sneak/secret
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c526b68f58
secret/PROVISIONING_GUIDE.md

182 lines
5.5 KiB
Markdown
Raw Blame History

# Provisioning Profile Setup for macOS Biometric Authentication
## Prerequisites
1. Apple Developer Account (paid membership required)
2. macOS development machine
3. Xcode installed (for code signing tools)
## Step 1: Log into Apple Developer Portal
1. Go to [developer.apple.com](https://developer.apple.com)
2. Sign in with your Apple Developer account
3. Navigate to "Certificates, Identifiers & Profiles"
## Step 2: Create App ID
1. Click "Identifiers" in the sidebar
2. Click the "+" button to create a new identifier
3. Select "App IDs" and click "Continue"
4. Choose "App" (not App Clip) and click "Continue"
5. Fill in the details:
- **Description**: `Secret Manager macOS App`
- **Bundle ID**: Select "Explicit" and enter `berlin.sneak.pkg.secret`
6. In the "Capabilities" section, enable:
- **Keychain Sharing** (this is essential for keychain access)
- Leave other capabilities unchecked unless specifically needed
7. Click "Continue" and then "Register"
## Step 3: Create/Verify Development Certificate
1. Click "Certificates" in the sidebar
2. Click the "+" button if you need a new certificate
3. Under "Development", select "Mac Development"
4. Follow the instructions to generate a Certificate Signing Request (CSR):
- Open Keychain Access on your Mac
- Go to Keychain Access → Certificate Assistant → Request a Certificate from a Certificate Authority
- Enter your email address and name
- Select "Saved to disk" and "Let me specify key pair information"
- Click "Continue" and save the CSR file
5. Upload the CSR file and download the certificate
6. Double-click the downloaded certificate to install it in Keychain Access
## Step 4: Register Development Device
1. Click "Devices" in the sidebar
2. Click the "+" button to register a new device
3. Select "macOS" as the platform
4. Get your Mac's hardware UUID:
```bash
system_profiler SPHardwareDataType | grep "Hardware UUID"
```
5. Enter:
- **Device Name**: Your Mac's name (e.g., "John's MacBook Pro")
- **Device ID (UUID)**: The hardware UUID from step 4
6. Click "Continue" and then "Register"
## Step 5: Create Development Provisioning Profile
1. Click "Profiles" in the sidebar
2. Click the "+" button to create a new profile
3. Under "Development", select "Mac App Development"
4. Click "Continue"
5. Select your App ID: `berlin.sneak.pkg.secret`
6. Click "Continue"
7. Select your development certificate
8. Click "Continue"
9. Select your registered Mac device
10. Click "Continue"
11. Enter a profile name: `Secret Manager macOS Development`
12. Click "Generate"
13. Download the provisioning profile
## Step 6: Install Provisioning Profile
1. Double-click the downloaded `.provisionprofile` file to install it
2. Or manually copy it to: `~/Library/MobileDevice/Provisioning Profiles/`
## Step 7: Code Signing Setup
### Option A: Manual Code Signing
Add these flags when building your Go binary:
```bash
# Build the binary
go build -o secret cmd/secret/main.go
# Sign the binary
codesign --sign "Apple Development: YOUR_NAME (TEAM_ID)" \
--entitlements entitlements.plist \
--options runtime \
--force \
./secret
```
### Option B: Using Makefile
Update your Makefile to include code signing:
```makefile
DEVELOPER_ID = "Apple Development: YOUR_NAME (TEAM_ID)"
ENTITLEMENTS = entitlements.plist
secret:
go build -o secret cmd/secret/main.go
codesign --sign $(DEVELOPER_ID) \
--entitlements $(ENTITLEMENTS) \
--options runtime \
--force \
./secret
.PHONY: secret
```
## Step 8: Verify Code Signing
Check that your binary is properly signed:
```bash
# Check code signature
codesign -dv --verbose=4 ./secret
# Check entitlements
codesign -d --entitlements :- ./secret
```
## Step 9: Test Biometric Authentication
Run your app and verify that:
1. Touch ID/Face ID prompts appear when accessing keychain
2. No entitlement errors occur
3. Keychain operations work correctly
## Troubleshooting
### Common Issues:
1. **errSecMissingEntitlement (-34018)**
- Ensure your provisioning profile includes keychain access
- Verify code signing is applied correctly
- Check that bundle ID matches exactly
2. **No biometric prompt appears**
- Verify access control flags in your Security Framework calls
- Ensure device has biometric authentication enabled
- Check system preferences for app permissions
3. **Code signing failures**
- Ensure certificate is installed in Keychain Access
- Verify team ID matches between certificate and provisioning profile
- Check that provisioning profile is installed
### Debug Commands:
```bash
# List installed certificates
security find-identity -v -p codesigning
# List provisioning profiles
ls ~/Library/MobileDevice/Provisioning\ Profiles/
# Check provisioning profile contents
security cms -D -i ~/Library/MobileDevice/Provisioning\ Profiles/YOUR_PROFILE.provisionprofile
```
## Production Distribution
For production distribution, you'll need to:
1. Create a "Developer ID Application" certificate
2. Create a "Developer ID" provisioning profile
3. Notarize your app with Apple
4. Staple the notarization ticket
This allows distribution outside the Mac App Store while maintaining system trust.
## Important Notes
- Keychain access groups are automatically included for explicit App IDs
- Biometric authentication requires proper access controls in your Security Framework calls
- The `com.apple.security.cs.disable-library-validation` entitlement may be needed for Go binaries
- Test thoroughly on a clean system to ensure all entitlements work correctly
Reference in New Issue View Git Blame Copy Permalink