Add verifing component pkg files mechanism.

kenchan0130 · kenchan0130 · commit 78356a2e59b9 · 2018-10-28T21:10:00.000+09:00
diff --git a/lib/xcode/install.rb b/lib/xcode/install.rb
@@ -576,6 +576,7 @@ def apply_variables(template)
   class InstalledXcode
     TEAM_IDENTIFIER = '59GAB85EFG'.freeze
     AUTHORITY = 'Apple Mac OS Application Signing'.freeze
+    COMPONENT_SIGNING_COMMON_NAME = 'Apple Software'.freeze
 
     attr_reader :path
     attr_reader :version
@@ -637,7 +638,7 @@ def install_components
       if Gem::Version.new(version) >= Gem::Version.new('9')
         `sudo #{@path}/Contents/Developer/usr/bin/xcodebuild -runFirstLaunch`
       else
-        Dir.glob("#{@path}/Contents/Resources/Packages/*.pkg").each do |pkg|
+        component_pkg_paths.each do |pkg|
           `sudo installer -pkg #{pkg} -target /`
         end
       end
@@ -655,7 +656,7 @@ def fetch_version
     end
 
     def verify_integrity
-      verify_app_security_assessment && verify_app_cert
+      verify_app_security_assessment && verify_app_cert && verify_components
     end
 
     :private
@@ -684,6 +685,20 @@ def verify_app_cert
       apple_authority_result = cert_info['authority'].include?(AUTHORITY)
       apple_team_identifier_result && apple_authority_result
     end
+
+    def verify_components
+      return true if Gem::Version.new(version) >= Gem::Version.new('9')
+
+      result = component_pkg_paths.map do |pkg|
+        result = `pkgutil --verbose --check-signature #{pkg} | grep 'Status'`
+        result.strip.split(':')[1].strip == "signed #{COMPONENT_SIGNING_COMMON_NAME}"
+      end
+      result.all?
+    end
+
+    def component_pkg_paths
+      @component_paths ||= Dir.glob(File.join(@path, 'Contents/Resources/Packages/*.pkg'))
+    end
   end
 
   # A version of Xcode we fetched from the Apple Developer Portal
