This commit is contained in:
Dain Nilsson 2022-05-09 14:46:48 +02:00
commit d82a8b58b7
No known key found for this signature in database
GPG Key ID: F04367096FBA95E8
31 changed files with 92 additions and 88 deletions


@ -36,8 +36,8 @@ jobs:
flutter test
flutter analyze
- name: Install ykman
run: ./build-ykman.sh
- name: Build the Helper
run: ./build-helper.sh
- name: Build the app
run: flutter build linux


@ -34,8 +34,8 @@ jobs:
flutter test
flutter analyze
- name: Install ykman
run: ./build-ykman.sh
- name: Build the Helper
run: ./build-helper.sh
- name: Build the app
run: flutter build macos


@ -32,8 +32,8 @@ jobs:
flutter test
flutter analyze
- name: Install ykman
run: .\build-ykman.bat
- name: Build the Helper
run: .\build-helper.bat
- name: Build the app
run: flutter build windows
@ -44,9 +44,9 @@ jobs:
- name: Move .dll files
run: |
$dest = "build\windows\runner\Release"
cp $dest\ykman-rpc\MSVCP140.dll $dest\
cp $dest\ykman-rpc\VCRUNTIME140.dll $dest\
cp $dest\ykman-rpc\VCRUNTIME140_1.dll $dest\
cp $dest\helper\MSVCP140.dll $dest\
cp $dest\helper\VCRUNTIME140.dll $dest\
cp $dest\helper\VCRUNTIME140_1.dll $dest\
- name: Create an unsigned .msi installer package


@ -7,20 +7,20 @@ https://flutter.dev/desktop
Development has been done using the "Install from git" method of installing the
SDK, from the "beta" channel.
You will also need to provide a compiled version of ykman-rpc, as described in
You will also need to provide a compiled version of the Helper, as described in
the next section.
=== Building ykman-rpc
=== Building the Yubico Authenticator Helper
Requirements: Python >= 3.8 and Poetry.
The GUI requires a compiled version of ykman-rpc to run, which is built from
the sources in ykman-rpc/ in this repository. This needs to be build prior to
running `flutter build` or `flutter run`, by running `build-ykman.sh` (or
`build-ykman.bat` on Windows).
The GUI requires a compiled version of Helper to run, which is built from the
sources in helper/ in this repository. This needs to be build prior to running
`flutter build` or `flutter run`, by running `build-helper.sh` (or
`build-helper.bat` on Windows).
NOTE: You will need to re-run `ykman-build.sh` if changes have been made to
ykman-rpc's code, or if `flutter clean` has been run.
NOTE: You will need to re-run `ykman-helper.sh` if changes have been made to
Helper's code, or if `flutter clean` has been run.
=== Running the app

10
build-helper.bat Normal file

@ -0,0 +1,10 @@
@echo off
echo Building authenticator-helper for Windows...
cd helper
poetry install
rmdir /s /q ..\build\windows\helper
poetry run pyinstaller authenticator-helper.spec --distpath ..\build\windows
cd ..
echo All done, output in build/windows/
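Review bot: The new script keeps going after a failed step, because cmd.exe does not abort on a non-zero exit code: if `cd helper` fails, `poetry install` and `pyinstaller` run from the repository root, and if `pyinstaller` fails the script still prints "All done". Change the directory switch to `cd helper || exit /b 1` and add `if errorlevel 1 exit /b 1` after the `poetry run pyinstaller` line so CI (which calls this script from build-helper.bat in the Windows workflow) fails on a broken Helper build rather than packaging a stale one. The `rmdir /s /q` line also errors when no previous build exists; `if exist ..\build\windows\helper rmdir /s /q ..\build\windows\helper` keeps the first run quiet. Whether the .sh counterpart uses `set -e` is not visible in this page.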


@ -15,22 +15,22 @@ case "$(uname)" in
OS="windows";;
esac
echo "Building ykman-rpc for $OS..."
echo "Building authenticator-helper for $OS..."
OUTPUT="build/$OS"
cd ykman-rpc
cd helper
poetry install
rm -rf ../$OUTPUT/ykman-rpc
poetry run pyinstaller ykman-rpc.spec --distpath ../$OUTPUT
rm -rf ../$OUTPUT/helper
poetry run pyinstaller authenticator-helper.spec --distpath ../$OUTPUT
cd ..
# Fixup permissions (should probably be more strict)
find $OUTPUT/ykman-rpc -type f -exec chmod a-x {} +
chmod a+x $OUTPUT/ykman-rpc/ykman-rpc
find $OUTPUT/helper -type f -exec chmod a-x {} +
chmod a+x $OUTPUT/helper/authenticator-helper
# Adhoc sign executable (MacOS)
if [ "$OS" = "macos" ]; then
codesign -f --timestamp --entitlements macos/ykman.entitlements --sign - $OUTPUT/ykman-rpc/ykman-rpc
codesign -f --timestamp --entitlements macos/helper.entitlements --sign - $OUTPUT/helper/authenticator-helper
fi
echo "All done, output in $OUTPUT/"


@ -1,10 +0,0 @@
@echo off
echo Building ykman-rpc for Windows...
cd ykman-rpc
poetry install
rmdir /s /q ..\build\windows\ykman-rpc
poetry run pyinstaller ykman-rpc.spec --distpath ..\build\windows
cd ..
echo All done, output in build/windows/


@ -1,7 +1,7 @@
== Packaging for MacOS
Building the ykman CLI locally will result in an adhoc-signed build, which
works for local development, but not for distribution. Before distributing it
needs to be re-signed. Build the CLI by running `build-ykman.sh`, see the main
Building the Helper locally will result in an adhoc-signed build, which works
for local development, but not for distribution. Before distributing it needs
to be re-signed. Build the Helper by running `build-helper.sh`, see the main
README for details.
To distribute the app you will need the Yubico MacOS signing key. The method of
@ -14,22 +14,22 @@ To distribute the app outside of the App Store, we need to sign it and Notarize
it. For Notarization to work, we must enable "hardened runtime" by setting the
`--options runtime` when signing.
==== Signing the ykman CLI
==== Signing the Yubico Authenticator Helper
The following commands can be done to re-sign the files using the Yubico
signing key:
# Sign the main binary, with the entitlements:
codesign -f --timestamp --options runtime --entitlements macos/ykman.entitlements --sign 'Application' build/macos/ykman-rpc/ykman-rpc
codesign -f --timestamp --options runtime --entitlements macos/helper.entitlements --sign 'Application' build/macos/helper/authenticator-helper
# Sign the dylib and so files, without entitlements:
codesign -f --timestamp --options runtime --sign 'Application' $(find build/macos/ykman-rpc/ -name "*.dylib" -o -name "*.so")
codesign -f --timestamp --options runtime --sign 'Application' $(find build/macos/helper/ -name "*.dylib" -o -name "*.so")
# Sign the Python binary (if it exists), without entitlements:
codesign -f --timestamp --options runtime --sign 'Application' build/macos/ykman-rpc/Python
codesign -f --timestamp --options runtime --sign 'Application' build/macos/helper/Python
==== Signing the GUI
After signing the CLI, make a release build of the GUI and then re-sign it with
the Yubico key:
After signing the Helper, make a release build of the GUI and then re-sign it
with the Yubico key:
codesign --timestamp --options runtime --sign 'Application' --entitlements macos/Runner/Release.entitlements --deep "build/macos/Build/Products/Release/Yubico Authenticator.app"
@ -71,19 +71,19 @@ Choose the folder you just created.
=== Signing for the App Store
All binaries must have sandbox enabled for the Apple App Store, but the ykman
All binaries must have sandbox enabled for the Apple App Store, but the Helper
binary doesn't work when sandboxed AND hardened. Luckily, App Store binaries do
not need to be hardened. Thus, we need to sign the ykman executable with
not need to be hardened. Thus, we need to sign the Helper executable with
sandbox enabled, but NOT as a hardened build. The App Store build also uses a
different code signing key than the standalone distribution.
==== Signing the ykman CLI
Follow the same steps as for "standalone", with the exception of signing the `ykman` binary:
==== Signing the Yubico Authenticator Helper
Follow the same steps as for "standalone", with the exception of signing the `authenticator-helper` binary:
# Sign the main binary, with sandbox enabled, without hardened runtime:
codesign -f --timestamp --entitlements macos/ykman-sandbox.entitlements --sign 'Application' build/macos/ykman/ykman
codesign -f --timestamp --entitlements macos/helper-sandbox.entitlements --sign 'Application' build/macos/helper/authenticator-helper
NOTE: This sandboxed ykman will not run on its own, it has to be run as a
NOTE: This sandboxed Helper will not run on its own, it has to be run as a
subprocess to the main application.
Once you have the signed .app, (no Notarization required) build the package for AppStore submission:


@ -1,6 +1,6 @@
#!/usr/bin/env python3
from rpc import run_rpc_pipes, run_rpc_socket
from helper import run_rpc_pipes, run_rpc_socket
import socket
import sys


@ -5,7 +5,7 @@ block_cipher = None
a = Analysis(
["ykman-rpc.py"],
["authenticator-helper.py"],
pathex=[],
binaries=[],
datas=[],
@ -26,14 +26,14 @@ exe = EXE(
a.scripts,
[],
exclude_binaries=True,
name="ykman-rpc",
name="authenticator-helper",
icon="NONE",
debug=False,
bootloader_ignore_signals=False,
strip=False,
upx=True,
console=True,
manifest="ykman-rpc.exe.manifest",
manifest="authenticator-helper.exe.manifest",
version="version_info.txt",
disable_windowed_traceback=False,
target_arch=None,
@ -48,5 +48,5 @@ coll = COLLECT(
strip=False,
upx=True,
upx_exclude=[],
name="ykman-rpc",
name="helper",
)


@ -1,8 +1,12 @@
[tool.poetry]
name = "ykman-rpc"
name = "authenticator-helper"
version = "0.1.0"
description = "Yubico Authenticator helper app"
description = "Yubico Authenticator Helper"
authors = ["Dain Nilsson <dain@yubico.com>"]
packages = [
{ include = "helper" },
]
[tool.poetry.dependencies]
python = "^3.8"


@ -228,22 +228,22 @@ def log_stderr(stderr):
@click.command()
@click.argument("executable", nargs=-1)
def shell(executable):
"""A basic shell for interacting with the ykman rpc."""
rpc = subprocess.Popen( # nosec
executable or [sys.executable, "ykman-rpc.py"],
"""A basic shell for interacting with the Yubico Authenticator Helper."""
helper = subprocess.Popen( # nosec
executable or [sys.executable, "authenticator-helper.py"],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
encoding="utf8",
)
Thread(daemon=True, target=log_stderr, args=(rpc.stderr,)).start()
Thread(daemon=True, target=log_stderr, args=(helper.stderr,)).start()
click.echo("Shell starting...")
shell = RpcShell(rpc.stdin, cast(IO[str], rpc.stdout))
shell = RpcShell(helper.stdin, cast(IO[str], helper.stdout))
shell.cmdloop()
click.echo("Stopping...")
rpc.communicate()
helper.communicate()
if __name__ == "__main__":


@ -30,11 +30,11 @@ VSVersionInfo(
StringTable(
'040904b0',
[StringStruct('CompanyName', 'Yubico'),
StringStruct('FileDescription', 'YubiKey Manager RPC'),
StringStruct('FileDescription', 'Yubico Authenticator Helper'),
StringStruct('FileVersion', '4.1.0.0'),
StringStruct('LegalCopyright', 'Copyright (c) 2021 Yubico AB'),
StringStruct('OriginalFilename', 'ykman-rpc.exe'),
StringStruct('ProductName', 'YubiKey Manager'),
StringStruct('LegalCopyright', 'Copyright (c) 2022 Yubico AB'),
StringStruct('OriginalFilename', 'authenticator-helper.exe'),
StringStruct('ProductName', 'Yubico Authenticator'),
StringStruct('ProductVersion', '4.1.0.0')])
]),
VarFileInfo([VarStruct('Translation', [1033, 1200])])


@ -59,10 +59,10 @@ Future<Widget> initialize(List<String> argv) async {
}
}));
// Either use the _YKMAN_EXE environment variable, or look relative to executable.
var exe = Platform.environment['_YKMAN_PATH'];
// Either use the _HELPER_PATH environment variable, or look relative to executable.
var exe = Platform.environment['_HELPER_PATH'];
if (exe?.isEmpty ?? true) {
var relativePath = 'ykman-rpc/ykman-rpc';
var relativePath = 'helper/authenticator-helper';
if (Platform.isMacOS) {
relativePath = '../Resources/' + relativePath;
} else if (Platform.isWindows) {
@ -73,10 +73,10 @@ Future<Widget> initialize(List<String> argv) async {
.toFilePath();
}
_log.info('Starting subprocess: $exe');
_log.info('Starting Helper subprocess: $exe');
final rpc = RpcSession(exe!);
await rpc.initialize();
_log.info('ykman-rpc process started', exe);
_log.info('Helper process started', exe);
rpc.setLogLevel(Logger.root.level);
return ProviderScope(


@ -10,7 +10,7 @@ import 'package:yubico_authenticator/app/logging.dart';
import '../app/models.dart';
import 'models.dart';
final _log = Logger('rpc');
final _log = Logger('helper');
class Signaler {
final _send = StreamController<String>();
@ -92,7 +92,7 @@ class RpcSession {
static void _logEntry(String entry) {
try {
final record = jsonDecode(entry);
Logger('rpc.${record['name']}').log(
Logger('helper.${record['name']}').log(
_py2level[record['level']] ?? Level.INFO,
record['message'],
record['exc_text'],
@ -105,7 +105,7 @@ class RpcSession {
Future<void> initialize() async {
final process = await Process.start(executable, []);
_log.debug('RPC process started');
_log.debug('Helper process started');
process.stderr
.transform(const Utf8Decoder())
.transform(const LineSplitter())
@ -133,7 +133,7 @@ class RpcSession {
// Bind to random port
final server = await ServerSocket.bind(InternetAddress.loopbackIPv4, 0);
final port = server.port;
_log.debug('Listening for RPC connection on $port');
_log.debug('Listening for Helper connection on $port');
// Launch the elevated process
final process =
@ -150,15 +150,15 @@ class RpcSession {
.transform(const Utf8Decoder())
.transform(const LineSplitter())
.join('\n');
_log.warning('Failed to elevate RPC process', error);
_log.warning('Failed to elevate the Helper process', error);
return false;
}
_log.debug('Elevated RPC process started');
_log.debug('Elevated Helper process started');
// Accept only a single connection
final client = await server.first;
await server.close();
_log.debug('Client connected: $client');
_log.debug('Helper connected: $client');
// Stop the old subprocess.
try {
@ -174,12 +174,12 @@ class RpcSession {
// The nonce needs to be received first.
if (!authenticated) {
if (nonce == line) {
_log.debug('Client authenticated with correct nonce');
_log.debug('Helper authenticated with correct nonce');
authenticated = true;
completer.complete();
return '';
} else {
_log.warning('Client used WRONG NONCE: $line');
_log.warning('Helper used WRONG NONCE: $line');
client.close();
completer.completeError(Exception('Invalid nonce'));
throw Exception('Invalid nonce');


@ -115,5 +115,5 @@ if(NOT CMAKE_BUILD_TYPE MATCHES "Debug")
COMPONENT Runtime)
endif()
# Copy the ykman RPC
install(DIRECTORY "../build/linux/ykman-rpc" DESTINATION "${BUILD_BUNDLE_DIR}" USE_SOURCE_PERMISSIONS)
# Copy the Helper
install(DIRECTORY "../build/linux/helper" DESTINATION "${BUILD_BUNDLE_DIR}" USE_SOURCE_PERMISSIONS)
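Review bot: The renamed `install(DIRECTORY "../build/linux/helper" ...)` line still has no configure-time check that the Helper has actually been built, so a missing `build/linux/helper` only surfaces as an install-step error inside the Flutter bundle, with no hint that `build-helper.sh` must run first. Add, just above it, `if(NOT IS_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/../build/linux/helper")` / `message(FATAL_ERROR "Helper not found; run build-helper.sh before building the app")` / `endif()`. While touching the line, anchoring the source path on `${CMAKE_CURRENT_SOURCE_DIR}` instead of the bare relative `../build/linux/helper` makes the intent explicit and keeps the rule correct if this file is ever included from another directory. The surrounding `if(NOT CMAKE_BUILD_TYPE MATCHES "Debug")` block closes inside the hunk.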


@ -26,7 +26,7 @@
33CC10F32044A3C60003C045 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 33CC10F22044A3C60003C045 /* Assets.xcassets */; };
33CC10F62044A3C60003C045 /* MainMenu.xib in Resources */ = {isa = PBXBuildFile; fileRef = 33CC10F42044A3C60003C045 /* MainMenu.xib */; };
33CC11132044BFA00003C045 /* MainFlutterWindow.swift in Sources */ = {isa = PBXBuildFile; fileRef = 33CC11122044BFA00003C045 /* MainFlutterWindow.swift */; };
A549BDAB2747CBBE0016F37D /* ykman-rpc in Resources */ = {isa = PBXBuildFile; fileRef = A549BDAA2747CBBE0016F37D /* ykman-rpc */; };
A5DD3DBC2825505C001ACA3A /* helper in Resources */ = {isa = PBXBuildFile; fileRef = A5DD3DBB2825505C001ACA3A /* helper */; };
CCE73883AA6E76B42D34D392 /* Pods_Runner.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E5437883A25FD13EEA6A730E /* Pods_Runner.framework */; };
/* End PBXBuildFile section */
@ -71,7 +71,7 @@
6EAF9B998D311C2D6DD1409C /* Pods-Runner.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Runner.debug.xcconfig"; path = "Target Support Files/Pods-Runner/Pods-Runner.debug.xcconfig"; sourceTree = "<group>"; };
7AFA3C8E1D35360C0083082E /* Release.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = Release.xcconfig; sourceTree = "<group>"; };
9740EEB21CF90195004384FC /* Debug.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = Debug.xcconfig; sourceTree = "<group>"; };
A549BDAA2747CBBE0016F37D /* ykman-rpc */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "ykman-rpc"; path = "../build/macos/ykman-rpc"; sourceTree = "<group>"; };
A5DD3DBB2825505C001ACA3A /* helper */ = {isa = PBXFileReference; lastKnownFileType = folder; name = helper; path = ../build/macos/helper; sourceTree = "<group>"; };
E5437883A25FD13EEA6A730E /* Pods_Runner.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_Runner.framework; sourceTree = BUILT_PRODUCTS_DIR; };
F18D61C5361D1EF615E824EE /* Pods-Runner.profile.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Runner.profile.xcconfig"; path = "Target Support Files/Pods-Runner/Pods-Runner.profile.xcconfig"; sourceTree = "<group>"; };
FFD2BDD751CD366AEDC4D417 /* Pods-Runner.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Runner.release.xcconfig"; path = "Target Support Files/Pods-Runner/Pods-Runner.release.xcconfig"; sourceTree = "<group>"; };
@ -122,7 +122,7 @@
33CC11242044D66E0003C045 /* Resources */ = {
isa = PBXGroup;
children = (
A549BDAA2747CBBE0016F37D /* ykman-rpc */,
A5DD3DBB2825505C001ACA3A /* helper */,
33CC10F22044A3C60003C045 /* Assets.xcassets */,
33CC10F42044A3C60003C045 /* MainMenu.xib */,
33CC10F72044A3C60003C045 /* Info.plist */,
@ -248,8 +248,8 @@
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
A549BDAB2747CBBE0016F37D /* ykman-rpc in Resources */,
33CC10F32044A3C60003C045 /* Assets.xcassets in Resources */,
A5DD3DBC2825505C001ACA3A /* helper in Resources */,
33CC10F62044A3C60003C045 /* MainMenu.xib in Resources */,
);
runOnlyForDeploymentPostprocessing = 0;


@ -17,5 +17,5 @@ target_include_directories(${BINARY_NAME} PRIVATE "${CMAKE_SOURCE_DIR}")
add_dependencies(${BINARY_NAME} flutter_assemble)
# This can probably be done in a cleaner way.
file(COPY "../../build/windows/ykman-rpc" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/Release")
file(COPY "../../build/windows/ykman-rpc" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/Debug")
file(COPY "../../build/windows/helper" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/Release")
file(COPY "../../build/windows/helper" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/Debug")
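Review bot: The two renamed `file(COPY ...)` lines copy the Helper at configure time, not build time, so rebuilding the Helper after the first `flutter build windows` leaves a stale copy under `Release`/`Debug` until CMake is re-run, and the Debug copy is made even when only Release is built; the existing "This can probably be done in a cleaner way" comment points at exactly this. A `POST_BUILD` custom command on `${BINARY_NAME}` copies into whichever configuration directory is being built, which keeps the Windows workflow's `$dest\helper\*.dll` moves working since `$<TARGET_FILE_DIR>` resolves to `build\windows\runner\Release` there. The path is also anchored on `${CMAKE_CURRENT_SOURCE_DIR}` rather than a bare relative path.

```cmake
add_dependencies(${BINARY_NAME} flutter_assemble)

# Copy the Helper next to the runner for the configuration being built,
# at build time, so a rebuilt Helper is picked up without reconfiguring.
add_custom_command(TARGET ${BINARY_NAME} POST_BUILD
  COMMAND ${CMAKE_COMMAND} -E copy_directory
          "${CMAKE_CURRENT_SOURCE_DIR}/../../build/windows/helper"
          "$<TARGET_FILE_DIR:${BINARY_NAME}>/helper"
  VERBATIM
)
```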