Replace/fork security gem with a more suitable alternative for fastlane #11637

Closed
lacostej opened this issue Jan 20, 2018 · 12 comments

Comments

@lacostej
Collaborator

lacostej commented Jan 20, 2018

The security gem used primarily for interaction with the Mac keychain is not maintained.

The gem has a few limitations that we want to fix (fastlane-community/security#4, fastlane-community/security#5). There are also lots of places where actions interact with the security program and could benefit from a supporting layer in fastlane.

This issue describes an approach to solve this problem.

Proposal

The first step is to fork the gem and remove all functions not used within fastlane. We aim at keeping a similar API for the remaining implementation in order to ease migration for any external action depending on it that wants to use it.

The second step [optional] is to add features to the new API to help implement functionality. A nice functionality might be to provide proper error handling (see fastlane-community/security#5 as an example of extra information available).

Analysis:

gem usage

The gem is required in 2 places

  • credentials_manager/lib/credentials_manager/account_manager.rb
  • match/lib/match/encrypt.rb

API usage

As of 2018-01-19, fastlane only uses the following methods: Security::InternetPassword.find|add|delete

(identified by running git grep Security::)

Direct calls to security program

$ git grep \'/usr/bin/security  | grep -v spec\/

$ git grep \"/usr/bin/security  | grep -v spec\/

$ git grep \'security  | grep -v spec\/
credentials_manager/lib/credentials_manager/account_manager.rb:require 'security'
fastlane.gemspec:  spec.add_dependency('security', '= 0.1.3') # macOS Keychain manager, a dead project, no updates expected
fastlane_core/lib/fastlane_core/keychain_importer.rb:      if Helper.backticks('security -h | grep set-key-partition-list', print: false).length > 0
match/lib/match/encrypt.rb:    require 'security'

git grep "\"security" | grep -v spec\/ | grep -v securityCode 
fastlane/lib/fastlane/actions/create_keychain.rb:        commands << Fastlane::Actions.sh("security create-keychain -p #{escaped_password} #{keychain_path}", log: false)
fastlane/lib/fastlane/actions/create_keychain.rb:            Actions.lane_context[Actions::SharedValues::ORIGINAL_DEFAULT_KEYCHAIN] = Fastlane::Actions.sh("security default-keychain", log: false).strip
fastlane/lib/fastlane/actions/create_keychain.rb:          commands << Fastlane::Actions.sh("security default-keychain -s #{keychain_path}", log: false)
fastlane/lib/fastlane/actions/create_keychain.rb:        commands << Fastlane::Actions.sh("security unlock-keychain -p #{escaped_password} #{keychain_path}", log: false) if params[:unlock]
fastlane/lib/fastlane/actions/create_keychain.rb:        command = "security set-keychain-settings"
fastlane/lib/fastlane/actions/create_keychain.rb:          keychains = Action.sh("security list-keychains -d user").shellsplit
fastlane/lib/fastlane/actions/create_keychain.rb:          commands << Fastlane::Actions.sh("security list-keychains -s #{keychains.shelljoin}", log: false)
fastlane/lib/fastlane/actions/delete_keychain.rb:        Fastlane::Actions.sh("security default-keychain -s #{original}", log: false) unless original.nil?
fastlane/lib/fastlane/actions/delete_keychain.rb:        Fastlane::Actions.sh("security delete-keychain #{keychain_path.shellescape}", log: false)
fastlane/lib/fastlane/actions/unlock_keychain.rb:        commands << Fastlane::Actions.sh("security unlock-keychain -p #{escaped_password} #{escaped_path}", log: false)
fastlane/lib/fastlane/actions/unlock_keychain.rb:        commands << Fastlane::Actions.sh("security set-keychain-settings #{escaped_path}", log: false)
fastlane/lib/fastlane/actions/unlock_keychain.rb:        keychains = Fastlane::Actions.sh("security list-keychains -d user", log: false).shellsplit
fastlane/lib/fastlane/actions/unlock_keychain.rb:          Fastlane::Actions.sh("security list-keychains -s #{keychains.shelljoin}", log: false)
fastlane/lib/fastlane/actions/unlock_keychain.rb:        Actions.lane_context[Actions::SharedValues::ORIGINAL_DEFAULT_KEYCHAIN] = Fastlane::Actions.sh("security default-keychain", log: false).strip
fastlane/lib/fastlane/actions/unlock_keychain.rb:        Fastlane::Actions.sh("security list-keychains -s #{escaped_path}", log: false)
fastlane/lib/fastlane/actions/unlock_keychain.rb:        Fastlane::Actions.sh("security default-keychain -s #{escaped_path}", log: false)
fastlane_core/lib/fastlane_core/cert_checker.rb:      response = Helper.backticks("security find-certificate -c '#{certificate_name}' #{keychain.shellescape}", print: FastlaneCore::Globals.verbose?)
fastlane_core/lib/fastlane_core/cert_checker.rb:        "security list-keychains -d user",
fastlane_core/lib/fastlane_core/cert_checker.rb:        "security default-keychain -d user"
fastlane_core/lib/fastlane_core/keychain_importer.rb:      command = "security import #{path.shellescape} -k '#{keychain_path.shellescape}'"
fastlane_core/lib/fastlane_core/keychain_importer.rb:        command = "security set-key-partition-list"

NOTES

  • this only looked at actions bundled within fastlane. We should look at popular external actions to identify their needs in the same way.
  • there are other gems available to implement keychain integration
  • we could also consider implementing a cross-platform abstraction to support other types of keyrings.
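The Security::InternetPassword.find|add|delete surface and the "proper error handling" step proposed above, as an added example (not the security gem's or fastlane's code): a small wrapper that invokes the security CLI with an argv array instead of an interpolated shell string, and surfaces exit status and stderr when a call fails. The runner is injectable so it can be exercised off macOS with constructed output; the parsed "password: ..." stderr format of find-internet-password -g is an assumption about the CLI, not something stated in the issue.

```ruby
require 'shellwords'
require 'open3'

# Hypothetical wrapper for the three keychain operations fastlane uses.
module KeychainCLI
  # Carries the exit status and stderr so callers can tell "not found"
  # apart from "keychain locked" instead of getting a bare nil.
  class Error < StandardError
    attr_reader :status, :stderr
    def initialize(argv, status, stderr)
      @status = status
      @stderr = stderr
      super("`#{argv.shelljoin}` exited #{status}: #{stderr.strip}")
    end
  end

  # Default runner: argv array, no shell, so server/account values cannot
  # inject commands. Tests substitute a lambda returning [stdout, stderr, status].
  DEFAULT_RUNNER = lambda do |argv|
    out, err, st = Open3.capture3(*argv)
    [out, err, st.exitstatus]
  end

  def self.run!(argv, runner)
    out, err, status = runner.call(argv)
    raise Error.new(argv, status, err) unless status.zero?
    [out, err]
  end

  def self.find_password(server, account, runner: DEFAULT_RUNNER)
    argv = ['security', 'find-internet-password', '-g', '-s', server, '-a', account]
    _out, err = run!(argv, runner)
    # `-g` prints the secret on stderr as: password: "value" (assumed format)
    m = err.match(/^password: "(.*)"$/)
    raise Error.new(argv, 0, 'no password line in output') unless m
    m[1]
  end

  # -U updates an existing item instead of failing on a duplicate.
  # Caveat: -w puts the secret in the process arguments, visible to `ps`.
  def self.add_password(server, account, password, runner: DEFAULT_RUNNER)
    run!(['security', 'add-internet-password', '-U', '-s', server, '-a', account, '-w', password], runner)
    true
  end

  def self.delete_password(server, account, runner: DEFAULT_RUNNER)
    run!(['security', 'delete-internet-password', '-s', server, '-a', account], runner)
    true
  end
end
```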
@fastlane-bot

It seems like you have not included the output of fastlane env

To make it easier for us help you resolve this issue, please update the issue to include the output of fastlane env 👍

@janpio
Member

janpio commented Jan 20, 2018

Are there other users of this gem that would benefit from a maintained version as well or just fastlane?

@lacostej
Collaborator Author

@janpio It all depends on how tight an integration with fastlane we want. Example: with the UI and executor part of it.

@niezbop
Contributor

niezbop commented Jan 22, 2018

I just took a look at this issue, and went to see the reverse dependencies of security on ruby gems.

https://rubygems.org/gems/security/reverse_dependencies
Reverse dependencies sorted by downloads (the comment on each gem is what I understood of it and may not be 100% accurate)

  • fastlane
  • credentials_manager # fastlane
  • match # fastlane
  • krausefx-shenzhen # See shenzen
  • shenzen # [nomad/shenzen] fastlane-like, not maintained as much, links towards fastlane
  • cupertino # [nomad/cupertino] obsolete, not supported by recent ios provisioning portal
  • xcode-installer # obsolete and no longer supported
  • atlantispro # Crashlytics/TestFlight, not updated since February 2, 2015
  • u3d # Unity CLI, maintained by fastlane contributors, used for credentials management
  • github_bus_factor # Github stats, used to store credentials
  • download-profiles # Based on cupertino, see cupertino
  • google-api_client-keychain_store # not updated since March 9, 2015
  • shenzen_fir # see shenzen
  • mycosmos # repository no longer available, last update February 3, 2014

So it looks like the only real use of this gem besides fastlane and fastlane-related projects is credential storage in github_bus_factor and u3d. The first, github_bus_factor, seems not to have been maintained for a couple of years; the latter, u3d, is maintained by @lacostej and myself, but we use it only in a very limited fashion and we could implement that manually if need be, or stay with the security gem as it is now.

So @janpio right now I see no other users of the gem that could benefit from a maintained version!

@KrauseFx
Member

All the non-fastlane gems from fastlane we can ignore, like match or credentials_manager; they're not used any more.

@janpio
Member

janpio commented Jan 22, 2018

Perfect, so it makes total sense what @lacostej suggested.

@fastlane-bot

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

@joshdholtz
Member

I definitely think this needs to get done at some point! I created an issue that was caused by this gem a few months back - #10746

@fastlane-bot

This issue will be auto-closed because there hasn't been any activity for a few months. Feel free to open a new one if you still experience this problem 👍
