Mac Support #5

Open
timkeeler opened this issue Aug 21, 2019 · 11 comments

@timkeeler

Has anyone been successful in building this on OSX? I receive the following error:

Great project btw!

>go get -u github.com/maximbaz/yubikey-touch-detector
# github.com/maximbaz/yubikey-touch-detector/detector
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/gpg.go:19:50: undefined: notify.InOpen
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/gpg.go:19:65: undefined: notify.InDeleteSelf
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/gpg.go:19:86: undefined: notify.InMoveSelf
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/gpg.go:33:9: undefined: notify.InOpen
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/u2f.go:24:54: undefined: notify.InOpen
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/u2f.go:24:69: undefined: notify.InCloseWrite
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/u2f.go:24:90: undefined: notify.InCloseNowrite
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/u2f.go:24:113: undefined: notify.InDeleteSelf
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/u2f.go:24:134: undefined: notify.InMoveSelf
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/u2f.go:38:9: undefined: notify.InOpen
../../../golang/src/github.com/maximbaz/yubikey-touch-detector/detector/u2f.go:38:9: too many errors
@maximbaz
Owner

Hey! I've just checked, it seems it isn't possible to make this tool work on OSX 😞

The reason is, gpg and u2f detectors highly depend on inotify events (e.g. when "u2fAuthPending" file is opened, yubikey begins to wait for you to touch the button, but then the file is closed, yubikey stops waiting for the touch). Problem is, these events are only available on Linux, and although the library I use is cross-platform, on OSX it only emits a small subset of events (Create | Remove | Write | Rename), so on OSX it is impossible to see when a file is just opened or closed.

If you have time to play around, I encourage you to try to see if you will be able to make this tool work by only using those events (e.g. replace all occurrences of Linux-specific events like this with cross-platform event (Create | Remove | Write | Rename) and see if this tool is able to detect when Yubikey is waiting for a touch), but I'm pretty sure I have explored that in the past and that didn't work 😞

I'll close the issue, but feel free to ask questions, and as I said, if you manage to get something working, create a PR and I'll test it on Linux 😉

@timkeeler
Author

Thanks - the info is much appreciated!!

@simpsora

I've run into this problem as well, and looked at a number of solutions. Unfortunately, neither of the native Mac/BSD facilities for filesystem events (fsevents and kqueue) provides events for files being opened. There is a way to get these events, using the kauth system, but it can only be accessed using a kernel extension, which requires a hard-to-get Apple Developer ID certificate with kext support.

macOS Catalina (10.15) ships with something new called Endpoint Security Framework, and it provides file open events (see example). Hopefully that might provide a way forward here :)

@maximbaz
Owner

Nice findings! If you have a chance to play around and test whether Endpoint Security Framework can indeed capture the moment when yubikey is waiting for a touch on, say, a gpg operation, I highly encourage you to do it! 😉 I don't have a Mac to confirm, but if you say it works and it doesn't break Linux support, I will merge :)

@ysc3839

ysc3839 commented Jan 19, 2020

I'm testing on Windows and found gpg would Create, Write then Remove a file pubring.k__.
(The DirWatcher is from here)
Does gpg do the same operations on Linux?

Also there's S.scdaemon in $GNUPGHOME, maybe we can use the same way in ssh.go.

@olebedev

This one is still relevant for me. @maximbaz, can we make it work?

@maximbaz
Owner

The problem is that nobody knows how to make it work... As said previously, I'll gladly merge if anyone finds a solution and it doesn't break Linux support 😉

@noperator

noperator commented Jan 2, 2025

I found some macOS log events that appear to be associated with various applications that require YubiKey touch: https://github.com/noperator/dotfiles/blob/a7ddfa91eb1ec6443deb0b5133051cb4b927ef63/LaunchAgents/yklogs.sh#L9-L13

When waiting for FIDO2 touch, we'll see this message logged once (where the hex client ID will vary):

kernel: (IOHIDFamily) IOHIDLibUserClient:0x100543841 startQueue

When waiting for OpenPGP touch, we'll see this message logged repeatedly:

usbsmartcardreaderd: [com.apple.CryptoTokenKit:ccid] Time extension received

I'm successfully using this to alert me in macOS Notification Center that I need to touch the YubiKey.

@maximbaz
Owner

maximbaz commented Jan 2, 2025

Whoa, impressive findings! Congrats on making that work!

How interested would you be in integrating that into this project? I'm happy to assist but as I don't use macOS I'll rely on the community to confirm that it works. Happy to assist with e.g. making this project compile on mac, which I imagine would require extracting some pieces in separate files and making them conditional (if linux use that file, if mac use that other file - we do that for *bsd already).

Will reopen issue, even if you are not interested in contributing this, someone else might be able to build upon your work.

Thanks again for sharing this!

@maximbaz maximbaz reopened this Jan 2, 2025
@noperator

No problem. I've been needing this on macOS for years and finally spent an afternoon digging into it :) I'm mildly interested in integrating the technique into this project and will report back here if I start working on it.

@noperator

Created a very simple CLI tool for macOS: https://github.com/noperator/yknotify

Works like this:

𝄢 yknotify
{"ts":"2025-02-12T20:09:03Z","type":"FIDO2"}
{"ts":"2025-02-12T20:09:14Z","type":"OpenPGP"}

Gonna use it for a while and make sure the technique is reliable before attempting to integrate here.
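
The log-matching technique described in the comments above, as an added Go example; it is not code from yknotify or from yubikey-touch-detector. It assumes each log line starts with an RFC 3339 timestamp (a constructed format) and folds the repeated OpenPGP message with a quiet window; `Detect`, `TouchEvent` and the 5-second window are hypothetical choices.

```go
package main

import (
	"encoding/json"
	"os"
	"strings"
	"time"
)

// TouchEvent has the two fields shown in the yknotify output above.
type TouchEvent struct {
	TS   time.Time `json:"ts"`
	Type string    `json:"type"`
}

// Constructed sample; the timestamp prefix is an assumed format.
const sample = `2025-02-12T20:09:03Z kernel: (IOHIDFamily) IOHIDLibUserClient:0x100543841 startQueue
2025-02-12T20:09:14Z usbsmartcardreaderd: [com.apple.CryptoTokenKit:ccid] Time extension received
2025-02-12T20:09:15Z usbsmartcardreaderd: [com.apple.CryptoTokenKit:ccid] Time extension received
2025-02-12T20:09:40Z usbsmartcardreaderd: [com.apple.CryptoTokenKit:ccid] Time extension received`

// Detect returns one event per touch prompt. The OpenPGP message repeats
// while the key waits, so repeats closer together than quiet are folded.
func Detect(input string, quiet time.Duration) []TouchEvent {
	var events []TouchEvent
	var lastPGP time.Time
	for _, line := range strings.Split(input, "\n") {
		stamp, msg, _ := strings.Cut(strings.TrimSpace(line), " ")
		ts, err := time.Parse(time.RFC3339, stamp)
		if err != nil {
			continue // not a timestamped line
		}
		switch {
		case strings.Contains(msg, "IOHIDLibUserClient:0x") && strings.HasSuffix(msg, " startQueue"):
			events = append(events, TouchEvent{ts, "FIDO2"}) // logged once; hex ID varies
		case strings.Contains(msg, "[com.apple.CryptoTokenKit:ccid] Time extension received"):
			if lastPGP.IsZero() || ts.Sub(lastPGP) >= quiet {
				events = append(events, TouchEvent{ts, "OpenPGP"})
			}
			lastPGP = ts // sliding window: a steady stream stays one event
		}
	}
	return events
}

func main() {
	for _, e := range Detect(sample, 5*time.Second) {
		json.NewEncoder(os.Stdout).Encode(e)
	}
}
```
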
