Open ejholmes opened 5 years ago
+1
The go-keychain folks weren't keen on it https://github.com/keybase/go-keychain/issues/11
I actually had #131 in a usable state for quite some time, wouldn't be hard to resurrect, would love some feedback on it.
That seems pretty close to what I'd want for this. This is my own lack of experience with OSX/iOS API's, but it seems like the implementation in https://github.com/99designs/aws-vault/pull/131 doesn't actually tie access to the keychain item to biometrics; the biometrics check is done in Go, rather than setting the access control settings on the keychain item. Would it be better to do something like what's mentioned in https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id?language=objc, so that biometrics are checked by the keychain API's?
Neat, I dimmly recall that I couldn't make that work when I tried a year or so ago, but agree that is a much better way to do it if viable. Will give it a go.
I had a go at it. The issue is that go-keychain is using the old Access API's, and the TouchID stuff lives in the new AccessControl API's. I think it's beyond my Objective-C abilities to reconcile the two in a way that can be upstreamed. If someone with some Objective-C skills wanted to advise, I'll help with the golang side of things.
Farther than I got! Thanks for trying.
Any interest in reviving this? I'd be willing to help with obj-c/cpp side of things.
@eni9889 Check out https://github.com/lox/go-touchid and see if you can make any headway on that side. The golang side we got.
I would LOVE help on this, if someone with obj-c skills wanted to help I'd be super responsive on getting it merged.
+1
+1's won't help, need someone with some objective-c skills I'm afraid.
What needs help on go-touchid
? I know you said Obj-C skills, but ... more details would be useful. It's been a while since I last touched Obj-C, but I'm curious at least. I poked around on the project briefly but I didn't see any issues filed describing where the hangups are.
@lox I'm interesting in getting this in aws-okta and I might have an Objective C buddy we can lean on. Can we see the code you wrote as far as you got?
Also, I opened this https://github.com/keybase/go-keychain/issues/61
Hello, the code found here may be useful: https://github.com/infinum/Locker
Features
- Save data in Keychain.
- Fetch data from Keychain with Biometric ID.
- Delete data from Keychain.
i'm curious to know if there was any progress on this, so we can unlock the keychain with touchid instead password
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I'm still very interested in seeing this happen.
Would be nice this +1
+1 Tired of entering password every time.
No +1s please. PRs welcome
Seems what's challenging is that:
github.com/99designs/keyring
to access the OS keyring in an OS-independent waygithub.com/99designs/keyring
depends on github.com/99designs/go-keychain
to access the Mac OS keychaingithub.com/99designs/go-keychain
is itself a fork of github.com/keybase/go-keychain
So it seems there are two options:
github.com/99designs/go-keychain
, but have it diverge from upstreamgithub.com/keybase/go-keychain
In any case, it does require some Go/Objective-C bindings (probably in keychain.go) to allow specifying a non-default LAContext, through the kSecUseAuthenticationContext
when calling SecAddItem
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale
Not stale. Hoping for this feature to be implemented.
Not stale
In all seriousness, this is the most commented issue (https://github.com/99designs/aws-vault/issues?q=is%3Aissue+is%3Aopen+sort%3Acomments-desc). It's a pity there doesn't appear to be an easy way forward right now.
+1
So it seems there are two options:
- Implement this feature in
github.com/99designs/go-keychain
, but have it diverge from upstream- Talk with Keybase folks and implement this feature in
github.com/keybase/go-keychain
In any case, it does require some Go/Objective-C bindings (probably in keychain.go) to allow specifying a non-default LAContext, through the
kSecUseAuthenticationContext
when callingSecAddItem
What would be required to make this work? Is there an accepted way forward? What conditions would a PR need to meet to be accepted?
Spent some time today looking into this and have nearly got a working prototype. For the most part read/write to keychain on the go-keychain
level.
The main issue is it can't be shipped as a single binary, it needs to be a seperate Mac App (i.e. AWS Vault.app). This is due to the fact that a standalone binary cannot access restricted entitlements, as explained in this article. We require access to com.apple.security.generic-keychain-access
.
Need have a think about how this would work being an open source project and whether 99designs would take control of this, or whether it needs to be a fork.
It's also harder to develop as you need to go build
/codesign
each time you make a change. Otherwise you can't access the keychain.
But overall good news will provide some further updates/code soon.
Update: managed to get a working E2E. It has required a large refactor of 99designs/keyring more than anything. In order to access the keychain using biometrics you can't use the named keychain anymore (i.e. aws-vault.keychain-db).
This comes at a cost of not being able to set a period of time to keep the keychain unlocked. Although it could be done if aws-vault
had a background service/daemon however that's another story right now.
Each exec
command will prompt touchID but it's super quick, so I don't see the issue personally. Compare this to having to enter a password every 15 mins I'd happily take the re-prompts.
Will get the code up in a week (or so). Ideally as an alpha demo version to gain feedback. You would need an Apple Developer ID to test it locally at the moment.
Here's a quick demo:
https://github.com/99designs/aws-vault/assets/1505496/28fd9244-c01c-4a0c-b298-e92533cda426
What a week 😅 I've been hoping for Touch ID support for many years now in aws-vault
and I honestly thought it this was impossible to do. But now, in just a few days I've got a PR up 🎉
If anyone wants to try it out would love to hear your feedback!
Have been using this now for over two months without any issues, so much happier not having to enter password a few times a day.
Would be great to hear if others have also been using it and if there's any feedback?
I'm eager to test it, is there any way to build it locally that doesn't require setting up a full development environment? (and doesn't require pulling unofficial pre-built binaries)
@christophetd unfortunately not. The package needs to be signed using a Apple Developer licence in order to use the features of the secure enclave.
I tried to reach out to @mtibben and never heard back so it's safe to say this package has been mostly abandoned other than a few minor fixes here and there, so on that note I highly doubt this will ever be merged in.
Recent versions of Macbooks include the touch bar, which has TouchID + Secure Enclave. It would be nice if aws-vault supported using biometrics through TouchID, instead of passwords when accessing the keychain.
I believe this would depend on support within keybase/go-keychain first.