Max Goedjen
Oh interesting, didn't realize yubikey-agent wasn't their app (but instead by our friend @FiloSottile) – I'll have to play with that when I have a test key handy.
Definitely could be the policies. Peeking in the source, I don't see anything that should make it incompatible, I'll have to try it out a bit more.
@dlgoodr I just use their tool (I think this is the latest one? They have a few https://www.yubico.com/support/download/yubikey-personalization-tools/). So long as you use the right key type there (ec) then...
I spent a tiny bit of time debugging this and afaict just sometimes the way the key gets set up by `yubikey-setup` doesn't report as a PIV token to macOS....
Seems fairly consistent: If I erase the key -> setup from clean state with yubikey-agent, `TKTokenWatcher` doesn't see the key. If I erase the key -> set up a key...
Hm that's odd. Just to cover bases, try rebooting yet? Not ideal but sometimes macOS gets a bit confused and launchd starts having issues.
Is the intent to actually _deny_ those requests the ability to sign? Or just to not trigger a notification?
@zviratko how do you see that working? Would it be like included with the signature or something?
🤔 is there any way to link a key to the attestation though? ie what's to stop me from making Key A in Secretive, copying an attestation blob from Secretive,...
[at least from my reading of the attestation docs, it doesn't look like there's any way to entangle that with an input payload at all]