Carthage access private prebuilt framework files

Created on 23 Mar 2018 · 8Comments · Source: Carthage/Carthage

carthage install method: [ x] .pkg, [ ] homebrew, [ ] source
which carthage:0.29.0
carthage version:
xcodebuild -version:
Are you using --no-build?
Are you using --no-use-binaries?
Are you using --use-submodules?
Are you using --cache-builds?
Are you using --new-resolver?

I'm using multiple versions of a prebuilt framework and I would like to be able to limit access to those depending on the user.
The framework files are in their respective private repository, the binary json is publicly available.

Does Carthage offer any way to get past authentication? I'm using BitBucket cloud and this would be very helpful. Other than that I'd have do create some strange URLs so noone can guess them, but this is obviously nothing else than an ugly workaround.

I found that there were already similar questions here #1525

enhancement question

Source

binloan

All 8 comments

Carthage does not support any authentication for binary downloads.

mdiep on 23 Mar 2018

@binloan but it could, PR's welcome!

tmspzz on 23 Mar 2018

@blender I definitely would need that. I don't like the idea of obfuscating URLs just for the sake of access control. Can you maybe generally add the enhancement request tag?

For commercial purposes such access control features are required. For short term do you have any recommendations?

binloan on 23 Mar 2018

You can try this if it helps you:

Build, store where you want, download https://github.com/blender/Rome/

tmspzz on 23 Mar 2018

❤1

@blender thank you. Looks interesting. I sure will give it a try.

I'll take a look into making a PR. However I'm not familiar with the Carthage code. As far as I see it should be possible that Carthage is either forwarding the OAuth request or that it allows using ssh for prebuilt binary URLs.

binloan on 23 Mar 2018

You don't need to fear the code base. You don't need to be an FRP expert.

Here's what I advise you to do:

Make a proposal detailing the steps of the enhancement. see for example: https://github.com/Carthage/Carthage/pull/2360#issuecomment-369279533
Wait for comments and approval
Go ahead with a PR, hack, submit, fix, repeat

It will be in master sooner than you think 💯

tmspzz on 23 Mar 2018

👍1

@blender Thanks for your advice. I will do so.

binloan on 23 Mar 2018

I found a solution to my problem which in my opinion is elegant enough and (currently) does not require any changes in Carthage.

You need to setup a file server to use HTTP Basic Auth. Then in your Cartfile you define the access inside the .json url after the RFC7617 standard. If you keep the pre-compiled framework files on the same directory as the .json the authentication credentials are saved as long as the session is active and you can download the binaries.

This is in my opinion elegant enough for my needs. Surely, access with SSH keys or comparable methods would be safer, but it is only to restrict individual access and not to have a secure access control.

Important to note is that the Swift URL object currently supports this behaviour, but in future it might be not working anymore since it was deprecated in RFC3986. Maybe adding additional fields to the Cartfile which provide username and password could make this future proof.

I would do so with a PR, but I first want to know if this method makes sense in respect to the Carthage roadmap. Any comments would be appreciated.

binloan on 13 Nov 2018

Was this page helpful?

0 / 5 - 0 ratings