99designs · lox · Aug 5, 2017 · Aug 5, 2017 · Aug 8, 2017 · Aug 8, 2017
diff --git a/.travis.yml b/.travis.yml
@@ -1,5 +1,6 @@
 language: go
 
+osx_image: xcode8.3
 install: ./scripts/ci_install.sh
 
 go:

diff --git a/Makefile b/Makefile
@@ -30,7 +30,7 @@ $(BIN)-windows-386.exe: $(SRC)
 	GOOS=windows GOARCH=386 go build -o $@ -ldflags="$(FLAGS)" .
 
 release: $(BIN)-linux-amd64 $(BIN)-darwin-amd64 $(BIN)-windows-386.exe
-	codesign -s $(CERT) $(BIN)-darwin-amd64
+	codesign -s "$(CERT)" $(BIN)-darwin-amd64
 
 clean:
 	rm -f $(BIN)-*-*
diff --git a/README.md b/README.md
@@ -110,6 +110,19 @@ Developed with golang, to install run:
 go get github.com/99designs/aws-vault
 ```
 
+## Self-signing your binary
+
+Binaries that call Keychain need to be signed, otherwise they always show the "allow access" prompt. Releases are signed by 99designs certificates, but if you are actively developing and want to mimic the behaviour of a signed release you can generate a self-signed code signing certificate.
+
+Check out Apple's guide on it [here](http://web.archive.org/web/20090119080759/http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Procedures/chapter_3_section_2.html), or find it in `Keychain Access > Certificate Assistant > Create Certificate > Code Signing Certificate`.  
+
+You can then sign your binary like this:
+
+```bash
+make build
+codesign -s "Name of my certificate" ./aws-vault
+```
+
 ## References and Inspiration
 
  * https://github.com/pda/aws-keychain

diff --git a/cli/exec.go b/cli/exec.go
@@ -112,6 +112,7 @@ func ExecCommand(app *kingpin.Application, input ExecCommandInput) {
 	val, err := creds.Get()
 	if err != nil {
 		app.Fatalf(vault.FormatCredentialError(input.Profile, profiles, err))
+		return
 	}
 
 	if input.StartServer {

diff --git a/cli/global.go b/cli/global.go
@@ -26,6 +26,7 @@ var GlobalFlags struct {
 	Debug        bool
 	Backend      string
 	PromptDriver string
+	Biometrics   bool
 }
 
 func ConfigureGlobals(app *kingpin.Application) {
@@ -42,17 +43,23 @@ func ConfigureGlobals(app *kingpin.Application) {
 		OverrideDefaultFromEnvar("AWS_VAULT_PROMPT").
 		EnumVar(&GlobalFlags.PromptDriver, promptsAvailable...)
 
+	app.Flag("biometrics", "Use biometric authentication if supported").
+		OverrideDefaultFromEnvar("AWS_VAULT_BIOMETRICS").
+		BoolVar(&GlobalFlags.Biometrics)
+
 	app.PreAction(func(c *kingpin.ParseContext) (err error) {
 		if !GlobalFlags.Debug {
 			log.SetOutput(ioutil.Discard)
 		}
 		if keyringImpl == nil {
 			keyringImpl, err = keyring.Open(KeyringName, GlobalFlags.Backend)
 		}
+		if globals.Biometrics {
+			keyring.Config.UseBiometrics = true
+		}
 		if awsConfigFile == nil {
 			awsConfigFile, err = vault.NewConfigFromEnv()
 		}
 		return err
 	})
-
 }
diff --git a/vendor/github.com/99designs/keyring/keychain.go b/vendor/github.com/99designs/keyring/keychain.go
diff --git a/vendor/github.com/99designs/keyring/keyring.go b/vendor/github.com/99designs/keyring/keyring.go
diff --git a/vendor/github.com/lox/go-touchid/README.md b/vendor/github.com/lox/go-touchid/README.md
diff --git a/vendor/github.com/lox/go-touchid/touchid.go b/vendor/github.com/lox/go-touchid/touchid.go
diff --git a/vendor/vendor.json b/vendor/vendor.json
@@ -257,6 +257,12 @@
 			"revision": "efeae48c0b272ac15a6c0b53129285b2b0ed828d",
 			"revisionTime": "2017-08-10T04:31:23Z"
 		},
+		{
+			"checksumSHA1": "kEyCzFEzVLWWRauNn0Nzxg2pg6Q=",
+			"path": "github.com/lox/go-touchid",
+			"revision": "619cc8e578d0ef916aa29c806117c370f9d621cb",
+			"revisionTime": "2017-07-12T10:52:33Z"
+		},
 		{
 			"checksumSHA1": "AXacfEchaUqT5RGmPmMXsOWRhv8=",
 			"path": "github.com/mitchellh/go-homedir",