require 'pp' require 'fuzzy_match' require 'tmpdir' require 'tempfile' require 'fileutils' require 'set' require 'openssl' module Nixenvironment class Archiver ENTITLEMENTS_KEY = "Entitlements" APPLICATION_IDENTIFIER_KEY = "application-identifier" KEYCHAIN_ACCESS_GROUPS_KEY = "keychain-access-groups" PROFILE_TYPE_DEVELOPER = 'developer' PROFILE_TYPE_ADHOC = 'adhoc' PROFILE_TYPE_APPSTORE = 'appstore' AVAILABLE_PROFILE_TYPES = [PROFILE_TYPE_DEVELOPER, PROFILE_TYPE_ADHOC, PROFILE_TYPE_APPSTORE] class ProfileInfo attr_accessor :path, :name, :app_id, :device_count, :expiration_date def initialize(path, name, app_id, device_count, expiration_date) @path = path @name = name @app_id = app_id @device_count = device_count @expiration_date = expiration_date end def to_s "" end end class << self def make_signed_ipa make_ipa(PROFILE_TYPE_DEVELOPER, nil, IPA_PRODUCT_KEY, IPA_BUNDLE_ID_KEY, NAME_FOR_DEPLOYMENT_KEY) end def make_resigned_ipa_for_device make_ipa(PROFILE_TYPE_DEVELOPER, '-Resigned', IPA_PRODUCT_RESIGNED_DEVICE_KEY, IPA_BUNDLE_ID_RESIGNED_DEVICE_KEY, NAME_FOR_DEPLOYMENT_RESIGNED_DEVICE_KEY) end def make_resigned_ipa_for_adhoc make_ipa(PROFILE_TYPE_ADHOC, '-Resigned-AdHoc', IPA_PRODUCT_RESIGNED_ADHOC_KEY, IPA_BUNDLE_ID_RESIGNED_ADHOC_KEY, NAME_FOR_DEPLOYMENT_RESIGNED_ADHOC_KEY) end def make_resigned_ipa_for_appstore make_ipa(PROFILE_TYPE_APPSTORE, '-Resigned-Appstore', IPA_PRODUCT_RESIGNED_APPSTORE_KEY, IPA_BUNDLE_ID_RESIGNED_APPSTORE_KEY, NAME_FOR_DEPLOYMENT_RESIGNED_APPSTORE_KEY) end def make_webgl_zip(build_path) built_products_dir = build_path new_zip_name = "WebGLBuild" new_zip_path = File.join(built_products_dir, new_zip_name) + ZIP_EXT Dir.chdir(built_products_dir) { system("/usr/bin/zip --symlinks --verbose --recurse-paths '#{new_zip_path}' .") } end def make_macos_zip load_last_build_vars = BuildEnvVarsLoader.load_last_build_vars built_products_dir = load_last_build_vars[BUILT_PRODUCTS_DIR_KEY].presence executable_name = load_last_build_vars[EXECUTABLE_NAME_KEY].presence target_name = load_last_build_vars[TARGET_NAME_KEY].presence configuration = load_last_build_vars[CONFIGURATION_KEY].presence app_product = load_last_build_vars[APP_PRODUCT_KEY].presence new_ipa_name = "#{executable_name}-#{target_name}-#{configuration}" new_ipa_path = File.join(built_products_dir, new_ipa_name) + ZIP_EXT puts puts "IPA_PRODUCT = #{new_ipa_path}" puts Dir.mktmpdir do |tmp_dir| dest_app_dir = File.join(tmp_dir, new_ipa_name) dest_app_product = File.join(dest_app_dir, File.basename(app_product)) puts "--> Create '#{dest_app_dir}' ..." Dir.mkdir(dest_app_dir) puts "--> Copy '#{app_product}' into '#{dest_app_product}' ..." FileUtils.cp_r(app_product, dest_app_product) if Dir.exist?(new_ipa_path) puts "--> Remove old '#{new_ipa_path}' ..." FileUtils.rm_rf(new_ipa_path) end puts "--> Zip '#{tmp_dir}' into '#{new_ipa_path}' ..." Dir.chdir(tmp_dir) { system("/usr/bin/zip --symlinks --verbose --recurse-paths '#{new_ipa_path}' .") } end ipa_bundle_id = get_bundle_id(File.join(app_product, 'Contents')) system("echo \"\n #{IPA_PRODUCT_KEY}='#{new_ipa_path}' #{IPA_BUNDLE_ID_KEY}='#{ipa_bundle_id}' #{NAME_FOR_DEPLOYMENT_KEY}='#{configuration}' \" >> #{AUTOGENERATED_LAST_BUILD_VARS}") end private def make_ipa(profile_type, ipa_product_suffix, ipa_product_key, ipa_bundle_id_key, name_for_deployment_key) is_resigned = ipa_product_suffix.present? && ipa_product_suffix.include?('Resigned') is_appstore = ipa_product_suffix.present? && ipa_product_suffix.include?('Appstore') is_adhoc = ipa_product_suffix.present? && ipa_product_suffix.include?('AdHoc') load_last_build_vars = BuildEnvVarsLoader.load_last_build_vars built_products_dir = load_last_build_vars[BUILT_PRODUCTS_DIR_KEY].presence executable_name = load_last_build_vars[EXECUTABLE_NAME_KEY].presence target_name = load_last_build_vars[TARGET_NAME_KEY].presence configuration = load_last_build_vars[CONFIGURATION_KEY].presence app_product = load_last_build_vars[APP_PRODUCT_KEY].presence watchkit_app_relative_product = load_last_build_vars['WATCHKIT_APP_RELATIVE_PRODUCT'].presence watchkit_extension_relative_product = load_last_build_vars['WATCHKIT_EXTENSION_RELATIVE_PRODUCT'].presence widget_relative_product = load_last_build_vars['WIDGET_RELATIVE_PRODUCT'].presence resigned_bundle_id = is_resigned ? load_last_build_vars[RESIGNED_BUNDLE_ID_KEY].presence : nil resigned_watchkit_app_bundle_id = is_resigned ? load_last_build_vars[RESIGNED_WATCHKIT_APP_BUNDLE_ID_KEY].presence : nil resigned_watchkit_extension_bundle_id = is_resigned ? load_last_build_vars[RESIGNED_WATCHKIT_EXTENSION_BUNDLE_ID_KEY].presence : nil resigned_widget_bundle_id = is_resigned ? load_last_build_vars[RESIGNED_WIDGET_BUNDLE_ID_KEY].presence : nil resigned_bundle_name = is_resigned ? load_last_build_vars[RESIGNED_BUNDLE_NAME_KEY].presence : nil resigned_entitlements_path = is_resigned ? load_last_build_vars[RESIGNED_ENTITLEMENTS_PATH_KEY].presence : nil resigned_watchkit_extension_entitlements_path = is_resigned ? load_last_build_vars[RESIGNED_WATCHKIT_EXTENSION_ENTITLEMENTS_PATH_KEY].presence : nil resigned_widget_entitlements_path = is_resigned ? load_last_build_vars[RESIGNED_WIDGET_ENTITLEMENTS_PATH_KEY].presence : nil ipa_product = "#{built_products_dir}/#{executable_name}-#{target_name}-#{configuration}#{ipa_product_suffix}.ipa" puts "#{ipa_product_key} = #{ipa_product}" @valid_keychain_identities_cache = get_valid_keychain_identities resign(app_product, ipa_product, watchkit_app_relative_product, watchkit_extension_relative_product, widget_relative_product, resigned_bundle_id, resigned_watchkit_app_bundle_id, resigned_watchkit_extension_bundle_id, resigned_widget_bundle_id, resigned_bundle_name, resigned_entitlements_path, resigned_watchkit_extension_entitlements_path, resigned_widget_entitlements_path, profile_type, is_appstore) ipa_bundle_id = (is_resigned && resigned_bundle_id.present?) ? resigned_bundle_id : get_bundle_id(app_product) if is_appstore name_for_deployment = 'Appstore' elsif is_adhoc name_for_deployment = 'AdHoc' else name_for_deployment = configuration end system("echo \"\n #{ipa_product_key}='#{ipa_product}' #{ipa_bundle_id_key}='#{ipa_bundle_id}' #{name_for_deployment_key}='#{name_for_deployment}' \" >> #{AUTOGENERATED_LAST_BUILD_VARS}") end # Resigns specified .app product and packages it into .ipa file. Finds best matching provisioning profile based on specified options. # app_product_path => full path to input .app folder # new_ipa_path => full path to output .ipa file # profile_type => type of profile to resign with AVAILABLE_PROFILE_TYPES def resign(app_product_path, new_ipa_path, watchkit_app_relative_product_path = nil, watchkit_extension_relative_product_path = nil, widget_relative_product_path = nil, new_bundle_id = nil, new_watchkit_app_bundle_id = nil, new_watchkit_extension_bundle_id = nil, new_widget_bundle_id = nil, new_bundle_name = nil, new_entitlements_path = nil, new_watchkit_extension_entitlements_path = nil, new_widget_entitlements_path = nil, profile_type = PROFILE_TYPE_DEVELOPER, is_appstore = false) raise "Unknown profile type '#{profile_type}'! Must be from #{AVAILABLE_PROFILE_TYPES}" unless AVAILABLE_PROFILE_TYPES.include?(profile_type) new_bundle_id ||= get_bundle_id(app_product_path) new_bundle_name ||= get_bundle_name(app_product_path) new_watchkit_app_bundle_id ||= get_bundle_id(File.join(app_product_path, watchkit_app_relative_product_path)) if watchkit_app_relative_product_path.present? new_watchkit_extension_bundle_id ||= get_bundle_id(File.join(app_product_path, watchkit_extension_relative_product_path)) if watchkit_extension_relative_product_path.present? new_widget_bundle_id ||= get_bundle_id(File.join(app_product_path, widget_relative_product_path)) if widget_relative_product_path.present? profile_info, identity_name = find_profile_info_and_identity_name(profile_type, new_bundle_id) puts "==> Sign with profile '".bold + profile_info.name.blink.underline + "', identity '" + identity_name.underline + "' ...".bold watchkit_app_profile_info = nil watchkit_app_identity_name = nil watchkit_extension_profile_info = nil watchkit_extension_identity_name = nil widget_profile_info = nil widget_identity_name = nil if watchkit_app_relative_product_path.present? watchkit_app_profile_info, watchkit_app_identity_name = find_profile_info_and_identity_name(profile_type, new_watchkit_app_bundle_id) puts "==> Sign watchkit_app with profile '".bold + watchkit_app_profile_info.name.blink.underline + "', identity '".bold + watchkit_app_identity_name.underline + "' ...".bold end if watchkit_extension_relative_product_path.present? watchkit_extension_profile_info, watchkit_extension_identity_name = find_profile_info_and_identity_name(profile_type, new_watchkit_extension_bundle_id) puts "==> Sign watchkit_extension with profile '".bold + watchkit_extension_profile_info.name.blink.underline + "', identity '".bold + watchkit_extension_identity_name.underline + "' ...".bold end if widget_relative_product_path.present? widget_profile_info, widget_identity_name = find_profile_info_and_identity_name(profile_type, new_widget_bundle_id) puts "==> Sign widget with profile '".bold + widget_profile_info.name.blink.underline + "', identity '".bold + widget_identity_name.underline + "' ...".bold end watchkit_app_profile_path = watchkit_app_profile_info ? watchkit_app_profile_info.path : nil watchkit_extension_profile_path = watchkit_extension_profile_info ? watchkit_extension_profile_info.path : nil widget_profile_path = widget_profile_info ? widget_profile_info.path : nil package_application(app_product_path, watchkit_app_relative_product_path, watchkit_extension_relative_product_path, widget_relative_product_path, new_ipa_path, new_bundle_id, new_watchkit_app_bundle_id, new_watchkit_extension_bundle_id, new_widget_bundle_id, new_bundle_name, new_entitlements_path, new_watchkit_extension_entitlements_path, new_widget_entitlements_path, profile_info.path, identity_name, watchkit_app_profile_path, watchkit_app_identity_name, watchkit_extension_profile_path, watchkit_extension_identity_name, widget_profile_path, widget_identity_name, is_appstore) end def find_profile_info_and_identity_name(profile_type, new_bundle_id) profiles_and_identities = case profile_type when PROFILE_TYPE_DEVELOPER then get_matching_developer_profiles_and_identities(new_bundle_id) when PROFILE_TYPE_ADHOC then get_matching_adhoc_profiles_and_identities(new_bundle_id) when PROFILE_TYPE_APPSTORE then get_matching_appstore_profiles_and_identities(new_bundle_id) else raise "Unknown profile_type '#{profile_type}'!" end raise 'No mathching profiles found, read logs for more info!' if profiles_and_identities.blank? puts_header '--> Matching profiles and identities:' profiles_and_identities.each { |item| pp item.first.to_s, item.last } puts "--> Looking for the best match among found profiles, based on similarity between profile's app id and desired bundle id ..." best_match = find_best_match_for_bundle_id(profiles_and_identities, new_bundle_id) profile_info = best_match.first identity_name = best_match.last puts_header "--> Best match: #{profile_info.to_s}, identity_name='#{identity_name}'" return profile_info, identity_name end def find_best_match_for_bundle_id(profiles_and_identities, new_bundle_id) profiles_and_identities.max_by { |item| app_id_similarity_to_new_bundle_id(item, new_bundle_id) } end def app_id_similarity_to_new_bundle_id(match, new_bundle_id) app_id = match.first.app_id winner, dices_coefficient_similar, _levenshtein_similar = FuzzyMatch.new([new_bundle_id]).find_with_score(app_id) dices_coefficient_similar = 0 if winner.blank? puts "\tsimilarity ratio: '#{new_bundle_id}' <--> '#{app_id}' = #{dices_coefficient_similar}" dices_coefficient_similar end # Re-signs and packages specified app product. # Does NOT check that new bundle id corresponds to profile. # Automatically constructs new entitlements in case they are not specified. # new_entitlements_path, new_watchkit_extension_entitlements_path and new_widget_entitlements_path can be set to None or ''. # In this case the entitlements will be taken from the exisitng product or generated automatically. # If re-signing with a distribution profile and get-task-allow is set to true, the AppStore will reject the submission. # So the function automatically fixes the value of this entitlements field. def package_application(app_product_path, watchkit_app_relative_product_path, watchkit_extension_relative_product_path, widget_relative_product_path, new_ipa_path, new_bundle_id, new_watchkit_app_bundle_id, new_watchkit_extension_bundle_id, new_widget_bundle_id, new_bundle_name, new_entitlements_path, new_watchkit_extension_entitlements_path, new_widget_entitlements_path, profile_path, identity_name, watchkit_app_profile_path, watchkit_app_identity_name, watchkit_extension_profile_path, watchkit_extension_identity_name, widget_profile_path, widget_identity_name, is_appstore) Dir.mktmpdir do |tmp_dir| dest_app_dir = File.join(tmp_dir, "Payload") swift_support_dir = File.join(tmp_dir, "SwiftSupport") dest_app_product_path = File.join(dest_app_dir, File.basename(app_product_path)) frameworks_path = File.join(dest_app_product_path, 'Frameworks') puts "--> Create '#{dest_app_dir}' ..." Dir.mkdir(dest_app_dir) puts "--> Create '#{swift_support_dir}' ..." Dir.mkdir(swift_support_dir) puts "--> Copy '#{app_product_path}' into '#{dest_app_product_path}' ..." FileUtils.cp_r(app_product_path, dest_app_product_path) # Copy Swift Support files if needed if Dir.exist?(frameworks_path) Dir.entries(frameworks_path).reject{ |e| File.directory?(e) || File.extname(e) == '.framework' }.each do |fw| swift_lib = "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/iphoneos/#{fw}" if File.exist?(swift_lib) puts "--> Copy '#{swift_lib}' into '#{swift_support_dir}' ..." FileUtils.cp(swift_lib, swift_support_dir) else puts_warning "There's no #{swift_lib} !!!" end end end set_plist_values_in_app_path(app_product_path, 'Configuration' => 'Appstore') if is_appstore # replace provision, rename bundle_id and bundle_name is_provision_replaced = replace_provision(dest_app_product_path, profile_path) is_bundle_id_or_name_changed = rename_bundle_id_and_name(dest_app_product_path, new_bundle_id, new_bundle_name) # replace provision, rename bundle_id for watchkit app if watchkit_app_relative_product_path.present? dest_watchkit_app_product_path = File.join(dest_app_product_path, watchkit_app_relative_product_path) _is_watchkit_app_provision_replaced = replace_provision(dest_watchkit_app_product_path, watchkit_app_profile_path) _is_watchkit_app_bundle_id_changed = rename_bundle_id(dest_watchkit_app_product_path, new_watchkit_app_bundle_id) end is_watchkit_extension_provision_replaced = nil is_watchkit_extension_bundle_id_changed = nil dest_watchkit_extension_product_path = nil # replace provision, rename bundle_id and bundle_name for watchkit extension if watchkit_extension_relative_product_path.present? dest_watchkit_extension_product_path = File.join(dest_app_product_path, watchkit_extension_relative_product_path) is_watchkit_extension_provision_replaced = replace_provision(dest_watchkit_extension_product_path, watchkit_extension_profile_path) is_watchkit_extension_bundle_id_changed = rename_bundle_id(dest_watchkit_extension_product_path, new_watchkit_extension_bundle_id) end is_widget_provision_replaced = nil is_widget_bundle_id_changed = nil dest_widget_product_path = nil # replace provision, rename bundle_id and bundle_name for widget if widget_relative_product_path.present? dest_widget_product_path = File.join(dest_app_product_path, widget_relative_product_path) is_widget_provision_replaced = replace_provision(dest_widget_product_path, widget_profile_path) is_widget_bundle_id_changed = rename_bundle_id(dest_widget_product_path, new_widget_bundle_id) end # TODO: codesign watchkit app! # codesign watchkit extension if watchkit_extension_relative_product_path.present? codesign(watchkit_extension_identity_name, new_watchkit_extension_entitlements_path, is_watchkit_extension_provision_replaced, is_watchkit_extension_bundle_id_changed, dest_watchkit_extension_product_path, watchkit_extension_profile_path, new_watchkit_extension_bundle_id) end # codesign widget if widget_relative_product_path.present? codesign(widget_identity_name, new_widget_entitlements_path, is_widget_provision_replaced, is_widget_bundle_id_changed, dest_widget_product_path, widget_profile_path, new_widget_bundle_id) end # codesign frameworks if Dir.exist?(frameworks_path) puts_header "--> Codesign frameworks:" Dir.glob(File.join(frameworks_path, '*.framework')) do |framework| if File.exist?(File.join(framework, 'Info.plist')) framework_bundle_id = get_bundle_id(framework) new_framework_bundle_id = "#{new_bundle_id}.#{framework_bundle_id}" puts_header "--> Rename bundle id from '#{framework_bundle_id}' into '#{new_framework_bundle_id} in '#{framework}' Info.plist ..." set_plist_values_in_app_path(framework, 'CFBundleIdentifier' => framework_bundle_id) end codesign_args = ['/usr/bin/codesign', '--force', '--sign', "'#{identity_name}'", "'#{framework}'"] puts_header "--> Codesign framework with params #{codesign_args} ..." system(codesign_args.join(' ')) end end codesign(identity_name, new_entitlements_path, is_provision_replaced, is_bundle_id_or_name_changed, dest_app_product_path, profile_path, new_bundle_id) if Dir.exist?(new_ipa_path) puts "--> Remove old '#{new_ipa_path}' ..." FileUtils.rm_rf(new_ipa_path) end puts "--> Zip '#{tmp_dir}' into '#{new_ipa_path}' ..." Dir.chdir(tmp_dir) { system("/usr/bin/zip --symlinks --verbose --recurse-paths '#{new_ipa_path}' .") } puts end end def codesign(identity_name, new_entitlements_path, is_provision_replaced, is_bundle_id_or_name_changed, dest_app_product_path, profile_path, new_bundle_id) codesign_args = ['/usr/bin/codesign', '--force', '--deep', '--sign', "'#{identity_name}'"] # now let's figure out the entitlements... if new_entitlements_path.present? # a) use explicitly set entitlements puts_header "--> Using explicitly set entitlements from '#{new_entitlements_path}'" # make a copy to not mess up the original file selected_entitlements_path = Tempfile.new('selected_entitlements').path FileUtils.cp(new_entitlements_path, selected_entitlements_path) else should_generate_entitlements_manually = is_provision_replaced || is_bundle_id_or_name_changed unless should_generate_entitlements_manually # b) existing entitlements are OK entitlements_file = get_entitlements_from_app(dest_app_product_path) selected_entitlements_path = entitlements_file.path # leave only plist data in file plist = get_plist_from_file(selected_entitlements_path) plist.save(selected_entitlements_path) puts_header '--> Using existing entitlements' else # c) no entitlements is bad, so we will construct them manually selected_entitlements_path = generate_temp_entitlements_file_from_profile(profile_path, new_bundle_id) puts_header "--> Using automatically generated entitlements from '#{selected_entitlements_path}'" end end # crucial for submission fix_get_task_allow(selected_entitlements_path, identity_name) puts_warning '--> Entitlements:' puts File.read(selected_entitlements_path) codesign_args.concat(['--entitlements', "'#{selected_entitlements_path}'", "'#{dest_app_product_path}'"]) begin puts_header "--> Codesign with params #{codesign_args} ..." raise unless system(codesign_args.join(' ')) ensure puts "--> Remove temp entitlements file '#{selected_entitlements_path}'" FileUtils.rm(selected_entitlements_path) end check_signature(dest_app_product_path) end def check_signature(app_product_path) puts '--> Check signature ...' raise unless system("/usr/bin/codesign --verify --no-strict -vvvv '#{app_product_path}'") end def replace_provision(app_product_path, provision_path) embedded_provision_path = File.join(app_product_path, 'embedded.mobileprovision') is_provision_the_same = FileUtils.cmp(provision_path, embedded_provision_path) unless is_provision_the_same puts "--> Embed profile '#{provision_path}' ..." FileUtils.cp(provision_path, embedded_provision_path) end !is_provision_the_same end def rename_bundle_id_and_name(app_product_path, new_bundle_id, new_bundle_name) is_bundle_id_changed = rename_bundle_id(app_product_path, new_bundle_id) is_bundle_name_changed = rename_bundle_name(app_product_path, new_bundle_name) is_bundle_id_changed || is_bundle_name_changed end def rename_bundle_id(app_product_path, new_bundle_id) original_bundle_id = get_bundle_id(app_product_path) is_bundle_id_changed = false if new_bundle_id == original_bundle_id puts_header "--> Bundle id '#{new_bundle_id}' will not be modified" else puts_header "--> Rename bundle id from '#{original_bundle_id}' into '#{new_bundle_id} in '#{app_product_path}' Info.plist ..." set_plist_values_in_app_path(app_product_path, 'CFBundleIdentifier' => new_bundle_id) is_bundle_id_changed = true end is_bundle_id_changed end def rename_bundle_name(app_product_path, new_bundle_name) original_bundle_name = get_bundle_name(app_product_path) original_bundle_display_name = get_bundle_display_name(app_product_path) is_bundle_name_changed = false if new_bundle_name == original_bundle_name && new_bundle_name == original_bundle_display_name puts_header "--> Bundle name '#{new_bundle_name}' will not be modified" else puts_header "--> Rename bundle name/bundle display name from '#{original_bundle_name}'/'#{original_bundle_display_name}' into '#{new_bundle_name}' in '#{app_product_path}' Info.plist ..." set_plist_values_in_app_path(app_product_path, { 'CFBundleName' => new_bundle_name, 'CFBundleDisplayName' => new_bundle_name } ) is_bundle_name_changed = true end is_bundle_name_changed end def get_bundle_id(app_product_path) plist_value_from_app_path(app_product_path, 'CFBundleIdentifier') end def get_bundle_name(app_product_path) plist_value_from_app_path(app_product_path, 'CFBundleName') end def get_bundle_display_name(app_product_path) plist_value_from_app_path(app_product_path, 'CFBundleDisplayName') end def plist_value_from_app_path(app_product_path, key) info_plist_path = File.join(app_product_path, 'Info.plist') info_plist = Plist.from_file(info_plist_path) info_plist[key] end def set_plist_values_in_app_path(app_product_path, hash) info_plist_path = File.join(app_product_path, 'Info.plist') info_plist = Plist.from_file(info_plist_path) hash.each { |key, value| info_plist[key] = value } info_plist.save end # Returns None if entitlements cannot be read (e.g. when signature is modified), otherwise - temp file with entitlements. # User is responsible for removing temp file. def get_entitlements_from_app(app_product_path) entitlements_file = Tempfile.new('entitlements_file') puts "--> Copy entitlements from '#{app_product_path}' into '#{entitlements_file.path}' ..." codesign_success = system("codesign -d '#{app_product_path}' --entitlements '#{entitlements_file.path}'") unless codesign_success entitlements_file.close entitlements_file.unlink end entitlements_file end def app_id_prefix_from_profile(profile_path) _profile_name, app_id, _certs, _device_count, _expiration_date = parse_profile(profile_path) app_id.partition('.').first end def identity_is_for_development(identity_name) identity_name.start_with?('iPhone Developer') end def identity_is_for_distribution(identity_name) identity_name.start_with?('iPhone Distribution') end # User is responsible for removing temp file. Always sets the same get-task-allow. def generate_temp_entitlements_file_from_profile(profile_path, bundle_id) generated_entitlements_path = Tempfile.new('generated_entitlements').path puts_header "--> Automatically generate new entitlements at '#{generated_entitlements_path}' ..." app_id_prefix = app_id_prefix_from_profile(profile_path) application_identifier = app_id_prefix + "." + bundle_id plist = get_plist_from_file(profile_path) profile_entitlements = plist[ENTITLEMENTS_KEY] profile_entitlements[APPLICATION_IDENTIFIER_KEY] = application_identifier profile_entitlements[KEYCHAIN_ACCESS_GROUPS_KEY][0] = application_identifier entitlements = Plist.from_hash(profile_entitlements) entitlements.save(generated_entitlements_path) puts '--> Lint new entitlements ...' raise unless system("/usr/bin/plutil -lint '#{generated_entitlements_path}'") generated_entitlements_path end def fix_get_task_allow(entitlements_path, identity_name) puts '--> Fix get-task-allow if needed ...' plist = Plist.from_file(entitlements_path) # this entitlements field must be set to False for distribution new_value = !identity_is_for_distribution(identity_name) plist['get-task-allow'] = new_value plist.save puts "--> get-task-allow = #{new_value}" end # Use it to match only developer profiles. def get_matching_developer_profiles_and_identities(new_bundle_id) matches = [] get_matching_profiles_and_identities(new_bundle_id) do |match| identity_name = match[1] if identity_is_for_development(identity_name) matches << match else puts_warning "\t--> Skipping, because looking only for developer profiles" end end matches end # Use it to match only Appstore distribution profiles. def get_matching_appstore_profiles_and_identities(new_bundle_id) matches = [] get_matching_profiles_and_identities(new_bundle_id) do |match| device_count = match.first.device_count identity_name = match.last if !identity_is_for_distribution(identity_name) puts_warning "\t--> Skipping, because looking only for Appstore distribution profiles" elsif device_count > 0 puts_warning "\t--> Skipping, because profile contains devices" else matches << match end end matches end # Use it to match only AdHoc distribution profiles. def get_matching_adhoc_profiles_and_identities(new_bundle_id) matches = [] get_matching_profiles_and_identities(new_bundle_id) do |match| device_count = match.first.device_count identity_name = match.last if !identity_is_for_distribution(identity_name) puts_warning "\t--> Skipping, because looking only for AdHoc distribution profiles" elsif device_count == 0 puts_warning "\t--> Skipping, because profile does not contain devices" else matches << match end end matches end # Generator. Finds matching profile and identity based on specified bundle id. Matches only valid identities. def get_matching_profiles_and_identities(new_bundle_id) profiles_path = File.expand_path('~/Library/MobileDevice/Provisioning Profiles/') puts_bold "--> Scan profiles at '#{profiles_path}' ..." Dir.foreach(profiles_path) do |filename| next if file_is_not_profile(filename) print_underline "Profile '#{filename}', " profile_path = File.join(profiles_path, filename) profile_name, app_id, certs, device_count, expiration_date = parse_profile(profile_path) puts "name = '#{profile_name}', app_id = '#{app_id}', #{device_count} device(s)" + (expiration_date.present? ? ", expires at #{expiration_date}" : '') unless bundle_id_corresponds_to_app_id(new_bundle_id, app_id) puts_warning "\t--> Can't use this profile, because app id '#{app_id}' doesn't allow new bundle id '#{new_bundle_id}'" next end puts_header "\t--> Profile's app id '#{app_id}' allows new bundle id '#{new_bundle_id}'" if expiration_date.present? && expiration_date < Time.now puts_warning "\t--> Can't use this profile, because it has expired at '#{expiration_date}'" next end puts_bold "\t--> Scan certs ..." get_matching_identities_from_certs(certs) do |identity_name| profile_info = ProfileInfo.new(profile_path, profile_name, app_id, device_count, expiration_date) match = [profile_info, identity_name] puts_header "\t--> Match found: #{profile_info.to_s}, identity_name='#{identity_name}'" yield match end end end def file_is_not_profile(filename) File.extname(filename) != '.mobileprovision' end def parse_profile(profile_path) plist = get_plist_from_file(profile_path) profile_name = plist['Name'] app_id = plist[ENTITLEMENTS_KEY][APPLICATION_IDENTIFIER_KEY] certs = plist['DeveloperCertificates'] expiration_date = plist['ExpirationDate'] devices = plist['ProvisionedDevices'] device_count = devices.present? ? devices.size : 0 return profile_name, app_id, certs, device_count, expiration_date end def get_plist_from_file(path) content = File.read(path) plist_start_index = content.index('') + ''.length profile_plist_str = content[plist_start_index...plist_end_index] Plist.from_str(profile_plist_str) end def bundle_id_corresponds_to_app_id(bundle_id, app_id) app_id_without_seed_id = app_id[app_id.index('.') + 1..-1] app_id_without_seed_id_regexp = app_id_without_seed_id.gsub('.', '\.').gsub('*', '.*') bundle_id =~ /#{app_id_without_seed_id_regexp}/ end # Generator. Returns list of valid identities based on the list of embedded certs from the profile file. def get_matching_identities_from_certs(certs) certs.each do |cert| key = OpenSSL::X509::Certificate.new(cert) # key.subject.to_a => [["UID", ..., ...], ["CN", identity_name, ...], ...] identity_name = key.subject.to_a[1][1] print "\tIdentity '#{identity_name}'... " unless identity_is_valid(identity_name) puts_warning 'invalid' next end puts_header 'valid!' yield identity_name end end def identity_is_valid(identity_name) @valid_keychain_identities_cache.include?(identity_name) end def get_valid_keychain_identities() keychain_name = 'XCodeKeys' keychain_path = %x[ security list | grep '#{keychain_name}' | sed 's/\"//g' | xargs ].strip security_report = %x[ '#{IDENTITIESLIST_UTILITY_PATH}' -k '#{keychain_path}' ] entries = security_report.lines.map(&:strip).reject(&:empty?) entries.to_set end def puts_bold(msg) puts msg.bold end def print_underline(msg) print msg.underline end def puts_header(msg) puts_bold msg.blue end def puts_warning(msg) puts_bold msg.yellow end end end end