build: disable osxkeychain TPM backend by default

Change-Id: I3e121a7cee0451d20f83aa73742077bc621652be
named-data · Mar 9, 2024 · 7211ea1 · 7211ea1
1 parent 80f3503
commit 7211ea1
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 25 deletions.
diff --git a/.jenkins.d/10-build.sh b/.jenkins.d/10-build.sh
@@ -4,8 +4,8 @@ set -eo pipefail
 if [[ -z $DISABLE_ASAN ]]; then
     ASAN="--with-sanitizer=address"
 fi
-if [[ $ID == macos && ${VERSION_ID%%.*} -ge 12 && -z $GITHUB_ACTIONS ]]; then
-    KEYCHAIN="--without-osx-keychain"
+if [[ -n $GITHUB_ACTIONS && $ID == macos && ${VERSION_ID%%.*} -le 12 ]]; then
+    KEYCHAIN="--with-osx-keychain"
 fi
 
 set -x
@@ -28,7 +28,7 @@ fi
 
 if [[ $JOB_NAME == *"code-coverage" ]]; then
     # Build for coverage testing: enable instrumentation and unit tests only
-    ./waf --color=yes configure --debug --with-coverage --with-unit-tests --without-tools $KEYCHAIN
+    ./waf --color=yes configure --debug --with-coverage --with-unit-tests --without-tools
     ./waf --color=yes build
 else
     # Build shared library in debug mode with tests

diff --git a/client.conf.sample b/client.conf.sample
@@ -13,16 +13,14 @@
 ;transport=unix:///var/run/nfd/nfd.sock
 
 ; "pib" determines which Public Information Base (PIB) should used by default in applications.
-; If "pib" is not specified, a platform-dependent default will be used.
-; If "pib" is specified, it may have a value of:
-;   - "pib-sqlite3"
+; Currently, the only supported value for "pib" is:
+;   - "pib-sqlite3"     (default if not specified)
 ;
 ;pib=pib-sqlite3
 
 ; "tpm" determines which Trusted Platform Module (TPM) should used by default in applications.
-; If "tpm" is not specified, a platform-dependent default will be used.
-; If "tpm" is specified, it may have a value of:
-;   - "tpm-osxkeychain"  (default on macOS)
-;   - "tpm-file"         (default on all other platforms)
+; The supported values for "tpm" are:
+;   - "tpm-file"         (default if not specified)
+;   - "tpm-osxkeychain"
 ;
 ;tpm=tpm-file
diff --git a/docs/manpages/ndn-client.conf.rst b/docs/manpages/ndn-client.conf.rst
@@ -43,7 +43,7 @@ pib
 
   Possible values for ``[scheme]`` are:
 
-  * ``pib-sqlite3``: local PIB implementation using the SQLite3 storage engine.
+  * ``pib-sqlite3``: local PIB implementation using the SQLite3 storage engine. This is the default.
 
     Possible values for ``[location]``:
 
@@ -53,7 +53,7 @@ pib
 
   When ``[location]`` is empty, the trailing ``:`` can be omitted.  For example::
 
-     pib=pib-sqlite3
+      pib=pib-sqlite3
 
   Changing PIB scheme without changing location is **not** allowed.  If a change like this is
   necessary, the whole backend storage must be destroyed.  For example, when the default location is
@@ -75,26 +75,26 @@ tpm
 
   Possible values for ``[scheme]`` are:
 
-  * ``tpm-osxkeychain`` (default on macOS): secure storage of private keys in the macOS
-    Keychain with OS-provided access restrictions.
+  * ``tpm-osxkeychain``: secure storage of private keys in the macOS Keychain with OS-provided
+    access restrictions.
 
     The ``[location]`` parameter is ignored.
 
     May not work for daemon applications, as user interaction may be required to access the
     macOS Keychain.
 
-  * ``tpm-file`` (default on all other platforms): file-based storage of private keys.
+  * ``tpm-file``: file-based storage of private keys. This is the default.
 
     Possible values for ``[location]``:
 
     * absolute path to directory that will store private/public key files (unencrypted with
       ``0700`` permission)
     * relative path (relative to ``client.conf``)
-    * empty: the default path ``$HOME/.ndn/ndnsec-tpm-file`` will be used
+    * empty: the default path ``$HOME/.ndn/ndnsec-key-file`` will be used
 
   When ``[location]`` is empty, the trailing ``:`` can be omitted.  For example::
 
-     tpm=tpm-file
+      tpm=tpm-file
 
   **Changing the ``tpm`` setting is only possible together with ``pib`` setting. Otherwise,
   an error will be generated during PIB/TPM access.**

diff --git a/ndn-cxx/security/key-chain.cpp b/ndn-cxx/security/key-chain.cpp
@@ -92,11 +92,11 @@ getDefaultPibScheme()
 static const auto&
 getDefaultTpmScheme()
 {
-#if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
+#ifdef NDN_CXX_WITH_OSX_KEYCHAIN
   return tpm::BackEndOsx::getScheme();
 #else
   return tpm::BackEndFile::getScheme();
-#endif // defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
+#endif // NDN_CXX_WITH_OSX_KEYCHAIN
 }
 
 const KeyParams&

diff --git a/tests/unit/security/key-chain.t.cpp b/tests/unit/security/key-chain.t.cpp
@@ -77,7 +77,7 @@ BOOST_FIXTURE_TEST_CASE(ConstructorEmptyConfig, TestHomeAndPibFixture<PibPathCon
 {
   createClientConf({"pib=pib-memory:"});
 
-#if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS)
+#ifdef NDN_CXX_HAVE_OSX_FRAMEWORKS
   std::string oldHOME;
   if (std::getenv("OLD_HOME"))
     oldHOME = std::getenv("OLD_HOME");
@@ -95,15 +95,15 @@ BOOST_FIXTURE_TEST_CASE(ConstructorEmptyConfig, TestHomeAndPibFixture<PibPathCon
   KeyChain keyChain;
   BOOST_CHECK_EQUAL(keyChain.getPib().getPibLocator(), "pib-memory:");
 
-#if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
+#ifdef NDN_CXX_WITH_OSX_KEYCHAIN
   BOOST_CHECK_EQUAL(keyChain.getPib().getTpmLocator(), "tpm-osxkeychain:");
   BOOST_CHECK_EQUAL(keyChain.getTpm().getTpmLocator(), "tpm-osxkeychain:");
 #else
   BOOST_CHECK_EQUAL(keyChain.getPib().getTpmLocator(), "tpm-file:");
   BOOST_CHECK_EQUAL(keyChain.getTpm().getTpmLocator(), "tpm-file:");
 #endif
 
-#if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS)
+#ifdef NDN_CXX_HAVE_OSX_FRAMEWORKS
   if (!HOME.empty())
     setenv("HOME", HOME.c_str(), 1);
   else

diff --git a/tests/unit/security/tpm/back-end.t.cpp b/tests/unit/security/tpm/back-end.t.cpp
@@ -50,7 +50,7 @@ BOOST_AUTO_TEST_SUITE(Security)
 BOOST_AUTO_TEST_SUITE(TestTpmBackEnd)
 
 using TestBackEnds = boost::mp11::mp_list<
-#if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
+#ifdef NDN_CXX_WITH_OSX_KEYCHAIN
   BackEndWrapperOsx,
 #endif
   BackEndWrapperMem,

diff --git a/wscript b/wscript
@@ -28,8 +28,8 @@ def options(opt):
     opt.add_option('--disable-shared', action='store_false', default=True,
                    dest='enable_shared', help='Do not build shared library (enabled by default)')
 
-    opt.add_option('--without-osx-keychain', action='store_false', default=True,
-                   dest='with_osx_keychain', help='Do not use macOS Keychain as default TPM (macOS only)')
+    opt.add_option('--with-osx-keychain', action='store_true', default=False,
+                   help='Use macOS Keychain as default TPM (macOS only)')
 
     opt.add_option('--without-sqlite-locking', action='store_false', default=True, dest='with_sqlite_locking',
                    help='Disable filesystem locking in sqlite3 database '