Add verifing component pkg files mechanism.

xcpretty · Nov 1, 2018 · b579212 · b579212
1 parent fab68c5
commit b579212
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/lib/xcode/install.rb b/lib/xcode/install.rb
@@ -576,6 +576,7 @@ def apply_variables(template)
   class InstalledXcode
     TEAM_IDENTIFIER = '59GAB85EFG'.freeze
     AUTHORITY = 'Apple Mac OS Application Signing'.freeze
+    COMPONENT_SIGNING_COMMON_NAME = 'Apple Software'.freeze
 
     attr_reader :path
     attr_reader :version
@@ -637,7 +638,7 @@ def install_components
       if Gem::Version.new(version) >= Gem::Version.new('9')
         `sudo #{@path}/Contents/Developer/usr/bin/xcodebuild -runFirstLaunch`
       else
-        Dir.glob("#{@path}/Contents/Resources/Packages/*.pkg").each do |pkg|
+        component_pkg_paths.each do |pkg|
           `sudo installer -pkg #{pkg} -target /`
         end
       end
@@ -655,7 +656,7 @@ def fetch_version
     end
 
     def verify_integrity
-      verify_app_security_assessment && verify_app_cert
+      verify_app_security_assessment && verify_app_cert && verify_components
     end
 
     :private
@@ -684,6 +685,20 @@ def verify_app_cert
       apple_authority_result = cert_info['authority'].include?(AUTHORITY)
       apple_team_identifier_result && apple_authority_result
     end
+
+    def verify_components
+      return true if Gem::Version.new(version) >= Gem::Version.new('9')
+
+      result = component_pkg_paths.map do |pkg|
+        result = `pkgutil --verbose --check-signature #{pkg} | grep 'Status'`
+        result.strip.split(':')[1].strip == "signed #{COMPONENT_SIGNING_COMMON_NAME}"
+      end
+      result.all?
+    end
+
+    def component_pkg_paths
+      @component_pkg_paths ||= Dir.glob(File.join(@path, 'Contents/Resources/Packages/*.pkg'))
+    end
   end
 
   # A version of Xcode we fetched from the Apple Developer Portal