github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9b8e4d17640407e6a99ef679a4ff991c7f6884db
firezone/swift/apple
History
Jamil ac608d560a refactor(apple): Migrate firezone-id file to keychain (#7464) 
Unlike the App extension which runs as the user, the system extension
introduced in macOS client 1.4.0 runs as `root` and thus cannot read the
App Group container directory for the GUI process. However, both
processes can read and write to the shared Keychain, which is how we
pass the token between the two processes already.

This PR does two things:

1. Tries to read an existing `firezone-id` from the pre-1.4.0 App Group
container upon app launch. This needs to be done from the GUI process.
If found, it stores it in the Keychain.
1. Refactors the `firezone-id` to be stored in the Keychain instead of a
plaintext file going forward.

The Keychain API is also cleaned up and abstracted to be more ergonomic
to use for both Token and Firezone ID storage purposes.
2024-12-09 03:17:46 +00:00
..
Firezone
refactor(apple): Migrate firezone-id file to keychain (#7464)
2024-12-09 03:17:46 +00:00
Firezone.xcodeproj
chore: bump client versions to 1.4.0 (#7092)
2024-12-04 19:48:51 +00:00
FirezoneKit
refactor(apple): Migrate firezone-id file to keychain (#7464)
2024-12-09 03:17:46 +00:00
FirezoneNetworkExtension
refactor(apple): Migrate firezone-id file to keychain (#7464)
2024-12-09 03:17:46 +00:00
.gitignore
Refactor xcconfig structure (#2333)
2023-10-16 19:02:12 +00:00
.swiftformat
Bring in apple client into monorepo (#1737)
2023-07-07 10:37:24 -07:00
cleanup.sh
Integrate connlib build into apple build (#1759)
2023-07-13 05:23:24 +00:00
copy_generated_connlib_files.sh
chore(ci): enforce shellscript formatting and style (#3679)
2024-02-21 01:01:32 +00:00
LICENSE
chore: Update copyright date (#4044)
2024-03-08 01:55:27 +00:00
lint.sh
chore(ci): enforce shellscript formatting and style (#3679)
2024-02-21 01:01:32 +00:00
Makefile
Bring in apple client into monorepo (#1737)
2023-07-07 10:37:24 -07:00
PrivacyInfo.xcprivacy
chore(connlib): Add PrivacyManifest (#4400)
2024-03-29 23:28:36 -07:00
README.md
refactor(apple/macos): Use System Extension packaging mode for macOS Network Extension (#7344)
2024-12-04 05:34:25 +00:00

README.md

Firezone Apple Client

Firezone clients for macOS and iOS.

Pre-requisites

  1. Rust: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  2. Request your Firezone email added to our Apple Developer Account
  3. Open Xcode, go to Settings -> Account and log in.

If you're working on the macOS client, you'll need to disable SIP and enable system extension development mode:

  1. Follow these instructions to disable SIP.
  2. After that's complete, turn on system extension development mode:
systemextensionsctl developer on

This will prevent macOS from blocking the Network Extension from loading due to notarization or filepath restrictions.

Be sure to re-enable SIP to test the app in a production-like environment.

You may consider using a macOS VM (such as Parallels Desktop) to develop the macOS client, as it's easier to disable SIP, take snapshots, and muck around with your system configuration without risking your main machine.

Building

  1. Add required Rust targets:

    Ensure you've activated the correct toolchain version for your local environment with rustup default <toolchain> (find this from /rust/rust-toolchain.toml file), then run:

    rustup target add aarch64-apple-ios aarch64-apple-darwin x86_64-apple-darwin

  2. Clone this repo:

    git clone https://github.com/firezone/firezone

  3. cd to the Apple clients code

    cd swift/apple

  4. Copy an appropriate xcconfig:

If building for Development, the debug.xcconfig should work out-of-the-box.

cp Firezone/xcconfig/debug.xcconfig Firezone/xcconfig/config.xcconfig
vim Firezone/xcconfig/config.xcconfig
  1. Open project in Xcode:
open Firezone.xcodeproj
  1. Build and run the Firezone target.

Debugging

This Network Extension debugging guide is a great resource to use as a starting point.

Debugging on iOS simulator

Network Extensions can't be debugged in the iOS simulator, so you'll need a physical iOS device to develop the iOS build on.

NetworkExtension not loading (macOS)

If the tunnel fails to come up after signing in, it can be for a large number of reasons. Here are some of the more common ones:

Try clearing your LaunchAgent db:

/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -delete

Note: You MUST reboot after doing this!

Outdated version of NetworkExtension loading

If you're making changes to the Network Extension and it doesn't seem to be reflected when you run/debug, it could be that PluginKit is still launching your old NetworkExtension. Try this to remove it:

pluginkit -v -m -D -i <bundle-id>
pluginkit -a <path>
pluginkit -r <path>

Cleaning up

Occasionally you might encounter strange issues where it seems like the artifacts being debugged don't match the code, among other things. In these cases it's good to clean up using one of the methods below.

Resetting Xcode package cache

Removes cached packages, built extensions, etc.

rm -rf ~/Library/Developer/Xcode/DerivedData

Removing build artifacts

To cleanup Swift build objects:

cd swift/apple
./cleanup.sh

To cleanup both Swift and Rust build objects:

cd swift/apple
./cleanup.sh all

Wiping connlib log directory

rm -rf $HOME/Library/Group\ Containers/47R2M6779T.dev.firezone.firezone/Library/Caches/logs/connlib

Clearing the Keychain item

Sometimes it's helpful to be able to test how the app behaves when the keychain item is missing. You can remove the keychain item with the following command:

security delete-generic-password -s "dev.firezone.firezone"

Generating new signing certificates and provisioning profiles

Certs are only good for a year, then you need to generate new ones. Since we use GitHub CI, we have to use manually-managed signing and provisioning. Here's how you populate the required GitHub secrets.

Note: Be sure to enter these variables for Dependabot as well, otherwise its CI runs will fail.

Certificates

You first need two certs: The build / signing cert (Apple Distribution) and the installer cert (Mac Installer Distribution). You can generate these in the Apple Developer portal.

These are the secrets in GH actions:

APPLE_BUILD_CERTIFICATE_BASE64
APPLE_BUILD_CERTIFICATE_P12_PASSWORD
APPLE_MAC_INSTALLER_CERTIFICATE_BASE64
APPLE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD

How to do it:

  1. Go to Apple Developer
  2. Click the "+" button to generate a new distribution certificate for App Store
  3. It will ask for a CSR. Open Keychain Access, go to Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority and follow the prompts. Make sure to select "save to disk" to save the CSR.
  4. Upload the CSR to Apple Developer. Download the resulting certificate. Double-click to install it in Keychain Access.
  5. Right-click the cert in Keychain access. Export the certificate, choose p12 file. Make sure to set a password -- this is the APPLE_BUILD_CERTIFICATE_P12_PASSWORD.
  6. Convert the p12 file to base64: 
    cat cert.p12 | base64
  7. Save the base64 output as APPLE_BUILD_CERTIFICATE_BASE64.

Repeat the steps above but choose "Mac Installer certificate" instead of "distribution certificate" in step 2, and save the resulting base64 and password as APPLE_MAC_INSTALLER_CERTIFICATE_BASE64 and APPLE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD.

Provisioning profiles

APPLE_IOS_APP_PROVISIONING_PROFILE
APPLE_IOS_NE_PROVISIONING_PROFILE
APPLE_MACOS_APP_PROVISIONING_PROFILE
APPLE_MACOS_NE_PROVISIONING_PROFILE
  1. Go to Apple Developer
  2. Click the "+" button to generate a new provisioning profile for App Store
  3. Select the appropriate app ID and distribution certificate you just created. You'll need a provisioning profile for each app and network extension, so 4 total (mac app, mac network extension, ios app, ios network extension).
  4. Download the resulting provisioning profiles.
  5. Encode to base64 and save each using the secrets names above:
cat profile.mobileprovision | base64
  1. Now, you need to update the XCConfig to use these. Edit Firezone/xcconfig/release.xcconfig and update the provisioning profile UUIDs. The UUID can be found by grepping for them in the provisioning profile files themselves, or just opening them in a text editor and looking halfway down the file.
  2. Now, for iOS only, you need to edit Firezone/ExportOptions.plist and update the provisioning profile UUIDs there as well.

Runner keychain password

This can be randomly generated. It's only used ephemerally to load the secrets into the runner's keychain for the build.

APPLE_RUNNER_KEYCHAIN_PASSWORD
Reference in New Issue View Git Blame Copy Permalink