Add Apple Watch support to quick unlock

* Allow using a paired Apple Watch to authenticate to the secrets store in addition to TouchID. * Closes #5337
2025-04-03 20:47:37 +03:00 · 2020-10-08 11:37:50 +02:00 · 2020-10-08 11:37:50 +02:00 · 34ed63f495
commit 34ed63f495
parent 0c6587b5b7
1 changed files with 34 additions and 7 deletions
--- a/src/touchid/TouchID.mm
+++ b/src/touchid/TouchID.mm
@ -94,10 +94,20 @@ bool TouchID::storeKey(const QString& databasePath, const QByteArray& passwordKe

    // prepare adding secure entry to the macOS KeyChain
    CFErrorRef error = NULL;
-    SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
-                                                                    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
-                                                                    kSecAccessControlTouchIDCurrentSet, // depr: kSecAccessControlBiometryCurrentSet,
-                                                                    &error);
+    SecAccessControlRef sacObject;
+    if (@available(macOS 10.15, *)) {
+        // kSecAccessControlWatch is only available for macOS 10.15 and later
+        sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
+                                                    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+                                                    kSecAccessControlOr | kSecAccessControlBiometryCurrentSet | kSecAccessControlWatch,
+                                                    &error);
+    } else {
+        sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
+                                                    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+                                                    kSecAccessControlTouchIDCurrentSet, // depr: kSecAccessControlBiometryCurrentSet,
+                                                    &error);
+    }
+

    if (sacObject == NULL || error != NULL) {
        NSError* e = (__bridge NSError*) error;
@ -216,12 +226,21 @@ bool TouchID::getKey(const QString& databasePath, QByteArray& passwordKey) const
 bool TouchID::isAvailable()
 {
    // cache result
-    if (this->m_available != TOUCHID_UNDEFINED)
+    if (this->m_available != TOUCHID_UNDEFINED) {
        return (this->m_available == TOUCHID_AVAILABLE);
+    }

    @try {
        LAContext* context = [[LAContext alloc] init];
-        bool canAuthenticate = [context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:nil];
+
+        LAPolicy policyCode;
+        if (@available(macOS 10.15, *)) {
+            policyCode = LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch;
+        } else {
+            policyCode = LAPolicyDeviceOwnerAuthenticationWithBiometrics;
+        }
+
+        bool canAuthenticate = [context canEvaluatePolicy:policyCode error:nil];
        [context release];
        this->m_available = canAuthenticate ? TOUCHID_AVAILABLE : TOUCHID_NOT_AVAILABLE;
        return canAuthenticate;
@ -253,7 +272,15 @@ bool TouchID::authenticate(const QString& message) const
        LAContext* context = [[LAContext alloc] init];
        __block TouchIDResult result = kTouchIDResultNone;
        NSString* authMessage = msg.toNSString(); // autoreleased
-        [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
+
+        LAPolicy policyCode;
+        if (@available(macOS 10.15, *)) {
+            policyCode = LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch;
+        } else {
+            policyCode = LAPolicyDeviceOwnerAuthenticationWithBiometrics;
+        }
+
+        [context evaluatePolicy:policyCode
                localizedReason:authMessage reply:^(BOOL success, NSError* error) {
                Q_UNUSED(error);
                result = success ? kTouchIDResultAllowed : kTouchIDResultFailed;