@daemux/store-automator 0.10.93 → 0.10.95

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -2,51 +2,47 @@
 """
 Prepare iOS code signing on a fresh CI runner (manual-signing variant).
 
-Steps:
-
-  1. Generate an RSA private key + CSR.
-  2. Create a new Apple Distribution certificate from the CSR; if the per-team
-     cap is hit (409), revoke the oldest existing DISTRIBUTION cert and retry.
-  3. Discover every signable native target in the Xcode project (main app +
-     extensions like Network Extensions, Widgets, WatchKit apps). SwiftPM
-     resource bundles are skipped — they can't be signed manually.
-  4. Register each bundle ID on App Store Connect if missing.
-  5. Create one IOS_APP_STORE provisioning profile per bundle ID, named
-     ``CI-<bundle_id>``, linked to the new cert (deleting any stale profile
-     with the same name so the reference matches the fresh cert).
-  6. Install every profile into ``~/Library/MobileDevice/Provisioning Profiles/``.
-  7. Patch the pbxproj in place so each signable target's build settings
-     select manual signing + the matching CI profile. SwiftPM targets are
-     left alone — they keep their default automatic (no-sign) config.
-  8. Import cert + private key into a temporary keychain placed at the head of
-     the user search list so codesign / xcodebuild can find it.
-
-Environment inputs:
-  ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH - App Store Connect API key trio
-  PROJECT                                 - Xcode project path (.xcodeproj)
-  TEAM_ID                                 - Apple developer team identifier
-                                            (optional; derived from the
-                                            installed provisioning profile
-                                            when empty)
-  RUNNER_TEMP                             - GitHub Actions temp dir
-
-Writes nothing to stdout that would leak secrets.
+Caching: the Apple Distribution cert + per-bundle provisioning profiles
+live under the workspace's ``creds/`` directory and are reused across
+runs. See ``creds_store.py`` for the on-disk layout and reuse rules.
+This script orchestrates the load-or-regen flow:
+
+  1. Try to reuse the cached cert (decrypts + NotAfter > 30d +
+     ``GET /certificates/{cert_id}`` = 200).
+  2. On miss, invalidate the cache and create a fresh cert via
+     ``cert_factory`` (handling Apple's per-team cap of 2 by revoking
+     the OLDEST existing one).
+  3. Hand the cert id + cache_hit flag to ``provision_all_bundles``,
+     which decides per-bundle whether to reuse a cached profile or
+     create a new one and updates the manifest.
+  4. Orphan profiles (manifest entries for bundles no longer in the
+     target list) get GC'd from disk + manifest.
+  5. After successful prep the workspace ``creds/`` tree is dirty with
+     any refreshed artifacts; ``action.yml`` commits the diff back when
+     the run is on the default branch.
+
+Sibling modules: ``cert_factory`` (key+CSR+ASC POST), ``keychain``
+(throwaway runner keychain), ``profile_manager`` (per-bundle profile
+lifecycle), ``profile_io`` (CMS decode), ``creds_store`` (on-disk cache).
+
+Env inputs: ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH (key trio), PROJECT
+(.xcodeproj), TEAM_ID (optional; derived from profile plist when empty),
+RUNNER_TEMP, CREDS_DIR (optional override; defaults to
+``$GITHUB_WORKSPACE/creds``). Writes nothing to stdout that would leak
+secrets.
 """
 
 from __future__ import annotations
 
-import base64
 import json
 import os
-import subprocess
+from datetime import datetime, timedelta, timezone
 from pathlib import Path
 
-from asc_common import get_json, make_jwt, request
-from cryptography import x509
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.hazmat.primitives.serialization import pkcs12
-from cryptography.x509.oid import NameOID
+import cert_factory
+import creds_store
+from asc_common import make_jwt
+from keychain import setup_keychain
 from pbxproj_editor import discover_signable_targets, patch_project_signing
 from profile_manager import provision_all_bundles
 
@@ -59,215 +55,121 @@ def env(name: str) -> str:
 
 
 def optional_env(name: str) -> str:
-    return os.environ.get(name, "") or ""
-
-
-def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes]:
-    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
-    csr = (
-        x509.CertificateSigningRequestBuilder()
-        .subject_name(
-            x509.Name(
-                [
-                    x509.NameAttribute(NameOID.COMMON_NAME, "Daemux CI"),
-                    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
-                ]
-            )
-        )
-        .sign(private_key, hashes.SHA256())
-    )
-    csr_pem = csr.public_bytes(serialization.Encoding.PEM)
-    csr_payload = b"".join(
-        line for line in csr_pem.splitlines() if not line.startswith(b"-----")
-    )
-    return private_key, csr_payload
-
-
-def oldest_distribution_cert_id(token: str) -> str | None:
-    """Return the DISTRIBUTION cert with the EARLIEST expiration date.
+    return os.environ.get(name, "")
 
-    Apple's per-team distribution-cert cap is 2. When CI hits the cap we
-    must revoke one to make room for a fresh cert. We deliberately pick
-    the OLDEST cert (earliest expirationDate) because:
 
-      * Each CI run signs an IPA, uploads it to ASC, and that build then
-        spends minutes-to-hours in App Store Connect's processing
-        pipeline. Processing re-validates the binary's leaf cert against
-        Apple's current cert state. A revoked cert during processing
-        produces ITMS-90035 ("invalid signature ... signed with an ad-hoc
-        certificate, not a distribution certificate") and rejects the
-        build that was already accepted at upload time.
+def _load_or_create_cert(
+    token: str, creds_dir: Path
+) -> tuple[str, bytes, str, bool]:
+    """Return ``(cert_id, p12_bytes, password, cache_hit)``.
 
-      * The NEWEST cert is, by construction, the one that signed the most
-        recent build — i.e. the build that is right now in ASC processing
-        and most exposed to the revocation race. Revoking it (the prior
-        behavior) reliably broke the build the previous CI run produced.
-
-      * The OLDEST cert is the one most likely to be from a build whose
-        ASC processing has long since completed (each CI run only adds
-        builds; processing finishes in minutes). Revoking it is the
-        safest choice.
+    Cache hit when the on-disk cert decrypts, NotAfter > 30d away, and
+    Apple confirms the cert id is still alive. On miss the cache is
+    invalidated, a new cert is created (handling Apple's per-team cap),
+    and the cache is repopulated atomically.
     """
-    data = get_json(
-        "/certificates",
-        token,
-        params={
-            "limit": "200",
-            "sort": "-id",
-            "filter[certificateType]": "DISTRIBUTION",
-        },
-    )
-    oldest_id = None
-    oldest_exp: str | None = None
-    for cert in data.get("data", []):
-        attrs = cert.get("attributes") or {}
-        exp = attrs.get("expirationDate") or ""
-        if not exp:
-            continue
-        if oldest_exp is None or exp < oldest_exp:
-            oldest_exp = exp
-            oldest_id = cert["id"]
-    return oldest_id
-
-
-def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
-    body = {
-        "data": {
-            "type": "certificates",
-            "attributes": {
-                "csrContent": csr_b64,
-                "certificateType": "DISTRIBUTION",
-            },
-        }
-    }
-    resp = request(
-        "POST", "/certificates", token, json_body=body, allow_status={409}
-    )
-    if resp.status_code == 409:
-        # Revoke the OLDEST cert, NOT the newest. The newest cert signed
-        # the previous build that may still be in ASC processing — revoking
-        # it during processing yields ITMS-90035 on the prior build.
-        # See oldest_distribution_cert_id() for the full rationale.
-        print("Distribution cert cap hit; revoking oldest existing cert")
-        target = oldest_distribution_cert_id(token)
-        if not target:
-            raise SystemExit(
-                "409 from cert create but no existing DISTRIBUTION cert "
-                "found to revoke"
+    cached = creds_store.load_cached_cert(creds_dir)
+    if cached and creds_store.verify_cert_alive(token, cached.cert_id):
+        print(
+            f"Reusing cached distribution cert {cached.cert_id} "
+            f"(NotAfter {cached.not_after.isoformat()})"
+        )
+        # Warn when inside T-60d..T-30d so operators see renewal is pending
+        # but auto-renew has not yet fired.
+        now = datetime.now(timezone.utc)
+        renew_at = now + timedelta(days=creds_store.RENEW_THRESHOLD_DAYS)
+        warn_at = now + timedelta(days=creds_store.WARN_THRESHOLD_DAYS)
+        if renew_at < cached.not_after <= warn_at:
+            print(
+                f"::warning::Cert {cached.cert_id} expires in "
+                f"{(cached.not_after - now).days}d; auto-renew fires at "
+                f"{creds_store.RENEW_THRESHOLD_DAYS}d remaining."
             )
-        request("DELETE", f"/certificates/{target}", token)
-        resp = request("POST", "/certificates", token, json_body=body)
-    data = resp.json()["data"]
-    cert_id = data["id"]
-    cert_der = base64.b64decode(data["attributes"]["certificateContent"])
-    print(f"Created DISTRIBUTION cert {cert_id}")
-    return cert_id, cert_der
-
-
-def write_p12(
-    private_key: rsa.RSAPrivateKey, cert_der: bytes, out_path: Path, passwd: str
-) -> None:
-    cert = x509.load_der_x509_certificate(cert_der)
-    p12 = pkcs12.serialize_key_and_certificates(
-        name=b"Daemux CI",
-        key=private_key,
-        cert=cert,
-        cas=None,
-        encryption_algorithm=serialization.BestAvailableEncryption(
-            passwd.encode()
-        ),
-    )
-    out_path.write_bytes(p12)
+        return cached.cert_id, cached.p12_bytes, cached.password, True
 
+    if cached:
+        print(
+            f"Cached cert {cached.cert_id} no longer alive on Apple; "
+            "invalidating cache and regenerating"
+        )
+    creds_store.invalidate_cache(creds_dir)
 
-def _create_keychain(keychain_path: str, keychain_pass: str) -> None:
-    subprocess.run(
-        ["security", "delete-keychain", keychain_path],
-        check=False,
-        capture_output=True,
-    )
-    subprocess.check_call(
-        ["security", "create-keychain", "-p", keychain_pass, keychain_path]
+    private_key, csr_b64 = cert_factory.generate_key_and_csr()
+    cert_id, cert_der = cert_factory.create_distribution_cert(
+        token, csr_b64.decode()
     )
-    subprocess.check_call(
-        ["security", "set-keychain-settings", "-lut", "21600", keychain_path]
-    )
-    subprocess.check_call(
-        ["security", "unlock-keychain", "-p", keychain_pass, keychain_path]
+    password = creds_store.P12_PASSWORD
+    p12_bytes = cert_factory.serialize_p12(private_key, cert_der, password)
+    not_after = creds_store.cert_not_after_from_der(cert_der)
+    creds_store.write_cert_bundle(
+        creds_dir, cert_id, p12_bytes, password, not_after
     )
+    print(f"Persisted fresh cert bundle to {creds_dir}")
+    return cert_id, p12_bytes, password, False
 
 
-def _import_p12(
-    keychain_path: str, keychain_pass: str, p12_path: Path, p12_pass: str
-) -> None:
-    subprocess.check_call(
-        [
-            "security", "import", str(p12_path),
-            "-P", p12_pass,
-            "-A",
-            "-t", "cert",
-            "-f", "pkcs12",
-            "-k", keychain_path,
-        ]
-    )
-    subprocess.check_call(
-        [
-            "security", "set-key-partition-list",
-            "-S", "apple-tool:,apple:,codesign:",
-            "-s",
-            "-k", keychain_pass,
-            keychain_path,
-        ]
-    )
+def _resolve_creds_dir() -> Path:
+    """Return the workspace creds/ root, honoring the CREDS_DIR override."""
+    override = optional_env("CREDS_DIR")
+    if override:
+        return Path(override)
+    workspace = optional_env("GITHUB_WORKSPACE") or os.getcwd()
+    return Path(workspace) / "creds"
 
 
-def _prepend_to_user_search_list(keychain_path: str) -> None:
-    existing = subprocess.check_output(
-        ["security", "list-keychains", "-d", "user"]
-    ).decode()
-    existing_list = [
-        line.strip().strip('"')
-        for line in existing.splitlines()
-        if line.strip()
-    ]
-    new_list = [keychain_path] + [
-        k for k in existing_list if k != keychain_path
-    ]
-    subprocess.check_call(
-        ["security", "list-keychains", "-d", "user", "-s", *new_list]
-    )
-    subprocess.check_call(
-        ["security", "default-keychain", "-s", keychain_path]
-    )
+def _resolve_pbx_team(effective_team: str, configured_team: str) -> str:
+    """Pick the team Xcode must see and warn on mismatch with config.
 
+    The ASC API key is bound to a single developer team. Every profile
+    it issues lives in THAT team, so Xcode's ``DEVELOPMENT_TEAM`` must
+    match it exactly — otherwise the profile can't be matched to the
+    target at archive time. If the ci.config.yaml team differs, warn
+    and use the profile's team as the source of truth.
+    """
+    pbx_team = effective_team or configured_team
+    if not pbx_team:
+        raise SystemExit(
+            "Unable to determine Apple developer team. The installed "
+            "provisioning profile did not expose a TeamIdentifier and no "
+            "TEAM_ID was provided. Set `app.team_id` in ci.config.yaml. "
+            "Find your team id at https://developer.apple.com/account -> "
+            "Membership (look for 'Team ID')."
+        )
+    if effective_team and configured_team and effective_team != configured_team:
+        print(
+            f"::warning::Config team {configured_team} differs from ASC API "
+            f"key's team {effective_team}; patching pbxproj with "
+            f"{effective_team} (the team that actually issued the "
+            "provisioning profiles)."
+        )
+    return pbx_team
 
-def setup_keychain(p12_path: Path, p12_pass: str) -> str:
-    keychain_path = os.path.join(env("RUNNER_TEMP"), "ci.keychain-db")
-    keychain_pass = "ci"
-    _create_keychain(keychain_path, keychain_pass)
-    _import_p12(keychain_path, keychain_pass, p12_path, p12_pass)
-    _prepend_to_user_search_list(keychain_path)
-    print(f"Keychain ready: {keychain_path}")
-    return keychain_path
 
+def _write_signing_map(
+    runner_temp: str, pbx_team: str, mappings: list
+) -> None:
+    """Persist mapping for the downstream Export IPA step.
+
+    ``ExportOptions.plist`` needs a ``provisioningProfiles`` dict and
+    the effective team that issued the profiles.
+    """
+    map_path = Path(runner_temp) / "signing_map.json"
+    map_path.write_text(
+        json.dumps(
+            {
+                "team_id": pbx_team,
+                "profiles": {bid: pname for bid, pname, _ in mappings},
+            },
+            indent=2,
+        )
+    )
+    print(f"Wrote signing map to {map_path}")
 
-def main() -> None:
-    key_id = env("ASC_KEY_ID")
-    issuer_id = env("ASC_ISSUER_ID")
-    asc_key_path = env("ASC_KEY_PATH")
-    runner_temp = env("RUNNER_TEMP")
-    # TEAM_ID is optional: the ASC API key is bound to one developer team,
-    # and every profile it issues inherits that team. provision_all_bundles
-    # returns that ``effective_team`` read straight from the installed
-    # profile's plist — which is the authoritative value Xcode will look
-    # for in DEVELOPMENT_TEAM. Upstream (read_config.py) also tries to
-    # derive team_id via GET-only ASC endpoints and pass it here as a
-    # convenience for logging and xcconfig patching.
-    team_id = optional_env("TEAM_ID")
 
+def _resolve_project_path() -> str:
+    """Return the .xcodeproj path; reject WORKSPACE-only mode loudly."""
     project = optional_env("PROJECT")
-    workspace = optional_env("WORKSPACE")
-    if workspace and not project:
+    if optional_env("WORKSPACE") and not project:
         raise SystemExit(
             "prepare_signing: WORKSPACE-only mode is not supported; the "
             "underlying .xcodeproj must be passed via PROJECT so we can "
@@ -275,64 +177,46 @@ def main() -> None:
         )
     if not project:
         raise SystemExit("prepare_signing: PROJECT env var is required")
+    return project
 
-    token = make_jwt(key_id, issuer_id, asc_key_path)
+
+def main() -> None:
+    runner_temp = env("RUNNER_TEMP")
+    # TEAM_ID is optional — provision_all_bundles returns the effective
+    # team from the installed profile's plist; see _resolve_pbx_team.
+    team_id = optional_env("TEAM_ID")
+    project = _resolve_project_path()
+    token = make_jwt(env("ASC_KEY_ID"), env("ASC_ISSUER_ID"), env("ASC_KEY_PATH"))
+    creds_dir = _resolve_creds_dir()
 
     targets = discover_signable_targets(project)
     bundle_ids = sorted({t["bundle_id"] for t in targets})
     print(f"Signable targets ({len(targets)}):")
     for t in targets:
-        print(f"  - {t['name']} -> {t['bundle_id']} ({len(t['config_ids'])} configs)")
-
-    private_key, csr_b64 = generate_key_and_csr()
-    cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
+        print(
+            f"  - {t['name']} -> {t['bundle_id']} "
+            f"({len(t['config_ids'])} configs)"
+        )
 
-    mappings, effective_team = provision_all_bundles(token, bundle_ids, cert_id)
+    cert_id, p12_bytes, p12_pass, cache_hit = _load_or_create_cert(
+        token, creds_dir
+    )
+    mappings, effective_team = provision_all_bundles(
+        token, bundle_ids, cert_id, creds_dir=creds_dir, cache_hit=cache_hit
+    )
     print("Profile map:")
     for bid, pname, uuid in mappings:
         print(f"  {bid} -> {pname} ({uuid})")
 
-    # The ASC API key is bound to a single developer team. Every profile it
-    # issues lives in THAT team, so Xcode's DEVELOPMENT_TEAM setting must
-    # match it exactly — otherwise the profile can't be matched to the
-    # target at archive time. If the ci.config.yaml team differs, warn and
-    # use the profile's team as the source of truth.
-    pbx_team = effective_team or team_id
-    if not pbx_team:
-        raise SystemExit(
-            "Unable to determine Apple developer team. The installed "
-            "provisioning profile did not expose a TeamIdentifier and no "
-            "TEAM_ID was provided. Set `app.team_id` in ci.config.yaml. "
-            "Find your team id at https://developer.apple.com/account -> "
-            "Membership (look for 'Team ID')."
-        )
-    if effective_team and team_id and effective_team != team_id:
-        print(
-            f"::warning::Config team {team_id} differs from ASC API key's "
-            f"team {effective_team}; patching pbxproj with {effective_team} "
-            "(the team that actually issued the provisioning profiles)."
-        )
+    pbx_team = _resolve_pbx_team(effective_team, team_id)
     patch_project_signing(project, targets, pbx_team)
+    _write_signing_map(runner_temp, pbx_team, mappings)
 
-    # Persist mapping for downstream Export IPA step (ExportOptions.plist
-    # provisioningProfiles dict). Store the effective team alongside so
-    # Export uses the same team Apple assigned to the profiles.
-    map_path = Path(runner_temp) / "signing_map.json"
-    map_path.write_text(
-        json.dumps(
-            {
-                "team_id": pbx_team,
-                "profiles": {bid: pname for bid, pname, _ in mappings},
-            },
-            indent=2,
-        )
-    )
-    print(f"Wrote signing map to {map_path}")
-
-    p12_pass = "ci"
+    # Stage p12 in $RUNNER_TEMP for the keychain importer (the cache copy
+    # under creds/cert.p12 stays untouched as the source of truth).
     p12_path = Path(runner_temp) / "cert.p12"
-    write_p12(private_key, cert_der, p12_path, p12_pass)
-    setup_keychain(p12_path, p12_pass)
+    p12_path.write_bytes(p12_bytes)
+    setup_keychain(p12_path, p12_pass, runner_temp)
 
 
 if __name__ == "__main__":

package/templates/scripts/ci/ios-native/profile_io.py

@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+"""
+On-disk + plist-decode helpers for ``.mobileprovision`` files.
+
+Split from ``profile_manager.py`` so the ASC-API-facing module stays
+focused on lifecycle (create / delete / install) and this module owns
+the file-format gymnastics (CMS envelope decode via ``security cms -D``,
+plist date normalisation).
+
+Nothing in this module talks to App Store Connect. Callers pass raw DER
+bytes and receive parsed Python primitives.
+"""
+
+from __future__ import annotations
+
+import plistlib
+import subprocess
+from datetime import datetime, timezone
+from pathlib import Path
+
+
+# Apple guarantees ``ExpirationDate`` in every issued profile; if it is
+# missing or non-datetime the profile is malformed — treat as already-
+# expired so callers never reuse it.
+_EXPIRED_SENTINEL = datetime(1970, 1, 1, tzinfo=timezone.utc)
+
+
+def decode_profile_plist(profile_der: bytes, scratch_dir: Path) -> dict:
+    """Run ``security cms -D`` against ``profile_der`` and parse the plist.
+
+    The decoded payload's only authoritative source is the macOS
+    ``security`` binary; ``plistlib`` alone can't parse the CMS envelope.
+    ``scratch_dir`` is used for a temporary file (``security`` only
+    accepts file paths, not stdin); it is created if missing.
+
+    May raise ``subprocess.CalledProcessError`` (decode failure),
+    ``ValueError`` (plist parse failure), or ``OSError`` (filesystem
+    failure). Callers that want graceful cache fallback must catch.
+    """
+    scratch_dir.mkdir(parents=True, exist_ok=True)
+    tmp_path = scratch_dir / "tmp.mobileprovision"
+    tmp_path.write_bytes(profile_der)
+    try:
+        decoded = subprocess.check_output(
+            ["security", "cms", "-D", "-i", str(tmp_path)]
+        )
+    finally:
+        tmp_path.unlink(missing_ok=True)
+    return plistlib.loads(decoded)
+
+
+def ensure_utc(value) -> datetime:
+    """Normalise a plist datetime to a UTC-aware ``datetime``.
+
+    Plist dates parsed by ``plistlib`` come back as naive UTC; explicitly
+    attach ``timezone.utc`` so downstream comparisons stay timezone-safe.
+    Anything that is not a ``datetime`` returns the expired sentinel so
+    a malformed profile is never treated as reusable.
+    """
+    if not isinstance(value, datetime):
+        return _EXPIRED_SENTINEL
+    if value.tzinfo is None:
+        return value.replace(tzinfo=timezone.utc)
+    return value.astimezone(timezone.utc)