Touch ID support on macOS (Data Protection Keychain)

[alexw23]

Implementation Overview

Refactoring was mostly done upstream, dependent on the following merges:

• (Adding touch ID support (via new data protection keychain) keyring#136)
• (WIP: Added support for biometrics (Touch ID/Face ID) keybase/go-keychain#107)

A new dp-keychain was created as the breaking changes in (keybase/go-keychain#76) made it the existing keychain unsuitable for this implementation. More details can be found in keyring/data_protection_keychain.go.

The file-based keychain used by aws-vault is nearing deprecation, although it will likely remain available for several years. Transitioning to the Data protection keychain is recommended due to its enhanced security.

Key Changes

• Integrated Data protection keychain as a backend option (--backend=dp-keychain).
• Introduced two new flags: --access-control and --access-constraint to manage backend access.
• Added a new copy method for transferring credentials between keychains.
• Reconfigured the build process to bundle the application.

Please review the latest documentation for detailed information on this implementation.

Deployment Structure Changes

The .dmg deployment now includes a embedded.provisionprofile within an app scaffold, changing from a single binary to an app bundle:

aws-vault.app/
└── Contents/
    ├── MacOS/
    │   └── aws-vault
    ├── Info.plist
    ├── embedded.provisionprofile
    └── _CodeSignature/
        └── CodeResources

This modification will require updates to the cask (using both app and binary stanza), I still need to do testing with homebrew to ensure there's no breaking changes.

Also GitHub actions will need the embedded.provisionprofile so this should be added in.

Participation Request

I welcome all testing and feedback on this implementation. As Go is not my primary language I'm open to any improvements. Any further code can be added as pull request against this branch.

Testing Instructions

Method 1: Build it yourself

1. Review Documentation: Begin by reviewing the latest documentation to familiarize yourself with the new features and backend.
2. Setup Development Environment: Follow these instructions for setting up a local development environment. This includes acquiring an Apple Developer ID and configuring the necessary Certificates and Provisioning Profiles. All commands and configurations are detailed in the documentation.
3. Then you can build it as follows:

   $ make app
   $ aws-vault.app/Contents/MacOS/aws-vault --backend=dp-keychain ls
   

Method 2: Pre-built .dmg

1. Download and Extract: Download the unofficial .dmg and extract the aws-vault.app from the .dmg to your preferred directory, such as ~/bin.
2. Execute Commands: Use the new backend with the following shell command:

   $ ~/bin/aws-vault.app/Contents/MacOS/aws-vault --backend=dp-keychain ls

   Utilize the new copy method if you need to transfer credentials between keychains.
3. Simplify Command Usage: Optionally, add the following lines to your ~/.zshrc or ~/.bash_profile:

   $ echo 'alias aws-vault="~/bin/aws-vault.app/Contents/MacOS/aws-vault"' >> ~/.zshrc
   $ echo 'export AWS_VAULT_BACKEND="dp-keychain"' >> ~/.zshrc

   Reload your shell configuration to apply these changes:

   $ source ~/.zshrc

Important: If and when this update is merged and released under the 99designs developer ID, when you use that release you won’t see credentials stored under different developer IDs, including those created under your own or mine. You will need to add these credentials again under the 99designs developer ID to maintain access. The copy method won’t work either.

Known Issues

• Each aws-vault execution will require reauthentication (I.e Touch ID prompt). Generally you can avoid reprompts in an app by using an authentication context (stored in memory). However as aws-vault is not a running background/foreground app it's not possible to do this directly. The only way this could be done is by developing a new background daemon. Ideally this would be built in 99designs/keyring as that currently has the local context.
• Users on macOS Sonoma have encountered some issues with opening app (You can't use this version of the application "aws-vault" with this version of macOS), needs further investigation. Feedback from Sonoma users would be valuable.
• Storing credentials with --access-control=Watch may not produce specific error messages if an Apple Watch is not detected during credential access attempts, instead returning a "credentials not found" message. Ideally you would never use Watch as the primary method anyway, but there's currently no way around this. Will consider adding a message if no credentials are found and using Watch only.