The file-based keychain used by aws-vault is nearing deprecation, although it will likely remain available for several years. Transitioning to the Data protection keychain is recommended due to its enhanced security.
This modification will require updates to the cask (using both the app and binary stanzas). I still need to do testing with Homebrew to ensure there are no breaking changes.
Also, GitHub Actions will need the embedded.provisionprofile, so this should be added in.
Participation Request
I welcome all testing and feedback on this implementation. As Go is not my primary language, I'm open to any improvements. Any further code can be added as a pull request against this branch.
Testing Instructions
Method 1: Build it yourself
Review Documentation: Begin by reviewing the latest documentation to familiarize yourself with the new features and backend.
Setup Development Environment: Follow these instructions for setting up a local development environment. This includes acquiring an Apple Developer ID and configuring the necessary Certificates and Provisioning Profiles. All commands and configurations are detailed in the documentation.
Then you can build it as follows:
$ make app
$ aws-vault.app/Contents/MacOS/aws-vault --backend=dp-keychain ls
Method 2: Pre-built .dmg
Download and Extract: Download the unofficial .dmg and extract the aws-vault.app from the .dmg to your preferred directory, such as ~/bin.
Execute Commands: Use the new backend with the following shell command:
$ ~/bin/aws-vault.app/Contents/MacOS/aws-vault --backend=dp-keychain ls
Utilize the new copy method if you need to transfer credentials between keychains.
Simplify Command Usage: Optionally, add the following lines to your ~/.zshrc or ~/.bash_profile:
Reload your shell configuration to apply these changes:
$ source ~/.zshrc
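An added example of such a wrapper, not the PR author's own lines; it assumes the Method 2 location (~/bin), an AWS_VAULT_APP override variable of its own, and aws-vault's AWS_VAULT_BACKEND environment variable:

```shell
# Added example (not from the PR): a shell wrapper that runs the dp-keychain
# build from its app bundle. Assumes the Method 2 location under ~/bin;
# override with AWS_VAULT_APP if you extracted it elsewhere.
AWS_VAULT_APP="${AWS_VAULT_APP:-$HOME/bin/aws-vault.app}"
AWS_VAULT_BIN="$AWS_VAULT_APP/Contents/MacOS/aws-vault"

# Print the backend flag to inject, or nothing when the caller already
# chose a backend via --backend or the AWS_VAULT_BACKEND environment variable.
aws_vault_default_backend() {
    for arg in "$@"; do
        case "$arg" in
            --backend|--backend=*) return 0 ;;
        esac
    done
    if [ -n "${AWS_VAULT_BACKEND:-}" ]; then
        return 0
    fi
    printf '%s' '--backend=dp-keychain'
}

# Refuse to run anything that is not an executable file at the expected
# path, so a missing or half-extracted bundle fails loudly instead of
# silently falling through to some other aws-vault on PATH.
aws_vault() {
    if [ ! -x "$AWS_VAULT_BIN" ]; then
        echo "aws-vault: $AWS_VAULT_BIN is missing or not executable" >&2
        return 127
    fi
    backend=$(aws_vault_default_backend "$@")
    if [ -n "$backend" ]; then
        "$AWS_VAULT_BIN" "$backend" "$@"
    else
        "$AWS_VAULT_BIN" "$@"
    fi
}
```

Source this from ~/.zshrc or ~/.bash_profile and `aws_vault ls` runs the bundled binary with the dp-keychain backend unless you pick another one explicitly.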
Important: If and when this update is merged and released under the 99designs developer ID, when you use that release you won’t see credentials stored under different developer IDs, including those created under your own or mine. You will need to add these credentials again under the 99designs developer ID to maintain access. The copy method won’t work either.
Known Issues
Each aws-vault execution will require reauthentication (i.e. a Touch ID prompt). Generally you can avoid reprompts in an app by using an authentication context (stored in memory). However, as aws-vault is not a running background/foreground app, it's not possible to do this directly. The only way this could be done is by developing a new background daemon. Ideally this would be built in 99designs/keyring as that currently has the local context.
Users on macOS Sonoma have encountered some issues with opening the app (You can't use this version of the application "aws-vault" with this version of macOS); this needs further investigation. Feedback from Sonoma users would be valuable.
Storing credentials with --access-control=Watch may not produce specific error messages if an Apple Watch is not detected during credential access attempts, instead returning a "credentials not found" message. Ideally you would never use Watch as the primary method anyway, but there's currently no way around this. I will consider adding a message if no credentials are found and only Watch is used.
Implementation Overview
Refactoring was mostly done upstream, dependent on the following merges:
A new dp-keychain was created as the breaking changes in https://github.com/keybase/go-keychain/pull/76 made the existing keychain unsuitable for this implementation. More details can be found in keyring/data_protection_keychain.go.
Key Changes
New dp-keychain backend (--backend=dp-keychain).
--access-control and --access-constraint to manage backend access.
copy method for transferring credentials between keychains.
Please review the latest documentation for detailed information on this implementation.
Deployment Structure Changes
The .dmg deployment now includes an embedded.provisionprofile within an app scaffold, changing from a single binary to an app bundle: