Class: Fastlane::Actions::VerifyXcodeAction

Inherits:
Fastlane::Action show all
Defined in:
lib/fastlane/actions/verify_xcode.rb

Constant Summary

Constants inherited from Fastlane::Action

Fastlane::Action::AVAILABLE_CATEGORIES

Documentation collapse

Class Method Summary collapse

Methods inherited from Fastlane::Action

action_name, author, lane_context, method_missing, other_action, output, return_value, sample_return_value, sh, step_text

Class Method Details

.authorsObject



134
135
136
# File 'lib/fastlane/actions/verify_xcode.rb', line 134

def self.authors
  ["KrauseFx"]
end

.available_optionsObject



122
123
124
125
126
127
128
129
130
131
132
# File 'lib/fastlane/actions/verify_xcode.rb', line 122

def self.available_options
  [
    FastlaneCore::ConfigItem.new(key: :xcode_path,
                                 env_name: "FL_VERIFY_XCODE_XCODE_PATH",
                                 description: "The path to the Xcode installation to test",
                                 default_value: File.expand_path('../../', FastlaneCore::Helper.xcode_path),
                                 verify_block: proc do |value|
                                   UI.user_error!("Couldn't find Xcode at path '#{value}'") unless File.exist?(value)
                                 end)
  ]
end

.categoryObject



149
150
151
# File 'lib/fastlane/actions/verify_xcode.rb', line 149

def self.category
  :building
end

.descriptionObject



110
111
112
# File 'lib/fastlane/actions/verify_xcode.rb', line 110

def self.description
  "Verifies that the Xcode installation is properly signed by Apple"
end

.detailsObject



114
115
116
117
118
119
120
# File 'lib/fastlane/actions/verify_xcode.rb', line 114

def self.details
  [
    "This action was implemented after the recent Xcode attack to make sure",
    "you're not using a hacked Xcode installation.",
    "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
  ].join("\n")
end

.example_codeObject



142
143
144
145
146
147
# File 'lib/fastlane/actions/verify_xcode.rb', line 142

def self.example_code
  [
    'verify_xcode',
    'verify_xcode(xcode_path: "/Applications/Xcode.app")'
  ]
end

.is_supported?(platform) ⇒ Boolean

Returns:

  • (Boolean)


138
139
140
# File 'lib/fastlane/actions/verify_xcode.rb', line 138

def self.is_supported?(platform)
  [:ios, :mac].include?(platform)
end

.run(params) ⇒ Object



9
10
11
12
13
14
15
16
17
18
19
20
# File 'lib/fastlane/actions/verify_xcode.rb', line 9

def self.run(params)
  UI.message("Verifying your Xcode installation at path '#{params[:xcode_path]}'...")

  # Check 1/2
  verify_codesign(params)

  # Check 2/2
  # More information https://developer.apple.com/news/?id=09222015a
  verify_gatekeeper(params)

  true
end

.show_and_raise_error(error, xcode_path) ⇒ Object



96
97
98
99
100
101
102
103
104
# File 'lib/fastlane/actions/verify_xcode.rb', line 96

def self.show_and_raise_error(error, xcode_path)
  UI.error("Attention: Your Xcode Installation could not be verified.")
  UI.error("If you believe that your Xcode is valid, please submit an issue on GitHub")
  if error
    UI.error("The following information couldn't be found:")
    UI.error(error)
  end
  UI.user_error!("The Xcode installation at path '#{xcode_path}' could not be verified.")
end

.verify(command: nil, must_includes: nil, params: nil) ⇒ Object



80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# File 'lib/fastlane/actions/verify_xcode.rb', line 80

def self.verify(command: nil, must_includes: nil, params: nil)
  output = Actions.sh(command)

  errors = []
  must_includes.each do |current|
    next if output.include?(current)
    errors << current
  end

  if errors.count > 0
    show_and_raise_error(errors.join("\n"), params[:xcode_path])
  end

  return output
end

.verify_codesign(params) ⇒ Object



22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# File 'lib/fastlane/actions/verify_xcode.rb', line 22

def self.verify_codesign(params)
  UI.message("Verifying Xcode was signed by Apple Inc.")

  codesign_output = Actions.sh("codesign --display --verbose=4 #{params[:xcode_path].shellescape}")

  # If the returned codesign info contains all entries for any one of these sets, we'll consider it valid
  accepted_codesign_detail_sets = [
    [ # Found on App Store installed Xcode installations
      "Identifier=com.apple.dt.Xcode",
      "Authority=Apple Mac OS Application Signing",
      "Authority=Apple Worldwide Developer Relations Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=59GAB85EFG"
    ],
    [ # Found on Xcode installations (pre-Xcode 8) downloaded from developer.apple.com
      "Identifier=com.apple.dt.Xcode",
      "Authority=Software Signing",
      "Authority=Apple Code Signing Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=not set"
    ],
    [ # Found on Xcode installations (post-Xcode 8) downloaded from developer.apple.com
      "Identifier=com.apple.dt.Xcode",
      "Authority=Software Signing",
      "Authority=Apple Code Signing Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=59GAB85EFG"
    ]
  ]

  # Map the accepted details sets into an equal number of sets collecting the details for which
  # the output of codesign did not have matches
  missing_details_sets = accepted_codesign_detail_sets.map do |accepted_details_set|
    accepted_details_set.reject { |detail| codesign_output.include?(detail) }
  end

  # If any of the sets is empty, it means that all details were matched, and the check is successful
  show_and_raise_error(nil, params[:xcode_path]) unless missing_details_sets.any?(&:empty?)

  UI.success("Successfully verified the code signature ✅")
end

.verify_gatekeeper(params) ⇒ Object



64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# File 'lib/fastlane/actions/verify_xcode.rb', line 64

def self.verify_gatekeeper(params)
  UI.message("Verifying Xcode using GateKeeper...")
  UI.message("This will take up to a few minutes, now is a great time to go for a coffee ☕...")

  command = "/usr/sbin/spctl --assess --verbose #{params[:xcode_path].shellescape}"
  must_includes = ['accepted']

  output = verify(command: command, must_includes: must_includes, params: params)

  if output.include?("source=Mac App Store") or output.include?("source=Apple") or output.include?("source=Apple System")
    UI.success("Successfully verified Xcode installation at path '#{params[:xcode_path]}' 🎧")
  else
    show_and_raise_error("Invalid Download Source of Xcode: #{output}", params[:xcode_path])
  end
end