MacOS M1 ARM support

[MattElek]

• YubiKey Manager version: 1.2.4
• How was it installed?: Homebrew
• Operating system and version: MacOS 12.0.1
• YubiKey model and version: YubiKey 5C NFC
• Feature request summary: Currently, yubikey-manager-qt is only built for MacOS x86, and not MacOS M1 ARM. It would be great to see a build of YubiKey Manager that could run natively on ARM Macs, without the use of Rosetta 2 x86 translation.

Other info

This issue was raised here separately on the wrong repo, I thought I'd create an issue on the correct repo for completion.

[nehalvpatel]

+1

I was able to get it built and running, but I had to first build qt 5 from source.

[tied]

Still no official build available :/

[ivwang]

Apple Silicon is already in the middle of its second iteration.. could we expect a native release without Rosetta2? Thank you.

[ivwang]

Apple Silicon is already in the middle of its second iteration.. could we expect a native release without Rosetta2? Thank you.

Running with Rosetta 2 opens Apple Silicon Macs to existing malware built for x86_64. Furthermore, it voids code signature based security mechanism in recent macOS releases.

Due the the nature of Rosetta translation, modification to on-disk binaries becomes again a valid attack vector, it is more desirable that yubikey-manager-qt is not affected to this class of attack.

For more information on security implication regarding Rosetta 2 translation, refer to SentinelOne's report

Thank you

[robdew]

ykman cli is a temporary rosetta-free option on apple silicon. brew install ykman https://docs.yubico.com/software/yubikey/tools/ykman/

[sebdanielsson]

Seriously, we are almost 3 years into the transition and still no official arm64 build?

[jdtangney]

Ready when you are, Yubico

[onexbash]

Wow, it's been almost 2 years since this issue was placed, and still, the official Yubikey Manager App can only be opened with Rosetta on Apple Silicon Macs.. They have lightning port supported YubiKeys and the possibility to secure your AppleID with YubiKeys but don't get it done to release a YubiKey Manager version for M1/M2 MACs... 🙂🙂🙂🙂

[svitakj]

It show us how is Yubico Company working with latest technologies. Very bad, with very bad public view. I have not installed rosetta2, i dont want have garbage in my mac (garbage=x86/64 binaries) i look on Rosetta2 as an unsupported platform. Officialy is supported ARM64 - Roseta2 should help with transittion only!!!! (what was happen with rosetta1? - it has been removed by Apple from systems, and removed futher using of rosetta1, then i look on it as unsupported platform, better to not using it). With this rules i have seen how companys on market are dealing with ARM64 support. I can say it loud. Who have not ARM64 build in this time is big market looser. Sorry but is so. You work with security? Huh.... Really? It looks not so...

[AntoineHus]

Hello,

Any news on the support of Apple ARM64 ?

Thanks

[dainnilsson]

I'm afraid we likely won't be targeting Apple Silicon for this tool as we are in the process of transitioning to Yubico Authenticator as a full replacement. The current version of Yubico Authenticator (6.3) runs natively on Apple Silicon and is capable of doing everything this tool does except for Yubico OTP configuration at this time, which is something we're working on addressing. In addition Yubico Authenticator supports multiple connected YubiKeys, configuration over NFC, additional configuration options and more. If possible for your use-case I would recommend transitioning to that tool as a replacement.

[iog-io]

I'm afraid we likely won't be targeting Apple Silicon for this tool as we are in the process of transitioning to Yubico Authenticator as a full replacement. The current version of Yubico Authenticator (6.3) runs natively on Apple Silicon and is capable of doing everything this tool does except for Yubico OTP configuration at this time, which is something we're working on addressing. In addition Yubico Authenticator supports multiple connected YubiKeys, configuration over NFC, additional configuration options and more. If possible for your use-case I would recommend transitioning to that tool as a replacement.

I tested it today and the button "Setup for macOS" for PIV does not show up on the GUI. I have M2 Pro and upgraded to Sonoma. Yubikey firmware version 5.4.3.

[braathen]

I tested it today and the button "Setup for macOS" for PIV does not show up on the GUI.

Yes, we've been discussing if this feature is really needed or not. It's relatively easy to accomplish this manually by generating certificates in the Authentication (9a) and Key Management (9d) slots. When removing and inserting the YubiKey again macOS will ask you to pair the inserted SmartCard from a notification. An advantage is that you're in control of what you're generating and can for example decide yourself on expiration date etc. The downside is of course that it might not be completely obvious that you can set it up like this. Hope this helps!

[iog-io]

Yes, we've been discussing if this feature is really needed or not. It's relatively easy to accomplish this manually by generating certificates in the Authentication (9a) and Key Management (9d) slots. When removing and inserting the YubiKey again macOS will ask you to pair the inserted SmartCard from a notification. An advantage is that you're in control of what you're generating and can for example decide yourself on expiration date etc. The downside is of course that it might not be completely obvious that you can set it up like this. Hope this helps!

It works perfectly. Many thanks.

[onexbash]

So as far as I understood from several postings and the yubico page, the plan is that the Yubikey Manager and the Yubikey Personalization Tool are both getting deprecated sooner or later and that's why there is no priority on working on the mac arm64 support for these 2 tools. The yubico authenticator already runs on arm64 macs and in general, that vision is pretty nice, but let's see how long such a migration will take.. And I guess for the max. 32 OTP Tokens per Yubikey there is no software solution possible because it's hardware related right? okay okay okay. intriguing ^^

[del-leehopper]

@fschlegelone you are right that the 32 TOTP's are hardware limited (much to my frustration as I need to carry 3 YubiKeys!).

Where did you see that YubiKey Manager will be deprecated? I believe I read that YubiKey Personalization Tool will be (or already has been) deprecated. But as far as I am aware, there are things that only ykman can do and there is no alternative (please correct me if I'm wrong).

[dainnilsson]

To clarify: YubiKey Manager CLI (ykman) has arm64 support on Mac, is actively developed, and there are no plans on deprecating it. YubiKey Manager GUI is however being replaced by Yubico Authenticator, once the remaining missing features have been added to it.

About the 32 account limitation, it is correct that this limitation is in the key itself.

[onexbash]

@del-leehopper https://github.com/Yubico/yubikey-manager-qt/issues/313#issuecomment-1787169094 Right here in this issue thread 😆