This repository has been archived by the owner on Sep 23, 2021. It is now read-only.

Add support for Touch ID as an authentication method in macOS #53

Closed
jviotti opened this issue Jul 10, 2017 · 10 comments

@jviotti
Contributor

jviotti commented Jul 10, 2017

From balena-io/etcher#1579.

Not sure what's needed for this, but it'd indeed be very cool if sudo-prompt can support Touch ID authentication on newest MacBooks.

@jorangreef jorangreef changed the title Support Touch ID as an authentication method in macOS Add support for Touch ID as an authentication method in macOS Jul 14, 2017
@jorangreef
Owner

Thanks @jviotti I will look into it. Any ideas from your side?

@jviotti
Contributor Author

jviotti commented Jul 14, 2017

I have very little macOS programming knowledge, and my MacBook Pro doesn't have Touch ID, but I'll see if I can find something :)

@ryankon

ryankon commented Mar 21, 2018

I've been using Etcher a lot, so I tried to take a closer look at this, and I had a quick question. If I execute the AppleScript directly or if I do the following, I get the Touch ID prompt.

osascript -e 'do shell script "echo foo" with administrator privileges'

Perhaps it has something to do with the applet binary? What is it actually doing?

Thanks!

@jorangreef
Owner

Thanks @ryankon

The applet is just an AppleScript packaged as an app by Xcode.

We moved away from copying the osascript binary since this applet technique lets us set the prompt's icon by changing the applet's icon dynamically.

You can inspect the applet in Xcode: decode the applet base64, unzip, then open Contents/Resources/Scripts in Xcode, which looks like this:

do shell script "./sudo-prompt-script" with administrator privileges

MacOS/sudo-prompt-script then looks like this:

#!/bin/bash
# Set sudo timestamp for subsequent sudo calls if tty_tickets are disabled:
/bin/mkdir -p /var/db/sudo/$USER > /dev/null 2>&1
/usr/bin/touch /var/db/sudo/$USER > /dev/null 2>&1
# AppleScript's "do shell script" may alter stdout line-endings.
# It may also set stdout to stderr if there was a non-zero return code and no stderr.
# We therefore prefer to redirect output streams and capture return code manually:
/bin/bash sudo-prompt-command 1>stdout 2>stderr
/bin/echo $? > code
# Correct ownership of stdout, stderr and code so that user can delete them:
/usr/sbin/chown $USER stdout stderr code
# Always return 0 so that AppleScript does not show error dialog:
exit 0

sudo-prompt-command is written out dynamically.

This might be a red herring, but I think I recall that with administrator privileges works slightly differently when executing a native shell command vs executing a compound shell script, but I'm not sure if this is accurate.

Perhaps osascript is wired up to show the Touch ID prompt when it sees with administrator privileges but Xcode AppleScript applets are not? Perhaps the applet just needs to be rebuilt on a newer macOS? Could you look into this on your Mac?
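
The capture pattern described in the comment above, as an added example that is not part of the original thread or of sudo-prompt's own code: because the wrapper always exits 0, the caller has to recover the real status from the code file and treat a missing or malformed file as failure. The function names run_captured, read_result and demo are hypothetical; /bin/sh stands in for /bin/bash, and the root-only sudo timestamp and chown steps are left out so it runs unprivileged.

```shell
#!/bin/sh
# Added example (constructed): the capture pattern from sudo-prompt-script,
# run unprivileged in a private temp directory.

# run_captured DIR: run DIR/sudo-prompt-command as the applet script does.
# Streams go to files, the real status goes to DIR/code, and the wrapper
# itself always reports 0.
run_captured() {
  (
    cd "$1" || exit 0
    /bin/sh sudo-prompt-command 1>stdout 2>stderr && rc=0 || rc=$?
    echo "$rc" > code
    exit 0
  )
}

# read_result DIR: the caller's side. Prints the captured stdout and returns
# the command's real status. A missing or non-numeric code file counts as
# failure (255), never as success.
read_result() {
  code=$(cat "$1/code" 2>/dev/null) || return 255
  case "$code" in
    ''|*[!0-9]*) return 255 ;;
  esac
  cat "$1/stdout"
  return "$code"
}

# demo CMD: write a constructed command into a fresh mktemp directory
# (mode 0700), run it through the wrapper and summarise both statuses.
demo() {
  dir=$(mktemp -d) || return 255
  printf '%s\n' "$1" > "$dir/sudo-prompt-command"
  run_captured "$dir"
  wrapper_status=$?
  out=$(read_result "$dir") && real_status=0 || real_status=$?
  rm -rf "$dir"
  echo "wrapper=$wrapper_status real=$real_status out=$out"
}

demo 'echo foo'
demo 'echo oops >&2; exit 3'
```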

@jorangreef
Owner

jorangreef commented Mar 22, 2018

Perhaps the applet just needs to be rebuilt on a newer macOS? Could you look into this on your Mac?

This might just do the trick.

@ryankon

ryankon commented Mar 22, 2018

Thanks for the detailed response @jorangreef

Unfortunately, I attempted to rebuild the AppleScript app using the latest Xcode (9.2) on MacOS 10.3.3, and it still prompts for a password instead of using Touch ID.

If we want to preserve the prompt customizability, we may have to use the Local Authentication framework instead. I can try to carve out some time in the coming weeks to take a closer look. Thoughts?

@jorangreef
Owner

Sure, thanks @ryankon for trying the rebuild.

It would be great to look into using the Local Authentication framework, especially if we can interact with it from C/C++ with a minimum of anything else. I have tried to keep sudo-prompt free from being a native add-on for convenience. Please let me know what ideas you have or what might work.

@jorangreef
Owner

@ryankon, would you like to try rebuilding the AppleScript app again to see if Xcode now prompts with Touch ID?

@jorangreef
Owner

Closing for now, let me know if anything changes with this please.

@Fndroid

Fndroid commented Jan 16, 2021

Any update for this issue?
