Comment by AceJohnny2

2 days ago

Thanks! In your change https://github.com/tailscale/tailscale/pull/18336 you mention:

> There's also tailscaled-on-macOS, but it won't have a TPM or Keychain bindings anyway.

Do you mean that on macOS, tailscaled does not and has never leveraged equivalent hardware-attestation functionality from the SEP? (Assuming such functionality is available)

8 comments

AceJohnny2

cronos 2 days ago

On macOS we have 3 ways to run Tailscale: https://tailscale.com/kb/1065/macos-variants Two of them have a GUI component and use the Keychain to store their state.

The third one is just the open-source tailscaled binary that you have to compile yourself, and it doesn't talk to the Keychain. It stores a plaintext file on disk like the Linux variant without state encryption. Unlike the GUI variants, this one is not a Swift program that can easily talk to the Keychain API.

cyberax 2 days ago
You don't need Swift to use the Keychain API. It's doable from pure C.
- johncolanduoni 2 days ago
  
  In fact, SecurityFramework doesn’t have a real Swift/Obj-C API. The relevant functions are all direct bindings to C ABIs (just with wrappers around the CoreFoundation types).
  
  1 reply →
- cronos 1 day ago
  
  Good to know, my understanding of the macOS system APIs is fairly limited. I'm sure it's doable, with some elbow grease and CGO. We just haven't prioritized that variant of the client due to relatively low usage.
  
  1 reply →
reader9274 2 days ago
Only one of the ways uses Keychain per that page.
- cronos 1 day ago
  
  Ah, looks like another KB update is needed, thanks for calling it out!