$30 off During Our Annual Pro Sale. View Details »

Licensing and Distributing a Paid Ruby CLI on macOS

Licensing and Distributing a Paid Ruby CLI on macOS

A talk I gave at Rocky Mountain Ruby in Boulder, Colorado on October 6, 2023. I took the audience through my journey figuring out how to enforce licenses and limitations for my Ruby on Mac product, and how to generate a self-contained Ruby binary.

A blog post version of the talk will be coming soon on the Ruby on Mac blog, and the video should be available by the end of October.

Moncef Belyamani

October 10, 2023
Tweet

More Decks by Moncef Belyamani

Other Decks in Programming

Transcript

  1. Moncef Belyamani / rubyonmac.dev / @monfresh
    Licensing and
    Distributing a Paid Ruby
    CLI on macOS
    Rocky Mountain Ruby / October 6, 2023

    View Slide

  2. Moncef Belyamani
    @monfresh
    monfresh.com
    rubyonmac.dev

    View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. I spent hours trying to get Jekyll to work
    on my new M2 Mac. Every time I thought
    I had it something else would break.
    Scott Lewis

    View Slide

  7. If only I could get those 10 hours back
    from the last few days spent trying to get
    2.6.10 installed on this MacBook Air M1.
    Dan Weaver

    View Slide

  8. I spent around 3 days trying to solve issues
    on a Rails app. I looked and tried and
    retried so many possible solutions from so
    many sources on the web... but nothing
    was working.
    Monica Randriamialy

    View Slide

  9. I spent probably 4 hours trying to do
    exactly same setup as before and it
    never worked.
    Anton Podviaznikov

    View Slide

  10. View Slide

  11. • Xcode/Command Line Tools version

    • macOS version

    • Intel vs Apple Silicon

    • Installing things with and without Rosetta at the same time

    • The desired Ruby version

    • The current active Ruby version

    • The version manager used

    • Which OpenSSL versions are installed and which one you're trying to compile with

    • Missing, miscon
    fi
    gured, and outdated dev tools

    • PATH issues

    • Setting ENV vars and other compilation settings globally in shell startup
    fi
    le
    What can affect Ruby installation?

    View Slide

  12. LDFLAGS


    CPPFLAGS


    RUBY_CFLAGS


    PKG_CONFIG_PATH


    --with-openssl-dir


    -Wno-error=implicit-function-declaration


    View Slide

  13. View Slide

  14. The script was such a life saver. Finally
    got my Flutter project working on my


    laptop after literally one year!
    Nicole Manson

    View Slide

  15. This script is truly a lifesaver! I couldn't
    get any version managers to work
    properly.
    Gelo Rosel

    View Slide

  16. You are a lifesaver, I was struggling
    with installing rails on my m1 MBP


    and your script saved all the hassle.
    Abdullah Ashraf

    View Slide

  17. Your script was a lifesaver, thank you
    so much, I am incredibly grateful for
    your work.
    Justin Festa

    View Slide

  18. • Painless Ruby dev setup in 15 minutes or less

    • Works with all version managers

    • Installs Ruby faster than any other version manager (2x as fast as
    rbenv/asdf)

    • Easily install Ruby versions as old as 2.1

    • Set up a new Mac in minutes with all your dev tools, Mac apps,
    fonts, Git preferences, macOS preferences, and GitHub repos.

    • Reset mode backs up and cleans up your dev setup in 1 minute
    rubyonmac.dev
    Ruby on Mac

    View Slide

  19. • Prime customers: 1 year of updates, 1 Mac at a time
    Gotta Have Limits

    View Slide

  20. View Slide

  21. • Prime customers: 1 year of updates, 1 Mac at a time

    • Use Ruby for license veri
    fi
    cation code

    • License-related code can't be easily bypassed by customer

    • Scripts need to be able to run on a brand new Mac with no dev
    tools

    • Customer can reliably activate and deactivate Macs
    Gotta Have Limits

    View Slide

  22. 💰
    👤

    View Slide

  23. View Slide

  24. github.com/neurobin/shc

    View Slide

  25. test.sh shc test.sh.x.c ./test

    View Slide

  26. View Slide

  27. View Slide

  28. View Slide

  29. View Slide

  30. View Slide

  31. View Slide

  32. github.com/jruby/warbler

    View Slide

  33. github.com/phusion/
    traveling-ruby

    View Slide

  34. github.com/pmq20/ruby-packer

    View Slide

  35. • Supplies a patched Ruby

    • Compiles that Ruby locally (with native extensions)

    • Packs it into a squashfs archive

    • Ruby is patched to look inside the squashfs and the
    real
    fi
    lesystem
    How ruby-packer works

    View Slide

  36. 👍 single file, works with all native
    extensions

    View Slide

  37. 👎 no cross-packaging support

    View Slide

  38. View Slide

  39. github.com/ericbeland/
    ruby-packer

    View Slide

  40. github.com/motor-admin/
    ruby-packer

    View Slide

  41. View Slide

  42. View Slide

  43. View Slide

  44. View Slide

  45. unable to find ecdh parameters

    View Slide

  46. View Slide

  47. View Slide

  48. View Slide

  49. View Slide

  50. HOLD UP

    View Slide

  51. WAIT A
    MINUTE

    View Slide

  52. rubyc --openssl-dir=/opt/homebrew/etc/[email protected]

    View Slide

  53. rom script -m reset

    View Slide

  54. certificate verify failed (OpenSSL::SSL::SSLError)

    View Slide

  55. ➜ ls -la /opt/homebrew/etc/[email protected]


    total 0


    drwxr-xr-x@ 3 moncef admin 96B Sep 12 10:59 ./


    drwxrwxr-x@ 16 moncef admin 512B Sep 12 10:59 ../


    lrwxr-xr-x@ 1 moncef admin 42B Sep 12 10:59
    cert.pem@ -> /opt/homebrew/etc/ca-certificates/cert.pem

    View Slide

  56. ➜ openssl version -a


    LibreSSL 3.3.6


    built on: date not available


    platform: information not available


    options: bn(64,64) rc4(ptr,int) des(idx,cisc,16,int)
    blowfish(idx)


    compiler: information not available


    OPENSSLDIR: "/private/etc/ssl"

    View Slide

  57. rubyc --openssl-dir=/private/etc/ssl test.rb -o test

    View Slide

  58. 🎉

    View Slide

  59. bundle exec rake rubyc

    View Slide

  60. rubyc --openssl-dir=/private/etc/ssl test.rb -o test

    View Slide

  61. View Slide

  62. View Slide

  63. • Sign up for Apple Developer Program ($99/year)
    Gotta Be Legit

    View Slide

  64. View Slide

  65. • https://developer.apple.com/documentation/devicecheck
    One, Two, One, Two
    DeviceCheck

    View Slide

  66. View Slide

  67. View Slide

  68. View Slide

  69. import DeviceCheck


    public func getDeviceToken(completion: @escaping (String?) -> ()) {


    let currentDevice = DCDevice.current


    if currentDevice.isSupported


    {


    currentDevice.generateToken(completionHandler: { (data, error) in


    if let tokenData = data {


    let tokenString = tokenData.base64EncodedString()


    print("Device token generated 🎉")


    completion(tokenString)


    } else {


    print("Error generating token: \(error!.localizedDescription)")


    }


    })


    } else {


    print("Device is not supported") // Simulators or etc.


    }


    }

    View Slide

  70. getDeviceToken { deviceToken in


    var request = URLRequest(url: "http://localhost:3000/test")


    request.httpMethod = "POST"




    // Header


    request.setValue(deviceToken, forHTTPHeaderField: "Device-Token")




    // Body


    request.setValue("application/json; charset=utf-8", forHTTPHeaderField: "Content-Type")


    let json = ["device_token": deviceToken] as [String : Any]


    let jsonData = try! JSONSerialization.data(withJSONObject: json)


    request.httpBody = jsonData as Data




    // Send it to server


    let downloadTask = URLSession.shared.dataTask(with: request, completionHandler: { data,
    response, error in


    ...


    })


    }

    View Slide

  71. HOLD UP

    View Slide

  72. WAIT A
    MINUTE

    View Slide

  73. ??

    View Slide

  74. View Slide

  75. View Slide

  76. View Slide

  77. View Slide

  78. let homeDirectory = NSHomeDirectory()




    let fileURL = URL(fileURLWithPath: "\(homeDirectory)/token.txt"


    if let data = token.data(using: .utf8) {


    do {


    try data.write(to: fileURL)


    } catch {


    print("Error writing token to the file: \(error)")


    }


    }

    View Slide

  79. DeviceCheck Token ✅

    View Slide

  80. Ruby script binary ✅

    View Slide

  81. Bash script binary ✅

    View Slide

  82. if ! ./verify_license; then


    exit


    fi

    View Slide

  83. codesign --timestamp \


    --options=runtime \


    -s "5NB2AVZQPV" \


    -v verify_license

    View Slide

  84. codesign --display --verbose=1 verify_license

    View Slide

  85. Executable=/Users/moncef/projects/rubyonmac-prime/verify_license


    Identifier=verify_license


    Format=Mach-O thin (arm64)


    Signature size=8981


    Timestamp=Sep 9, 2023 at 16:52:16


    Info.plist=not bound


    TeamIdentifier=5NB2AVZQPV


    Runtime Version=13.3.0


    Sealed Resources=none


    View Slide

  86. require 'json'


    result = `git for-each-ref --sort=-creatordate --format='%
    (creatordate:short) | %(contents)' refs/tags`


    tags = result.split("\n\n")


    versions = tags.each_with_object([]) do |tag, array|


    date = tag.split(" | ").first


    version = tag.split("Release ")[1]


    array.push({date:, version:})


    end


    File.write("prime-versions.json", JSON.generate(versions))


    View Slide

  87. View Slide

  88. codesign \


    --timestamp \


    --options=runtime \


    -s "5NB2AVZQPV" \


    --prefix="com.rubyonmac.2.0.22." \


    -v verify_license

    View Slide

  89. Executable=/Users/moncef/projects/rubyonmac-prime/verify_license


    Identifier=com.rubyonmac.2.0.22.verify_license


    Format=Mach-O thin (arm64)


    Signature size=8981


    Timestamp=Sep 9, 2023 at 16:52:16


    Info.plist=not bound


    TeamIdentifier=5NB2AVZQPV


    Runtime Version=13.3.0


    Sealed Resources=none


    View Slide

  90. View Slide

  91. View Slide

  92. View Slide

  93. View Slide

  94. View Slide

  95. View Slide

  96. View Slide

  97. View Slide

  98. View Slide

  99. View Slide

  100. View Slide

  101. View Slide

  102. View Slide

  103. View Slide

  104. 💰
    👤

    View Slide

  105. View Slide

  106. Customer.exists?(email:)

    View Slide

  107. Customer.find_by(email:).present?

    View Slide

  108. Customer.where(email:).reload.present?

    View Slide

  109. Customer.uncached { Customer.where(email:).to_a.present? }

    View Slide

  110. • Generate the license

    • Store it in S3 with ActiveStorage

    • Respond to Paddle with plain text containing link to the license

    • Paddle emails customer
    Go With the Flow

    View Slide

  111. • Customer downloads license and latest Ruby on Mac release

    • Customer runs .pkg installer

    • Installer puts ROM Token Generator macOS app in /Applications

    • Installer unzips rubyonmac folder
    Go With the Flow

    View Slide

  112. • Customer runs Bash script

    • Bash script checks that license veri
    fi
    cation binary exists and that it's
    signed by me

    • License is decrypted and email and product are extracted

    • ROM Token Generator app is opened in the background

    • Token gets saved to a
    fi
    le
    Go With the Flow

    View Slide

  113. • Token is read from the
    fi
    le and stored in a variable

    • Token Generator app is quit

    • Script sends token, email, and product to the Rails app

    • Rails app performs validations
    Go With the Flow

    View Slide

  114. • Send request to Apple's "query_two_bits" endpoint

    • "Failed to
    fi
    nd bit state" means ROM has not yet been run on this Mac

    • Send request to "update_two_bits" endpoint to set bit0 and bit1

    • If device already activated, Apple returns current bit0 and bit1 values
    Go With the Flow

    View Slide

  115. • Verify current version was released before license expiration

    • Bash script can continue

    • License veri
    fi
    cation takes ~1 second
    Go With the Flow

    View Slide

  116. View Slide

  117. • MacBook Pro with Touch Bar (2016 and 2017) and Apple T1 Chip

    • Intel-based Mac computers with Apple T2 Security Chip

    • Mac computers with Apple silicon
    Secure Enclave

    View Slide

  118. Copying latest Ruby on Mac files...


    cp: rom_arm64: No such file or directory

    View Slide

  119. View Slide

  120. Copying latest Ruby on Mac files...


    The rom-prime_arm64 file is missing!


    You are most likely running SentinelOne, which removed the file.


    Ruby on Mac Prime is not compatible with SentinelOne.


    Only the Ultimate version is.


    Please upgrade to Ruby on Mac Ultimate with coupon code FOOBAR:


    https://www.rubyonmac.dev/pricing


    If you're not running SentinelOne, please report this issue to
    [email protected]

    View Slide

  121. • Testing
    Ruby Rewrite Benefits

    View Slide

  122. • Testing

    • User Experience
    Ruby Rewrite Benefits

    View Slide

  123. • Testing

    • User Experience

    • Future Proof
    Ruby Rewrite Benefits

    View Slide

  124. Thank You!
    And a Gift
    5⃣ RMR50


    4⃣ RMR40


    3⃣ RMR30


    2⃣ RMR20


    1⃣ RMR10


    rubyonmac.dev/pricing

    View Slide