
Touch ID support on macOS (Data Protection Keychain) #1243

Open
wants to merge 2 commits into
base: master

Conversation

@alexw23 alexw23 commented May 7, 2024

Implementation Overview

Refactoring was mostly done upstream, dependent on the following merges:

A new dp-keychain was created, as the breaking changes in keybase/go-keychain#76 made the existing keychain unsuitable for this implementation. More details can be found in keyring/data_protection_keychain.go.

The file-based keychain used by aws-vault is nearing deprecation, although it will likely remain available for several years. Transitioning to the Data protection keychain is recommended due to its enhanced security.

Key Changes

Please review the latest documentation for detailed information on this implementation.

Deployment Structure Changes

The .dmg deployment now includes an embedded.provisionprofile within an app scaffold, changing from a single binary to an app bundle:

aws-vault.app/
└── Contents/
    ├── MacOS/
    │   └── aws-vault
    ├── Info.plist
    ├── embedded.provisionprofile
    └── _CodeSignature/
        └── CodeResources

This modification will require updates to the cask (using both the app and binary stanzas). I still need to do testing with Homebrew to ensure there are no breaking changes.

Also, GitHub Actions will need the embedded.provisionprofile, so this should be added in.

Participation Request

I welcome all testing and feedback on this implementation. As Go is not my primary language, I'm open to any improvements. Any further code can be added as a pull request against this branch.

Testing Instructions

Method 1: Build it yourself

  1. Review Documentation: Begin by reviewing the latest documentation to familiarize yourself with the new features and backend.
  2. Setup Development Environment: Follow these instructions for setting up a local development environment. This includes acquiring an Apple Developer ID and configuring the necessary Certificates and Provisioning Profiles. All commands and configurations are detailed in the documentation.
  3. Then you can build it as follows:
    $ make app
    $ aws-vault.app/Contents/MacOS/aws-vault --backend=dp-keychain ls

Method 2: Pre-built .dmg

  1. Download and Extract: Download the unofficial .dmg and extract the aws-vault.app from the .dmg to your preferred directory, such as ~/bin.
  2. Execute Commands: Use the new backend with the following shell command:
    $ ~/bin/aws-vault.app/Contents/MacOS/aws-vault --backend=dp-keychain ls
    Utilize the new copy method if you need to transfer credentials between keychains.
  3. Simplify Command Usage: Optionally, add the following lines to your ~/.zshrc or ~/.bash_profile:
    $ echo 'alias aws-vault="~/bin/aws-vault.app/Contents/MacOS/aws-vault"' >> ~/.zshrc
    $ echo 'export AWS_VAULT_BACKEND="dp-keychain"' >> ~/.zshrc
    Reload your shell configuration to apply these changes:
    $ source ~/.zshrc

Important: If and when this update is merged and released under the 99designs developer ID, when you use that release you won’t see credentials stored under different developer IDs, including those created under your own or mine. You will need to add these credentials again under the 99designs developer ID to maintain access. The copy method won’t work either.

Known Issues

  • Each aws-vault execution will require reauthentication (i.e. a Touch ID prompt). Generally you can avoid reprompts in an app by using an authentication context (stored in memory). However, as aws-vault is not a running background/foreground app, it's not possible to do this directly. The only way this could be done is by developing a new background daemon. Ideally this would be built in 99designs/keyring, as that currently has the local context.
  • Users on macOS Sonoma have encountered some issues with opening the app (You can't use this version of the application "aws-vault" with this version of macOS); this needs further investigation. Feedback from Sonoma users would be valuable.
  • Storing credentials with --access-control=Watch may not produce specific error messages if an Apple Watch is not detected during credential access attempts, instead returning a "credentials not found" message. Ideally you would never use Watch as the primary method anyway, but there's currently no way around this. Will consider adding a message if no credentials are found and using Watch only.
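Before pointing a shell alias at an unofficial .dmg build, it is worth checking that the extracted bundle has the layout the PR describes and that codesign accepts its signature and reports the expected Team ID. The script below is an added example, not code from this PR or from aws-vault; the function names and the `~/bin/aws-vault.app` path are assumptions.

```shell
#!/bin/sh
# Added example (not part of the PR): sanity-check an aws-vault.app bundle
# before wiring it into a shell alias.

# Return 0 when every file in the bundle layout the PR describes is present,
# 1 otherwise (each missing path is reported on stderr).
check_bundle_layout() {
    app="$1"
    missing=0
    for rel in \
        Contents/MacOS/aws-vault \
        Contents/Info.plist \
        Contents/embedded.provisionprofile \
        Contents/_CodeSignature/CodeResources; do
        if [ ! -f "$app/$rel" ]; then
            echo "missing: $app/$rel" >&2
            missing=1
        fi
    done
    return $missing
}

# Verify the code signature with codesign (macOS only). Returns 2 when
# codesign is not available so the caller knows the check was skipped,
# 1 when verification fails, 0 when it passes; on success it prints the
# Authority and TeamIdentifier lines so the signing developer ID is visible.
check_bundle_signature() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; signature not verified" >&2
        return 2
    fi
    codesign --verify --deep --strict "$app" || return 1
    codesign -dvv "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
}

# Print the two lines Method 2 appends to ~/.zshrc, for the given bundle path.
alias_lines() {
    app="$1"
    printf 'alias aws-vault="%s/Contents/MacOS/aws-vault"\n' "$app"
    printf 'export AWS_VAULT_BACKEND="dp-keychain"\n'
}

# Usage: sh check-bundle.sh ~/bin/aws-vault.app >> ~/.zshrc
if [ -n "$1" ]; then
    check_bundle_layout "$1" && check_bundle_signature "$1" && alias_lines "$1"
fi
```

On a non-macOS host only the layout check runs; the signature check reports that it was skipped rather than silently passing.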

@alexw23 alexw23 mentioned this pull request May 7, 2024