exportation

exportation

CLI tool (and Ruby API) of easy exporting, encrypting, and decrypting of certificates and private keys. It can also add certificates and private keys to an existing or new keychain :grinning:

• Installation
• CLI Commands
• Ruby API
• Fastlane Integration

Important: The export command will take control of your "Keychain Access" app so keep all hands off your computer while that command runs

Example usage (with prompt)

$: exportation export
Name: RokkinCat LLC
Path to save to (default: './'): ./examples
Filename to save as (default: 'export'): dist
Password for private key (default: ''): shhh
Info  Take all hands off your computer! exportation is going to take control of 'Keychain Access'

Why

• Export and encrypt certificates and private keys into repos
  • CI tools (may need these to distrubute builds to Apple TestFlight Beta :apple:)
  • For other developers (for when you are on vacation and they need to make a distribution build :grimacing:)

How

• Makes use of AppleScript to control "Keychain Access"
  • Opens "Keychain Access"
  • Selects "Login" and "Certificates" for the left side
  • Searches for the certificate you are looking for from --name
  • Exports private key
    • Right clicks it and selects export
    • Changes the save path to your current directory (by default) or what was passed in through --path
    • Saves the file to exported.p12
    • Enters a blank password (by default) or what was passed in through --password
    • Saves
  • Exports certificate
    • Right clicks it and selects export
    • Changes the save path to your current directory (by default) or what was passed in through --path
    • Saves the file to exported.cer
    • Saves

Features in progress

• Integrate with fastlane :rocket:

Caveats

• Some phases of the script might run slow due to using AppleScript
  • Initial load may take up to 5ish seconds
  • Waiting for private key password to be entered may take up to 7ish seconds
• May need to give "Accessibility" access to ARDAgent and Terminal

Installation

Install gem

gem install exportation

Give "Accessibility" access

• Open up "Security & Privacy" preferences
• Select "Accessibility"
• Add ARDAgent and Terminal
  • Click "+"
  • Press CMD+SHIFT+G (to go to specific folder)
  • ARDAgent should be under /System/Library/CoreServices/RemoteManagement/
  • Terminal should be under /Applications/Utilities/

You won't need to give Heroes, Script Editor, or Steam permissions for exportation :wink:

CLI Commands

Exportation has three different commands: export, encrypt, and decrypt.

Export from Keychain Access

Be lazy! export uses AppleScript to control the "Keychain Access" app to export a certificate and private to be used for CI (continuous integration) or for other developers.

exportation export --name "Your Company LLC"

Encrypting certificate and private key

Be safe! encrypt does exactly what it says - it encrypts. It uses AES-256 to encrypt your certificate, private keys and provisioning profiles (any file really) to store safely in your repository for CIs or other developers to access. All files will be appened with a .enc extension.

exportation encrypt exported.cer exported.p12 --password dudethis

Decrypting certificate and private key

Be awesome! decrypt decrypts your encrypted files to use on your CI or for other developers to install. BE CAREFUL TO NOT COMMIT THESE BACK INTO YOUR REPO

exportation decrypt exported.cer.enc exported.p12.enc --password dudethis

Ruby API

Exportation::Export

Exportation::Export.new(
  path: "/path/to/export/to",
  filename: "base_exported_file_name", #dist.cer and dist.p12
  name: "YourCompany LLC",
  password: "shhhh"
).run

Exportation::Crypter

Encrypt

Exportation::Crypter.new(
  files: ["dist.cer","dist.p12"],
  password: "shhhh",
  output: "./"
).run :en

Decrypt

Exportation::Crypter.new(
  files: ["dist.cer.enc","dist.p12.enc"],
  password: "shhhh",
  output: "./"
).run :de

Exportation::Keychain

# Create keychain - name of chain, password, output directory
keychain = Exportation::Keychain.find_or_create_keychain('JoshChain', 'joshiscool', './example')

# Get login keychain
keychain = Exportation::Keychain.login_keychain("password")

# Import a certificate into keychain
keychain.import_certificate './example/dist.cer'

# Import a private key into keychain
keychain.import_private_key './example/dist.p12', 'da_password'

# Unlock keychain
keychain.unlock!

# Adds keychain to search list
keychain.add_to_keychain_list!

# Removes keychain from search list
keychain.remove_keychain_from_list!

Fastlane integration

In this fastlane integration, I store my encrypted certificate and private key in the circle directory (because I'm using CircleCI.

The enc_cert_and_key lane runs on my local machine where I will export and encrypt the certificate and private key.

The ci_build can run on my local machine but is meant to run on CircleCI (or TravisCI). This lane decrypts the certifivate and private key from the circle directory and puts the decrypted files in the build/unenc directory.

Exporting and encrypting

This lane exports the certificate and private key by controling keychain access, encrypts the files, and the removes the unencrypted files.

lane :enc_cert_and_key do
  require 'exportation'

  # Runs keychain to export cert and private key
  Exportation::Export.new(
    path: "../circle",
    filename: "dist",
    name: "RokkinCat LLC",
    password: ENV['PKEY_PASSWORD']
  ).run

  # Encrypts cert and private key for repo storage
  Exportation::Crypter.new(
    files: ["../circle/dist.cer", "../circle/dist.p12"],
    password: ENV['ENC_PASSWORD'],
    output: "../circle/"
  ).run :en

  # Removes unencrypted cert and private key
  sh "rm -f ../circle/dist.cer"
  sh "rm -f ../circle/dist.p12"

end

Decrypting and importing

This lane decrypts the certificate and private key, creates the keychain, and imports the certificate and private key into the keychain. It then uses that keychain the xcodebuild action to build an archive of the app.

lane :ci_build do
  require 'exportation'

  enc_password = ENV['ENC_PASSWORD']
  keychain_password = ENV['KEYCHAIN_PASSWORD']
  private_key_password = ENV['PKEY_PASSWORD']

  # Cleaning house and making directories
  sh "rm -rf ../build"
  sh "mkdir ../build"
  sh "mkdir ../build/unenc"

  # Decrypting cert and private key
  Exportation::Crypter.new(
    files: ["../circle/dist.cer.enc", "../circle/dist.p12.enc"],
    password: enc_password,
    output: "../build/unenc/"
  ).run :de

  # Creating keychain to use for xcodebuild
  keychain = Exportation::Keychain.find_or_create_keychain 'ios-build', keychain_password, '../build'

  # Importing the Apple certificate and the uncrypted cert and private key
  keychain.import_certificate '../circle/apple.cer'
  keychain.import_certificate '../build/unenc/dist.cer'
  keychain.import_private_key '../build/unenc/dist.p12', private_key_password

  # Unlocking keychain (defaults to 1 hour) and adds keychain to user search list
  keychain.unlock!
  keychain.add_to_keychain_list!

  # Building archive
  xcodebuild(
    clean: true,
    archive: true,
    archive_path: './build/YourApp.xcarchive',
    workspace: ENV['WORKSPACE'],
    scheme: ENV['SCHEME'],
    configuration: 'Release',
    sdk: 'iphoneos',
    keychain: keychain.path
    )

  # Building IPA
  xcodebuild(
    export_archive: true,
    export_path: './build/YourApp'
    )

  # Send to HockeyApp
  hockey({
    api_token: ENV['HOCKEYAPP_API_TOKEN'],
  })

  # Cleaning house again
  sh "rm -rf ../circle/unenc"
  keychain.remove_keychain_from_list!

end

Using the internals

Compiling and running the AppleScript directly

You shouldn't ever have to do this unless I messed stuff up :)

Compile

osacompile -o applescript/exportation.scpt applescript/exportation.applescript

Run

Always put all for arguments in strings because I don't do AppleScript well :grimacing:

osascript applescript/exportation.scpt "~/directory_you_want_to_export_to/" "dist" "iPhone Distribution: Your Company LLC"  "thepassword"

Author

Josh Holtz, me@joshholtz.com, @joshdholtz

License

exportation is available under the MIT license. See the LICENSE file for more info.