Class: Fastlane::Actions::VerifyXcodeAction

Inherits:
Fastlane::Action show all
Defined in:
fastlane/lib/fastlane/actions/verify_xcode.rb

Constant Summary

Constants inherited from Fastlane::Action

Fastlane::Action::AVAILABLE_CATEGORIES, Fastlane::Action::RETURN_TYPES

Documentation collapse

Class Method Summary collapse

Methods inherited from Fastlane::Action

action_name, author, deprecated_notes, lane_context, method_missing, other_action, output, return_type, return_value, sample_return_value, shell_out_should_use_bundle_exec?, step_text

Class Method Details

.authorsObject


139
140
141
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 139

def self.authors
  ["KrauseFx"]
end

.available_optionsObject


125
126
127
128
129
130
131
132
133
134
135
136
137
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 125

def self.available_options
  [
    FastlaneCore::ConfigItem.new(key: :xcode_path,
                                 env_name: "FL_VERIFY_XCODE_XCODE_PATH",
                                 description: "The path to the Xcode installation to test",
                                 code_gen_sensitive: true,
                                 default_value: File.expand_path('../../', FastlaneCore::Helper.xcode_path),
                                 default_value_dynamic: true,
                                 verify_block: proc do |value|
                                   UI.user_error!("Couldn't find Xcode at path '#{value}'") unless File.exist?(value)
                                 end)
  ]
end

.categoryObject


154
155
156
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 154

def self.category
  :building
end

.descriptionObject


117
118
119
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 117

def self.description
  "Verifies that the Xcode installation is properly signed by Apple"
end

.detailsObject


121
122
123
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 121

def self.details
  "This action was implemented after the recent Xcode attack to make sure you're not using a [hacked Xcode installation](http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/)."
end

.example_codeObject


147
148
149
150
151
152
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 147

def self.example_code
  [
    'verify_xcode',
    'verify_xcode(xcode_path: "/Applications/Xcode.app")'
  ]
end

.is_supported?(platform) ⇒ Boolean

Returns:


143
144
145
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 143

def self.is_supported?(platform)
  [:ios, :mac].include?(platform)
end

.run(params) ⇒ Object


9
10
11
12
13
14
15
16
17
18
19
20
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 9

def self.run(params)
  UI.message("Verifying your Xcode installation at path '#{params[:xcode_path]}'...")

  # Check 1/2
  verify_codesign(params)

  # Check 2/2
  # More information https://developer.apple.com/news/?id=09222015a
  verify_gatekeeper(params)

  true
end

.show_and_raise_error(error, xcode_path) ⇒ Object


103
104
105
106
107
108
109
110
111
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 103

def self.show_and_raise_error(error, xcode_path)
  UI.error("Attention: Your Xcode Installation could not be verified.")
  UI.error("If you believe that your Xcode is valid, please submit an issue on GitHub")
  if error
    UI.error("The following information couldn't be found:")
    UI.error(error)
  end
  UI.user_error!("The Xcode installation at path '#{xcode_path}' could not be verified.")
end

.verify(command: nil, must_includes: nil, params: nil) ⇒ Object


87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 87

def self.verify(command: nil, must_includes: nil, params: nil)
  output = Actions.sh(command)

  errors = []
  must_includes.each do |current|
    next if output.include?(current)
    errors << current
  end

  if errors.count > 0
    show_and_raise_error(errors.join("\n"), params[:xcode_path])
  end

  return output
end

.verify_codesign(params) ⇒ Object


22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 22

def self.verify_codesign(params)
  UI.message("Verifying Xcode was signed by Apple Inc.")

  codesign_output = Actions.sh("codesign --display --verbose=4 #{params[:xcode_path].shellescape}")

  # If the returned codesign info contains all entries for any one of these sets, we'll consider it valid
  accepted_codesign_detail_sets = [
    [ # Found on App Store installed Xcode installations
      "Identifier=com.apple.dt.Xcode",
      "Authority=Apple Mac OS Application Signing",
      "Authority=Apple Worldwide Developer Relations Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=59GAB85EFG"
    ],
    [ # Found on App Store installed Xcode installations post-Xcode 11.3
      "Identifier=com.apple.dt.Xcode",
      "Authority=Apple Mac OS Application Signing",
      "Authority=Apple Worldwide Developer Relations Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=APPLECOMPUTER"
    ],
    [ # Found on Xcode installations (pre-Xcode 8) downloaded from developer.apple.com
      "Identifier=com.apple.dt.Xcode",
      "Authority=Software Signing",
      "Authority=Apple Code Signing Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=not set"
    ],
    [ # Found on Xcode installations (post-Xcode 8) downloaded from developer.apple.com
      "Identifier=com.apple.dt.Xcode",
      "Authority=Software Signing",
      "Authority=Apple Code Signing Certification Authority",
      "Authority=Apple Root CA",
      "TeamIdentifier=59GAB85EFG"
    ]
  ]

  # Map the accepted details sets into an equal number of sets collecting the details for which
  # the output of codesign did not have matches
  missing_details_sets = accepted_codesign_detail_sets.map do |accepted_details_set|
    accepted_details_set.reject { |detail| codesign_output.include?(detail) }
  end

  # If any of the sets is empty, it means that all details were matched, and the check is successful
  show_and_raise_error(nil, params[:xcode_path]) unless missing_details_sets.any?(&:empty?)

  UI.success("Successfully verified the code signature ✅")
end

.verify_gatekeeper(params) ⇒ Object


71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# File 'fastlane/lib/fastlane/actions/verify_xcode.rb', line 71

def self.verify_gatekeeper(params)
  UI.message("Verifying Xcode using GateKeeper...")
  UI.message("This will take up to a few minutes, now is a great time to go for a coffee ☕...")

  command = "/usr/sbin/spctl --assess --verbose #{params[:xcode_path].shellescape}"
  must_includes = ['accepted']

  output = verify(command: command, must_includes: must_includes, params: params)

  if output.include?("source=Mac App Store") || output.include?("source=Apple") || output.include?("source=Apple System")
    UI.success("Successfully verified Xcode installation at path '#{params[:xcode_path]}' 🎧")
  else
    show_and_raise_error("Invalid Download Source of Xcode: #{output}", params[:xcode_path])
  end
end