docs: update docs regarding @env:AC_PASSWORD

README.md

@@ -148,7 +148,6 @@ bundle_id = "com.mitchellh.example.terraform"
 
 apple_id {
   username = "[email protected]"
-  password = "@env:AC_PASSWORD"
   provider = "UL304B4VGY"
 }
 
@@ -172,7 +171,6 @@ zip {
     "bundle_id" : "com.mitchellh.example.terraform",
     "apple_id": {
         "username" : "[email protected]",
-        "password":  "@env:AC_PASSWORD",
         "provider":  "UL304B4VGY"
     },
     "sign" :{
@@ -207,14 +205,9 @@ Supported configurations:
     * `username` (`string`) - The Apple ID username, typically an email address.
       This will default to the `AC_USERNAME` environment variable if not set.
 
-    * `password` (`string`) - The password for the associated Apple ID. This can be
-      specified directly or using `@keychain:<name>` or `@env:<name>` to avoid
-      putting the plaintext password directly in a configuration file. The `@keychain:<name>`
-      syntax will load the password from the macOS Keychain with the given name.
-      The `@env:<name>` syntax will load the password from the named environmental
-      variable. If this value isn't set, we'll attempt to use the `AC_PASSWORD`
-      environment variable as a default.
-
+    * `password` (`string`) - The password for the associated Apple ID.
+      This will default to the `AC_PASSWORD` environment variable if not set.
+
       **NOTE**: If you have 2FA enabled, the password must be an application password, not
       your normal apple id password. See [Troubleshooting](#troubleshooting) for details.
 
@@ -298,7 +291,6 @@ notarize {
 
 apple_id {
   username = "[email protected]"
-  password = "@env:AC_PASSWORD"
 }
 ```
 
@@ -312,7 +304,6 @@ apple_id {
 
   "apple_id": {
      "username": "[email protected]",
-     "password": "@env:AC_PASSWORD"
   }
 }
 ```

cmd/gon/main.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"flag"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"strings"
 	"sync"
@@ -51,7 +51,7 @@ func realMain() int {
 	args := flags.Args()
 
 	// Build a logger
-	logOut := ioutil.Discard
+	logOut := io.Discard
 	if logLevel != "" {
 		logOut = os.Stderr
 	}
@@ -160,7 +160,8 @@ func realMain() int {
 	}
 
 	if cfg.AppleId.Password == "" {
-		if _, ok := os.LookupEnv("AC_PASSWORD"); !ok {
+		appleIdPassword, ok := os.LookupEnv("AC_PASSWORD")
+		if !ok {
 			color.New(color.Bold, color.FgRed).Fprintf(os.Stdout, "❗️ No apple_id password provided\n")
 			color.New(color.FgRed).Fprintf(os.Stdout,
 				"An Apple ID password (or lookup directive) must be specified in the\n"+
@@ -169,8 +170,9 @@ func realMain() int {
 			return 1
 		}
 
-		cfg.AppleId.Password = "@env:AC_PASSWORD"
+		cfg.AppleId.Password = appleIdPassword
 	}
+
 	if cfg.AppleId.Provider == "" {
 		cfg.AppleId.Provider = os.Getenv("AC_PROVIDER")
 	}

internal/config/config.go

@@ -36,11 +36,8 @@ type AppleId struct {
 	// be read from the environment via AC_USERNAME if not specified via config.
 	Username string `hcl:"username,optional"`
 
-	// Password is the password for your AC account. This also accepts
-	// two additional forms: '@keychain:<name>' which reads the password from
-	// the keychain and '@env:<name>' which reads the password from an
-	// an environmental variable named <name>. If omitted, it has the same effect
-	// as passing '@env:AC_PASSWORD'.
+	// Password associated to your Apple ID. This is required, but will
+	// be read from the environment via AC_PASSWORD if not specified via config.
 	Password string `hcl:"password,optional"`
 
 	// Provider is the AC provider. This is optional and only needs to be

notarize/notarize.go

@@ -19,9 +19,7 @@ type Options struct {
 	// DeveloperId is your Apple Developer Apple ID.
 	DeveloperId string
 
-	// Password is your Apple Connect password. This must be specified.
-	// This also supports `@keychain:<value>` and `@env:<value>` formats to
-	// read from the keychain and environment variables, respectively.
+	// Password is the password associated to your Apple Developer Apple ID.
 	Password string
 
 	// Provider is the Apple Connect provider to use. This is optional