MacOS M1 ARM support

Open MattElek opened this issue 2 years ago • 18 comments

  • YubiKey Manager version: 1.2.4
  • How was it installed?: Homebrew
  • Operating system and version: MacOS 12.0.1
  • YubiKey model and version: YubiKey 5C NFC
  • Feature request summary: Currently, yubikey-manager-qt is only built for MacOS x86, and not MacOS M1 ARM. It would be great to see a build of YubiKey Manager that could run natively on ARM Macs, without the use of Rosetta 2 x86 translation.

Other info

This issue was raised here separately on the wrong repo, I thought I'd create an issue on the correct repo for completion.

MattElek avatar Dec 04 '21 23:12 MattElek

+1

I was able to get it built and running, but I had to first build qt 5 from source.

nehalvpatel avatar Dec 23 '21 00:12 nehalvpatel

Still no official build available :/

tied avatar Jun 13 '22 21:06 tied

Apple Silicon is already in the middle of its second iteration.. could we expect a native release without Rosetta2? Thank you.

ivwang avatar Feb 16 '23 05:02 ivwang

> Apple Silicon is already in the middle of its second iteration.. could we expect a native release without Rosetta2? Thank you.

Running with Rosetta 2 opens Apple Silicon Macs to existing malware built for x86_64. Furthermore, it voids the code-signature-based security mechanisms in recent macOS releases.

Due to the nature of Rosetta translation, modification of on-disk binaries again becomes a valid attack vector; it is more desirable that yubikey-manager-qt is not affected by this class of attack.

For more information on the security implications of Rosetta 2 translation, refer to SentinelOne's report.

Thank you

ivwang avatar Feb 22 '23 13:02 ivwang

ykman CLI is a temporary Rosetta-free option on Apple Silicon:

brew install ykman

https://docs.yubico.com/software/yubikey/tools/ykman/

robdew avatar Mar 17 '23 14:03 robdew

Seriously, we are almost 3 years into the transition and still no official arm64 build?

sebdanielsson avatar Mar 28 '23 13:03 sebdanielsson

Ready when you are, Yubico

jdtangney avatar Mar 30 '23 00:03 jdtangney

Wow, it's been almost 2 years since this issue was opened, and still, the official YubiKey Manager app can only be opened with Rosetta on Apple Silicon Macs.. They have YubiKeys that support the Lightning port and the possibility to secure your Apple ID with YubiKeys, but they don't manage to release a YubiKey Manager version for M1/M2 Macs... 🙂🙂🙂🙂

fschlegelone avatar Jul 23 '23 23:07 fschlegelone

It shows us how Yubico works with the latest technologies. Very bad, with a very bad public image. I have not installed Rosetta 2; I don't want garbage on my Mac (garbage = x86/64 binaries). I look on Rosetta 2 as an unsupported platform. Officially, ARM64 is supported; Rosetta 2 should help with the transition only!!!! (What happened with Rosetta 1? It was removed by Apple from its systems, along with any further use of Rosetta 1, so I look on it as an unsupported platform, better not to use it.) By this rule I have seen how companies on the market are dealing with ARM64 support. I can say it out loud: whoever does not have an ARM64 build at this time is a big market loser. Sorry, but it is so. You work with security? Huh.... Really? It doesn't look like it...

svitakj avatar Jul 31 '23 08:07 svitakj

Hello,

Any news on the support of Apple ARM64 ?

Thanks

AntoineHus avatar Oct 31 '23 10:10 AntoineHus

I'm afraid we likely won't be targeting Apple Silicon for this tool as we are in the process of transitioning to Yubico Authenticator as a full replacement. The current version of Yubico Authenticator (6.3) runs natively on Apple Silicon and is capable of doing everything this tool does except for Yubico OTP configuration at this time, which is something we're working on addressing. In addition Yubico Authenticator supports multiple connected YubiKeys, configuration over NFC, additional configuration options and more. If possible for your use-case I would recommend transitioning to that tool as a replacement.

dainnilsson avatar Oct 31 '23 12:10 dainnilsson

> I'm afraid we likely won't be targeting Apple Silicon for this tool as we are in the process of transitioning to Yubico Authenticator as a full replacement. The current version of Yubico Authenticator (6.3) runs natively on Apple Silicon and is capable of doing everything this tool does except for Yubico OTP configuration at this time, which is something we're working on addressing. In addition Yubico Authenticator supports multiple connected YubiKeys, configuration over NFC, additional configuration options and more. If possible for your use-case I would recommend transitioning to that tool as a replacement.

I tested it today and the button "Setup for macOS" for PIV does not show up on the GUI. I have M2 Pro and upgraded to Sonoma. Yubikey firmware version 5.4.3.

iog-io avatar Jan 04 '24 11:01 iog-io

> I tested it today and the button "Setup for macOS" for PIV does not show up on the GUI.

Yes, we've been discussing if this feature is really needed or not. It's relatively easy to accomplish this manually by generating certificates in the Authentication (9a) and Key Management (9d) slots. When removing and inserting the YubiKey again macOS will ask you to pair the inserted SmartCard from a notification. An advantage is that you're in control of what you're generating and can for example decide yourself on expiration date etc. The downside is of course that it might not be completely obvious that you can set it up like this. Hope this helps!

braathen avatar Jan 04 '24 15:01 braathen
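
The manual setup described in the comment above, written out with the ykman CLI mentioned earlier in the thread. This is an added example, not code from the thread or from Yubico; the subject name, validity period and public-key file location are assumptions.

```sh
#!/bin/sh
# Added example: manual PIV setup for macOS smart-card pairing with ykman.
# Dry run by default (commands are printed); RUN=1 executes them and ykman
# then prompts for the PIV management key and PIN.

# Print one command, or execute it when RUN=1.
run() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# piv_slot_setup SLOT SUBJECT DAYS OUTDIR
# Generates a key pair in SLOT, then a self-signed certificate for it.
piv_slot_setup() {
    slot=$1; subject=$2; days=$3; dir=$4
    case $slot in
        9a|9d) ;;   # Authentication and Key Management, as in the comment
        *) echo "unsupported slot: $slot" >&2; return 2 ;;
    esac
    case $days in
        ''|*[!0-9]*) echo "validity must be a number of days" >&2; return 2 ;;
    esac
    pub="$dir/piv-$slot-pub.pem"   # assumed file name for the exported public key
    run ykman piv keys generate "$slot" "$pub" || return 1
    run ykman piv certificates generate --subject "$subject" \
        --valid-days "$days" "$slot" "$pub" || return 1
}

# piv_macos_setup SUBJECT DAYS OUTDIR: both slots, stopping at the first failure.
piv_macos_setup() {
    piv_slot_setup 9a "$1" "$2" "$3" && piv_slot_setup 9d "$1" "$2" "$3"
}

# Constructed sample values: prints the four commands for review.
piv_macos_setup "CN=example-user" 365 "${TMPDIR:-/tmp}"
```

After a real run (RUN=1), remove and reinsert the YubiKey so that macOS shows the pairing notification the comment refers to.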

> Yes, we've been discussing if this feature is really needed or not. It's relatively easy to accomplish this manually by generating certificates in the Authentication (9a) and Key Management (9d) slots. When removing and inserting the YubiKey again macOS will ask you to pair the inserted SmartCard from a notification. An advantage is that you're in control of what you're generating and can for example decide yourself on expiration date etc. The downside is of course that it might not be completely obvious that you can set it up like this. Hope this helps!

It works perfectly. Many thanks.

iog-io avatar Jan 04 '24 17:01 iog-io

So as far as I understood from several postings and the yubico page, the plan is that the Yubikey Manager and the Yubikey Personalization Tool are both getting deprecated sooner or later and that's why there is no priority on working on the mac arm64 support for these 2 tools. The yubico authenticator already runs on arm64 macs and in general, that vision is pretty nice, but let's see how long such a migration will take.. And I guess for the max. 32 OTP Tokens per Yubikey there is no software solution possible because it's hardware related right? okay okay okay. intriguing ^^

fschlegelone avatar Jan 25 '24 02:01 fschlegelone

@fschlegelone you are right that the 32 TOTP's are hardware limited (much to my frustration as I need to carry 3 YubiKeys!).

Where did you see that YubiKey Manager will be deprecated? I believe I read that YubiKey Personalization Tool will be (or already has been) deprecated. But as far as I am aware, there are things that only ykman can do and there is no alternative (please correct me if I'm wrong).

del-leehopper avatar Jan 25 '24 08:01 del-leehopper

To clarify: YubiKey Manager CLI (ykman) has arm64 support on Mac, is actively developed, and there are no plans on deprecating it. YubiKey Manager GUI is however being replaced by Yubico Authenticator, once the remaining missing features have been added to it.

About the 32 account limitation, it is correct that this limitation is in the key itself.

dainnilsson avatar Jan 25 '24 09:01 dainnilsson

@del-leehopper https://github.com/Yubico/yubikey-manager-qt/issues/313#issuecomment-1787169094 Right here in this issue thread 😆

fschlegelone avatar Jan 25 '24 12:01 fschlegelone