Lines 1-57javascript
1import{a as m,h as V}from"./chunk-S64YFTRR.js";import{log as o,spinner as Ae,text as q,password as ve,select as ne,confirm as dt,isCancel as T,cancel as H,intro as Dt,outro as Jt,note as ct}from"@clack/prompts";import{log as N,spinner as Ie,text as Q,select as le,isCancel as Y,cancel as L,note as we,confirm as Ke}from"@clack/prompts";import F from"chalk";import{spawnSync as fe}from"child_process";import E from"fs";import U from"path";import Ge from"os";import ye from"fs";var At=["react-native","expo","flutter"],Zn="react-native",He=e=>{if(typeof e!="string")return;let t=e.trim();return t.lengt ...
2Apple Team ID is required to fetch certificates.`)),ie.info(ae.dim("You can find this at: https://developer.apple.com/account -> Membership Details"));let e=await bt({message:"Enter your 10-character Apple Team ID:",placeholder:"e.g. SA56KTS33U",validate:t=>/^[A-Z0-9]{10}$/i.test(t.trim())?void 0:"Team ID must be exactly 10 letters/numbers"});return Ve(e)?(We("Operation cancelled"),null):{id:e.trim().toUpperCase()}}function Tt(e){let t=[e.id,e.type].filter(Boolean);return t.length>0?t.join(" \xB7 "):void 0}async function Ft(e,t){if(!e.config)return!1;if(e.persistConfig)return!0;if(!e.promptToP ...
HighChild Process
Package source references child process execution.
dist/chunk-ZPETQEMG.jsView on unpkg · L1 3${r.stderr||""}`);if(g.length>0)return Te(t,g,"Select the App Store Connect provider for this API key:");N.warn(F.yellow(`Could not list App Store Connect providers: ${r.stderr||"Unknown error"}`));return}let s=(r.stdout||"").match(new RegExp(`${m.
6`+(n==="ios"?`2. Generate an "App Store Connect API Key" with ${F.bold("Admin")} role.
73. Download the ${F.bold(".p8")} file.`:`2. Create a "Service Account", generate a ${F.bold("JSON")} key.
83. Download the ${F.bold(".json")} file.`),"Guided Setup"),t.start("Scanning for downloaded keys...");let C=Yt(n);if(t.stop(C.length>0?`Detected ${C.length} potential key(s)`:"No keys detected automatically"),C.length>0){let p=await le({message:"Found these potential keys. Use one of them?",options:[...C.map(A=>({value:A.path,label:`${U.basename(A.path)} (${A.location})`})),{value:"manual",label:"Enter path manually..."}]});if(Y(p)){L("Operation cancelled");return}p!=="manual"&&(l=p)}if(!l){let p=await Q({message:`Paste the path to your ${n==="ios"?".p8":".json"} file:`,validate:A=>E.existsSyn ...
9${C}`);if(b.length>0){n.stop("Select App Store Connect team"),we(`Apple Developer Team IDs look like ${F.bold(i)}.
10App Store Connect API keys use a numeric provider/team ID instead.`,"Team ID mismatch");let D=await Te(t,b,"Select the App Store Connect provider for this API key:");if(!D)return;f=D,r=D.id,n.start("Creating API Key with selected App Store Connect team..."),g=I(r),u=g.stdout||"",C=g.stderr||""}}if(C&&(
11`).forEach(b=>{b.trim()&&N.info(F.dim(`[Ruby] ${b.trim()}`))}),g.status!==0){n.stop("Failed"),N.error(`Magic creation failed: ${C}`);return}let p=u.match(new RegExp
12 ${F.cyan("https://appstoreconnect.apple.com/access/integrations/api")}
14It looks like: ${F.dim("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")}`,"One More Thing");let b=await Q({message:"Enter your App Store Connect Issuer ID:",validate:D=>D.trim().length>0?void 0:"Issuer ID is required"});if(Y(b)){L("Operation cancelled.");return}$=b.trim
16 1. Open: ${F.cyan("https://appstoreconnect.apple.com/access/integrations/api")}
17 2. Find Key ID: ${F.green(v)}
18 3. Click ${F.bold("Download API Key")} (only available once)
19 4. Drag & drop the downloaded .p8 file below`,"Manual Step Required");let b=await Q({message:"Path to the downloaded .p8 file (drag & drop here):",validate:D=>E.existsSync(D)?void 0:"File not found"});if(Y(b)){L("Operation cancelled. Credential ID was registered but key content is missing.");return}await Fe(e,b,"ios",$,v,t.ios?.bundleIdentifier||"*",{...
20${c.stderr||""}`);if(p.length>0){n.stop("Select App Store Connect team");let A=await le({message:"Select the App Store Connect team to list API keys:",options:p.map(v=>({value:v.id,label:v.name,hint:v.id}))});if(Y(A)){L("Operation cancelled");return}r=A,n.start("Fetching existing API Keys..."),c=l(r)}}if(c.status!==0){n.stop("Failed"),N.error(`Listing failed: ${c.stderr}`);return}let f=c.stdout.match(new RegExp(`${m.jsonStartMarker}(.*)${m.jsonEndMarker}`));if(!f){n.stop("Parse Error");return}let I=JSON.parse(f[1]);if(n.stop(`Found ${I.length} keys`),I.length===0){N.info("No API Keys found on ...
21`).split(/\r?\n/).map(n=>n.trim()).filter(Boolean);return t.length>0?t.slice(-8).join(`
22`):void 0}function Ot(e,t,n){let a=M(e,t,{env:n,encoding:"utf-8"});if(!(a.error||a.status!==0))return(a.stdout||a.stderr||"").trim()||void 0}function Kt(e,
23`)};let a=process.env.HOME||Ce.homedir(),i=process.env.FASTLANE_GEM_HOME||w.join(a,".local/share/fastlane/3.4.0"),r=w.join(i,"bin");y.mkdirSync(r,{recursive:!0}),o.info(d.dim("fastlane not found. Installing fastlane into the local Mach cache..."));let s=M("gem",["install","fastlane","--no-document","--install-dir",i,"--bindir",r],{env:{...e,GEM_HOME:i,GEM_PATH:[i,e.GEM_PATH].filter(Boolean).join(":")},encoding:"utf-8"});if(s.error||s.status!==0){let l=et(s.stdout,s.stderr);return o.warn(d.yellow("Automatic fastlane install failed.")),l&&o.warn(d.dim(l)),{ok:!1,detail:[n?`Detected Ruby: ${n}`:v ...
24`)||void 0}}return o.success(d.green("\u2713 fastlane installed into the local Mach cache.")),{ok:!0}}function jt(){return!process.env.CI&&process.stdin.isTTY&&process.stdout.isTTY}function Qt(e){let t=M("brew",["--version"],{env:e,encoding:"utf-8"});if(t.error||t.status
25${i.detail}`:void 0,"Try running manually: brew install fastlane","Then run mach credentials again."].filter(Boolean).join(`
26`))}throw new Error(["fastlane is required for iOS certificate/profile sync, but it was not found on PATH.",n.detail?`Automatic install failed:
27${n.detail}`:void 0,"Recommended fix: brew install fastlane","Alternative: install Ruby 3.x, then run: gem install fastlane --no-document","Then run mach credentials again."].filter(Boolean).join(`
28`))}var P=e=>{if(typeof e!="string")return;let t=e.trim();return t.length>0?t:void 0},_e=e=>P(e.password)||P(e.p12Password)||P(e.certificatePassword)||P(e.meta?.password)||P(e.meta?.p12Password)||P(e.meta?.certificatePassword),ut=e=>P(e.keystorePassword)||P(e.storePassword)||P(e.meta?.keystorePassword)||P(e.meta?.storePassword),gt=e=>P(e.keyPassword)||P(e.meta?.keyPassword),tn=e=>P(e.alias)||P(e.meta?.alias),tt=e=>e.credentialId||e.id,nt=e=>e.bundleId||e.bundleIdentifier||e.meta?.bundleId||e.meta?.bundleIdentifier,it=e=>e.distributionType||e.meta?.distributionType,at=e=>!!_e(e)||!!ut(e)||!!gt( ...
30`,"utf8")),r.writeZip(a),a},mt=e=>{let t=e.toLowerCase();return t==="production"||t==="prod"||t.includes("store")||t.endsWith("-production")||t.endsWith("-prod")},on=e=>{let t=e.toLowerCase();return t==="staging"||t==="stage"||t.includes("preview")||t.includes("adhoc")||t.includes("ad-hoc")||t.endsWith("-staging")||t.endsWith("-stage")},ln=(e,t)=>{let n=re(e,t)||{},a=ee(n.distribution),i=ee(n.iosExportMethod||n.ios?.exportMethod),r=ee(n.environment);return i==="app-store"||a==="store"?"store":i==="development"||a==="development"?"development":i==="ad-hoc"||i==="adhoc"||a==="ad-hoc
31`).map(G=>G.trim()).filter(G=>G.length>0),te].join(" ");O(`security list-keychains -d user -s ${S}`)}}catch(R){o.warn(d.dim("Keychain setup warning (non-critical): "+R.message))}let z,ce;try{let W=((await V.get(`/credentials/${e}`)).data.credentials||[]).find(S=>S.type==="asc_api_key"&&S.issuerId);if(W){let S=await V.get(`/credentials/${W.credentialId}/download`,{params:{projectId:e,format:"raw"}});if(S.data.downloadUrl){let B=await(await import("axios")).default.get(S.data.downloadUrl,{responseType:"arraybuffer"}),K=w.join(Ce.tmpdir(),`mach-asc-${Date.now()}`);y.mkdirSync(K,{recursive:!0}),u= ...
HighCommand Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/chunk-ZPETQEMG.jsView on unpkg · L15 32\u26A0\uFE0F Force flag detected: Hard resetting ${i} certificates...`)),o.info(d.dim("Detected decryption failure loop. Clearing remote storage directly to allow fresh generation.")),o.info(d.cyan(`Current MATCH_PASSWORD: ${A}`)),o.info(d.dim(`Cleaning match storage for Team ID: ${h}...`));try{(await V.post("/credentials/clean-match-storage",{projectId:e,teamId:h,storagePrefix:D})).data.status==="success"&&o.success(d.green
33Certificate sync failed. Attempting to create App ID and retry...`));try{O(`${_.shellCommand} produce --app_identifier "${t}" --app_name "${t}" --skip_itc`,{stdio:"inherit",env:j}),o.success(d.green("\u2713 App ID created successfully")),o.info(d.blue("Retrying certificate sync...")),S=M(W,{shell:!0,cwd:process.cwd(),env:j,stdio:"inherit",encoding:"utf-8"})}catch{}if(S.status!==0)throw new Error("fastlane match failed")}}catch(R){o.warn(d.yellow(`
34Sync failed. This often happens if the encryption passphrase (MATCH_PASSWORD) is incorrect or session expired.`)),o.info(d.cyan(`Failed MATCH_PASSWORD was: ${A}`));let W=await ne({message:"What would you like to do?",options:[{value:"retry_password",label:"Retry with a different MATCH_PASSWORD",hint:"Manually enter the decryption passphrase"},{value:"check_portal",label:"Check Apple Portal (Resolve certificate limits)",hint:"See if you have too many certificates"},{value:"manual",label:"Fallback to manual upload",hint:"Provide .p12 and .mobileprovision files"},{value:"cancel",label:"Cancel",hi ...
35You are overriding the dashboard passphrase for this session.`));let S=await ve({message:"Enter the correct MATCH_PASSWORD for this project:"});if(S&&!T(S)){A=S,o.info(d.blue("Retrying with provided passphrase...")),o.info(d.cyan(`New MATCH_PASSWORD: ${A}`));let G={...j,MATCH_PASSWORD:A};if(M
36${S.trim()}`)),O(`security export -k "${W}" -t identities -f pkcs12 -o "${ue}" -P ""`,{stdio:"ignore"});try{let G=O(`openssl pkcs12 -in "${ue}" -nokeys -passin pass: -legacy 2>/dev/null || openssl pkcs12 -in "${ue}" -nokeys -passin pass: 2>/dev/null`,{encoding:"utf-8"});if(!G.includes(h))throw new Error(`Exported P12 does not contain identity for team ${h
37Manual Upload Mode`)),o.info("Please provide your certificate and provisioning profile:");let i=await q({message:"Path to .p12 certificate file:",validate:l=>y.existsSync(l)?void 0:"File not found"});T(i)&&(H("Operation cancelled"),process.exit(0));let r=await q({message:"Path to .mobileprovision file:",validate:l=>y.existsSync(l)?void 0:"File not found"
38`),te=rt(x,`${w.basename(x,w.extname(x))}-passwords.txt`,Z);J=w.join("credentials",n,p.distributionType,w.basename(te))}}if(n==="android")p.type==="android_keystore"&&(u.android.keystore={keystorePath:D,keystorePassword:k.keystorePassword,keyAlias:k.alias,keyPassword:k.keyPassword},J&&(u.android.keystore.keystoreArchivePath=J));else if(n==="ios"){let X=p.distributionType==="store"?"production":p.distributionType==="adhoc"?"staging":"development";u.ios[X]||(u.ios[X]={}),p.type==="ios_cert"?(u.ios[X].certificatePath=D,u.ios[X].certificatePassword=_,J&&(u.ios[X].certificateArchivePath=J)):p.type= ...
39lane :${m.fastlanePrefix}_list_certs do
43 Spaceship::Portal.login(ENV['FASTLANE_USER'])
44 Spaceship::Portal.select_team(team_id: ENV['FASTLANE_TEAM_ID'])
45 output = Spaceship::Portal.certificate.all.select { |c|
46 if "${a}" == "development"
47 c.type_display_id.downcase.include?("development")
49 c.type_display_id.downcase.include?("distribution") || c.type_display_id.downcase.include?("production")
51 }.map { |c| { id: c.id, name: c.name, expires: c.expires.strftime('%Y-%m-%d'), type: c.type_display_id } }
52 puts "${m.jsonStartMarker}" + output.to_json + "${m.jsonEndMarker}"
54 $stderr.puts "ERROR: #{e.message}"
57end`,r=w.join(Ce.tmpdir(),`/tmp/${m.nameLower}-list-certs-${Date.now()}`),s=w.join(r,"fastlane"),l=w.join(s,"Fastfile");try{y.existsSync(s)||y.mkdirSync(s,{recursive:!0
Long lines were clipped for display.