docs: retire fix-macos.md; fold findings into THREAT_MODEL#67

Merged
jgowdy-godaddy merged 1 commit intomainfrom
docs/retire-fix-macos
Apr 17, 2026

Conversation

@jgowdy-godaddy
Contributor

Summary

fix-macos.md has served its purpose:

  • Steps 1–6 (Path 2: AES-GCM-wrapped .handle + Keychain-held wrapping key) shipped in #65 ("apple: AES-GCM-wrap the SE dataRepresentation under a Keychain key").
  • Steps 7–8 (Path 1: entitled SecKeyCreateRandomKey with kSecAttrTokenIDSecureEnclave) are blocked, not deferred work. keychain-access-groups is an AMFI-restricted entitlement requiring a provisioning profile — unavailable to Homebrew / cargo install distribution (AMFI kills the binary with error -413 even with a valid Apple Development cert and no matching profile).

This PR:

  • Deletes fix-macos.md.
  • Expands the "macOS Keychain prompts" note in THREAT_MODEL.md with the still-useful content from the plan doc:
    • Full prompt-behavior matrix (ad-hoc vs self-signed vs trusted-cert × first-run / rebuild / different path).
    • Deny / Always Allow / upgrade-transition behavior.
    • -34018 finding explaining why the legacy keychain is used.
    • Explicit note that the entitled SE path is blocked on provisioning.

Test plan

  • Docs-only change, no code touched
  • No other file references fix-macos.md

fix-macos.md's implementation plan is complete:
- Steps 1-6 (Path 2: AES-GCM-wrapped .handle + keychain-held wrapping key)
  are shipped in PR #65.
- Steps 7-8 (Path 1: entitled SecKeyCreateRandomKey with
  kSecAttrTokenIDSecureEnclave) are blocked on a provisioning profile, not
  deferred work. The required keychain-access-groups entitlement is
  AMFI-restricted and unavailable to Homebrew / cargo-install distribution,
  so these steps will not land under the current distribution model.

The still-useful content from the plan doc has been migrated into
THREAT_MODEL's macOS platform-specific notes:
- Full prompt-behavior matrix (ad-hoc vs self-signed vs trusted-cert,
  first run / rebuild / different path)
- Deny / Always Allow / upgrade-transition behavior
- -34018 finding explaining why the legacy keychain is used
- Explicit note that the entitled SE path is blocked on provisioning

fix-macos.md is deleted.
@jgowdy-godaddy jgowdy-godaddy merged commit 162ed26 into main Apr 17, 2026
3 checks passed
jgowdy-godaddy pushed a commit that referenced this pull request Apr 17, 2026
Resolves conflicts where origin/main's #66/#67 docs PRs touched the same
DESIGN.md/THREAT_MODEL.md regions I rewrote for the hardening pass. Our
side supersedes — the new sections already include all of main's
refinements plus the envelope, HMAC sidecar, Windows mitigations,
SecretRead, env-scrub, bridge mutex, and Authenticode notes.

fix-macos.md: accept main's deletion (#67 folded the findings into
THREAT_MODEL.md).