Class: Pindo::CertHelper

Inherits:
Object
  • Object
Defined in:
lib/pindo/module/cert/cert_helper.rb

Constant Summary

@@password_cache =

密码缓存,避免重复获取相同URL的密码

{}

Class Method Summary

Class Method Details

.clean_git_certs(apple_id:, pindo_dir:, deploy_cert_giturl:, dev_cert_giturl:, demo_apple_id:) ⇒ Object

清理 Git 仓库中的证书

Parameters:

  • apple_id (String)

    Apple ID

  • pindo_dir (String)

    Pindo 目录路径

  • deploy_cert_giturl (String)

    部署证书 Git URL

  • dev_cert_giturl (String)

    开发证书 Git URL

  • demo_apple_id (String)

    Demo Apple ID



# File 'lib/pindo/module/cert/cert_helper.rb', line 25

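# Deletes the `certs` and `profiles` directories from the certificate Git
# repository and pushes the removal to the remote.
#
# The repository is checked out on a branch named after the Apple ID, so the
# push removes the signing material stored for that Apple ID on the remote.
#
# @param apple_id [String] Apple ID; also used as the branch name and in the commit message
# @param pindo_dir [String] Pindo directory the repository is checked out under
# @param deploy_cert_giturl [String] Git URL of the deploy certificate repository
# @param dev_cert_giturl [String] Git URL of the development certificate repository
# @param demo_apple_id [String] Apple ID that selects the development repository
# @raise [Informative] when the checkout does not yield an existing directory
# @return [nil]
def clean_git_certs(apple_id:, pindo_dir:, deploy_cert_giturl:, dev_cert_giturl:, demo_apple_id:)
  require_relative '../../base/git_handler'

  # The demo Apple ID uses the development repository; every other ID uses the deploy one.
  git_url = apple_id.eql?(demo_apple_id) ? dev_cert_giturl : deploy_cert_giturl

  puts "正在清理 Git 仓库中的证书..."
  puts "Apple ID: #{apple_id}"
  # NOTE(review): the URL is printed verbatim; if it can carry embedded
  # credentials they end up in terminal and CI logs. Confirm against callers.
  puts "Git URL: #{git_url}"

  # Clone or update the certificate repository.
  cert_repo_dir = Pindo::GitHandler.getcode_to_dir(
    reponame: Pindo::GitHandler.get_repo_base_name(repo_url: git_url),
    remote_url: git_url,
    path: pindo_dir,
    new_branch: apple_id
  )

  # Refuse to delete anything unless the checkout is a real directory.
  # File.join("", "certs") is "/certs", so an empty result would otherwise
  # point the recursive delete at the filesystem root.
  if cert_repo_dir.nil? || cert_repo_dir.to_s.empty? || !File.directory?(cert_repo_dir)
    raise Informative, "Certificate repository checkout not found: #{cert_repo_dir.inspect}"
  end

  # rm_rf ignores paths that do not exist, so no separate existence check is needed.
  %w[certs profiles].each do |sub_dir|
    FileUtils.rm_rf(File.join(cert_repo_dir, sub_dir))
  end

  puts "✓ 已删除 certs 和 profiles 目录"

  # Commit the removal and push it to the remote repository.
  Pindo::GitHandler.prepare_gitenv()
  Pindo::GitHandler.git_addpush_repo(path: cert_repo_dir, message: "remove #{apple_id} certs")

  puts "✓ Git 仓库证书清理完成"
end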

.clean_local_certs ⇒ Object

清理本地证书:删除系统中所有的 Apple Development 和 Apple Distribution 证书,并清理 Provisioning Profiles 文件夹



# File 'lib/pindo/module/cert/cert_helper.rb', line 62

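# Removes local code-signing material: every identity that
# `security find-identity -p codesigning` lists with "Apple Development" or
# "Apple Distribution" in its line, plus the whole
# ~/Library/MobileDevice/Provisioning Profiles folder.
#
# The selection is by name only, so identities that were not installed by this
# tool are deleted as well.
#
# @return [nil]
def clean_local_certs
  puts "正在清理本地证书..."

  # List all code-signing identities. Argument-list form: no shell is involved.
  output, _status = Open3.capture2('security', 'find-identity', '-p', 'codesigning')
  lines = output.split("\n")

  # The second whitespace-separated token of a matching line is the identity hash.
  identity_ids = ['Apple Development', 'Apple Distribution'].flat_map do |label|
    lines.select { |line| line.include?(label) }.map { |line| line.split(' ')[1] }
  end
  # Only hexadecimal tokens are passed on to the delete command; anything else
  # parsed out of the tool output is dropped.
  identity_ids = identity_ids.compact.uniq.select { |token| token.match?(/\A\h+\z/) }

  puts "找到 #{identity_ids.size} 个证书:"
  puts identity_ids

  # Delete each certificate by hash, again without going through a shell.
  identity_ids.each do |identity_id|
    system('security', 'delete-certificate', '-Z', identity_id)
  end

  # Clean up the Provisioning Profiles folder.
  profile_file_dir = File.expand_path("~/Library/MobileDevice")
  profile_file_path = File.join(profile_file_dir, "Provisioning Profiles")
  if File.exist?(profile_file_path)
    FileUtils.rm_rf(profile_file_path)
    puts "✓ 已清理 Provisioning Profiles 文件夹"
  end

  puts "✓ 本地证书清理完成"
end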

.clear_password_cache ⇒ Object

清除密码缓存



# File 'lib/pindo/module/cert/cert_helper.rb', line 104

# Empties the in-process password cache.
#
# Only the cache entries are dropped; the password strings themselves are not
# overwritten, and whatever AESHelper keeps for the same URLs is untouched.
#
# @return [Hash] the emptied cache hash
def clear_password_cache
  cache = @@password_cache
  cache.clear
end

.clear_password_cache_for_url(cert_url) ⇒ Object

清除特定URL的密码缓存



# File 'lib/pindo/module/cert/cert_helper.rb', line 109

# Drops the cached password for a single certificate URL.
#
# @param cert_url [String] cache key whose entry should be removed
# @return [Object, nil] the value that was cached for the URL (that is, the
#   password itself), or nil when nothing was cached; callers should not log it
def clear_password_cache_for_url(cert_url)
  evicted = @@password_cache.delete(cert_url)
  evicted
end

.get_cached_password(cert_url) ⇒ Object

获取密码的辅助方法,使用缓存避免重复获取



# File 'lib/pindo/module/cert/cert_helper.rb', line 92

# Returns the decryption password for a certificate URL, asking AESHelper only
# when the in-process cache has no truthy entry for that URL.
#
# The debug lines (enabled by the PINDO_DEBUG environment variable) print the
# URL only, never the password. The fetched value stays in @@password_cache
# until it is deleted or the cache is cleared. A nil or false result is not
# treated as cached, so the lookup is repeated on the next call.
#
# @param cert_url [String] cache key, also passed to AESHelper.fetch_password as keychain_name
# @return [Object] the value returned by AESHelper.fetch_password
def get_cached_password(cert_url)
  if @@password_cache[cert_url]
    puts "\e[32m[DEBUG] 从密码缓存获取: #{cert_url}\e[0m" if ENV['PINDO_DEBUG']
  else
    puts "\e[33m[DEBUG] 密码缓存中未找到,从Keychain获取: #{cert_url}\e[0m" if ENV['PINDO_DEBUG']
    @@password_cache[cert_url] = AESHelper.fetch_password(keychain_name: cert_url)
    puts "\e[32m[DEBUG] 密码已缓存: #{cert_url}\e[0m" if ENV['PINDO_DEBUG']
  end

  @@password_cache[cert_url]
end

.get_cert_info(cer_certificate) ⇒ Object



# File 'lib/pindo/module/cert/cert_helper.rb', line 113

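# Extracts the subject fields and the validity window of an X.509 certificate.
#
# The certificate is only parsed here; nothing about its signature, issuer
# chain or revocation status is checked.
#
# @param cer_certificate [String] a certificate file path, or the certificate data itself
# @return [Array<Array>] [label, value] pairs for the subject fields, followed by
#   ['Start Datetime', Time] and ['End Datetime', Time]
# @raise [Informative] wrapping any error raised while reading or parsing
def get_cert_info(cer_certificate)
  # Accepts either a certificate path or the file data.
  begin
    cer_certificate = File.binread(cer_certificate) if File.exist?(cer_certificate)
  rescue ArgumentError
    # Certificate data contains null bytes, which File.exist? rejects;
    # the argument is then used as data.
  end

  cert = OpenSSL::X509::Certificate.new(cer_certificate)

  openssl_keys_to_readable_keys = {
    'UID' => 'User ID',
    'CN' => 'Common Name',
    'OU' => 'Organisation Unit',
    'O' => 'Organisation',
    'C' => 'Country',
    'notBefore' => 'Start Datetime',
    'notAfter' => 'End Datetime'
  }

  # openssl output:
  # subject= /UID={User ID}/CN={Certificate Name}/OU={Certificate User}/O={Organisation}/C={Country}
  # NOTE: fields are separated on "/", so a value that itself contains "/" is still cut there.
  subject_fields = cert.subject.to_s.gsub(/\s*subject=\s*/, "").tr("/", "\n").split("\n")

  pairs = subject_fields.select { |field| field.include?("=") }.map do |field|
    # Split on the first "=" only, so a value that contains "=" is kept whole.
    key, value = field.split("=", 2)
    [openssl_keys_to_readable_keys.fetch(key, key), value]
  end

  pairs.push(
    [openssl_keys_to_readable_keys.fetch("notBefore"), cert.not_before],
    [openssl_keys_to_readable_keys.fetch("notAfter"), cert.not_after]
  )
rescue => ex
  raise Informative, "get_cert_info: #{ex}"
end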

.install_certs(cert_url: nil, certs_dir: nil, cert_type: nil, platform_type: nil) ⇒ Object



# File 'lib/pindo/module/cert/cert_helper.rb', line 164

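# Decrypts the first certificate (.cer) and key (.p12) found for the requested
# type and imports both into the login keychain. Import only happens on macOS.
#
# The decrypted certificate and private key are written to a temporary
# directory that is removed when the method finishes, including when it raises,
# so no plaintext key material is left behind in the temp folder.
#
# @param cert_url [String] certificate repository URL; key for the password lookup
# @param certs_dir [String] checkout directory containing the `certs` folder
# @param cert_type [String] certificate type, e.g. a name containing "development", or "appstore"
# @param platform_type [String] platform name; "macos" selects the macOS directory layout
# @raise [Informative] when no certificate/key is found, decryption fails, or the certificate has expired
# @return [Object] the result of the final Funlog call
def install_certs(cert_url:nil, certs_dir:nil, cert_type:nil, platform_type:nil)
  requested_type = cert_type.downcase

  # Map the requested type to the sub-directory used inside the repository.
  cert_git_dir =
    if platform_type.downcase.eql?("macos")
      if requested_type.include?("development")
        "development"
      elsif requested_type.eql?("appstore")
        "distribution"
      else
        "developer_id_application"
      end
    elsif requested_type.include?("development")
      requested_type
    else
      "distribution"
    end

  certs = Dir[File.join(certs_dir, "certs", cert_git_dir.to_s, "*.cer")]
  keys = Dir[File.join(certs_dir, "certs", cert_git_dir.to_s, "*.p12")]

  raise Informative, "No certificates found in #{certs_dir}" if certs.empty? || keys.empty?

  # Block form: the directory holding the decrypted files is deleted on exit.
  Dir.mktmpdir do |output_dir|
    decrypt_password = CertHelper.get_cached_password(cert_url)
    Funlog.instance.fancyinfo_start("正在安装证书...")

    # Decrypts one file; a missing result is treated as a wrong password, which
    # is then removed from both AESHelper's store and the in-memory cache so it
    # is not reused.
    decrypt_or_forget = lambda do |encrypted_file|
      plain_path = AESHelper.decrypt_specific_file(src_file: encrypted_file, password: decrypt_password, output_dir: output_dir)
      if plain_path.nil? || plain_path.empty? || !File.exist?(plain_path)
        AESHelper.delete_password(keychain_name: cert_url)
        @@password_cache.delete(cert_url)
        raise Informative, "证书解析失败,密码错误!"
      end
      plain_path
    end

    cert_path = decrypt_or_forget.call(certs.first)
    key_path = decrypt_or_forget.call(keys.first)

    unless is_cert_valid?(cert_path)
      raise Informative, "证书已经过期,请重新生产新证书!"
    end

    if isMac?
      if FastlaneCore::CertChecker.installed?(cert_path, in_keychain: nil)
        Funlog.instance.fancyinfo_success("证书#{File.basename(cert_path)}已安装,无需重复安装!")
      else
        # The configured cert_key_password is passed as the keychain password;
        # the certificate and key files themselves are imported with an empty password.
        cert_password = Pindoconfig.instance.cert_key_password
        keychain_path = FastlaneCore::Helper.keychain_path('login.keychain')

        KeychainHelper.import_file(cert_path, keychain_path, keychain_password: cert_password, certificate_password: '')
        KeychainHelper.import_file(key_path, keychain_path, keychain_password: cert_password, certificate_password: '')

        Funlog.instance.fancyinfo_success("证书'#{File.basename(cert_path)}'安装完成!")
      end
    else
      Funlog.instance.fancyinfo_error("非Mac电脑不支持安装证书!")
    end
  end
end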

.install_provisionfiles(cert_url: nil, certs_dir: nil, bundle_id_map: nil, cert_type: nil, platform_type: nil) ⇒ Object



# File 'lib/pindo/module/cert/cert_helper.rb', line 237

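# Decrypts and installs one provisioning profile per entry of bundle_id_map and
# returns a description of each installed profile.
#
# Profiles that are missing from the checkout are collected and reported in a
# single Informative error after the existing ones have been installed.
#
# @param cert_url [String] certificate repository URL; key for the password lookup
# @param certs_dir [String] checkout directory containing the `profiles` folder
# @param bundle_id_map [Hash] type => bundle id
# @param cert_type [String] certificate type (development / adhoc / appstore / other)
# @param platform_type [String] platform name; a value containing "macos" selects .provisionprofile files
# @raise [Informative] when a profile cannot be decrypted or a profile file is missing
# @return [Array<Hash>] one hash per profile with the keys 'type', 'bundle_id',
#   'profile_name', 'profile_path', 'signing_identity' and 'team_id'
def install_provisionfiles(cert_url:nil, certs_dir:nil, bundle_id_map:nil, cert_type:nil, platform_type:nil)
  requested_type = cert_type.downcase
  on_macos = platform_type.downcase.include?("macos")
  provision_extension_name = on_macos ? ".provisionprofile" : ".mobileprovision"

  # File-name prefix and repository sub-directory for the requested type.
  provision_start_name, cert_sub_dir =
    if requested_type.include?("development")
      ["Development", requested_type]
    elsif on_macos
      requested_type.eql?("appstore") ? ["AppStore", "appstore"] : ["Direct", "developer_id"]
    elsif requested_type.include?("adhoc")
      ["AdHoc", "adhoc"]
    else
      ["AppStore", "appstore"]
    end

  Funlog.instance.fancyinfo_start("正在安装#{provision_start_name}  #{platform_type} Provisioning Profiles...")

  un_exist_files = []
  provisioning_info_array = []

  # Fetch the password once, outside the loop, so it is not added to the Keychain repeatedly.
  decrypt_password = CertHelper.get_cached_password(cert_url)

  bundle_id_map.each do |type, bundle_id_temp|
    profile_filename = File.join(certs_dir, "profiles", cert_sub_dir, "#{provision_start_name}_#{bundle_id_temp}#{provision_extension_name}")
    unless File.exist?(profile_filename)
      un_exist_files << profile_filename
      next
    end

    # NOTE(review): this temporary directory (one per profile) is never removed.
    # Confirm that Provisioninghelper.install copies the file before adding cleanup.
    output_dir = Dir.mktmpdir
    file_decrypt = AESHelper.decrypt_specific_file(src_file: profile_filename, password: decrypt_password, output_dir: output_dir)

    # Same handling as install_certs: a missing result is treated as a wrong
    # password, which is dropped from AESHelper's store and the in-memory cache.
    if file_decrypt.nil? || file_decrypt.empty? || !File.exist?(file_decrypt)
      AESHelper.delete_password(keychain_name: cert_url)
      @@password_cache.delete(cert_url)
      raise Informative, "证书解析失败,密码错误!"
    end

    destpath = Provisioninghelper.install(file_decrypt)
    parsed_data = Provisioninghelper.parse(destpath)

    # The signing identity is the Common Name of the first developer certificate in the profile.
    cert_info = get_cert_info(parsed_data["DeveloperCertificates"].first.string).to_h

    provisioning_info_array << {
      'type' => type,
      'bundle_id' => bundle_id_temp,
      'profile_name' => parsed_data['Name'],
      'profile_path' => destpath,
      'signing_identity' => cert_info["Common Name"],
      'team_id' => parsed_data["TeamIdentifier"].first
    }
  end

  Funlog.instance.fancyinfo_success("#{provision_start_name} #{platform_type} Provisioning Profiles文件安装完成!")

  unless un_exist_files.empty?
    Funlog.instance.fancyinfo_error("证书 #{provision_start_name}  #{platform_type} Provisioning Profiles文件不存在!")
    raise Informative, "The following profiles do not exist: #{un_exist_files.join(', ')}"
  end

  provisioning_info_array
end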

.is_cert_valid?(cer_certificate_path) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pindo/module/cert/cert_helper.rb', line 154

# Tells whether the certificate at the given path has not yet expired.
#
# Only the notAfter date is compared with the current time. The notBefore date,
# the signature, the issuer chain and revocation status are not checked, so a
# true result means "not expired", not "trusted".
#
# @param cer_certificate_path [String] path to the certificate file
# @return [Boolean] true while the current time is before the certificate's notAfter
def is_cert_valid?(cer_certificate_path)
  certificate_data = File.binread(cer_certificate_path)
  expires_at = OpenSSL::X509::Certificate.new(certificate_data).not_after
  Time.now.utc < expires_at
end

.isMac? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pindo/module/cert/cert_helper.rb', line 160

# Tells whether the running Ruby reports a Darwin (macOS) platform.
#
# @return [Boolean] true when RUBY_PLATFORM contains "darwin"
def isMac?
  RUBY_PLATFORM.include?("darwin")
end

.select_cert_or_key(paths:) ⇒ Object



# File 'lib/pindo/module/cert/cert_helper.rb', line 149

# Picks one path from a list of certificate or key paths.
#
# When the MATCH_CERTIFICATE_ID environment variable is set, the first path
# containing that value wins. The match is a plain substring test on the whole
# path, so a short ID can also match a directory name or a different file.
# Without a match (or without the variable) the last path is returned.
#
# @param paths [Array<String>] candidate file paths
# @return [String, nil] the selected path, or nil when paths is empty
def select_cert_or_key(paths:)
  wanted_id = ENV['MATCH_CERTIFICATE_ID']
  pinned = paths.find { |candidate| candidate.include?(wanted_id) } if wanted_id
  pinned || paths.last
end