April 4, 2023

    Continuously Protecting Your iOS Project in a Cloud-Based CI

    Guardsquare iXGuard enables developers to protect their iOS applications and libraries from reverse engineering and tampering.

    Protection takes place at the compilation stage, which is why our users often integrate this step into their Continuous Integration (CI) system.

    Usually automating this step is as simple as running one operating system command to launch iXGuard. However, cloud-based CI systems often offer short-lived build nodes that start from a clean slate. All dependencies like libraries and tools have to be downloaded and installed using a scripted action.

    Since version 4.6.x, iXGuard has been available for automated download through the Guardsquare CLI tool.

    Read on to learn how to solve this problem and have your cloud CI setup up and running.

    TL;DR - how to automatically download iXGuard

    Prepare

    Step 1. Generate a new SSH keypair
      • Use ssh-keygen to generate a new key pair, and then add it to the ssh-agent:
        eval "$(ssh-agent -s)"
        ssh-add --apple-use-keychain ~/.ssh/<your-key-file-name>
    Step 2. Register your SSH key on the Guardsquare customer portal
      • Note that to be able to register your SSH key you will need to have the Manage Automation permission. If you do not have this permission, your Guardsquare Portal team manager can assign it to you.
    Step 3. Get Guardsquare CLI
      • curl https://downloads.guardsquare.com/cli/latest_macos_amd64 -sL | tar -x && sudo mv -i guardsquare /usr/local/bin/

    Download

      • After your environment is prepared, simply run the following command to download iXGuard:
    guardsquare --ssh-agent download ixguard -o ixguard.pkg
      • Install iXGuard using the standard installer command:
    sudo installer -pkg ixguard.pkg -target /

    Automated, scriptable, secure

    Our goal was to make the automated setup of the CI build nodes as easy as possible while keeping access to Guardsquare tools strictly on a need-to-use basis.

    Our ideal solution would be:

    • Fast
    • Fully scriptable
    • Secure

    Fast downloads

    In the future we expect that our customers’ use of cloud CI systems will only increase. This in turn will increase the load on the download infrastructure.

    We solved this problem by hosting the files on scalable, performant cloud object storage in the infrastructure of a global cloud vendor. This way, Guardsquare never becomes a bottleneck for the customers’ CI process and is able to provide excellent speed for everyone.

    Scriptable downloads

    We had to make sure that every step of the process (except the initial setup) can run automatically using a command-line script.

    The most critical step in the process is getting a secure link and downloading the correct version of iXGuard. To automate this step, we have implemented the Guardsquare CLI. You can get the single-binary CLI from Guardsquare servers using a simple curl command.

    The Guardsquare CLI download command supports semver version strings. For example, this command will download iXGuard version 4.6:

    guardsquare --ssh-agent download ixguard@4.6 -o ixguard.pkg

    The -o switch provides an option to give a predefined name to the downloaded file, so that it can later be installed with an installer action.
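
    The curl-into-tar bootstrap for the CLI runs whatever the download URL returns and then moves it into place with sudo. As an added example (not code from the original post or from Guardsquare), this script downloads the archive to a file, compares it with a SHA-256 digest you recorded yourself from a vetted download, and rejects archives with absolute or ".." member paths before installing. The function names and the pinned-digest workflow are assumptions; the post does not mention a published checksum.

```shell
#!/usr/bin/env bash
# Added example (not Guardsquare's script): verify the CLI archive before use.
set -eu

CLI_URL="https://downloads.guardsquare.com/cli/latest_macos_amd64"  # URL from the post

# SHA-256 of a file, using whichever tool the build node provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Reads member names on stdin; succeeds if any is absolute or contains "..".
has_unsafe_member() {
  grep -E '^/|(^|/)\.\.(/|$)' >/dev/null
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Returns 1 on digest mismatch, 2 on unsafe paths, 3 if extraction fails.
verify_and_extract() {
  local archive="$1" expected="$2" dest="$3" actual
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: expected $expected, got $actual" >&2
    return 1
  fi
  if tar -tf "$archive" | has_unsafe_member; then
    echo "archive contains unsafe member paths" >&2
    return 2
  fi
  mkdir -p "$dest"
  tar -xf "$archive" -C "$dest" || return 3
  [ -f "$dest/guardsquare" ] || return 3
}

# fetch_cli EXPECTED_SHA256: download to a temp dir, verify, then install.
fetch_cli() {
  local tmp
  tmp=$(mktemp -d)
  curl -fsSL "$CLI_URL" -o "$tmp/cli.tar"
  verify_and_extract "$tmp/cli.tar" "$1" "$tmp/out"
  sudo install -m 0755 "$tmp/out/guardsquare" /usr/local/bin/guardsquare
}

# Runs only when invoked as: <script> --install <pinned-sha256>
if [ "${1:-}" = "--install" ]; then fetch_cli "${2:?pinned sha256 required}"; fi
```

    Because the URL points at the latest build, a new CLI release changes the digest and the job fails closed until you re-pin it.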

    Secure download

    To make the downloads secure we chose the SSH key-based authentication mechanism. This authentication scheme should be familiar to you from GitHub, Azure DevOps, and many other services.

    Simply register your SSH key on the Guardsquare portal and your CLI will authenticate automatically.

    License

    To run iXGuard on your cloud CI build node you will need to install the correct license.

    In preparation, download the license file manually from the Guardsquare portal. Use your CI secrets manager to provision the license file on the build nodes. For example, for Microsoft Azure use the Secure files feature.

    Example: GitHub Action Workflow to install iXGuard

    Prerequisite: Set up a GitHub repository secret named SSH_PRIVATE_KEY to store the private key that matches the public key you uploaded to the Guardsquare Customer Portal.

    
    # Workflow script to download and install iXGuard onto an Actions runner node
    on:
      workflow_dispatch:
    jobs:
      install_ixguard:
        runs-on: macos-latest
        steps:
          - uses: actions/checkout@v3
          # Download the Guardsquare CLI and move it onto the PATH
          - run: curl https://downloads.guardsquare.com/cli/latest_macos_amd64 -sL | tar -x && sudo mv -i guardsquare /usr/local/bin/
          # Make sure the @v0.7.0 matches the current version of the action
          - uses: webfactory/ssh-agent@v0.7.0
            with:
              # Private key stored in the SSH_PRIVATE_KEY repository secret
              ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
          # Download iXGuard, authenticating through the ssh-agent
          - run: guardsquare --ssh-agent download ixguard -o ixguard.pkg
          # Install the downloaded package
          - run: sudo installer -pkg ixguard.pkg -target /
    

    Conclusion

    Cloud CI systems provide reliable and scalable service to continuously build, scan, test, and deploy your applications. From now on, you can easily set up your cloud CI to protect your iOS application or SDK with Guardsquare.

    Tag(s): iOS , Protection , iXGuard

    Anton Baranenko - Product manager
