Adds support for smartcard identities #1181
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
thiagohmcruz
force-pushed
the
thiago/read-smartcard-identities
branch
from
25830b6 to
aade1ea
Compare
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
thiagohmcruz
force-pushed
the
thiago/read-smartcard-identities
branch
from
aade1ea to
6cfb372
Compare
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
|
Just an FYI, we can't really review the change until the CLA is signed |
Yep! Dealing with this internally, I believe the setup is done I might have to re-open the PR though (not 100% sure I'll ask). Working on making this reviewable as we speak. |
|
@googlebot I signed it! |
|
One thing we probably will want to establish is if this constrains macOS versions that could be supported. Do we care about supporting anything older than Mojave (10.14) or Catalina (10.15), for example? That might help inform the logic in what's being searched for in the |
@timsutton wouldn't be enough to fallback to empty array when searching for Not sure how I would go about checking what is available in each OS version, is there an easy way to do that that I'm not aware of? |
Yes, that seems like just a good defense anyway. I did just check a 10.14 system and these two keys are there as well (full output here.) The code works there as well, just returning an empty Another bit of context I'd forgotten to add in this PR is that persistent tokens (as would be used in Signing Manager or other apps providing a token via an app extension) only showed up in 10.15.4. Prior to then it could have only been possible using physically-insertable smartcards, or that's my understanding anyway. |
thiagohmcruz
force-pushed
the
thiago/read-smartcard-identities
branch
from
122d201 to
2b78ab2
Compare
|
@brentleyjones sorry about the direct ping! Just wanted to check if you know who I should bug to get some reviews? |
| ], inputstr=cert, raise_on_failure=True) | ||
| subject = subject.strip().split('/') | ||
| cert_cn = [f for f in subject if "CN=" in f][0] | ||
| cert_cn = cert_cn.replace("CN=", "") |
There was a problem hiding this comment.
is it possible this could be None ?
There was a problem hiding this comment.
I guess we should assume it's possible. I'll add the check instead of accessing [0] here and make it return None. Tested locally and is all good since at the call site the comparison is if identity == common_name:
| if len(tokens) == 0: | ||
| return [] | ||
|
|
||
| tokens = tokens[0].get("_items", None) |
There was a problem hiding this comment.
is only checking the first match an issue?
There was a problem hiding this comment.
From the output it's not an issue, all tokens will be located under _items
| xml = plistlib.loads(str.encode(xml)) | ||
| if len(xml) == 0: | ||
| return [] | ||
| xml = xml[0].get("_items", None) |
There was a problem hiding this comment.
do we need to consider all entries in here?
There was a problem hiding this comment.
This is the top level _items that contains all the info we need. I think it's safe to ignore the rest for the purpose of this function
thiagohmcruz
force-pushed
the
thiago/read-smartcard-identities
branch
from
2b78ab2 to
7458aaa
Compare
|
@segiddins should be good to |
?
|
@brentleyjones, @keith mind taking a look? Let me know if there's anything else you think I should be addressing here 🙏 |
thiagohmcruz
force-pushed
the
thiago/read-smartcard-identities
branch
from
7458aaa to
79798c4
Compare
@jerrymarino will work on bumping |
|
Thanks @thiagohmcruz! |
|
Thx you all for the feedback here! |
|
@thiagohmcruz ok that sounds good to me. If we're blocked on the rules_swift PRs I'll ready a PR to get rid of the fork. |
Resolves #1180
So signed builds are possible when using CryptoTokenKit based solutions to store signing identities (e.g. Signing Manager). When storing identities that way
security find-identitywon't be able to find them.The proposal in this PR is to append to the current list of
SHA1the values for thesmartcardidentities found on the system. Please see detailed explanation in the linked issue #1180 for whysystem_profiler SPSmartCardsDataType -xmlis possibly a good solution here.I'm also 100% open to changing the approach if you spot any issues with this implementation!
Note that the behaviour triggered by setting the
--ios_signing_cert_nameflag continues to exist: try to find a signing identity by name and return it'sSHA1or return allSHA1found if the flag is not provided.