Adding touch ID support (via new data protection keychain)#136
Conversation
SecItemUpdate only accepts the SetData (kSecValueData) param for an update when SetAccessControl (kSecAttrAccessControl) was set on original item.
Also added a check to ensure we are running in a bundled app context.
|
Added to maintained fork: https://github.com/ByteNess/keyring/ |
|
@mihai209 this was merged to maintained fork mentioned ↑ |
|
For anyone following this: this PR was a useful reference when we built Touch ID support in https://github.com/lox/keyring-keychain (a macOS keychain provider for the v2 fork of keyring). Thanks @alexw23. We ended up taking a different route though. The data protection keychain needs entitlements authorised by a provisioning profile, so unsigned or ad-hoc signed Go binaries get errSecMissingEntitlement (-34018), which rules it out for most Go CLIs unless you ship a signed app bundle. Instead we encrypt item data to non-permanent Secure Enclave keys (the same mechanism age-plugin-se uses), with user presence enforced by the Secure Enclave at decrypt time. That works from a plain go build binary with no signing at all, and the ciphertext still lives in the regular file-based keychain. Design notes here if useful: https://github.com/lox/keyring-keychain#design |
This update mainly enables Touch ID support and adds support for data protection keychain.
From this article, macOS has two keychain implementations:
Currently this package is using the (File-based keychain). However eventually, the file-based keychain will be phased out and is unofficially deprecated by Apple.
The new keychain (
data_protection_keychain.go) is mostly copied fromkeychain.go. There were some challenges because keychain.go currently relies on99-designs/go-keychainwhich is quite an old version, and the latest version ofkeybase/go-keychainhas removed support for file-based keychain.Merging
keybase/go-keychainback into 99designs/go-keychain doesn't make sense askeybaseis more actively maintained. I've locked to my current PR of keychain/go-keychain.The existing keychain.go can still be used but should be considered as
FileBasedKeychain. I didn't rename it for compatibility reasons.Testing hasn't been added yet because end-to-end testing the data protection keychain requires a signed macOS app, so we need to figure out how to do that on a CI/CD level.