Touch ID support on macOS (Data Protection Keychain) #1243
Implementation Overview
Refactoring was mostly done upstream, dependent on the following merges:

A new dp-keychain backend was created, as the breaking changes in keybase/go-keychain#76 made the existing keychain unsuitable for this implementation. More details can be found in keyring/data_protection_keychain.go.

The file-based keychain used by aws-vault is nearing deprecation, although it will likely remain available for several years. Transitioning to the Data Protection keychain is recommended due to its enhanced security.
Key Changes
- New backend (--backend=dp-keychain).
- --access-control and --access-constraint to manage backend access.
- A copy method for transferring credentials between keychains.

Please review the latest documentation for detailed information on this implementation.
Deployment Structure Changes
The .dmg deployment now includes an embedded.provisionprofile within an app scaffold, changing from a single binary to an app bundle:

This modification will require updates to the cask (using both the app and binary stanzas). I still need to do testing with Homebrew to ensure there are no breaking changes.

Also, GitHub Actions will need the embedded.provisionprofile, so this should be added in.
Participation Request
I welcome all testing and feedback on this implementation. As Go is not my primary language, I'm open to any improvements. Any further code can be added as a pull request against this branch.
Testing Instructions
Method 1: Build it yourself

Method 2: Pre-built .dmg
Copy aws-vault.app from the .dmg to your preferred directory, such as ~/bin.

$ ~/bin/aws-vault.app/Contents/MacOS/aws-vault --backend=dp-keychain ls

Use the copy method if you need to transfer credentials between keychains.

Add the following to your ~/.zshrc or ~/.bash_profile:

Important: If and when this update is merged and released under the 99designs developer ID, when you use that release you won't see credentials stored under different developer IDs, including those created under your own or mine. You will need to add these credentials again under the 99designs developer ID to maintain access. The copy method won't work either.

Known Issues
Each aws-vault execution will require reauthentication (i.e. a Touch ID prompt). Generally you can avoid re-prompts in an app by using an authentication context (stored in memory). However, as aws-vault is not a running background/foreground app, it's not possible to do this directly. The only way this could be done is by developing a new background daemon. Ideally this would be built in 99designs/keyring, as that currently has the local context.

--access-control=Watch may not produce specific error messages if an Apple Watch is not detected during credential access attempts, instead returning a "credentials not found" message. Ideally you would never use Watch as the primary method anyway, but there's currently no way around this. I will consider adding a message if no credentials are found and Watch is the only access control in use.