arm64 binary does not detect Mac OS keychain #758

Closed
ajardan opened this issue Mar 25, 2021 · 7 comments · Fixed by #760

@ajardan

ajardan commented Mar 25, 2021

  • [*] I am using the latest release of AWS Vault
  • [*] I have provided my .aws/config (redacted if necessary)
  • [*] I have provided the debug output using aws-vault --debug (redacted if necessary)

I upgraded aws-vault today, and brew installed the arm64 binary (yay!), but seems like it does not work:

$ file aws-vault
aws-vault: Mach-O 64-bit executable arm64
$ aws-vault list
aws-vault: error: Specified keyring backend not available, try --help
$ aws-vault help 2>&1| grep backend
  --backend=pass             Secret backend to use [pass file]

The x86_64 binary still works fine:

$ file aws-vault_amd64
aws-vault_amd64: Mach-O 64-bit executable x86_64
$ aws-vault_amd64 list
Profile                  Credentials              Sessions
=======                  ===========              ========
profname                   profname                   -

AWS config:

[profile profname]
region = us-east-1
credential_source = Environment

Debug:

$ aws-vault list --debug
2021/03/25 15:16:29 aws-vault v6.3.0
2021/03/25 15:16:29 [keyring] Considering backends: [pass]
2021/03/25 15:16:29 [keyring] Failed backend pass: The pass program is not available
aws-vault: error: Specified keyring backend not available, try --help

@ajardan changed the title from "M1 binary does not detect Mac OS keychain" to "arm64 binary does not detect Mac OS keychain" Mar 25, 2021
@elyalvarado

I can confirm the same behaviour on a MacBook Pro M1, using aws-vault v6.3.0

@bazbremner
Contributor

bazbremner commented Mar 25, 2021

I've also been bitten by the original issue.

However: I cloned the repo, built both master and v6.3.0 and the resultant binary seems functional:

$ git checkout v6.3.0
Note: switching to 'v6.3.0'.
...
HEAD is now at 33255ec Update dmg script to report errors when encountered
$ make aws-vault-darwin-arm64
GOOS=darwin GOARCH=arm64 go build -ldflags="-X main.Version=v6.3.0" -trimpath -o aws-vault-darwin-arm64 .
$ ./aws-vault-darwin-arm64 --debug
2021/03/25 17:24:08 aws-vault v6.3.0
usage: aws-vault [<flags>] <command> [<args> ...]

A vault for securely storing and accessing AWS credentials in development environments.

Flags:
  --help                     Show context-sensitive help (also try --help-long and --help-man).
  --version                  Show application version.
  --debug                    Show debugging output
  --backend=keychain         Secret backend to use [keychain pass file] ($AWS_VAULT_BACKEND)
  --prompt=terminal          Prompt driver to use [kdialog osascript pass terminal ykman zenity] ($AWS_VAULT_PROMPT)
  --keychain="aws-vault"     Name of macOS keychain to use, if it doesn't exist it will be created ($AWS_VAULT_KEYCHAIN_NAME)
  --secret-service-collection="awsvault"
                             Name of secret-service collection to use, if it doesn't exist it will be created ($AWS_VAULT_SECRET_SERVICE_COLLECTION_NAME)
  --pass-dir=PASS-DIR        Pass password store directory ($AWS_VAULT_PASS_PASSWORD_STORE_DIR)
  --pass-cmd=PASS-CMD        Name of the pass executable ($AWS_VAULT_PASS_CMD)
  --pass-prefix=PASS-PREFIX  Prefix to prepend to the item path stored in pass ($AWS_VAULT_PASS_PREFIX)
...

Obviously this is a handy workaround, and suggests there's nothing wrong with the code, but I've not worked out why the released binaries (in my case via homebrew) are missing keychain support.

@mtibben
Member

mtibben commented Mar 25, 2021

Interesting... perhaps because I'm cross-compiling?

@bazbremner
Contributor

Yup, that looks like that's it. I cross-compiled v6.3.0 and master for arm64 on an Intel MBP running Catalina, copied the binary over to an M1 Mac Mini (on Big Sur, of course) and...no keychain included in backends.

$ ./aws-vault-darwin-arm64 --debug
2021/03/25 23:26:08 aws-vault v6.3.0
usage: aws-vault [<flags>] <command> [<args> ...]

A vault for securely storing and accessing AWS credentials in development environments.

Flags:
  --help                     Show context-sensitive help (also try --help-long and --help-man).
  --version                  Show application version.
  --debug                    Show debugging output
  --backend=pass             Secret backend to use [pass file] ($AWS_VAULT_BACKEND)
  --prompt=terminal          Prompt driver to use [kdialog osascript pass terminal ykman zenity] ($AWS_VAULT_PROMPT)
  --keychain="aws-vault"     Name of macOS keychain to use, if it doesn't exist it will be created ($AWS_VAULT_KEYCHAIN_NAME)
  --secret-service-collection="awsvault"
                             Name of secret-service collection to use, if it doesn't exist it will be created ($AWS_VAULT_SECRET_SERVICE_COLLECTION_NAME)
  --pass-dir=PASS-DIR        Pass password store directory ($AWS_VAULT_PASS_PASSWORD_STORE_DIR)
  --pass-cmd=PASS-CMD        Name of the pass executable ($AWS_VAULT_PASS_CMD)
  --pass-prefix=PASS-PREFIX  Prefix to prepend to the item path stored in pass ($AWS_VAULT_PASS_PREFIX)
...

Now, the fun bit will be working out why.

@mtibben
Member

mtibben commented Mar 25, 2021

it might be this 99designs/keyring@756c48d

bazbremner added a commit to bazbremner/aws-vault that referenced this issue Mar 26, 2021
This is an attempt to fix a lack of keychain support in darwin/arm64
binaries that have been cross-compiled on other platforms as described
in 99designs#758 and hinted at in
the linked
99designs/keyring@756c48d

Given the keychain support from keyring[1] is provided by cgo, and CGO
is disabled by default in cross-compilation, we need to enable that,
and deal with dev tooling/libraries.

I dug this solution from the Go issues, specifically
golang/go#44112

Be warned, I am not familiar with the ins and outs of Go compilation,
especially when it comes to cross-compilation of CGO code, but at
least in this case, this change allows for a functional cross-compiled
binary.

I fully expect that attempting to cross-compile darwin/arm64 on
anything other than darwin/amd64 (or the opposite way around) is going
to end badly.

[1] https://github.com/99designs/keyring
@bazbremner
Contributor

#760 appears to Work For Me™, but as mentioned on the PR, it definitely needs eyes from someone with more of an idea of Go generally, Go/CGO cross-compilation and perhaps most importantly the release process for aws-vault.

@ajardan
Author

ajardan commented Mar 30, 2021

@bazbremner thank you for the quick fix !
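
A release-time check for the failure discussed in this thread, as an added example that is not part of the original issue or the aws-vault project: it reads the backend list from the `--help` text and reports when `keychain` is absent, so a cross-compiled build that only offers `pass` and `file` is caught before it is published. The function names are hypothetical; the two sample lines are copied from the help output quoted in the comments above.

```shell
#!/bin/sh
# Added example (not aws-vault project code); function names are hypothetical.

# Sample --help lines taken from the two builds quoted in this thread.
NATIVE_HELP='  --backend=keychain         Secret backend to use [keychain pass file] ($AWS_VAULT_BACKEND)'
CROSS_HELP='  --backend=pass             Secret backend to use [pass file] ($AWS_VAULT_BACKEND)'

# Print the space-separated backend list from help text read on stdin.
backends_from_help() {
    sed -n 's/^[[:space:]]*--backend=.*Secret backend to use \[\([^]]*\)].*/\1/p' | head -n 1
}

# has_backend HELP_TEXT NAME: succeed only if NAME is an exact list entry.
has_backend() {
    for b in $(printf '%s\n' "$1" | backends_from_help); do
        if [ "$b" = "$2" ]; then return 0; fi
    done
    return 1
}

# check_release_binary PATH NAME: run the built binary and apply the check.
# Help text may go to stderr and the exit status may be non-zero, so both
# streams are captured and the status is ignored.
check_release_binary() {
    help_text=$("$1" --help 2>&1) || true
    if has_backend "$help_text" "$2"; then
        echo "OK: $1 offers the $2 backend"
    else
        echo "FAIL: $1 lacks $2 (offers: $(printf '%s\n' "$help_text" | backends_from_help))" >&2
        return 1
    fi
}

# Demonstration on the samples; in a release script call e.g.
#   check_release_binary ./aws-vault-darwin-arm64 keychain
for sample in "$NATIVE_HELP" "$CROSS_HELP"; do
    if has_backend "$sample" keychain; then
        echo "keychain present: [$(printf '%s\n' "$sample" | backends_from_help)]"
    else
        echo "keychain MISSING: [$(printf '%s\n' "$sample" | backends_from_help)]"
    fi
done
```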
