Add verification of Xcode.app#312
Conversation
There was a problem hiding this comment.
This looks good, great idea to add this to xcode-install directly. Few questions before we can merge
- Have you tested this locally end to end to install a new version of Xcode?
- We will need a flag to skip the verification, as maybe it will cause issues with some setups. I'm ok with having it be an environment variable
- The dependency to fastlane felt off at first, but I guess since we're using spaceship already to communicate with , we should be good. No action needed
Thanks for working on this 👍
* Verify authority of first signing chain * Verify team identifier
kenchan0130
force-pushed
the
hard_verify_xcode
branch
from
6892299 to
ee505b4
Compare
|
I was not running the test locally. |
| require 'xcode/install/version' | ||
| require 'shellwords' | ||
| require 'open3' | ||
| require 'fileutils' |
There was a problem hiding this comment.
I removed this because this require is duplicated.
lib/xcode/install.rb
Outdated
| def verify_cert(path) | ||
| cert_info = Fastlane::Actions::VerifyBuildAction.gather_cert_info(path) | ||
| apple_team_identifier_result = cert_info['team_identifier'] == '59GAB85EFG' | ||
| apple_authority_result = cert_info['authority'].include?('Apple Mac OS Application Signing') |
There was a problem hiding this comment.
Team identifier and authority are constants.
I am concerned whether they can be hard-coded into these line.
There was a problem hiding this comment.
I reread the existing code again.
class InstalledXcode
TEAM_IDENTIFIER = '59GAB85EFG'
AUTHORITY = 'Apple Mac OS Application Signing'
def verify_integrity
verify_app_security_assessment && verify_app_cert
end
private
def verify_app_security_assessment
puts `/usr/sbin/spctl --assess --verbose=4 --type execute #{@path}`
$?.exitstatus.zero?
end
def verify_app_cert
cert_info = Fastlane::Actions::VerifyBuildAction.gather_cert_info(@path)
apple_team_identifier_result = cert_info['team_identifier'] == TEAM_IDENTIFIER
apple_authority_result = cert_info['authority'].include?(AUTHORITY)
apple_team_identifier_result && apple_authority_result
end
endHow about aggregating verification methods into InstalledXcode class like this?
In another PR, I am assuming to be able to add a validation method on components (pkg) in this class.
kenchan0130
force-pushed
the
hard_verify_xcode
branch
from
adfa400 to
ead4020
Compare
kenchan0130
force-pushed
the
hard_verify_xcode
branch
from
c01935a to
fab68c5
Compare
|
@KrauseFx ping. How is this going? |
|
Hey @kenchan0130, what do you need from my side? |
|
@KrauseFx Thank you for your review! |
2 participants
related #298