-
Re: TouchID & thisDeviceOnly on macOS
eskimo Oct 28, 2016 6:16 AM (in response to jpgoldberg)
> … it would be nice to know how third party apps may use Touch ID …
If you look at the macOS SDK included with Xcode 8.1 (specifically, <Security/SecItem.h>, <Security/SecAccessControl.h> and <LocalAuthentication/LAContext.h>) you’ll find that many of the declarations that were previously only available on iOS are now available on macOS. This should allow you to:
* generate keys on the Secure Enclave using kSecAttrTokenIDSecureEnclave
* use LAContext to manually authenticate
* protect secrets in the keychain with kSecAccessControlTouchIDAny
Let us know if you hit any snags.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
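Added example, not part of the original post and not Apple's sample code: one way to combine the LAContext and kSecAccessControlTouchIDAny items from the list above, falling back to kSecAccessControlDevicePasscode where Touch ID is unavailable. It assumes ARC, the service and account strings are placeholders, and it does not address whether the item lands in the iOS-style or the file-based keychain on macOS.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Placeholder identifiers (assumptions for this example only).
static NSString * const kExampleService = @"com.example.service";
static NSString * const kExampleAccount = @"example-account";

// Store a secret that can be read only after user-presence authentication.
static OSStatus StoreProtectedSecret(NSData *secret) {
    // Use Touch ID where LocalAuthentication reports it usable; otherwise
    // require the device password so the item still demands authentication.
    LAContext *context = [[LAContext alloc] init];
    BOOL hasTouchID = [context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                                           error:NULL];
    SecAccessControlCreateFlags flags =
        hasTouchID ? kSecAccessControlTouchIDAny : kSecAccessControlDevicePasscode;

    CFErrorRef error = NULL;
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, flags, &error);
    if (access == NULL) {
        OSStatus code = error ? (OSStatus)CFErrorGetCode(error) : errSecParam;
        if (error) CFRelease(error);
        return code;
    }
    NSDictionary *attributes = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: kExampleAccount,
        // Ownership of the access-control object moves to ARC here.
        (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)access,
        (__bridge id)kSecValueData: secret,
    };
    return SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
}

// Read the secret back; the system prompts for Touch ID or the password.
static NSData *ReadProtectedSecret(OSStatus *outStatus) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: kExampleAccount,
        (__bridge id)kSecReturnData: @YES,
        (__bridge id)kSecUseOperationPrompt: @"Authenticate to read the stored secret",
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;
    return status == errSecSuccess ? (__bridge_transfer NSData *)result : nil;
}
```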
-
Re: TouchID & thisDeviceOnly on macOS
pfandrade Oct 29, 2016 1:51 PM (in response to eskimo)
Hey Quinn,
I'm working on the same problem, and since I don't have one of the new MacBooks yet, I'm testing by saving a keychain item with kSecAccessControlDevicePasscode instead of kSecAccessControlTouchIDAny. Theoretically, if I get everything working with kSecAccessControlDevicePasscode then I should be able to just switch that to kSecAccessControlTouchIDAny to use Touch ID.
Now I've encountered something weird... When using SecItemCopyMatching to check if the keychain item exists, I'm also asked for my password, even though I'm not requesting any secret data to be returned.

    NSDictionary* query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: @"Service",
        (__bridge id)kSecAttrAccount: @"Account",
    };
    // No kSecReturn* keys are set and the result pointer is NULL: only the status is wanted.
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)(query), NULL);

Once the item is stored, the above code will also ask for the user's password, making testing for its existence difficult (to adapt your UI, for example). I have very similar code on iOS and it works as expected.
Is this on purpose?
-
Re: TouchID & thisDeviceOnly on macOS
eskimo Oct 31, 2016 5:08 AM (in response to pfandrade)
Are you setting kSecAttrSynchronizable? Without that the SecItem item API shims you over to the file-based keychain implementation, which is probably not what you want in this situation.
ps If you’re not familiar with the iOS-style vs traditional Mac keychain dichotomy, check out this post, which explains some background to this.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: TouchID & thisDeviceOnly on macOS
paulo_andrade Nov 2, 2016 3:57 AM (in response to eskimo)
I am familiar with the iOS style API. That's what I'm using in both iOS and Mac code.
I'm not explicitly setting the kSecAttrSynchronizable because I'm also setting kSecAttrAccessibleWhenUnlockedThisDeviceOnly. I've created radar://29064415
-
Re: TouchID & thisDeviceOnly on macOS
TapZapp Oct 29, 2016 1:58 PM (in response to eskimo)
Is there a recommended way to test TouchID on a Mac that doesn't have it? Sort of like how you can emulate the new Touch Bar?
I'd like to add it to my Mac app.
-
Re: TouchID & thisDeviceOnly on macOS
eskimo Oct 31, 2016 5:21 AM (in response to TapZapp)
> Is there a recommended way to test TouchID on a Mac that doesn't have it?
Not that I’m aware of. Even if there were, given the sensitive nature of anything to do with Touch ID, I’d be reluctant to ship code for this that hasn’t been tested on real hardware.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: TouchID & thisDeviceOnly on macOS
TapZapp Nov 14, 2016 12:29 AM (in response to eskimo)
Agreed. That's why I'm holding off until my new MBP arrives. I'm quite surprised that 1Password has already shipped their update with TouchID support for Mac.
-