[PR #786] [MERGED] fix keychain auth when original .p8 file is removed #786

Closed
opened 2026-02-26 22:32:33 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/rudrankriyam/App-Store-Connect-CLI/pull/786
Author: @rudrankriyam
Created: 2/26/2026
Status: Merged
Merged: 2/26/2026
Merged by: @rudrankriyam

Base: main ← Head: fix/keychain-review-details-create-auth


📝 Commits (4)

  • 13abd9f fix keychain auth when original .p8 file is deleted
  • a0ffcf4 refactor keychain auth to avoid runtime temp key files
  • a6c15c1 fix auth diagnostics for keychain PEM-only credentials
  • 38aa534 remove unused exported PEM http-client constructor

📊 Changes

11 files changed (+459 additions, -51 deletions)

View changed files

📝 internal/asc/client_core.go (+20 -2)
➕ internal/asc/client_core_auth_test.go (+55 -0)
📝 internal/auth/doctor.go (+15 -0)
📝 internal/auth/doctor_test.go (+39 -0)
📝 internal/auth/keychain.go (+50 -14)
📝 internal/auth/keychain_test.go (+107 -0)
📝 internal/cli/auth/auth.go (+29 -11)
📝 internal/cli/auth/auth_test.go (+28 -0)
📝 internal/cli/shared/shared.go (+23 -15)
📝 internal/cli/shared/shared_test.go (+92 -9)
📝 internal/config/config.go (+1 -0)

📄 Description

Summary

  • store encrypted private key material in keychain credential payloads (keychain mode only) while keeping private_key_path metadata for compatibility
  • use an in-memory auth path for keychain-backed credentials by adding asc.NewClientFromPEM(...), so runtime auth no longer materializes temporary key files from keychain data
  • align auth diagnostics with runtime behavior: auth status --validate and auth doctor now validate keychain PEM credentials without requiring the original key file path
  • backfill legacy keychain entries that only have private_key_path when the source file still exists, and add regression tests for PEM persistence, legacy backfill, deleted-file resolution, and shared auth resolution when only PEM is present

Test plan

  • go test ./internal/cli/auth ./internal/auth ./internal/cli/shared ./internal/asc
  • make format
  • make lint
  • ASC_BYPASS_KEYCHAIN=1 make test
  • Live repro on local keychain profile:
    • temporarily move original .p8
    • verify localizations list succeeds (auth works)
    • verify review details-create reaches API validation (no private key path error)
    • verify auth status --validate succeeds from keychain PEM with missing original file
    • verify no /tmp/asc-keychain-key-*.p8 files are created
    • restore original .p8

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
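The in-memory auth path described in the summary, as an added example that is not code from this PR or project: it parses a PKCS#8 `.p8` key from PEM bytes and signs an ES256 JWT of the kind the App Store Connect API accepts, without reading or writing a key file. `tokenFromPEM` and `constructedPEM` are hypothetical names, the key is generated on the spot as constructed input, and the internals of `asc.NewClientFromPEM(...)` are not shown on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"time"
)

// tokenFromPEM signs an ES256 JWT from PEM bytes held in memory; no key file is read or written.
func tokenFromPEM(pemBytes []byte, keyID, issuerID string, now time.Time) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", fmt.Errorf("credential payload holds no PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes) // .p8 keys are PKCS#8
	key, ok := parsed.(*ecdsa.PrivateKey)
	if err != nil || !ok || key.Curve != elliptic.P256() {
		return "", fmt.Errorf("payload is not a PKCS#8 P-256 key (parse error: %v)", err)
	}
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID, "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": issuerID, "aud": "appstoreconnect-v1",
		"iat": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signature is r||s, each left-padded to 32 bytes.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig), nil
}

func constructedPEM() []byte { // constructed throwaway key standing in for the keychain payload
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	fmt.Println(tokenFromPEM(constructedPEM(), "KEYID-PLACEHOLDER", "ISSUER-PLACEHOLDER", time.Now()))
}
```

Because the key only ever exists as a parsed value in process memory, there is no `/tmp` artifact whose permissions or cleanup need checking, which is what the last live-repro step in the test plan verifies.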
