Encrypt/decrypt command

[fortmarek]

Short description 📝

This PR is part of signing feature described here. In this PR I want to tackle two steps: encryption and decryption, to be exact implementing two commands: tuist signing encrypt and tuist signing decrypt

Solution 📦

The basic logic for these commands is actually quite trivial: find master.key in Tuist/Signing directory and encrypt all the files in that directory and its subdirectories. The same process but vice versa is applied for decryption.

I also needed to add some additional logic to support subcommands which SPM's parser does not out of the box.

Implementation 👩‍💻👨‍💻

When implementing this, I first used Apple's swift-crypto but unfortunately that requires macOS Catalina. I resorted to using CryptoSwift as a well-known alternative. We thought about using openssl and that'd create unnecessary overhead IMHO.

• Encrypt command
• Decrypt command
• Tests

[ollieatkinson]

When running locally I was not sure if it worked, I did not get any feedback. Can you add some logging?

I agree with your implementation of CryptoSwift however OpenSSL would have not created overhead, we would likely either rely on the c-library or to shell out to the command line both of which are fairly trivial for what we need to do.

It's really nice to see where Tuist is going with these capabilities, it's removing some of the complexity we have to deal with. At the moment we use fastlane and match to manage the certificates, we can take some inspiration from those tools about furthering the capabilities of this.

Great work @fortmarek

[ollieatkinson]

parser is an instance on CommandRegistry, I'm not sure what the benefit of returning it here is?

[fortmarek]

SigningCommand returns a custom parser to make it easier to parse subcommands, I'll try to revisit it if we can make it work without creating a new one

[fortmarek]

Unfortunately, I could not do it -> the reason is because here I need to trigger a command which is found by subparser. subparser can be only one word, thus I need a custom parser that is tuist signing and then I can successfully find the subcommand.

I am not happy with this extra logic, but we should start using the new Swift argument parser sooner than later which supports subcommands out of the box, so maybe perfecting the mechanism might be lost work, so I'd prefer keeping it as it is.

[ollieatkinson]

Why do we need to ask all commands for their subcommand?

[fortmarek]

I did not want to check here just for SigningCommand, though it would be possible

[ollieatkinson]

This usage text is incorrect, how about:

The path to the folder containing the encrypted certificates

[pepicrft]

Copy & pasting programming

[fortmarek]

Busted 🚓 👮

[ollieatkinson]

Can we provide more information to the end-user about why the encryption failed? This might help when debugging issues related to signing.

[pepicrft]

Agree. We should make it easier for users to understand what's happening and for us to help them debug the issues.

[fortmarek]

I have tried my best to describe what might have gone wrong

[ollieatkinson]

It would be better to crash/throw here then to generate a zero iv

[fortmarek]

Agreed 👍

[ollieatkinson]

This is where you could pass the result, so we can print it out to the end-user. The error code might be good enough, but KeychainAccess went one step further and provided a description for each message - I will leave it up to you to consider.

[fortmarek]

I am trying to parse the error and if that fails, I print out the error code

[ollieatkinson]

It might be a good idea to introduce some logging so that the user gets some feedback as the work for encrypt/decrypt is going on. You can introduce debug messages for more detailed logs which only get printed when --verbose is passed to any of the commands - this will help users of Tuist to debug what is wrong.

[fortmarek]

You're definitely right, I have not got used to using it just yet, but I definitely should since it might be crucial for us and for the end user!

[ollieatkinson]

is it worth creating a constant for this, since it's used in two places and is critical to the algorithm

[fortmarek]

Done 👍

[ollieatkinson]

This project does not generate by default, there's an extra )

$ /usr/bin/xcrun swiftc --driver-mode=swift -suppress-warnings -I /Users/oliver/Library/Developer/Xcode/DerivedData/tuist-edomxougefoacwakknnztphpgmtm/Build/Products/Debug -L /Users/oliver/Library/Developer/Xcode/DerivedData/tuist-edomxougefoacwakknnztphpgmtm/Build/Products/Debug -F /Users/oliver/Library/Developer/Xcode/DerivedData/tuist-edomxougefoacwakknnztphpgmtm/Build/Products/Debug -lProjectDescription /Users/oliver/Development/Tuist/fixtures/ios_app_with_signing/Project.swift --tuist-dump
/Users/oliver/Development/Tuist/fixtures/ios_app_with_signing/Project.swift:11:51: error: expected ',' separator
                                 dependencies: []))
                                                  ^
                                                  ,
/Users/oliver/Development/Tuist/fixtures/ios_app_with_signing/Project.swift:11:51: error: expected expression in container literal
                                 dependencies: []))
                                                  ^

[fortmarek]

Oops, forgot to check, good catch 👍 This should have a fixture test sooner than later to catch these as soon as possible

[pepicrft]

What are you eating lately @fortmarek 😜, you are full-speed shipping lots of great features nicely implemented. One scenario that popped in my mind and that it'd be great to handle is the following:

As a user, I generate and place the certificates and profiles under Tuist/Signing, and when I run encrypt, there's no master.key. I think in that case we should generate a random one and use that to encrypt the files.

Also, the other scenario that I'm thinking about is. What if I want to "vendor" some of the profiles and certificates that are already in my system. Where are the profiles? How do I take the certificate from my keychain? We could provide the following command:

tuist signing vendor

The command would run only if the user is running Tuist in a interactive shell and would do the following:

• Get the list of signing certificates and ask the user for which ones they'd like to vendor.
• Get the list of profiles and ask the user for which ones they'd like to vendor.
• Place them under Tuist/Signing and encrypt them.
• 🤯

[pepicrft]

Copy & pasting programming

[pepicrft]

What about removing .shared from RootDirectoryLocator. In hindsight, I think it was a good idea introducing that there because that class holds state, and that might introduce side effects to both the code and the tests.

[pepicrft]

Agree. We should make it easier for users to understand what's happening and for us to help them debug the issues.

[pepicrft]

What is root directory?

[fortmarek]

Changed to signingDirectory as that makes more sense in this context

[pepicrft]

I'd start by only encrypting/decrypting files under Signing. We want to be conventional about the structure of the directory and how the certificates and profiles are named and structure. If we follow the following convention there's no need to support subdirectories recursively:

Signing/
  Debug.cert.enc
  Release.cert.enc
  MyApp.Debug.mobileprovision.enc
  MyWatchApp.Debug.mobileprovision.enc
  master.key

Actually... after giving it another thought, I think we master.key can be under Tuist. That way we can use the key in the future to encrypt/decrypt other things. Something along the lines of:

master.key
Signing/
  Debug.cert.enc
  Release.cert.enc
  MyApp.Debug.mobileprovision.enc
  MyWatchApp.Debug.mobileprovision.enc

[fortmarek]

Extract master.key and stopped parsing the subdirectories, your points make sense to me 👍

[fortmarek]

Thanks @ollie and @pepibumur for the comprehensive reviews! I hope I have resolved most of the points you have raised.

As for the feature suggestions of autogeneration of master key and tuist vendor (which sounds super exciting!) I have added them to the list here and we can discuss them there/in a different PR if that's OK with you.

I am stoked about what's next, the next PR for signing should be the most interesting one since it's where the logic of implementing signing comes in 👀

[codecov]

Codecov Report

Merging #1127 into master will not change coverage by %.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1127   +/-   ##
=======================================
  Coverage   76.88%   76.88%           
=======================================
  Files         273      273           
  Lines        9620     9620           
=======================================
  Hits         7396     7396           
  Misses       2224     2224           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 58f8107...58f8107. Read the comment docs.

[pepicrft]

Should we expand this a bit?:

A set of commands for signing-related operations. 

[fortmarek]

Good thinking, will do 👍

[pepicrft]

I'd implement all the cases. That way, if someone adds a new case in the future, they'll forced to think about the type.

[fortmarek]

This just declares what the ErrorType of SigningCipher is, I suppose a switch does not make sense in this case.

[pepicrft]

Right, but as a developers we need to think about what type of error we are throwing. If we don't use a switch clause and rather always return the same value, when I add a new value I won't be prompted to think about the type of error of the new case.

var type: ErrorType {
  switch self {
    ...
  } 
}

[fortmarek]

Oh sorry, you're definitely right, I kind of did not realize it makes sense to have different ErrorType for individual error cases 👍

[pepicrft]

Can users do something to mitigate this issue? If so, what about including those steps here?

[fortmarek]

This error should never occur - and honestly, if it does, I am not sure how I'd fix it 😞

[pepicrft]

That's fine! If this error is very unlikely, we don't need to put a lot of effort into figuring out how to handle it. If it turns out to be more likely, then it's worth the investigation. Thanks for clarifying it!

[pepicrft]

I'd require the key to be at /Tuist/master.key

[pepicrft]

@fortmarek I think this PR is in a good shape for a first iteration. There are some bits that I'd try to polish before making it official:

• If master.key doesn't exist, we should create a random key automatically and let the users know.
• I'd extend the init template to generate a random key when running tuist init.
• I'd add the unencrypted files under the Tuist/Signing directory to the .gitignore file generated when running tuist init. I'd also add the master.key to the .gitignore.
• What about deleting unencrypted files after encrypting them? I'd default to that and give developers the option to specify whether they don't want those files to be deleted: tuist signing encrypt --keep-files. I think it's good to default to deletion for safety reasons.
• On CI we should read the master key from a environment variable, TUIST_MASTER_KEY

[fortmarek]

@pepibumur Thanks for your points! I agree that it needs some polish, before advertising I'd like to tackle how to use files in Signing directory in your Xcode project after which it will be a killer feature!

I agree with most of your points. Currently, the files are unencrypted in-place - that means we don't create new ones (so no files can be deleted either) - but I can see now that this might not be the ideal behavior since you could very easily mistakenly push unencrypted files to the remote repo. Would it make sense to encrypt files with .encrypted extension? That way everything in Signing directory can be in .gitignore with the exception of files with the aforementioned .encrypted extension.

But I'd still like to make the appropriate changes you suggested later - I think there might be more things that will need to be changed when I start working on integration with tuist generate anyway (but we'll see).