chore: fingerprint signing secrets for cross-repo comparison

.github/workflows/fingerprint-signing-secrets.yml

@@ -0,0 +1,79 @@
+name: Fingerprint Signing Secrets
+
+# Debug-only workflow. Prints a salted SHA-256 fingerprint + byte length
+# for the mac signing + notarize secrets so the values can be compared
+# byte-for-byte against another repo's equivalents without ever revealing
+# the secret bytes themselves.
+#
+# How comparison works:
+#   1. Dispatch this workflow here AND the equivalent workflow on the other
+#      repo (same salt, same algorithm).
+#   2. Compare the `len=` and `sha256=` columns side-by-side.
+#      - Same len + same sha256 → byte-identical secret values.
+#      - Same len + different sha256 → same length but different bytes
+#        (different account / different password / typo).
+#      - Different len → almost certainly a whitespace / newline issue
+#        on one side.
+#
+# The salt is a fixed public constant (not a secret). Same salt on both
+# sides → same hash for the same input. Different salt → different hash.
+# Don't change the salt or the comparison breaks.
+
+on:
+  workflow_dispatch:
+
+jobs:
+  fingerprint:
+    name: Fingerprint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      # Logical name → secret reference. These are the dev repo's names.
+      # The equivalent workflow on prod should set the same logical-name
+      # env vars pointing at whatever prod stores them under (e.g.
+      # secrets.APPLE_ID instead of secrets.BSTACK_APPLE_ID).
+      APPLE_ID: ${{ secrets.BSTACK_APPLE_ID }}
+      APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.BSTACK_APPLE_APP_SPECIFIC_PASSWORD }}
+      MAC_CERTS: ${{ secrets.BSTACK_MAC_CERTS }}
+      MAC_CERTS_PASSWORD: ${{ secrets.BSTACK_MAC_CERTS_PASSWORD }}
+    steps:
+      - name: Hash secrets
+        shell: bash
+        run: |
+          set -eu
+          # Public, fixed salt. Must be IDENTICAL across all repos doing the
+          # comparison or the hashes won't line up. Bump only if you want to
+          # invalidate prior fingerprints (then bump on the other repo too).
+          SALT='requestly-signing-secret-fingerprint-v1'
+
+          fingerprint () {
+            local logical_name="$1"
+            local value="$2"
+            if [ -z "$value" ]; then
+              printf '  %-30s  <empty — secret not set or expanded to empty>\n' "$logical_name"
+              return
+            fi
+            local len hash
+            # printf '%s' deliberately omits a trailing newline so the hash
+            # reflects exactly the bytes GitHub stored — no shell-added \n.
+            len=$(printf '%s' "$value" | wc -c | tr -d ' ')
+            hash=$(printf '%s%s' "$SALT" "$value" | sha256sum | cut -d' ' -f1)
+            printf '  %-30s  len=%-6s  sha256=%s\n' "$logical_name" "$len" "$hash"
+          }
+
+          {
+            echo "## Signing Secret Fingerprints"
+            echo ""
+            echo "- **Repo:** \`${{ github.repository }}\`"
+            echo "- **Branch:** \`${{ github.ref_name }}\`"
+            echo "- **Commit:** \`${{ github.sha }}\`"
+            echo "- **Salt:** \`$SALT\`"
+            echo ""
+            echo '```'
+            fingerprint "APPLE_ID"                    "$APPLE_ID"
+            fingerprint "APPLE_APP_SPECIFIC_PASSWORD" "$APPLE_APP_SPECIFIC_PASSWORD"
+            fingerprint "MAC_CERTS"                   "$MAC_CERTS"
+            fingerprint "MAC_CERTS_PASSWORD"          "$MAC_CERTS_PASSWORD"
+            echo '```'
+          } | tee -a "$GITHUB_STEP_SUMMARY"