macOS 10.15 Catalina: Yubikey slots not populating

[doits]

Since upgrading to 10.15 catalina beta I cannot unlock my database which is secured with yubikey challenge response: the yubikey is not detected.

Expected Behavior

Unlock database with yubikey

Current Behavior

Yubikey is not detected:

I tried restarting everything, no change :-(

Otherwise yubikey works as expected (eg. with gpg), so currently only keepassxc cannot access it.

Debug Info

KeePassXC - Version 2.4.3
Revision: 5d6ef0c

Qt 5.12.3
Debugging mode is disabled.

Operating system: macOS 10.15
CPU architecture: x86_64
Kernel: darwin 19.0.0

Enabled extensions:

• Auto-Type
• Browser-Integration
• SSH-Agent
• KeeShare (signed and unsigned sharing)
• YubiKey
• TouchID

Cryptographic libraries:
libgcrypt 1.8.4

[droidmonkey]

Does it work with the Yubikey Personalization tool?

[doits]

good catch, no, it doesn't. It says "unkown error occured" when I attach the yubikey.

[droidmonkey]

Then this would be an error at the OS level or an incompatibility with yubikey itself. Recommend reporting the bug over on their repository: https://github.com/Yubico/yubikey-personalization-gui

[doits]

👍 reported at Yubico/yubikey-personalization-gui#87

[doits]

One more hint though: Using it in browsers for 2fa authentication or as a gpg smartcard for signing/encrypting e-mails still works though, so it is not completely broken. But looks like the functionality used in keepassxc and personalization tool is.

[doits]

I made it working again by going to system settings --> security --> privacy --> input monitoring and manually adding keepassxc.app there. Looks like this permission should be requested by keepassxc when launching and/or trying to access yubikeys.

[droidmonkey]

Yes looks like Catalina is introducing new privacy features that require additional approvals. Unfortunately they don't seem to be documented yet or it is non-intuitive when I read the apple developer documentation.

[doits]

@thobryan using Beta 10.15 (19A546d) and it works like this for me:

[droidmonkey]

macOS likes to "forget" permissions you gave an app but still show that you gave them. I've run into this with AutoType as well.

For this issue, is there a new entitlement we should be asking for?

[kanutope]

Upgraded from 10.14.6 today to 10.15.1 - had KeePassXC upgraded to 2.5.0 - created manually 'input monitoring' entries for both KeePassXC and YubiKey Personalization Tool - it works smoothly. Thanks @droidmonkey

[droidmonkey]

I need to figure out how to trigger the permission request for input monitoring

[499602D2]

I'm on a machine stuck on High Sierra and I've had this issue ever since I got my YubiKey, so around version 2.3.4, and I was unable to fix the issue with the privacy settings mentioned above, as High Sierra lacks all of it.

However, I did some Googling around, and it seems that this issue is somehow triggered if "Secure Keyboard Entry" is enabled in Terminal's settings – I disabled it, and my key started to immediately work in KeepassXC, alongside with ykinfo -a producing actual output instead of USB error: kIOReturnSuccess, even when not run as sudo.

This thread is relevant: Yubico/yubikey-personalization#34

[famx-droid]

I'am on a machine stuck with High Sierra (10.13.6) and have same problem as well. Disabling the "Secure Keyboard Entry" in the Terminal settings works for me fine (KeePassXC 2.5.1).
Citation from Apple support page says:

Before you turn on secure keyboard entry, make sure other apps don’t require keystrokes from Terminal.

Thanks for the hint @499602D2 ! This does not solve the real problem, but for now a good workaround.

[onlykey]

I can verify that adding to security -> privacy -> input monitoring also works for OnlyKey. Is it possible for future release to automatically request adding KeePassXC to input monitoring? I think it already requests to automatically be added to accessibility.

[droidmonkey]

I'll need a link to the documentation to do that. I find Apple's documentation to be the absolute worst.

[onlykey]

@droidmonkey Did a little digging into it and I am thinking that Mac released 10.15 without a way yet for apps to request this, or at least its not documented yet:
https://forums.developer.apple.com/thread/124368
https://developer.apple.com/documentation/bundleresources/information_property_list/protected_resources

EDIT - Did a little more digging, still no luck. Looks like others have this issue too - https://discussions.apple.com/thread/250754222
When you look at the privacy options in Xcode there is no option for input monitoring:

[MarSalfer]

Workaround Generally: Add ("+" or drag and drop) KeePassXC.app into "System Settings --> Security --> Privacy --> Input Monitoring".

Workaround when the above won't work as no list appears: Populate Input Monitoring with another app first.

1. Start an app that requests Input Monitoring permissions, e.g. CheatSheet. The Input Monitoring window will be opened and populated with this one app plus a "+" and a drag-drop functionality.
2. Add or drag-drop KeePassXC into the Input Monitoring list.
3. (optionally) remove the other app again.

[tswestendorp]

I've tried all the possible workarounds to get my OnlyKey working. KeePassXC is added to input monitoring and version 2.6.1, re-added is a couple of times as well, but still slots aren't populated.

Just a minute ago I found errors some errors caused by KeePassXC in my Console:

error	09:10:05.384303+0200	KeePassXC	IOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5
error	09:10:06.407640+0200	KeePassXC	IOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5
error	09:10:07.318337+0200	KeePassXC	IOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5
error	09:10:07.983491+0200	KeePassXC	IOConnectCallMethod(kIOHIDLibUserClientOpen):e00002c5

These errors occur when hitting 'Refresh' next to the slots. Anybody got an idea what might be happening here?

cc @onlykey

[droidmonkey]

@phoerious what version of ykpers are you deploying with the macos build?

[phoerious]

Can't check right now, but it should be the latest one from homebrew.

[onlykey]

@tswestendorp Mac OS requires restart of app to have the privacy change take effect. I think in some cases it may require a reboot though, any luck after reboot?

[tswestendorp]

@tswestendorp Mac OS requires restart of app to have the privacy change take effect. I think in some cases it may require a reboot though, any luck after reboot?

Unfortunately not 😕

[repetitioestmaterstudiorum]

I'am on a machine stuck with High Sierra (10.13.6) and have same problem as well. Disabling the "Secure Keyboard Entry" in the Terminal settings works for me fine (KeePassXC 2.5.1).
Citation from Apple support page says:

Before you turn on secure keyboard entry, make sure other apps don’t require keystrokes from Terminal.

Thanks for the hint @499602D2 ! This does not solve the real problem, but for now a good workaround.

This was the solution for me too!

[droidmonkey]

I am closing this issue since it's not on us.