- Replace panic() calls in seunlocker_stub.go with error returns,
following the existing keychainunlocker_stub.go pattern
- Fix hardcoded derivation index 0 in getLongTermKeyForSE: now reads
vault metadata to use the correct DerivationIndex (matching
getLongTermPrivateKey in keychainunlocker.go)
- Add tests for SE unlocker exports in secret package (both darwin
and non-darwin stub tests)
- Update README to reflect SE implementation: remove 'planned' labels,
update Apple Developer Program references, add secure-enclave to
unlocker type lists and examples
- Run go fmt on files with import ordering issues
Adds a new "secure-enclave" unlocker type that stores the vault's
long-term private key encrypted by a non-exportable P-256 key held
in the Secure Enclave hardware. Decryption (ECDH) is performed
inside the SE; the key never leaves the hardware.
Uses CryptoTokenKit identities created via sc_auth, which allows
SE access from unsigned binaries without Apple Developer Program
membership. ECIES (X963SHA256 + AES-GCM) handles encryption and
decryption through Security.framework.
New package internal/macse/ provides the CGo bridge to
Security.framework for SE key creation, ECIES encrypt/decrypt,
and key deletion. The SE unlocker directly encrypts the vault
long-term key (no intermediate age keypair).
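As an added illustration of the ECIES construction the description names (P-256 ECDH, X9.63 KDF with SHA-256, AES-GCM), here is a pure-Go software model. It is not the project's internal/macse code and does not call Security.framework: the "SE" private key is an ordinary in-process key so the example runs anywhere, whereas the real unlocker keeps that key non-exportable in hardware and only the decrypt step's result leaves the SE. Assumptions made here and not stated on the page: the wrapped payload is the raw vault long-term key, the KDF shared info is the ephemeral public key, and the KDF output is a 32-byte AES key followed by a 12-byte nonce; the exact byte layout of Apple's ECIES variant is not shown, so the blob format is a modelling choice and not claimed to interoperate with it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// x963KDF is the ANSI X9.63 key derivation function with SHA-256:
// K = H(Z || 0x00000001 || info) || H(Z || 0x00000002 || info) || ...
func x963KDF(z, info []byte, length int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < length; counter++ {
		h := sha256.New()
		h.Write(z)
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], counter)
		h.Write(c[:])
		h.Write(info)
		out = h.Sum(out) // Sum appends the digest to out
	}
	return out[:length]
}

// newModelSEKey stands in for the non-exportable P-256 key the real
// unlocker creates inside the Secure Enclave (assumption: software key).
func newModelSEKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// eciesEncrypt wraps plaintext for the holder of recipient's private key.
// Output layout (modelling choice): 65-byte uncompressed ephemeral public
// key || AES-GCM ciphertext with its 16-byte tag appended.
func eciesEncrypt(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	z, err := eph.ECDH(recipient) // shared secret: x-coordinate of the agreed point
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	km := x963KDF(z, ephPub, 32+12)
	block, err := aes.NewCipher(km[:32])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, km[32:], plaintext, nil)
	return append(ephPub, ct...), nil
}

// eciesDecrypt models the step the Secure Enclave performs: the ECDH with
// the hardware key. Everything after the agreement is symmetric and could
// run outside the SE; the private key itself is never needed there.
func eciesDecrypt(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	const pubLen, tagLen = 65, 16
	if len(blob) < pubLen+tagLen {
		return nil, errors.New("ecies: blob too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, fmt.Errorf("ecies: bad ephemeral key: %w", err)
	}
	z, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	km := x963KDF(z, blob[:pubLen], 32+12)
	block, err := aes.NewCipher(km[:32])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM authentication fails (returns an error) on any modified byte,
	// including a swapped ephemeral key, since it feeds the KDF.
	return gcm.Open(nil, km[32:], blob[pubLen:], nil)
}

func main() {
	seKey, err := newModelSEKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the vault long-term private key.
	longTermKey := bytes.Repeat([]byte{0x42}, 32)
	blob, err := eciesEncrypt(seKey.PublicKey(), longTermKey)
	if err != nil {
		panic(err)
	}
	got, err := eciesDecrypt(seKey, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, longTermKey))
}
```

Note that the encrypting side only needs the SE public key, so a vault can be wrapped without user presence, while unwrapping needs the hardware-held private key and whatever access control was set on it at creation.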