Skip to content

Comments

Add verification of Xcode.app#312

Merged
kenchan0130 merged 3 commits intoxcpretty:masterfrom
kenchan0130:hard_verify_xcode
Dec 14, 2018
Merged

Add verification of Xcode.app#312
kenchan0130 merged 3 commits intoxcpretty:masterfrom
kenchan0130:hard_verify_xcode

Conversation

@kenchan0130
Copy link
Collaborator

  • Verify authority of first signing chain
  • Verify team identifier

related #298

Copy link
Member

@KrauseFx KrauseFx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, great idea to add this to xcode-install directly. Few questions before we can merge

  1. Have you tested this locally end to end to install a new version of Xcode?
  2. We will need a flag to skip the verification, as maybe it will cause issues with some setups. I'm ok with having it be an environment variable
  3. The dependency to fastlane felt off at first, but I guess since we're using spaceship already to communicate with , we should be good. No action needed

Thanks for working on this 👍

* Verify authority of first signing chain
* Verify team identifier
@kenchan0130
Copy link
Collaborator Author

I was not running the test locally.
Therefore, I pushed again with appropriate modification.

require 'xcode/install/version'
require 'shellwords'
require 'open3'
require 'fileutils'
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed this because this require is duplicated.

def verify_cert(path)
cert_info = Fastlane::Actions::VerifyBuildAction.gather_cert_info(path)
apple_team_identifier_result = cert_info['team_identifier'] == '59GAB85EFG'
apple_authority_result = cert_info['authority'].include?('Apple Mac OS Application Signing')
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Team identifier and authority are constants.

I am concerned whether they can be hard-coded into these line.

Copy link
Collaborator Author

@kenchan0130 kenchan0130 Oct 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reread the existing code again.

class InstalledXcode
  TEAM_IDENTIFIER = '59GAB85EFG'
  AUTHORITY = 'Apple Mac OS Application Signing'

  def verify_integrity
    verify_app_security_assessment && verify_app_cert
  end

  private

  def verify_app_security_assessment
    puts `/usr/sbin/spctl --assess --verbose=4 --type execute #{@path}`
    $?.exitstatus.zero?
  end

  def verify_app_cert
      cert_info = Fastlane::Actions::VerifyBuildAction.gather_cert_info(@path)
      apple_team_identifier_result = cert_info['team_identifier'] == TEAM_IDENTIFIER
      apple_authority_result = cert_info['authority'].include?(AUTHORITY)
      apple_team_identifier_result && apple_authority_result
  end
end

How about aggregating verification methods into InstalledXcode class like this?

In another PR, I am assuming to be able to add a validation method on components (pkg) in this class.

Copy link
Collaborator Author

@kenchan0130 kenchan0130 Oct 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to fix (ead4020).

@kenchan0130
Copy link
Collaborator Author

@KrauseFx ping. How is this going?

@KrauseFx
Copy link
Member

Hey @kenchan0130, what do you need from my side?

@kenchan0130
Copy link
Collaborator Author

@KrauseFx Hi,
I expect you to review my patches which are fab68c5 and fab68c5.
Please check them.

@kenchan0130
Copy link
Collaborator Author

@KrauseFx Thank you for your review!
I'll merge this PR.

@kenchan0130 kenchan0130 merged commit 93cb365 into xcpretty:master Dec 14, 2018
@kenchan0130 kenchan0130 deleted the hard_verify_xcode branch December 14, 2018 11:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants