UNPKG

@capgo/cli

Version:

A CLI to upload to capgo servers

github.com/Cap-go/capgo/tree/main/cli

Cap-go/capgo

235 lines (234 loc) 9.36 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
/** * Generate a JWT for App Store Connect API authentication. * Uses ES256 algorithm with the .p8 private key. */ export declare function generateJwt(keyId: string, issuerId: string, p8Content: string): string; export declare class AppleApiHttpError extends Error { readonly status: number; constructor(status: number, message: string); } /** * Verify the API key works and try to detect the team ID from existing certificates. * Throws on 401/403 with a user-friendly message. */ export declare function verifyApiKey(token: string): Promise<{ valid: true; teamId: string; }>; export interface AscDistributionCert { id: string; name: string; serialNumber: string; expirationDate: string; /** * Base64-encoded DER of the certificate. Populated when {@link listDistributionCerts} * is called with `includeContent: true` — kept optional so existing callers don't pay * the larger payload when they don't need it. */ certificateContent?: string; } /** * Why a local Keychain cert can't be used to ship builds. * * Concrete enumeration so the import-pick-identity UI can render a stable * Reason column and so we can add specific guidance per reason (e.g. * "managed" certs get a "can't sign locally" note, "not-visible" certs get * a "Open Developer Portal to verify" note). */ export type CertAvailabilityReason = 'expired' | 'managed' | 'not-visible' | 'check-failed' | 'no-private-key'; export interface CertAvailability { available: boolean; reason?: CertAvailabilityReason; /** Short human-readable reason for display in the picker. */ reasonText?: string; /** When available — Apple-side cert resource id for downstream API calls. */ appleCertId?: string; } /** * Pure classifier: given a local cert + the result of an Apple-side lookup, * decide whether it's usable for shipping builds and surface a short * reasonText for the picker UI. * * Exported separately from the lookup function so we can unit-test the * decision logic without mocking network calls. Callers compose: * * const certId = await findCertIdBySha1(token, identity.sha1) * .catch(err => { lookupError = err; return null }) * const availability = classifyCertAvailability({ * localExpirationDate: identity.expirationDate, * appleCertId: certId, * lookupError, * }) * * The `expired` and `managed` branches don't need a lookup — they're checked * up-front from local metadata. Callers can pass null `appleCertId` without * having run the lookup at all when those local-side conditions already * disqualify the identity. */ export declare function classifyCertAvailability(args: { localExpirationDate?: string; isManaged?: boolean; appleCertId: string | null; lookupError?: unknown; }): CertAvailability; /** * List all iOS distribution certificates. * * Set `includeContent: true` when you need to compute the cert's SHA1 for * matching against a local Keychain identity ({@link findCertIdBySha1}). */ export declare function listDistributionCerts(token: string, options?: { includeContent?: boolean; }): Promise<AscDistributionCert[]>; /** * Compute the SHA1 hash of an ASC certificate's base64-DER content. Returns * the lowercase 40-char hex string used elsewhere as the canonical identity * key — matches the SHA1 reported by `security find-identity` on macOS. * * SECURITY NOTE on SHA1: this is NOT a security primitive. macOS itself * reports code-signing identities as cert-DER SHA1 (via `security * find-identity`), and we have to use the same hash to look up an Apple-side * cert by its on-Mac counterpart. SHA1 here is a non-secret identifier, not * a message digest protecting any data. CodeQL's "weak cryptographic * algorithm" rule is suppressed for this reason. */ export declare function computeCertSha1(certificateContentBase64: string): string; /** * Match a local Keychain identity (by its SHA1) against an Apple-side * certificate and return the Apple certificate ID needed for profile * creation. Returns null if no Apple-side cert matches the SHA1. */ export declare function findCertIdBySha1(token: string, sha1: string): Promise<string | null>; /** * Like {@link findCertIdBySha1} but returns the full Apple-side cert * record (id + name + expirationDate + serialNumber) when matched. Used * by the eager batch validation so the picker / manual-portal-walkthrough * step can surface concrete disambiguators (expiration date, last few * chars of serial number — both visible in the Apple Developer Portal * when the user clicks into a cert) that help the user pick the right * row when multiple distribution certs are listed for the same team. * * Apple's API does NOT expose a "created by" field on certs (the portal * UI shows it, but `/v1/certificates` doesn't return that column). The * disambiguators we can give are expirationDate + serialNumber. */ export declare function findCertBySha1(token: string, sha1: string): Promise<AscDistributionCert | null>; /** * List all provisioning profiles linked to a specific Apple-side certificate. * Used by the import-flow no-match-recovery menu to surface profiles that * exist on Apple but haven't been downloaded to the user's Mac. */ export interface AscProfileSummary { id: string; name: string; profileType: string; profileContent: string; expirationDate: string; bundleIdentifier: string; } export declare function listProfilesForCert(token: string, certificateId: string): Promise<AscProfileSummary[]>; /** * Revoke (delete) a certificate by ID. */ export declare function revokeCertificate(token: string, certId: string): Promise<void>; /** * Error thrown when certificate limit is reached. * Contains the existing certificates so the UI can ask the user which to revoke. */ export declare class CertificateLimitError extends Error { readonly certificates: AscDistributionCert[]; constructor(certificates: AscDistributionCert[]); } /** * Create a distribution certificate using a CSR. * Returns the certificate ID, base64 DER content, expiration date, and team ID. * * Throws CertificateLimitError if the limit is reached, so the UI can ask * the user which certificate to revoke. */ export declare function createCertificate(token: string, csrPem: string): Promise<{ certificateId: string; certificateContent: string; expirationDate: string; teamId: string; }>; /** * Find an existing bundle ID or register a new one. * Returns the Apple resource ID needed for profile creation. */ export declare function ensureBundleId(token: string, identifier: string): Promise<{ bundleIdResourceId: string; }>; /** * An App Store Connect app record. Used by the iOS app-verification step to * check whether an app exists whose `bundleId` matches the project's Release * `PRODUCT_BUNDLE_IDENTIFIER`. */ export interface AscApp { id: string; bundleId: string; name: string; } /** * Parse a `GET /v1/apps` response into {@link AscApp} records. Tolerant of * missing `data`, missing `attributes`, and missing individual fields — Apple * omits attributes the API key isn't entitled to see rather than nulling them. */ export declare function parseAppsResponse(json: any): AscApp[]; /** * Parse a `GET /v1/bundleIds` response into the list of registered identifier * strings, dropping any falsy entries (missing `attributes`/`identifier`). */ export declare function parseBundleIdsResponse(json: any): string[]; /** * List every App Store Connect app visible to the API key, following * pagination. Uses the existing {@link ascFetch} — no separate fetch path. */ export declare function listApps(token: string): Promise<AscApp[]>; /** * List every registered bundle ID identifier visible to the API key, following * pagination. Uses the existing {@link ascFetch} — no separate fetch path. */ export declare function listBundleIds(token: string): Promise<string[]>; /** * Get the profile name we use for a given appId. */ export declare function getCapgoProfileName(appId: string): string; /** * Find existing provisioning profiles matching our naming convention. * Only returns profiles we created (named "Capgo <appId> AppStore"). */ export declare function findCapgoProfiles(token: string, appId: string): Promise<Array<{ id: string; name: string; profileType: string; }>>; /** * Delete a provisioning profile by ID. */ export declare function deleteProfile(token: string, profileId: string): Promise<void>; /** * Create an App Store provisioning profile linking a certificate and bundle ID. * Returns the base64 mobileprovision content. * * Throws a DuplicateProfileError if duplicate profiles exist, so the caller * can ask the user whether to delete them and retry. */ export declare class DuplicateProfileError extends Error { readonly profiles: Array<{ id: string; name: string; profileType: string; }>; constructor(profiles: Array<{ id: string; name: string; profileType: string; }>); } export declare function createProfile(token: string, bundleIdResourceId: string, certificateId: string, appId: string): Promise<{ profileId: string; profileName: string; profileContent: string; expirationDate: string; }>;