Fix cross-platform build issues and security vulnerabilities

- Add build tags to keychain implementation files (Darwin-only) - Create stub implementations for non-Darwin platforms that panic - Conditionally show keychain support in help text based on platform - Platform check in UnlockersAdd prevents keychain usage on non-Darwin - Verified GPG operations already protected against command injection via validateGPGKeyID() and proper exec.Command argument passing - Keychain operations use go-keychain library, no shell commands The application now builds and runs on Linux/non-Darwin platforms with keychain functionality properly isolated to macOS only.
2025-07-21 22:05:23 +02:00
parent 7af1e6efa8
commit a09fa89f30
4 changed files with 193 additions and 2 deletions
--- a/internal/secret/keychainunlocker.go
+++ b/internal/secret/keychainunlocker.go
@@ -1,3 +1,6 @@
+//go:build darwin
+// +build darwin
+
 package secret

 import (
--- a/internal/secret/keychainunlocker_stub.go
+++ b/internal/secret/keychainunlocker_stub.go
@@ -0,0 +1,69 @@
+//go:build !darwin
+// +build !darwin
+
+package secret
+
+import (
+	"fmt"
+
+	"filippo.io/age"
+	"github.com/spf13/afero"
+)
+
+// KeychainUnlockerMetadata is a stub for non-Darwin platforms
+type KeychainUnlockerMetadata struct {
+	UnlockerMetadata
+	KeychainItemName string `json:"keychainItemName"`
+}
+
+// KeychainUnlocker is a stub for non-Darwin platforms
+type KeychainUnlocker struct {
+	Directory string
+	Metadata  UnlockerMetadata
+	fs        afero.Fs
+}
+
+// GetIdentity panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetType panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetType() string {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetMetadata panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetMetadata() UnlockerMetadata {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetDirectory panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetDirectory() string {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetID returns the unlocker ID
+func (k *KeychainUnlocker) GetID() string {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// GetKeychainItemName panics on non-Darwin platforms
+func (k *KeychainUnlocker) GetKeychainItemName() (string, error) {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// Remove panics on non-Darwin platforms
+func (k *KeychainUnlocker) Remove() error {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// NewKeychainUnlocker panics on non-Darwin platforms
+func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
+	panic("keychain unlockers are only supported on macOS")
+}
+
+// CreateKeychainUnlocker panics on non-Darwin platforms
+func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
+	panic("keychain unlockers are only supported on macOS")
+}