require "dotenv" require "base64" require "fileutils" require "json" require "net/http" require "open3" require "openssl" require "securerandom" require "shellwords" require "uri" require "yaml" Dotenv.load(File.expand_path("../.env", __dir__)) default_platform(:ios) APP_IDENTIFIER = ENV.fetch("FASTLANE_APP_IDENTIFIER", "net.buzzert.sybil2") TEAM_ID = ENV.fetch("FASTLANE_TEAM_ID", "DQQH5H6GBD") APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828") PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2") PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"] SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"] IOS_ROOT = File.expand_path("..", __dir__) PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj") PROJECT_SPEC = File.join(IOS_ROOT, "project.yml") APP_SPEC = File.join(IOS_ROOT, "Apps/Sybil/project.yml") SIGNING_OUTPUT_DIR = File.join(IOS_ROOT, "build/signing") SCHEME = "Sybil" TARGET = "SybilApp" def present?(value) !value.to_s.strip.empty? end def capture(command) stdout, stderr, status = Open3.capture3(command) return stdout.strip if status.success? UI.user_error!("Command failed: #{command}\n#{stderr.strip}") end def run_silent(*command, error_message:) _stdout, stderr, status = Open3.capture3(*command) return if status.success? UI.user_error!("#{error_message}\n#{stderr.strip}") end def user_keychains capture("security list-keychains -d user").lines.map { |line| line.strip.delete('"') }.reject(&:empty?) end def app_project_settings YAML.safe_load(File.read(APP_SPEC)).fetch("targets").fetch(TARGET).fetch("settings").fetch("base") end def local_marketing_version app_project_settings.fetch("MARKETING_VERSION").to_s end def local_build_number app_project_settings.fetch("CURRENT_PROJECT_VERSION").to_i end def normalize_version_tag(tag) version = tag.to_s.strip.sub(%r{\Arelease/}, "").sub(/\Av/, "") unless version.match?(/\A\d+\.\d+\.\d+\z/) UI.user_error!("Release tag #{tag.inspect} must look like release/v1.10.0") end version end def release_version tag = ENV["SYBIL_VERSION_TAG"] tag = capture("git describe --tags --abbrev=0") unless present?(tag) normalize_version_tag(tag) end def xcode_build_setting(key, value) "#{key}=#{value.to_s.shellescape}" end def env_line(key, value) "#{key}=#{value.to_s.shellescape}" end def base64url(value) Base64.urlsafe_encode64(value).delete("=") end def integer_to_fixed_bytes(integer, length) hex = integer.to_s(16) hex = "0#{hex}" if hex.length.odd? [hex].pack("H*").rjust(length, "\0")[-length, length] end def app_store_connect_private_key key_path = ENV["APP_STORE_CONNECT_API_KEY_PATH"] key_content = ENV["APP_STORE_CONNECT_API_KEY_CONTENT"] pem = if present?(key_path) File.read(key_path) elsif present?(key_content) ENV["APP_STORE_CONNECT_API_KEY_CONTENT_BASE64"].to_s == "true" ? Base64.decode64(key_content) : key_content end UI.user_error!("App Store Connect API key content is required") unless present?(pem) OpenSSL::PKey::EC.new(pem) end def app_store_connect_jwt key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"] issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"] issuer_id = ENV["APP_STORE_CONNECT_API_KEY_ISSUER_ID"] unless present?(issuer_id) UI.user_error!("App Store Connect API key id and issuer id are required") unless present?(key_id) && present?(issuer_id) header = { alg: "ES256", kid: key_id, typ: "JWT" } payload = { iss: issuer_id, iat: Time.now.to_i, exp: Time.now.to_i + 600, aud: "appstoreconnect-v1" } unsigned = [base64url(header.to_json), base64url(payload.to_json)].join(".") asn1_signature = app_store_connect_private_key.dsa_sign_asn1(OpenSSL::Digest::SHA256.digest(unsigned)) signature_sequence = OpenSSL::ASN1.decode(asn1_signature) raw_signature = signature_sequence.value.map { |part| integer_to_fixed_bytes(part.value, 32) }.join [unsigned, base64url(raw_signature)].join(".") end def app_store_connect_request(method, path, payload = nil) uri = URI("https://api.appstoreconnect.apple.com#{path}") request_class = Net::HTTP.const_get(method.to_s.capitalize) request = request_class.new(uri) request["Authorization"] = "Bearer #{app_store_connect_jwt}" if payload request["Content-Type"] = "application/json" request.body = payload.to_json end response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| http.request(request) } return {} if response.is_a?(Net::HTTPSuccess) && response.body.to_s.empty? return JSON.parse(response.body) if response.is_a?(Net::HTTPSuccess) UI.user_error!("App Store Connect API request failed: #{method.to_s.upcase} #{path}\n#{response.body}") end def bundle_id_resource_id response = app_store_connect_request( :get, "/v1/bundleIds?filter[identifier]=#{URI.encode_www_form_component(APP_IDENTIFIER)}&limit=1" ) id = response.fetch("data", []).first&.fetch("id", nil) UI.user_error!("Could not find App Store Connect bundle id resource for #{APP_IDENTIFIER}") unless present?(id) id end def recreate_app_store_profile(certificate_id) existing = app_store_connect_request( :get, "/v1/profiles?filter[name]=#{URI.encode_www_form_component(PROFILE_SPECIFIER)}&limit=200" ) existing.fetch("data", []).each do |profile| app_store_connect_request(:delete, "/v1/profiles/#{profile.fetch("id")}") end payload = { data: { type: "profiles", attributes: { name: PROFILE_SPECIFIER, profileType: "IOS_APP_STORE" }, relationships: { bundleId: { data: { type: "bundleIds", id: bundle_id_resource_id } }, certificates: { data: [{ type: "certificates", id: certificate_id }] } } } } response = app_store_connect_request(:post, "/v1/profiles", payload) profile_content = response.dig("data", "attributes", "profileContent") UI.user_error!("App Store Connect profile response did not include profileContent") unless present?(profile_content) profile_path = File.join(SIGNING_OUTPUT_DIR, "Sybil_AppStore_CI.mobileprovision") File.binwrite(profile_path, Base64.decode64(profile_content)) install_dir = File.expand_path("~/Library/MobileDevice/Provisioning Profiles") FileUtils.mkdir_p(install_dir) FileUtils.cp(profile_path, File.join(install_dir, "Sybil_AppStore_CI.mobileprovision")) profile_path end def app_store_connect_key_options key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"] issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"] issuer_id = ENV["APP_STORE_CONNECT_API_KEY_ISSUER_ID"] unless present?(issuer_id) return nil unless present?(key_id) && present?(issuer_id) key_path = ENV["APP_STORE_CONNECT_API_KEY_PATH"] key_content = ENV["APP_STORE_CONNECT_API_KEY_CONTENT"] if present?(key_path) { key_id: key_id, issuer_id: issuer_id, key_filepath: key_path } elsif present?(key_content) { key_id: key_id, issuer_id: issuer_id, key_content: key_content, is_key_content_base64: ENV["APP_STORE_CONNECT_API_KEY_CONTENT_BASE64"].to_s == "true" } end end platform :ios do private_lane :load_app_store_connect_api_key do options = app_store_connect_key_options UI.user_error!("App Store Connect API key is required") unless options app_store_connect_api_key(options) end desc "Show the version Fastlane will stamp into the next TestFlight archive" lane :version do UI.message("Git tag version: #{release_version}") UI.message("Checked-in app version: #{local_marketing_version}") UI.message("Checked-in build number: #{local_build_number}") end desc "Create CI signing certificate/profile and write ignored secret material under build/signing" lane :create_ci_signing do api_key = load_app_store_connect_api_key FileUtils.rm_rf(SIGNING_OUTPUT_DIR) FileUtils.mkdir_p(SIGNING_OUTPUT_DIR) cert_id = ENV["SYBIL_SIGNING_CERTIFICATE_ID"].to_s keychain_path = nil keychain_password = nil p12_path = File.join(SIGNING_OUTPUT_DIR, "appstore-signing.p12") p12_password = ENV["SYBIL_CI_P12_PASSWORD"].to_s if p12_password.empty? p12_password = SecureRandom.base64(24) UI.important("Generated a p12 password for CI secrets.") end begin if present?(cert_id) UI.message("Using existing signing certificate id #{cert_id}") export_keychain = ENV["SYBIL_SIGNING_KEYCHAIN"].to_s export_keychain = File.expand_path("~/Library/Keychains/login.keychain-db") unless present?(export_keychain) run_silent( "security", "export", "-k", export_keychain, "-t", "identities", "-f", "pkcs12", "-P", p12_password, "-o", p12_path, error_message: "Could not export the local CI signing identity" ) else keychain_path = File.join(SIGNING_OUTPUT_DIR, "sybil_ci_signing.keychain-db") keychain_password = SecureRandom.base64(24) run_silent( "security", "create-keychain", "-p", keychain_password, keychain_path, error_message: "Could not create temporary signing keychain" ) run_silent( "security", "set-keychain-settings", "-lut", "21600", keychain_path, error_message: "Could not configure temporary signing keychain" ) run_silent( "security", "unlock-keychain", "-p", keychain_password, keychain_path, error_message: "Could not unlock temporary signing keychain" ) run_silent( "security", "list-keychains", "-d", "user", "-s", keychain_path, *user_keychains, error_message: "Could not add temporary signing keychain to the user search list" ) cert( api_key: api_key, development: false, force: true, generate_apple_certs: true, keychain_password: keychain_password, keychain_path: keychain_path, output_path: SIGNING_OUTPUT_DIR, platform: "ios" ) cert_id = lane_context[SharedValues::CERT_CERTIFICATE_ID] UI.user_error!("Could not resolve generated certificate id") unless present?(cert_id) run_silent( "security", "export", "-k", keychain_path, "-t", "identities", "-f", "pkcs12", "-P", p12_password, "-o", p12_path, error_message: "Could not export the generated CI signing identity" ) end UI.user_error!("Could not find exported p12 at #{p12_path}") unless File.exist?(p12_path) profile_path = recreate_app_store_profile(cert_id) UI.user_error!("Could not resolve generated provisioning profile path") unless present?(profile_path) && File.exist?(profile_path) secrets_path = File.join(SIGNING_OUTPUT_DIR, "ci-secrets.env") File.write( secrets_path, [ env_line("APPSTORE_CERTIFICATES_FILE_BASE64", Base64.strict_encode64(File.binread(p12_path))), env_line("APPSTORE_CERTIFICATES_PASSWORD", p12_password), env_line("APPSTORE_PROVISIONING_PROFILE_BASE64", Base64.strict_encode64(File.binread(profile_path))), env_line("SYBIL_PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER) ].join("\n") + "\n" ) ensure system("security", "delete-keychain", keychain_path, out: File::NULL, err: File::NULL) if present?(keychain_path) && File.exist?(keychain_path) end UI.success("Created CI signing files in #{SIGNING_OUTPUT_DIR}") UI.important("Add the values from #{secrets_path} as repository secrets.") end desc "Build Sybil and upload it to TestFlight" lane :beta do version = release_version build_number = ENV["SYBIL_BUILD_NUMBER"].to_s api_key = load_app_store_connect_api_key unless present?(build_number) build_number = (local_build_number + 1).to_s begin latest = latest_testflight_build_number( app_identifier: APP_IDENTIFIER, version: version, api_key: api_key, initial_build_number: local_build_number ).to_i build_number = [latest + 1, local_build_number + 1].max.to_s rescue StandardError => e UI.important("Could not look up TestFlight build number: #{e.message}") UI.important("Using checked-in build number + 1: #{build_number}") end end UI.user_error!("Build number must be a positive integer") unless build_number.match?(/\A[1-9]\d*\z/) sh("xcodegen --spec #{PROJECT_SPEC.shellescape}") xcode_args = [ xcode_build_setting("MARKETING_VERSION", version), xcode_build_setting("CURRENT_PROJECT_VERSION", build_number), xcode_build_setting("CODE_SIGN_STYLE", "Manual"), xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID), xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER), xcode_build_setting("CODE_SIGN_IDENTITY", SIGNING_CERTIFICATE_NAME) ] if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"]) xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}") end xcode_args = xcode_args.join(" ") ipa_path = build_app( project: PROJECT_FILE, scheme: SCHEME, clean: true, sdk: "iphoneos", export_method: "app-store", output_directory: File.join(IOS_ROOT, "build/fastlane"), output_name: "Sybil-#{version}-#{build_number}.ipa", xcargs: xcode_args, export_options: { method: "app-store", destination: "export", signingStyle: "manual", provisioningProfiles: { APP_IDENTIFIER => PROFILE_SPECIFIER }, signingCertificate: SIGNING_CERTIFICATE_NAME, teamID: TEAM_ID, manageAppVersionAndBuildNumber: false, uploadSymbols: true, stripSwiftSymbols: true } ) ipa_path ||= lane_context[SharedValues::IPA_OUTPUT_PATH] UI.user_error!("IPA export failed; no IPA path was returned") unless present?(ipa_path) && File.exist?(ipa_path) upload_to_testflight( api_key: api_key, app_identifier: APP_IDENTIFIER, ipa: ipa_path, skip_waiting_for_build_processing: true ) end end