未完待续

Building a Command-Line Tool to Verify iOS AASAFiles

枯藤昏鸦 — Fri, 20 Feb 2026 06:27:33 +0000

# Building a Command-Line Tool to Verify iOS AASA Files

If you’ve ever set up Universal Links for an iOS application, you know that the Apple App Site Association (AASA) file can sometimes be a headache. Just a single typo, a missing bracket, or a misconfigured HTTP header can break deep linking entirely.

To make this process a bit smoother, I recently built a simple, dependency-free Python tool that verifies AASA files right from the command line.

## What is an AASA File?

The Apple App Site Association (AASA) file is a JSON file that lives on your web server. It establishes a secure connection between your domain and your iOS app, proving to Apple that you own both. When a user clicks a Universal Link (like https://yourdomain.com/path), iOS checks this file to see if the link should open in your app instead of Safari.

For this to work, the AASA file must:
1. Be served over HTTPS with a valid certificate.
2. Be exposed exactly at /.well-known/apple-app-site-association or /apple-app-site-association.
3. Contain valid JSON syntax defining the applinks (and optionally webcredentials or appclips).

If everything is correct, Apple’s CDN will also eventually cache a copy at https://app-site-association.cdn-apple.com/a/v1/[yourdomain.com].

## The Problem: It’s Hard to See Why It Fails

Usually, when deep links stop working, you’re left guessing. Is the file missing? Did the server return the wrong caching headers? Did my JSON syntax break when I updated it?

There are some web-based validators out there, but I wanted something I could run quickly in terminal, integrate into CI/CD pipelines, or just use locally without relying on third-party sites.

## Building verify_aasa.py

I decided to build a simple Python script called verify_aasa.py. The goal was to check the common endpoints where an AASA file might live, fetch it, parse the JSON, and validate its structural integrity.

### 1. Fetching the File

The script checks three distinct locations:

python paths = [ f"https://{domain}/.well-known/apple-app-site-association", f"https://{domain}/apple-app-site-association", f"https://app-site-association.cdn-apple.com/a/v1/{domain}" ]

It iterates through these paths using Python’s built-in urllib.request. If it succeeds in pulling down the valid file, it confirms the HTTP status and notes the Content-Type returned by the server.

*Note: One common hangup is that local Python environments on macOS sometimes struggle with root SSL certificates. To make the tool robust, I added a quick fallback behavior: if the certifi module is available, it uses that for validation; otherwise, it bypasses SSL validation and prints a warning so the user isn’t stuck behind a local configuration error.*

### 2. Validating the JSON

Once it has the file, the next step is parsing it. If the AASA file has trailing commas or weird quotes, json.loads() will throw an error immediately, simulating the confusion iOS might experience.

Assuming it passes the JSON decode, the script validates the structure:

python if 'applinks' in data: applinks = data['applinks'] if 'details' in applinks: for i, app in enumerate(applinks['details']): appID = app.get('appID') appIDs = app.get('appIDs') # Check for modern 'components' or legacy 'paths' # ...

A common issue nowadays is transitioning from the legacy paths routing to the modern components routing, as well as the transition from appID (string) to appIDs (array). The script validates that at least one of these is correctly defined for each block.

It also supports checking for the existence of webcredentials (Shared Web Credentials) and appclips (App Clips configurations).

## Running the Tool

Running the tool is simple:

bash python3 verify_aasa.py apple.com

Which produces an output like this:

Verifying AASA file for domain: apple.com


Checking https://apple.com/.well-known/apple-app-site-association ...

Found AASA file at https://apple.com/.well-known/apple-app-site-association

Content-Type: None
Successfully parsed as JSON.
--- Validating AASA Structure ---

Found 'applinks' key.

Found 'applinks.details' key.
  App 1: appIDs = ['W74U47NE8E.com.apple.store.Jolly']

    Uses modern 'components' routing.
Found 'webcredentials' key.

  Includes 1 app(s) for shared web credentials.
Found 'appclips' key.

  Includes 1 app(s) for App Clips.

Summary: AASA file syntax looks good!

## Wrapping Up

Building this little tool was a great reminder of how useful small, purpose-built CLI utilities can be. No dependencies (unless you want certifi for strict SSL), no web interfaces, just a quick sanity check to ensure iOS will swallow your AASA file correctly.

You can grab the script and use it in your own projects whenever Universal Links start acting up!
https://gist.github.com/darcyliu/0f15d22751829f2fa4f5c811e15b67c8

-EOF-

ssh stuck at expecting SSH2_MSG_KEX_ECDH_REPLY

枯藤昏鸦 — Fri, 25 Jul 2025 21:32:00 +0000

前段时间遇到使用了 WireGuard 的 IP SSH 卡在了 SSH2_MSG_KEX_ECDH_REPLY，使用主机对外的IP又能正常登陆。
debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

一番研究之后发现是 MTU 值偏低导致，在不调整 MTU 的情况下，可以更改 KexAlgorithms 或者 MACs 试试。
ssh root@10.10.10.10 -v -o KexAlgorithms=ecdh-sha2-nistp521 ssh root@10.10.10.10 -v -o MACs=hmac-sha2-256

-EOF-

Building a Command-Line Tool to Verify iOS AASAFiles

macOS 不借助第三方软查看图片是否含有 Alpha 通道

枯藤昏鸦 — Wed, 25 Jun 2025 04:24:14 +0000

方法一：
Using Preview:
1. Open the image in Preview
2. Click Tools > Show Inspector (or press Cmd + I)
3. Click the “i” tab (Information)
4. Look under “More Info” – it will show color space and bits per component

方法二：
Using Terminal:

sips -g format -g pixelWidth -g pixelHeight -g hasAlpha path/to/image.jpg

-EOF-

快速添加public ssh key到服务器

枯藤昏鸦 — Wed, 25 Jun 2025 04:01:49 +0000

登陆服务器，然后执行

mkdir -m 700 ~/.ssh
curl https://github.com/{username}.keys >> ~/.ssh/authorized_keys

-EOF-

PSQL 常用命令

枯藤昏鸦 — Sun, 24 Nov 2024 06:18:01 +0000

创建新的数据库

psql -U postgres -c "CREATE DATABASE $DB_NAME;"

创建新的用户

psql -U postgres -c "CREATE USER $DB_USER WITH PASSWORD '$DB_PASSWORD';"

将新数据库的所有权限授予新用户

psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE $DB_NAME TO $DB_USER;"

删除数据库

psql -U postgres -c "DROP DATABASE IF EXISTS $DB_NAME;"

删除用户

psql -U postgres -c "DROP USER IF EXISTS $DB_USER;"

-EOF-

修复 WordPress 的文件读写权限错误

枯藤昏鸦 — Wed, 31 Jul 2024 17:50:04 +0000

如果在 WordPress Site Health 页面遇到 “Some files are not writable by WordPress”, 可以通过如下的方式解决：
1. 检查 web server 所使用的 user 账号，比如 nginx:

cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

如上 nginx 所使用的 user 为 www-data.
2. 将 WordPress 的文件 Owner 更改成 web server user, 比如：

chown -R www-data:www-data /the/folder/place/the/wordpress/

重新刷新页面即可。
-EOF-

Unix/Linux enable IP forwarding(开启IP包转发)

枯藤昏鸦 — Sat, 30 Dec 2023 23:33:54 +0000

Unix/Linux在默认情况下在网络包转发是处于禁用状态的，在安装了 WireGuard 等网络流量转发软件后，需要开启IP包转发才能正常的处理来自客户的流量转发请求。
以下命令可以查询当前的 ip.forwarding 标记状态, 0表示已禁用，1表示已开启。

sysctl net.inet.ip.forwarding
sysctl net.inet6.ip6.forwarding

我们可以通过设置该值为1开启IP包转发功能。

sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1

-EOF-

修复Nginx + PHP 5xx Error

枯藤昏鸦 — Sat, 30 Dec 2023 00:59:04 +0000

之前时不时会收到 Google Search Console 发来的邮件告知在索引页面的时候遇到了5xx，一直都没有管。直到上周我自己重现了一次才开始重视起来。
Search Console has identified that your site is affected by 1 Page indexing issue(s). The following issues were found on your site.

Top Issues

Server error (5xx)
We recommend that you fix these issues when possible to enable the best experience and coverage in Google Search.
检查日志发现如下内容：
2023/12/12 01:23:45 [error] 2175086#0: *57111 connect() to unix:/run/php-fpm/www.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 192.3.114.12, server: example.com, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "example.com", referrer: "http://example.com/"
于是跑了一遍压力测试，发现将近一半的请求都遇到5xx错误，同时日志中产生如上记录。
wrk -t12 -c400 -d30s https://ioio.name

便因此做了一下研究，主要参考 11: Resource temporarily unavailable, while connecting to upstream + Bad Gateway (Nginx)

通过执行如下命令调整了 net.core.somaxconn 及 net.core.netdev_max_backlog
echo "net.core.somaxconn = 65535" | sudo tee -a /etc/sysctl.conf sudo sysctl -p echo "net.core.netdev_max_backlog = 65535" | sudo tee -a /etc/sysctl.conf sudo sysctl -p

更新nginx配置文件，给 FastCGI service 添加

fastcgi_keep_conn on;

然后重启服务

systemctl restart php-fpm.service
systemctl restart nginx

再次运行压力测试，错误消失。
wrk -t12 -c400 -d30s https://ioio.name Running 30s test @ https://ioio.name 12 threads and 400 connections Thread Stats Avg Stdev Max +/- Stdev Latency 180.51ms 88.60ms 1.91s 89.36% Req/Sec 109.17 32.60 212.00 71.29% 39114 requests in 30.08s, 1.86GB read Socket errors: connect 158, read 0, write 0, timeout 0 Requests/sec: 1300.31 Transfer/sec: 63.29MB
-EOF-

How to Install PostgreSQL on FreeBSD

枯藤昏鸦 — Sat, 18 Nov 2023 21:24:14 +0000

1. Update all available repository and upgrade all packages to the latest

pkg update
pkg upgrade

2. Install PostgreSQL 13

pkg install postgresql13-server postgresql13-client

3. Add the PostgreSQL to the system boot:

sysrc postgresql_enable=yes

4. Initialize the PostgreSQL database

/usr/local/etc/rc.d/postgresql initdb

5. Start the PostgreSQL service and check its status

service postgresql start
service postgresql status

-EOF-

Kubernetes Dashboard Disable Token TTL/Skip Login

枯藤昏鸦 — Mon, 06 Feb 2023 06:51:09 +0000

The default token TTL for Kubernetes Dashboard is 10 minutes, it is inconvenient in a development environment. We can remove this limit by disabling the TTL or enabling the skip login.

1. Inspect the configuration for kubernetes-dashboard
kubectl -n kubernetes-dashboard describe deployments kubernetes-dashboard
You may see --auto-generate-certificates in the **arg** section.

2. Update the configuration to add --token-ttl=0 to disable the session timeout; add -enable-skip-login to enable the skip login button.
kubectl -n kubernetes-dashboard edit deployments kubernetes-dashboard

Args: --auto-generate-certificates --token-ttl=0 --enable-skip-login --enable-insecure-login
-EOF-

未完待续

Building a Command-Line Tool to Verify iOS AASAFiles

ssh stuck at expecting SSH2_MSG_KEX_ECDH_REPLY

Related posts:

macOS 不借助第三方软查看图片是否含有 Alpha 通道

Related posts:

快速添加public ssh key到服务器

Related posts:

PSQL 常用命令

修复 WordPress 的文件读写权限错误

Related posts:

Unix/Linux enable IP forwarding(开启IP包转发)

Related posts:

修复Nginx + PHP 5xx Error

Related posts:

How to Install PostgreSQL on FreeBSD

Related posts:

Kubernetes Dashboard Disable Token TTL/Skip Login

Related posts: