[fastlane_core] install all Apple WWDR Intermediate Certificates #20537
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
| certs.include?(certificate_hash) | ||
| def self.install_missing_wwdr_certificates | ||
| # Install all Worldwide Developer Relations Intermediate Certificates listed here: https://www.apple.com/certificateauthority/ | ||
| missing = ['Apple Worldwide Developer Relations', 'Apple Certification Authority', 'G3', 'G4', 'G5', 'G6'] - installed_wwdr_certificates |
There was a problem hiding this comment.
Can the names of the certificates go into a constant at the top of the file?
| response = Helper.backticks("security find-certificate -a -c '#{certificate_name}' -Z #{keychain.shellescape} | grep ^SHA-256", print: FastlaneCore::Globals.verbose?) | ||
| # Get 'organisational unit' of the installed WWDRCA certificates | ||
| installed_certs.map do |pem| | ||
| OpenSSL::X509::Certificate.new(pem).subject.to_a.find { |part| part[0] == 'OU' }[1] |
There was a problem hiding this comment.
I love how Apple inconsistently uses which field they put what information in 😅 I wonder if it would make more sense to look at the SHA of the certificates though, since that should always be consistent... so even if Apple releases a G7 tomorrow that uses Apple Certification Authority as the OU, this code would continue to work as expected.
There was a problem hiding this comment.
Addressed in 6c5d2b9
| certificate_name = "Apple Worldwide Developer Relations Certification Authority" | ||
| certificate_hash = "SHA-256 hash: BDD4ED6E74691F0C2BFD01BE0296197AF1379E0418E2D300EFA9C3BEF642CA30" | ||
| def self.installed_wwdr_certificates | ||
| certificate_name = "Apple Worldwide Developer Relations" |
There was a problem hiding this comment.
Same here IMO (re: constant name)
|
@crazytonyli happy to merge this, I agree about the constants suggestion. Do you want to do that in this PR or should I merge it now and you can do it as a follow-up refactor? |
joshdholtz
changed the title
| WWDRCA_CERTIFICATES = [ | ||
| { | ||
| alias: 'G1', | ||
| sha256: 'ce057691d730f89ca25e916f7335f4c8a15713dcd273a658c024023f8eb809c2', | ||
| url: 'https://developer.apple.com/certificationauthority/AppleWWDRCA.cer' | ||
| }, | ||
| { | ||
| alias: 'G2', | ||
| sha256: '9ed4b3b88c6a339cf1387895bda9ca6ea31a6b5ce9edf7511845923b0c8ac94c', | ||
| url: 'https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer' | ||
| }, | ||
| { | ||
| alias: 'G3', | ||
| sha256: 'dcf21878c77f4198e4b4614f03d696d89c66c66008d4244e1b99161aac91601f', | ||
| url: 'https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer' | ||
| }, | ||
| { | ||
| alias: 'G4', | ||
| sha256: 'ea4757885538dd8cb59ff4556f676087d83c85e70902c122e42c0808b5bce14c', | ||
| url: 'https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer' | ||
| }, | ||
| { | ||
| alias: 'G5', | ||
| sha256: '53fd008278e5a595fe1e908ae9c5e5675f26243264a5a6438c023e3ce2870760', | ||
| url: 'https://www.apple.com/certificateauthority/AppleWWDRCAG5.cer' | ||
| }, | ||
| { | ||
| alias: 'G6', | ||
| sha256: 'bdd4ed6e74691f0c2bfd01be0296197af1379e0418e2d300efa9c3bef642ca30', | ||
| url: 'https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer' | ||
| } | ||
| ] |
|
Niiiiice |
|
Beautiful!! |
There was a problem hiding this comment.
Congratulations! 🎉 This was released as part of fastlane 2.209.1 🚀
Checklist
bundle exec rspecfrom the root directory to see all new and existing tests passbundle exec rubocop -ato ensure the code style is validci/circlecibuilds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)Motivation and Context
Resolves #20509
Description
Short summary: install all Apple WWDR "Intermediate Certificates", rather than only a specific one which is "G6" currently.
#20448 changed which WWDRCA certificates that fastlane installs. As you can see in this diff, fastlane used to install "G1" and "G3" certificates (these names are taken from https://www.apple.com/certificateauthority/), but now fastlane (2.208.0 to be specific) only installs "G6". This change caused a code signing issue in the app I work on. I reported this regression in #20509 (Initially I incorrectly suspected that the cause was the certificates installation keychain which was also changed in the PR mentioned before).
After some investigation, I found the root cause is missing the right WWDRCA certificate—simply changing G6 to G3 worked in my case.
I don't really know how Xcode's CodeSign looks up the certificates, I also don't know whether installing another certificate works for all cases (maybe in some other case, Xcode wants G2? I don't know...). But installing all "Intermediate Certificates" that are listed on this Apple website shouldn't be harmful. And that's what I've implemented in this PR. This PR doesn't introduce breaking changes—G6 certificate is still installed, along with a bunch of other similar certificates.
Testing Steps
Pull down this PR code, navigate to the project directory, run below command, all WWDRCA certificates should be installed to the default keychain.