Class: Fastlane::Actions::VerifyXcodeAction

Inherits:
Fastlane::Action show all
Defined in:
fastlane/lib/fastlane/actions/verify_xcode.rb

Constant Summary

Constants inherited from Fastlane::Action

Fastlane::Action::AVAILABLE_CATEGORIES, Fastlane::Action::RETURN_TYPES

Documentation collapse

Class Method Summary collapse

Methods inherited from Fastlane::Action

action_name, author, deprecated_notes, lane_context, method_missing, other_action, output, return_type, return_value, sample_return_value, shell_out_should_use_bundle_exec?, step_text

Class Method Details

.authorsObject


132
133
134
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 132

def self.authors
  ["KrauseFx"]
end

.available_optionsObject


118
119
120
121
122
123
124
125
126
127
128
129
130
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 118

def self.available_options
  [
    FastlaneCore::ConfigItem.new(key: :xcode_path,
                                 env_name: "FL_VERIFY_XCODE_XCODE_PATH",
                                 description: "The path to the Xcode installation to test",
                                 code_gen_sensitive: true,
                                 default_value: File.expand_path('../../', FastlaneCore::Helper.xcode_path),
                                 default_value_dynamic: true,
                                 verify_block: proc do |value|
                                   UI.user_error!("Couldn't find Xcode at path '#{value}'") unless File.exist?(value)
                                 end)
  ]
end

.categoryObject


147
148
149
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 147

def self.category
  :building
end

.descriptionObject


110
111
112
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 110

def self.description
  "Verifies that the Xcode installation is properly signed by Apple"
end

.detailsObject


114
115
116
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 114

def self.details
  "This action was implemented after the recent Xcode attack to make sure you're not using a [hacked Xcode installation](http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/)."
end

.example_codeObject


140
141
142
143
144
145
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 140

def self.example_code
  [
    'verify_xcode',
    'verify_xcode(xcode_path: "/Applications/Xcode.app")'
  ]
end

.is_supported?(platform) ⇒ Boolean

Returns:


136
137
138
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 136

def self.is_supported?(platform)
  [:ios, :mac].include?(platform)
end

.run(params) ⇒ Object


9
10
11
12
13
14
15
16
17
18
19
20
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 9

def self.run(params)
  UI.message("Verifying your Xcode installation at path '#{params[:xcode_path]}'...")

  # Check 1/2
  verify_codesign(params)

  # Check 2/2
  # More information https://developer.apple.com/news/?id=09222015a
  verify_gatekeeper(params)

  true
end

.show_and_raise_error(error, xcode_path) ⇒ Object


96
97
98
99
100
101
102
103
104
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 96

def self.show_and_raise_error(error, xcode_path)
  UI.error("Attention: Your Xcode Installation could not be verified.")
  UI.error("If you believe that your Xcode is valid, please submit an issue on GitHub")
  if error
    UI.error("The following information couldn't be found:")
    UI.error(error)
  end
  UI.user_error!("The Xcode installation at path '#{xcode_path}' could not be verified.")
end

.verify(command: nil, must_includes: nil, params: nil) ⇒ Object


80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 80

def self.verify(command: nil, must_includes: nil, params: nil)
  output = Actions.sh(command)

  errors = []
  must_includes.each do |current|
    next if output.include?(current)
    errors << current
  end

  if errors.count > 0
    show_and_raise_error(errors.join("\n"), params[:xcode_path])
  end

  return output
end

.verify_codesign(params) ⇒ Object


22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 22

def self.verify_codesign(params)
  UI.message("Verifying Xcode was signed by Apple Inc.")

  codesign_output = Actions.sh("codesign --display --verbose=4 #{params[:xcode_path].shellescape}")

  # If the returned codesign info contains all entries for any one of these sets, we'll consider it valid
  accepted_codesign_detail_sets = [
    [ # Found on App Store installed Xcode installations
      "Identifier=com.apple.dt.Xcode",
      "Authority=Apple Mac OS Application Signing",
      "Authority=Apple Worldwide Developer Relations Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=59GAB85EFG"
    ],
    [ # Found on Xcode installations (pre-Xcode 8) downloaded from developer.apple.com
      "Identifier=com.apple.dt.Xcode",
      "Authority=Software Signing",
      "Authority=Apple Code Signing Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=not set"
    ],
    [ # Found on Xcode installations (post-Xcode 8) downloaded from developer.apple.com
      "Identifier=com.apple.dt.Xcode",
      "Authority=Software Signing",
      "Authority=Apple Code Signing Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=59GAB85EFG"
    ]
  ]

  # Map the accepted details sets into an equal number of sets collecting the details for which
  # the output of codesign did not have matches
  missing_details_sets = accepted_codesign_detail_sets.map do |accepted_details_set|
    accepted_details_set.reject { |detail| codesign_output.include?(detail) }
  end

  # If any of the sets is empty, it means that all details were matched, and the check is successful
  show_and_raise_error(nil, params[:xcode_path]) unless missing_details_sets.any?(&:empty?)

  UI.success("Successfully verified the code signature ✅")
end

.verify_gatekeeper(params) ⇒ Object


64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 64

def self.verify_gatekeeper(params)
  UI.message("Verifying Xcode using GateKeeper...")
  UI.message("This will take up to a few minutes, now is a great time to go for a coffee ☕...")

  command = "/usr/sbin/spctl --assess --verbose #{params[:xcode_path].shellescape}"
  must_includes = ['accepted']

  output = verify(command: command, must_includes: must_includes, params: params)

  if output.include?("source=Mac App Store") || output.include?("source=Apple") || output.include?("source=Apple System")
    UI.success("Successfully verified Xcode installation at path '#{params[:xcode_path]}' 🎧")
  else
    show_and_raise_error("Invalid Download Source of Xcode: #{output}", params[:xcode_path])
  end
end