mirror of
https://github.com/openclaw/openclaw.git
synced 2026-06-28 11:43:33 +00:00
196 lines
6.6 KiB
Bash
Executable File
196 lines
6.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
usage() {
|
|
cat <<'EOF'
|
|
Usage:
|
|
scripts/ios-validate-app-store-ipa.sh --ipa apps/ios/build/app-store/OpenClaw-<version>.ipa
|
|
|
|
Validates the exported iOS App Store IPA before App Store Connect upload.
|
|
EOF
|
|
}
|
|
|
|
IPA_PATH=""
|
|
EXPECTED_TEAM_ID="FWJYW4S8P8"
|
|
EXPECTED_BUNDLE_ID="ai.openclawfoundation.app"
|
|
EXPECTED_PROFILE_NAME="OpenClaw App Store ai.openclawfoundation.app"
|
|
EXPECTED_APP_GROUP="group.ai.openclawfoundation.app.shared"
|
|
EXPECTED_PUSH_MODE="appStore"
|
|
|
|
PLIST_BUDDY_BIN="${IOS_VALIDATE_PLIST_BUDDY_BIN:-/usr/libexec/PlistBuddy}"
|
|
CODESIGN_BIN="${IOS_VALIDATE_CODESIGN_BIN:-codesign}"
|
|
SECURITY_BIN="${IOS_VALIDATE_SECURITY_BIN:-security}"
|
|
UNZIP_BIN="${IOS_VALIDATE_UNZIP_BIN:-unzip}"
|
|
|
|
require_option_value() {
|
|
local option="$1"
|
|
local value="${2-}"
|
|
|
|
if [[ -z "${value}" || "${value}" == --* ]]; then
|
|
echo "Missing value for ${option}." >&2
|
|
usage >&2
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--ipa)
|
|
require_option_value "$1" "${2-}"
|
|
IPA_PATH="$2"
|
|
shift 2
|
|
;;
|
|
-h|--help)
|
|
usage
|
|
exit 0
|
|
;;
|
|
*)
|
|
echo "Unknown argument: $1" >&2
|
|
usage >&2
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [[ -z "${IPA_PATH}" ]]; then
|
|
echo "Missing required --ipa." >&2
|
|
usage >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ ! -f "${IPA_PATH}" ]]; then
|
|
echo "IPA not found: ${IPA_PATH}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
tmp_dir="$(mktemp -d -t openclaw-ios-ipa.XXXXXX)"
|
|
trap 'rm -rf "${tmp_dir}"' EXIT
|
|
|
|
"${UNZIP_BIN}" -q "${IPA_PATH}" -d "${tmp_dir}"
|
|
|
|
payload_dir="${tmp_dir}/Payload"
|
|
if [[ ! -d "${payload_dir}" ]]; then
|
|
echo "Invalid IPA: missing Payload directory." >&2
|
|
exit 1
|
|
fi
|
|
|
|
app_paths=()
|
|
while IFS= read -r app_bundle; do
|
|
app_paths+=("${app_bundle}")
|
|
done < <(find "${payload_dir}" -maxdepth 1 -type d -name "*.app" | sort)
|
|
if [[ "${#app_paths[@]}" -ne 1 ]]; then
|
|
echo "Invalid IPA: expected exactly one app bundle in Payload, found ${#app_paths[@]}." >&2
|
|
exit 1
|
|
fi
|
|
|
|
app_path="${app_paths[0]}"
|
|
info_plist="${app_path}/Info.plist"
|
|
embedded_profile="${app_path}/embedded.mobileprovision"
|
|
entitlements_plist="${tmp_dir}/entitlements.plist"
|
|
profile_plist="${tmp_dir}/profile.plist"
|
|
|
|
if [[ ! -f "${info_plist}" ]]; then
|
|
echo "Invalid IPA: missing app Info.plist." >&2
|
|
exit 1
|
|
fi
|
|
if [[ ! -f "${embedded_profile}" ]]; then
|
|
echo "Invalid IPA: missing embedded.mobileprovision." >&2
|
|
exit 1
|
|
fi
|
|
|
|
plist_value() {
|
|
local plist="$1"
|
|
local key_path="$2"
|
|
"${PLIST_BUDDY_BIN}" -c "Print:${key_path}" "${plist}" 2>/dev/null || true
|
|
}
|
|
|
|
plist_has_key() {
|
|
local plist="$1"
|
|
local key_path="$2"
|
|
"${PLIST_BUDDY_BIN}" -c "Print:${key_path}" "${plist}" >/dev/null 2>&1
|
|
}
|
|
|
|
assert_plist_string() {
|
|
local plist="$1"
|
|
local key_path="$2"
|
|
local expected="$3"
|
|
local label="$4"
|
|
local actual
|
|
actual="$(plist_value "${plist}" "${key_path}")"
|
|
if [[ "${actual}" != "${expected}" ]]; then
|
|
echo "Invalid IPA: ${label}; expected ${expected}, got ${actual:-missing}." >&2
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
assert_plist_key_absent() {
|
|
local plist="$1"
|
|
local key_path="$2"
|
|
local label="$3"
|
|
if plist_has_key "${plist}" "${key_path}"; then
|
|
echo "Invalid IPA: ${label} must not be present in App Store builds." >&2
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
assert_plist_array_contains() {
|
|
local plist="$1"
|
|
local key_path="$2"
|
|
local expected="$3"
|
|
local label="$4"
|
|
local raw
|
|
raw="$(plist_value "${plist}" "${key_path}")"
|
|
if ! printf '%s\n' "${raw}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -Fxq "${expected}"; then
|
|
echo "Invalid IPA: ${label}; expected ${expected} in ${key_path}." >&2
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
assert_plist_empty_or_absent() {
|
|
local plist="$1"
|
|
local key_path="$2"
|
|
local label="$3"
|
|
local actual
|
|
actual="$(plist_value "${plist}" "${key_path}")"
|
|
if [[ -n "${actual}" ]]; then
|
|
echo "Invalid IPA: ${label} must be empty for App Store builds; got ${actual}." >&2
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
assert_plist_string "${info_plist}" "CFBundleIdentifier" "${EXPECTED_BUNDLE_ID}" "bundle identifier mismatch"
|
|
assert_plist_string "${info_plist}" "OpenClawPushMode" "${EXPECTED_PUSH_MODE}" "push mode mismatch"
|
|
assert_plist_empty_or_absent "${info_plist}" "OpenClawPushRelayBaseURL" "push relay URL override"
|
|
assert_plist_key_absent "${info_plist}" "OpenClawPushTransport" "legacy push transport"
|
|
assert_plist_key_absent "${info_plist}" "OpenClawPushDistribution" "legacy push distribution"
|
|
assert_plist_key_absent "${info_plist}" "OpenClawPushAPNsEnvironment" "legacy APNs environment"
|
|
assert_plist_key_absent "${info_plist}" "OpenClawPushRelayProfile" "legacy relay profile"
|
|
assert_plist_key_absent "${info_plist}" "OpenClawPushProofPolicy" "legacy proof policy"
|
|
|
|
if ! "${CODESIGN_BIN}" -d --entitlements :- "${app_path}" >"${entitlements_plist}" 2>"${tmp_dir}/codesign.err"; then
|
|
detail="$(<"${tmp_dir}/codesign.err")"
|
|
echo "Invalid IPA: failed to read signed entitlements${detail:+: ${detail}}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
assert_plist_string "${entitlements_plist}" "application-identifier" "${EXPECTED_TEAM_ID}.${EXPECTED_BUNDLE_ID}" "signed application identifier mismatch"
|
|
assert_plist_string "${entitlements_plist}" "com.apple.developer.team-identifier" "${EXPECTED_TEAM_ID}" "signed team identifier mismatch"
|
|
assert_plist_string "${entitlements_plist}" "aps-environment" "production" "signed APNs entitlement mismatch"
|
|
assert_plist_string "${entitlements_plist}" "com.apple.developer.devicecheck.appattest-environment" "production" "signed App Attest entitlement mismatch"
|
|
assert_plist_array_contains "${entitlements_plist}" "com.apple.security.application-groups" "${EXPECTED_APP_GROUP}" "signed App Group entitlement mismatch"
|
|
|
|
if ! "${SECURITY_BIN}" cms -D -i "${embedded_profile}" >"${profile_plist}" 2>"${tmp_dir}/security.err"; then
|
|
detail="$(<"${tmp_dir}/security.err")"
|
|
echo "Invalid IPA: failed to decode embedded provisioning profile${detail:+: ${detail}}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
assert_plist_string "${profile_plist}" "Name" "${EXPECTED_PROFILE_NAME}" "embedded profile name mismatch"
|
|
assert_plist_array_contains "${profile_plist}" "TeamIdentifier" "${EXPECTED_TEAM_ID}" "embedded profile team mismatch"
|
|
assert_plist_string "${profile_plist}" "Entitlements:application-identifier" "${EXPECTED_TEAM_ID}.${EXPECTED_BUNDLE_ID}" "embedded profile application identifier mismatch"
|
|
assert_plist_string "${profile_plist}" "Entitlements:aps-environment" "production" "embedded profile APNs entitlement mismatch"
|
|
assert_plist_array_contains "${profile_plist}" "Entitlements:com.apple.developer.devicecheck.appattest-environment" "production" "embedded profile App Attest entitlement mismatch"
|
|
assert_plist_array_contains "${profile_plist}" "Entitlements:com.apple.security.application-groups" "${EXPECTED_APP_GROUP}" "embedded profile App Group entitlement mismatch"
|
|
|
|
echo "Validated iOS App Store IPA: ${IPA_PATH}"
|