write_cert_bundle(
+    creds_dir: Path,
+    cert_id: str,
+    p12_bytes: bytes,
+    password: str,
+    not_after: datetime,
+) -> None:
+    """Persist the cert bundle atomically (p12 + meta)."""
+    creds_dir.mkdir(parents=True, exist_ok=True)
+    _atomic_write(creds_dir / _CERT_P12, p12_bytes)
+    meta = {
+        "cert_id": cert_id,
+        "not_after": not_after.astimezone(timezone.utc).isoformat(),
+        # Password persisted alongside the cert it unlocks — see DESIGN
+        # DECISION block at P12_PASSWORD definition above for the
+        # rationale (encryption-at-rest is decorative when the .p8 lives
+        # in plaintext alongside in the same private repo).
+        "p12_password": password,
+        "created_at": _now_utc().isoformat(),
+    }
+    _atomic_write(creds_dir / _CERT_META, json.dumps(meta, indent=2).encode())
+
+
+# --------------------------------------------------------------------------- #
+# Profile manifest                                                            #
+# --------------------------------------------------------------------------- #
+
+def load_profile_manifest(creds_dir: Path) -> dict:
+    """Return the parsed manifest, or an empty skeleton if missing/corrupt."""
+    path = creds_dir / _MANIFEST
+    if not path.exists():
+        return {"cert_id": None, "profiles": []}
+    try:
+        data = json.loads(path.read_text())
+    except (OSError, ValueError) as exc:
+        print(f"::warning::profiles.manifest.json unreadable ({exc}); resetting")
+        return {"cert_id": None, "profiles": []}
+    data.setdefault("cert_id", None)
+    data.setdefault("profiles", [])
+    return data
+
+
+def write_profile_manifest(creds_dir: Path, manifest: dict) -> None:
+    """Persist the manifest atomically with profiles sorted by bundle_id."""
+    sorted_profiles = sorted(
+        manifest.get("profiles", []),
+        key=lambda entry: entry.get("bundle_id", ""),
+    )
+    payload = {
+        "cert_id": manifest.get("cert_id"),
+        "profiles": sorted_profiles,
+    }
+    _atomic_write(
+        creds_dir / _MANIFEST, json.dumps(payload, indent=2).encode()
+    )
+
+
+def find_reusable_profile(
+    manifest: dict,
+    bundle_id: str,
+    cert_id: str,
+    creds_dir: Path,
+) -> ProfileEntry | None:
+    """Return a reusable :class:`ProfileEntry` for ``bundle_id`` or None.
+
+    Reusable requires: manifest cert_id matches current cert_id, an
+    entry exists for the bundle, expiration is past the renew
+    threshold, and the .mobileprovision file is on disk.
+    """
+    if manifest.get("cert_id") != cert_id:
+        return None
+    deadline = _now_utc() + timedelta(days=RENEW_THRESHOLD_DAYS)
+    for raw in manifest.get("profiles", []):
+        if raw.get("bundle_id") != bundle_id:
+            continue
+        try:
+            expiration = _parse_iso(raw["expiration"])
+            uuid = raw["uuid"]
+        except (KeyError, ValueError):
+            return None
+        if expiration <= deadline:
+            return None
+        if not profile_path(creds_dir, uuid).exists():
+            return None
+        return ProfileEntry(
+            bundle_id=bundle_id,
+            name=raw.get("name", ""),
+            uuid=uuid,
+            filename=raw.get("filename", f"{uuid}.mobileprovision"),
+            expiration=expiration,
+        )
+    return None
+
+
+# --------------------------------------------------------------------------- #
+# Cache invalidation + cross-module utilities                                 #
+# --------------------------------------------------------------------------- #
+
+def invalidate_cache(creds_dir: Path) -> None:
+    """Remove all cache artifacts under ``creds_dir`` (best-effort)."""
+    for name in (_CERT_P12, _CERT_META, _MANIFEST):
+        (creds_dir / name).unlink(missing_ok=True)
+    pdir = creds_dir / _PROFILES_SUBDIR
+    if pdir.is_dir():
+        for entry in pdir.iterdir():
+            if entry.suffix == ".mobileprovision":
+                entry.unlink(missing_ok=True)
+    print(f"Invalidated signing cache under {creds_dir}")
+
+
+def write_cached_profile(creds_dir: Path, uuid: str, profile_der: bytes) -> None:
+    """Persist a fresh .mobileprovision atomically under ``profiles/``."""
+    _atomic_write(profile_path(creds_dir, uuid), profile_der)
+
+
+def cert_not_after_from_der(cert_der: bytes) -> datetime:
+    """Extract NotAfter from a DER-encoded certificate, normalised to UTC.
+
+    Prefers ``not_valid_after_utc`` (cryptography >= 42); falls back to
+    the deprecated naive-UTC ``not_valid_after`` for older runtimes. Also
+    used by the prepare_signing entrypoint to decide T-60d warnings on
+    cached certs without re-loading the PKCS12.
+    """
+    cert = x509.load_der_x509_certificate(cert_der)
+    try:
+        return cert.not_valid_after_utc
+    except AttributeError:
+        return cert.not_valid_after.replace(tzinfo=timezone.utc)

package/templates/scripts/ci/ios-native/keychain.py

@@ -0,0 +1,103 @@
+#!/usr/bin/env python3
+"""
+Throwaway-keychain provisioning for codesign / xcodebuild on a CI runner.
+
+Creates a temporary keychain in ``$RUNNER_TEMP``, imports a PKCS12 cert
+into it, and prepends it to the user's keychain search list so
+``codesign`` and ``xcodebuild`` find the identity at archive time. The
+keychain is purposely short-lived (default 6h auto-lock) and disposable
+— each CI run re-creates it from scratch.
+
+The keychain password (``"ci"``) is intentionally hardcoded: the
+keychain never leaves the runner (it lives in ``$RUNNER_TEMP`` which
+GitHub deletes when the job ends), so encrypting it with a sourced
+password adds bug surface (drift between import + unlock calls) without
+raising the security floor. This is distinct from the persisted P12
+password documented in ``creds_store.P12_PASSWORD``.
+"""
+
+from __future__ import annotations
+
+import os
+import subprocess
+from pathlib import Path
+
+
+_KEYCHAIN_FILENAME = "ci.keychain-db"
+_KEYCHAIN_PASS = "ci"
+
+
+def _create_keychain(keychain_path: str, keychain_pass: str) -> None:
+    subprocess.run(
+        ["security", "delete-keychain", keychain_path],
+        check=False,
+        capture_output=True,
+    )
+    subprocess.check_call(
+        ["security", "create-keychain", "-p", keychain_pass, keychain_path]
+    )
+    subprocess.check_call(
+        ["security", "set-keychain-settings", "-lut", "21600", keychain_path]
+    )
+    subprocess.check_call(
+        ["security", "unlock-keychain", "-p", keychain_pass, keychain_path]
+    )
+
+
+def _import_p12(
+    keychain_path: str, keychain_pass: str, p12_path: Path, p12_pass: str
+) -> None:
+    subprocess.check_call(
+        [
+            "security", "import", str(p12_path),
+            "-P", p12_pass,
+            "-A",
+            "-t", "cert",
+            "-f", "pkcs12",
+            "-k", keychain_path,
+        ]
+    )
+    subprocess.check_call(
+        [
+            "security", "set-key-partition-list",
+            "-S", "apple-tool:,apple:,codesign:",
+            "-s",
+            "-k", keychain_pass,
+            keychain_path,
+        ]
+    )
+
+
+def _prepend_to_user_search_list(keychain_path: str) -> None:
+    existing = subprocess.check_output(
+        ["security", "list-keychains", "-d", "user"]
+    ).decode()
+    existing_list = [
+        line.strip().strip('"')
+        for line in existing.splitlines()
+        if line.strip()
+    ]
+    new_list = [keychain_path] + [
+        k for k in existing_list if k != keychain_path
+    ]
+    subprocess.check_call(
+        ["security", "list-keychains", "-d", "user", "-s", *new_list]
+    )
+    subprocess.check_call(
+        ["security", "default-keychain", "-s", keychain_path]
+    )
+
+
+def setup_keychain(p12_path: Path, p12_pass: str, runner_temp: str) -> str:
+    """Create + populate the throwaway CI keychain; return its path.
+
+    ``runner_temp`` is the GitHub Actions temp directory (``$RUNNER_TEMP``);
+    the keychain lives there so it auto-cleans when the job finishes.
+    Returns the keychain path so callers can reference it for diagnostics.
+    """
+    keychain_path = os.path.join(runner_temp, _KEYCHAIN_FILENAME)
+    _create_keychain(keychain_path, _KEYCHAIN_PASS)
+    _import_p12(keychain_path, _KEYCHAIN_PASS, p12_path, p12_pass)
+    _prepend_to_user_search_list(keychain_path)
+    print(f"Keychain ready: {keychain_path}")
+    return keychain_path