Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MacOSCryptoSettings: Disable encryption if keychain entitlement is missing #9679

Merged
merged 2 commits into from
Jun 25, 2024
Merged

MacOSCryptoSettings: Disable encryption if keychain entitlement is missing #9679

merged 2 commits into from
Jun 25, 2024

Conversation

oskirby
Copy link
Collaborator

@oskirby oskirby commented Jun 22, 2024
edited by jira bot
Loading

Description

As noted in the discussion of #9584 we have a need to be a bit smarter in how and when we enable cryposettings on MacOS. Traditionally this was done at compile time by doing a no-op for the getKey() in the dummy builds, but this should really be done by examining the processes' entitlements to know whether the binary can access the encrypted settings. The entitlement that guards this access is the keychain-access-group permission.

Normally, when this entitlement is missing, the user is greeted with a login prompt asking for the user's password before permitting them access to the keychain, which is a minor annoyance for developers. This PR will also make unsigned developer builds fall back to plaintext settings instead of triggering such a prompt.

Reference

JIRA Issue: VPN-5486
Inciting PR: #9584
Discussion: here

Checklist

  • My code follows the style guidelines for this project
  • I have not added any packages that contain high risk or unknown licenses (GPL, LGPL, MPL, etc. consult with DevOps if in question)
  • I have performed a self review of my own code
  • I have commented my code PARTICULARLY in hard to understand areas
  • I have added thorough tests where needed
@oskirby oskirby mentioned this pull request Jun 22, 2024
Merged
5 tasks
@oskirby oskirby marked this pull request as ready for review June 22, 2024 02:11
@oskirby oskirby requested review from mcleinman and strseb June 22, 2024 17:54
@mcleinman
Copy link
Collaborator

This looks good, but just thinking about ways an internal advisary could use this - if a build isn't codesigned, will shipit (or another part of the release process) fail?
@oskirby
Copy link
Collaborator Author

oskirby commented Jun 24, 2024

This looks good, but just thinking about ways an internal advisary could use this - if a build isn't codesigned, will shipit (or another part of the release process) fail?

To the best of my knowledge, the release process doesn't have any checks to ensure that the uploaded artifacts are signed, but users will be presented with errors when trying to install and run unsigned software. However, all of our release tasks depend on signing tasks, so it shouldn't be possible to ship an unsigned build unless we change our taskcluster jobs.
mcleinman
mcleinman approved these changes Jun 24, 2024
View reviewed changes
Copy link
Collaborator

@mcleinman mcleinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!
@oskirby oskirby merged commit d7d4436 into main Jun 25, 2024
113 checks passed
@oskirby oskirby deleted the naomi-cryptosettings-macos-check-codesign branch June 25, 2024 05:35
@data-sync-user data-sync-user mentioned this pull request Jun 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
3 participants
@oskirby @mcleinman @strseb