jorgelbg / pinentry-touchid

Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from the macOS keychain.
Apache License 2.0
521 stars 23 forks

No password prompt when lid closed #15

Open obi12341 opened 2 years ago

obi12341 commented 2 years ago

I would expect pinentry to just pass the call through to pinentry-mac if the laptop lid is closed, but instead it fails the hard way:

/opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
2021/12/15 05:39:17 pinentry-touchid does not support devices without a Touch ID sensor!

I use the MacBook Air M1, which has Touch ID.

Model Identifier: MacBookAir10,1

troyanov commented 2 years ago

I just hit the same issue and was able to add a fallback scenario when pinentry-mac is called.

It worked for me, and in case you want to try it out, please check https://github.com/jorgelbg/pinentry-touchid/pull/21

# build a new binary with fallback support
go build -o pinentry-touchid-with-fallback main.go

Don't forget to set a proper path to a new binary in ~/.gnupg/gpg-agent.conf and execute gpgconf --kill gpg-agent

lgarron commented 2 years ago

Any chance of a workaround or a config option to sensor.IsTouchIDAvailable() to force a Touch ID prompt even when the lid is closed?

I have an M1 MBP and use Touch ID with the lid closed (using the new external keyboard with Touch ID) almost all the time. A password fallback kind of negates the whole point of using pinentry-touchid for me. 😔

jorgelbg commented 2 years ago

@lgarron Yep, this is definitely a use case that I want to support.

I haven't been able to find any API changes required for supporting the Magic Keyboard with Touch ID so far. We do not execute any additional checks beyond testing if the LAPolicyDeviceOwnerAuthenticationWithBiometrics can be evaluated. My expectation/understanding was that the external Touch ID would behave exactly as the built-in one (which doesn't seem to be the case 🤔).

troyanov commented 2 years ago

Oh, I wanted to check what Apple would say about it, and it seems that @jorgelbg already did it :) https://developer.apple.com/forums/thread/711838

Seems to be a bug related to the LAContext API.

jorgelbg commented 1 year ago

I finally got my hands on an external keyboard with Touch ID for testing this properly. Sadly I'm not able to reproduce the issue:

https://user-images.githubusercontent.com/1291846/187300210-b4255633-bb1e-41bb-ba7e-29c0023d5341.mp4

As shown in the video, I'm using the command:

$ ioreg -r -k AppleClamshellState -d 4 | grep AppleClamshellState  | head -1

to verify that the lid is actually closed. After that, calling:

$ echo 1234 | /usr/local/bin/gpg -as -

as a simple test case successfully calls pinentry-touchid, and the unlocking works via the external Touch ID sensor.

For reference, I'm testing on a 16" MacBook Pro with an Apple M1 Pro running macOS Monterey v12.5 (21G72). I'm also running the latest version of pinentry-touchid installed via Homebrew (which still contains the same call to sensor.IsTouchIDAvailable() with the fallback to pinentry-mac).

@lgarron can you provide any additional details about your issue or give the latest version a try?
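
Added example, not part of the thread or of the project's code: a small script that collects the two facts checked in the comments above, the lid state from the `ioreg` command and the pinentry binary set in `~/.gnupg/gpg-agent.conf`, into one line for an issue report. The function names, the sample inputs and the rule that the last `pinentry-program` line wins are assumptions of this example.

```shell
#!/bin/sh
# Added example. The sample inputs below are constructed, not captured output.

# Reads `ioreg -r -k AppleClamshellState -d 4` output on stdin and prints
# closed, open, or unknown (property missing or an unexpected value).
clamshell_state() {
    awk -F' = ' '
        /"AppleClamshellState"/ {
            if ($2 ~ /^Yes/) { s = "closed" }
            else if ($2 ~ /^No/) { s = "open" }
            else { s = "unknown" }
            print s; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Reads gpg-agent.conf on stdin and prints the pinentry-program value.
# Commented-out lines are ignored; assumption: the last occurrence wins.
pinentry_program() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]][[:space:]]*//p' | tail -n 1
}

# summary LID_STATE PINENTRY_PATH: one line suitable for pasting into a report.
summary() {
    case "${2##*/}" in
        pinentry-touchid*) wrapper=yes ;;  # also matches a renamed fallback build
        *)                 wrapper=no ;;
    esac
    printf 'lid=%s pinentry=%s touchid=%s\n' "$1" "${2:-unset}" "$wrapper"
}

SAMPLE_IOREG='    | |   "AppleClamshellState" = Yes'
SAMPLE_CONF='# constructed gpg-agent.conf
#pinentry-program /usr/local/bin/pinentry-mac
pinentry-program /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid'

if command -v ioreg >/dev/null 2>&1; then
    # Live run on macOS.
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    prog=$([ -r "$conf" ] && pinentry_program < "$conf")
    summary "$(ioreg -r -k AppleClamshellState -d 4 | clamshell_state)" "$prog"
else
    # No ioreg here: run on the constructed samples instead.
    summary "$(printf '%s\n' "$SAMPLE_IOREG" | clamshell_state)" \
            "$(printf '%s\n' "$SAMPLE_CONF" | pinentry_program)"
fi
```

A `touchid=no` result means gpg-agent is not configured to run pinentry-touchid at all, which rules the lid state out as the cause before any Touch ID debugging starts.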