Replace shell-based keychain implementation with keybase/go-keychain library

- Replaced exec.Command calls to /usr/bin/security with native keybase/go-keychain API - Added comprehensive test suite for keychain operations - Fixed binary data storage in tests using hex encoding - Updated macse tests to skip with explanation about ADE requirements - All tests passing with CGO_ENABLED=1
2025-07-21 15:58:41 +02:00
parent bba1fb21e6
commit 816f53f819
9 changed files with 343 additions and 96 deletions
--- a/README.md
+++ b/README.md
@@ -1,12 +1,12 @@
 # Secret - Hierarchical Secret Manager

-Secret is a modern, secure command-line secret manager that implements a hierarchical key architecture for storing and managing sensitive data. It supports multiple vaults, various unlock mechanisms, and provides secure storage using the Age encryption library.
+Secret is a command-line secret manager that implements a hierarchical key architecture for storing and managing sensitive data. It supports multiple vaults, various unlock mechanisms, and provides secure storage using the Age encryption library.

 ## Core Architecture

 ### Three-Layer Key Hierarchy

-Secret implements a sophisticated three-layer key architecture:
+Secret implements a three-layer key architecture:

 1. **Long-term Keys**: Derived from BIP39 mnemonic phrases, these provide the foundation for all encryption
 2. **Unlockers**: Short-term keys that encrypt the long-term keys, supporting multiple authentication methods
@@ -16,7 +16,7 @@ Secret implements a sophisticated three-layer key architecture:

 Each secret maintains a history of versions, with each version having:
 - Its own encryption key pair
- Encrypted metadata including creation time and validity period
+- Metadata (unencrypted) including creation time and validity period
 - Immutable value storage
 - Atomic version switching via symlink updates

@@ -125,6 +125,7 @@ Creates a new unlocker of the specified type:
 **Types:**
 - `passphrase`: Traditional passphrase-protected unlocker
 - `pgp`: Uses an existing GPG key for encryption/decryption
+- `keychain`: macOS Keychain integration (macOS only)

 **Options:**
 - `--keyid <id>`: GPG key ID (required for PGP type)
@@ -169,7 +170,7 @@ Decrypts data using an Age key stored as a secret.
 │   │   │   │   │   │   ├── pub.age     # Version public key
 │   │   │   │   │   │   ├── priv.age    # Version private key (encrypted)
 │   │   │   │   │   │   ├── value.age   # Encrypted value
-│   │   │   │   │   │   └── metadata.age # Encrypted metadata
+│   │   │   │   │   │   └── metadata.json # Unencrypted metadata
 │   │   │   │   │   └── 20231216.001/   # Another version
 │   │   │   │   └── current -> versions/20231216.001
 │   │   │   └── database%password/       # Secret: database/password
@@ -207,6 +208,18 @@ Unlockers provide different authentication methods to access the long-term keys:
   - Leverages existing key management workflows
   - Strong authentication through GPG

+3. **Keychain Unlockers** (macOS only):
+   - Stores unlock keys in macOS Keychain
+   - Protected by system authentication (Touch ID, password)
+   - Automatic unlocking when Keychain is unlocked
+   - Cross-application integration
+
+4. **Secure Enclave Unlockers** (macOS - planned):
+   - Hardware-backed key storage using Apple Secure Enclave
+   - Currently partially implemented but non-functional
+   - Requires Apple Developer Program membership and code signing entitlements
+   - Full implementation blocked by entitlement requirements
+
 Each vault maintains its own set of unlockers and one long-term key. The long-term key is encrypted to each unlocker, allowing any authorized unlocker to access vault secrets.

 #### Secret-specific Keys
@@ -241,6 +254,8 @@ Each vault maintains its own set of unlockers and one long-term key. The long-te

 ### Hardware Integration
 - Hardware token support via PGP/GPG integration
+- macOS Keychain integration for system-level security
+- Secure Enclave support planned (requires Apple Developer Program)

 ## Examples

@@ -285,6 +300,7 @@ secret vault list
 # Add multiple unlock methods
 secret unlockers add passphrase              # Password-based
 secret unlockers add pgp --keyid ABCD1234    # GPG key
+secret unlockers add keychain                # macOS Keychain (macOS only)

 # List unlockers
 secret unlockers list
@@ -316,7 +332,7 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt

 ### File Formats
 - **Age Files**: Standard Age encryption format (.age extension)
- **Metadata**: JSON format with timestamps and type information
+- **Metadata**: Unencrypted JSON format with timestamps and type information
 - **Vault Metadata**: JSON containing vault name, creation time, derivation index, and public key hash

 ### Vault Management
@@ -325,8 +341,8 @@ secret decrypt encryption/mykey --input document.txt.age --output document.txt
 - **Automatic Key Derivation**: When creating vaults with a mnemonic, keys are automatically derived

 ### Cross-Platform Support
- **macOS**: Full support including Keychain integration
- **Linux**: Full support (excluding Keychain features)
+- **macOS**: Full support including Keychain and planned Secure Enclave integration
+- **Linux**: Full support (excluding macOS-specific features)
 - **Windows**: Basic support (filesystem operations only)

 ## Security Considerations
@@ -367,9 +383,18 @@ go test -tags=integration -v ./internal/cli  # Integration tests

 ## Features

- **Multiple Authentication Methods**: Supports passphrase-based and PGP-based unlockers
+- **Multiple Authentication Methods**: Supports passphrase, PGP, and macOS Keychain unlockers
 - **Vault Isolation**: Complete separation between different vaults
 - **Per-Secret Encryption**: Each secret has its own encryption key
 - **BIP39 Mnemonic Support**: Keyless operation using mnemonic phrases
 - **Cross-Platform**: Works on macOS, Linux, and other Unix-like systems

+# Author
+
+Made with love and lots of expensive SOTA AI by [sneak](https://sneak.berlin) in Berlin in the summer of 2025.
+
+Released as a free software gift to the world, no strings attached, under the [WTFPL](https://www.wtfpl.net/) license.
+
+Contact: [sneak@sneak.berlin](mailto:sneak@sneak.berlin)
+
+[https://keys.openpgp.org/vks/v1/by-fingerprint/5539AD00DE4C42F3AFE11575052443F4DF2A55C2](https://keys.openpgp.org/vks/v1/by-fingerprint/5539AD00DE4C42F3AFE11575052443F4DF2A55C2)