Support for new SecAccessControlCreateFlags in VALSecureEnclaveValet #48
Comments
|
Is this so you can do the finger-print-only TouchID? I had a PR in to do this, but no response from the Sqare folk, and I didn't do a good job of it (will revisit it) |
|
I was just about to @ the projects main owner, but its YOU! Are you taking PR's, assuming I do a better job than the last one @dfed ? |
|
Hey @nicwise. Sorry for the delay on the last PR! The email notification came in while I was OOO and I failed to circle back once I made it back to the office. The point of this issue is to support all |
|
Oh hey, you closed your PR. Interesting re surfacing that the enrolled fingerprint changed. Not sure I agree that that's terribly important to do within Valet since it's easy to detect that case using your own code (you could write a pref when you write the secret. If you can't access the secret under that config but can access the keychain, then it means the fingerprints enrolled have changed). I'm going to investigate handling the creation of the specific |
|
I'm working on this on the branch federman/secaccesscontrolflags |
|
The flag idea is good, but at the moment you can't tell the difference between "Cancel" and "No fingerprints". So if the user has set something up (flag: yes), and changes a finger print (stringForKey returns NO always) we can't tell if they hit cancel or just tried to TID in. Unless the flag has the same "invalidate if the TID print list changes", but I thought that needed a TID prompt to be used. BTW: http://fastchicken.co.nz/2016/01/08/valet-keychain-done-right/ - tho we've had to roll it out for TouchID. It's still in for general Keychain access, so the SFHF has largely been replaced, which was the point. |
|
Ahh makes sense! I'll see how I can surface that difference. |
|
Even just surfacing the last osstatus would do. Might be generally useful.
|
|
I'm pretty strongly opposed to surfacing the OSStatus. You should never need to read a system header to understand what Valet is doing. I'll see how I can surface this. Gimme a few. |
|
Wait, can't you just use |
|
except if it's a TID-protected item. containsObjectForKey will throw up the TID UI :) I agree, tho, OSStatus should be hidden. But... sometimes it'd be nice to know what happened. Hence why I pulled my PR: I've still not come up with a good solution. |
|
No it won't throw up the TID UI. Check it out ;). The internals of |
|
OK, I'll try it again. Might have been 'cos I was passing in a prompt.... |
|
Sounds good. Let me know what you find! If I've got a bug I'd be happy to fix it :) |
|
Those changes look and work really nicely, @dfed - thanks! Just need to work out the cancel vrs fingerprints-changed issue. Will put thinking hat on while uploading builds (slowly) |
|
awesome. despite my doubting, we can use |
|
Great! That's what I'd expect. Hoping to get #66 merged this week. Just need another set of eyeballs |
|
Sounds good. I'm going to try it in our app with just pulling the code in - but not committing it, as I'm happy to wait for the proper master-branch'ed Pod version :) |
|
This is now available in v2.1.0 |
I want VALSecureEnclaveValet to support taking arbitrary
SecAccessControlCreateFlagsin the initializer. Currently onlykSecAccessControlUserPresenceis supported.The text was updated successfully, but these errors were encountered: