Hacker News new | ask | show | jobs
by AceJohnny2 164 days ago
Thanks! In your change https://github.com/tailscale/tailscale/pull/18336 you mention:

> There's also tailscaled-on-macOS, but it won't have a TPM or Keychain bindings anyway.

Do you mean that on macOS, tailscaled does not and has never leveraged equivalent hardware-attestation functionality from the SEP? (Assuming such functionality is available)
1 comments
cronos 164 days ago
On macOS we have 3 ways to run Tailscale: https://tailscale.com/kb/1065/macos-variants Two of them have a GUI component and use the Keychain to store their state.

The third one is just the open-source tailscaled binary that you have to compile yourself, and it doesn't talk to the Keychain. It stores a plaintext file on disk like the Linux variant without state encryption. Unlike the GUI variants, this one is not a Swift program that can easily talk to the Keychain API.

link
cyberax 164 days ago
You don't need Swift to use the Keychain API. It's doable from pure C.
link
johncolanduoni 164 days ago
In fact, SecurityFramework doesn’t have a real Swift/Obj-C API. The relevant functions are all direct bindings to C ABIs (just with wrappers around the CoreFoundation types).
link
lloeki 164 days ago
> The third one is just the open-source tailscaled binary that you have to compile yourself, and it doesn't talk to the Keychain.

I use this one (via nix-darwin) because it has the nice property of starting as a systemwide daemon outside of any user context, which in turn means that it has no (user) keychain to access (there are some conundrums between accessing such keychains and "GUI" i.e user login being needed, irrespective of C vs Swift or whatever).

Maybe it _could_ store things in the system keychain? But I'm not entirely sure what the gain would be when the intent is to have tailscale access through fully unattended reboots.

link
cronos 164 days ago
Good to know, my understanding of the macOS system APIs is fairly limited. I'm sure it's doable, with some elbow grease and CGO. We just haven't prioritized that variant of the client due to relatively low usage.
link
cyberax 163 days ago
If you want to avoid Cgo, you can use https://github.com/ebitengine/purego or Goffi to call the native functions. It's a bit cursed, but works.
link
reader9274 164 days ago
Only one of the ways uses Keychain per that page.
link
cronos 164 days ago
Ah, looks like another KB update is needed, thanks for calling it out!
link