before enabling Secure Enclave wallet require code be signed with a certificate #419
On ARM macOS, every application must be signed. And Apple really means that: when you

```
cc hello.c -o hello
```

the linker adds an "ad-hoc" code signature to the output (this is not to be confused with Ad Hoc Distribution Profiles; something else entirely in the Apple code signing space).

When the Secure Enclave wallet code starts up (which is included in every macOS build), it performs a simple check to see if the executable is signed before granting access to the Secure Enclave wallet (an application needs to be signed to have proper entitlements to access the Secure Enclave). Well, this ad-hoc code signature is indeed a code signature, so this check passes and shows the Secure Enclave wallet in keosd even when you can't use it (because an ad-hoc signature isn't going to have the proper entitlements).
Extend the check a little further to check that the executable isn't just signed but that the code signature is made with a valid certificate. Apple states
(emphasis mine), and indeed in my testing this simple change worked as expected: ad-hoc signed applications will not pass this new check, but even a self-signed developer application (the "lowest tier" of signed applications that can get Secure Enclave access) passed this check.

Also add Mac Studio IDs to the whitelist since I'm still unaware how to query for Secure Enclave support. (I did no recent research though.)
Of course, our Secure Enclave support feels more like a tech demo as a signed keosd has never been shipped by B1 nor ENF, and signing it yourself requires considerable knowledge. But it's not really getting in the way at the moment so might as well leave it in for now.
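The distinction the PR description draws (a linker-added ad-hoc signature versus a signature backed by a certificate) is visible from the command line with `codesign -dv --verbose=2 <binary>`: an ad-hoc signature prints a `Signature=adhoc` line and no `Authority=` lines, while a certificate-backed signature prints the certificate chain as `Authority=` lines. The script below is an added example, not code from this PR or from keosd; it classifies a `codesign` report so that a build or test step can refuse to treat an ad-hoc signed binary as Secure Enclave capable. The three sample reports are constructed for the example (names, sizes and team identifier are placeholders), so it runs without a Mac; on macOS you would pass it real output as shown in the comment.

```shell
#!/bin/sh
# Added example, not part of the PR. Classifies the output of
#   codesign -dv --verbose=2 <binary>
# as "unsigned", "adhoc", "certificate" or "unknown".
#
# On macOS, feed it live output:
#   kind=$(signature_kind "$(codesign -dv --verbose=2 /path/to/keosd 2>&1)")

# Prints the signature kind for the codesign report passed as $1.
signature_kind() {
    if printf '%s\n' "$1" | grep -q 'code object is not signed at all'; then
        echo unsigned
        return 0
    fi
    # codesign prints exactly this line for linker/ad-hoc signatures.
    if printf '%s\n' "$1" | grep -q '^Signature=adhoc$'; then
        echo adhoc
        return 0
    fi
    # Certificate-backed signatures list the chain, leaf first.
    if printf '%s\n' "$1" | grep -q '^Authority='; then
        echo certificate
        return 0
    fi
    echo unknown
}

# Returns 0 only when the report shows a certificate-backed signature,
# i.e. the only case in which Secure Enclave entitlements can be present.
secure_enclave_eligible() {
    [ "$(signature_kind "$1")" = certificate ]
}

# Constructed sample reports. Field layout mirrors codesign's output; the
# identifiers, sizes and team ID are made up for this example.
ADHOC_REPORT='Executable=/tmp/hello
Identifier=hello
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=434 flags=0x20002(adhoc,linker-signed) hashes=8+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12'

CERT_REPORT='Executable=/tmp/keosd
Identifier=example.keosd
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=4523
Authority=Apple Development: Example Developer (TEAMID0000)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=TEAMID0000
Runtime Version=13.0.0
Sealed Resources=none
Internal requirements count=1 size=172'

UNSIGNED_REPORT='/tmp/plain: code object is not signed at all'

# Stand-alone run: print the classification of each sample.
for r in "$ADHOC_REPORT" "$CERT_REPORT" "$UNSIGNED_REPORT"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$r" | head -n 1)" "$(signature_kind "$r")"
done
```

The same classification can be done in-process from the Security framework (the signing information dictionary carries the certificate chain), which is what a wallet daemon would do at startup; the shell form is useful for checking a release artifact before shipping it, and `codesign -d --entitlements - <binary>` shows whether the Secure Enclave entitlements are actually present on top of the certificate.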