biometric_signature 9.0.1

biometric_signature: ^9.0.1 copied to clipboard

• Feature: Added "Biometric Decryption" section to README.md with a detailed lifecycle diagram (usecase-2.png) and process description.
• Improved: Enhanced Windows platform documentation to clarify KeyCredentialManager usage, TPM backing, RSA-2048 constraints, and lack of decryption support.
• Metadata: Updated pubspec.yaml description to explicitly include supported platforms and Windows Hello.
• Maintenance: Updated Android native dependency.

• Breaking: Method signature changes:

  • createKeys() now takes config, keyFormat, promptMessage parameters
  • createSignature() now takes payload, config, signatureFormat, keyFormat, promptMessage parameters
  • decrypt() now takes payload, payloadFormat, config, promptMessage parameters

• Moved cross-platform parameters into unified config objects:

  • signatureType, enforceBiometric, setInvalidatedByBiometricEnrollment, useDeviceCredentials now in CreateKeysConfig
  • Each field is documented with which platform(s) it applies to

Architecture - Type-safe Communication with Pigeon #

• Breaking: Migrated entire platform communication layer to Pigeon.
• Breaking: Replaced raw string/map returns with structured strongly-typed objects:
  • KeyCreationResult: Contains publicKey, error, and code.
  • SignatureResult: Contains signature, publicKey, error, and code.
  • DecryptResult: Contains decryptedData, error, and code.
  • BiometricAvailability: detailed availability status including enrolled biometric types and error reasons.
• Breaking: Standardized BiometricError enum across all platforms.

API Improvements #

• Breaking: biometricAuthAvailable() now returns a BiometricAvailability object instead of a raw string.
• Removed legacy signature_options.dart, decryption_options.dart and old config classes.
• Enhanced error handling with specific error codes (e.g., userCanceled, notEnrolled, lockedOut) instead of generic strings.
• New getKeyInfo() method: Retrieve detailed information about existing biometric keys without creating a signature.
  • Returns KeyInfo object with: exists, isValid, algorithm, keySize, isHybridMode, publicKey, decryptingPublicKey.
  • Accepts checkValidity parameter to verify key hasn't been invalidated by biometric changes.
  • Accepts keyFormat parameter to specify output format (base64, pem, hex).
• New KeyInfo class: Exported via Pigeon for type-safe key metadata.
• biometricKeyExists() is now a convenience wrapper around getKeyInfo().

Improved #

• Cleaner, simpler API with fewer method parameters
• Better documentation of platform-specific options
• Updated all example projects to use new API

Added - macOS Platform Support #

Platform Integration

• Full macOS support for biometric authentication using Touch ID.
• Native macOS implementation via BiometricSignaturePlugin.swift.
• Support for macOS 10.15 (Catalina) and later.
• CocoaPods integration for seamless dependency management.

API and Configuration

• New MacosConfig class for platform-specific configuration:
  • useDeviceCredentials: Enable device credentials (passcode) fallback
  • signatureType: Support for both MacosSignatureType.RSA and MacosSignatureType.ECDSA
  • biometryCurrentSet: Bind keys to current Touch ID enrollment state
• New Parameter: Added optional promptMessage parameter to createKeys() method across all platforms
  • Allows customization of the authentication prompt when enforceBiometric is true
  • Defaults to "Authenticate to create keys" for backward compatibility
  • Provides context-specific instructions to users during key generation

Security Features

• App-specific keychain isolation: Keychain identifiers now incorporate bundle identifier to prevent cross-app conflicts on macOS
  • Each app's keys are completely isolated: {bundleId}.eckey, {bundleId}.biometric_key, etc.
  • Solves the issue where multiple apps using the plugin would share the same keychain items
  • iOS implementation remains unchanged as it already has proper sandboxing
• Secure Enclave integration for EC key storage and operations
• Hardware-backed cryptographic operations using macOS Security framework
• Domain state tracking for biometric enrollment changes

Cryptographic Features

• RSA Mode:
  • RSA-2048 hardware-backed signing
  • Hybrid mode with software RSA decryption key wrapped via ECIES
• EC Mode:
  • P-256 (secp256r1) hardware-backed signing in Secure Enclave
  • Native ECIES decryption using SecKeyAlgorithm.eciesEncryptionStandardX963SHA256AESGCM
  • Support for EC-only mode and hybrid EC mode

Implementation Details

• Biometry change detection via LAContext.evaluatedPolicyDomainState
• Automatic key invalidation when Touch ID enrollment changes (when biometryCurrentSet is true)
• Support for all key formats: BASE64, PEM, RAW, HEX
• Consistent error handling and Flutter method channel integration

Changed #

• Updated platform interface to distinguish macOS from iOS
• Enhanced BiometricSignaturePlatform to properly handle macOS-specific parameters
• Updated documentation with macOS integration steps and examples
• Added macOS to platform support table (macOS 10.15+)

Added #

• ECIES decryption on Android and iOS.
• X9.63-SHA256 KDF and AES-128-GCM support for elliptic-curve decryption.
• RSA decryption support via decrypt() on Android and iOS.
• enableDecryption option in AndroidConfig to generate RSA keys with decryption capability.
• Cross-platform ECIES support for P-256 (secp256r1) keys.

Android #

• Manual ECIES implementation using ECDH, X9.63 KDF, and AES-GCM.
• Software EC private key for decryption is encrypted using a biometric-protected AES-256 master key (Keystore/StrongBox).
• Wrapped EC private key blob is stored in app-private files with MODE_PRIVATE permissions.
• All sensitive key material is zeroized after use.

iOS #

• Native ECIES support through SecKeyAlgorithm.eciesEncryptionStandardX963SHA256AESGCM.
• Hybrid RSA mode: software RSA key for decryption encrypted via ECIES with Secure Enclave EC public key.

Architecture #

• Updated hybrid EC design:
  • Android: hardware EC signing key + AES-wrapped software EC decryption key
  • iOS: hardware EC signing key + ECIES-wrapped software RSA key

Misc #

• Expanded documentation and updated examples.
• Improved test coverage across decryption and hybrid modes.

• Optimize iOS createKeys implementation.
• ReadMe.md was updated.

• Added enforceBiometric parameter to createKeys() method to require biometric authentication before generating the key-pair.
• Added an optional subtitle parameter to Android biometric prompts via AndroidSignatureOptions.
• ReadMe.md and example updates.

• Upgraded Flutter from 3.32.8 to 3.35.7
• Upgraded Dart SDK from ^3.8.1 to ^3.9.2
• iOS minimum deployment target upgraded from 12.0 to 13.0
• Android minimum SDK upgraded from 23 to 24
• Upgraded Android Gradle Plugin from 8.7.3 to 8.9.1
• Upgraded Android compileSdk from 35 to 36
• Refactored Android native code to use internal objects for error constants and key aliases
• Code quality improvements: formatting and style consistency updates across example projects

• A small bug was fixed.

• Added an optional parameter to configure whether the key should be invalidated on new biometric enrollment when creating the key.

• Breaking: createKeys now returns a KeyCreationResult instead of a plain base64 string, enabling configurable output formats.
• Breaking: createSignature returns a SignatureResult that includes both the formatted signature and public key metadata.
• Added KeyFormat support across Dart, Android, and iOS with BASE64, PEM, RAW (DER/bytes), and HEX representations.
• Android: refactored native layer to emit structured maps, generate PEM blocks directly, and expose raw DER bytes when requested.
• iOS: aligned public key formatting with SubjectPublicKeyInfo, added PEM/RAW/HEX conversions, and unified signature responses.
• Updated documentation, examples, and helper classes to illustrate working with FormattedValue utilities.
• Removed createSignatureFromLegacyOptions helper.

• ReadMe.md updates.
• Reverting back to previous iOS IPHONEOS_DEPLOYMENT_TARGET(12.0).
• Added 3 practical-world examples.

• Updating documentations.
• Minor bug fixes.

• Fix formatting errors.

• Updating documentations.

• Breaking: Replace the map-based createSignature API with typed SignatureOptions, plus platform-specific option classes.
• Added createSignatureFromLegacyOptions helper to ease migration from the legacy API.
• Fixed Android allowDeviceCredentials parsing so boolean values are honoured.
• Updated the iOS plugin to accept native booleans for shouldMigrate.
• Improved Android native Kotlin coroutines implementation.
• Updated native dependencies.

• The migrate path for iOS from 5.x is preserved.
• ReadMe.md updates.

• Suggesting a fix for issue.

• Suggesting a fix for issue using Kotlin coroutines.

• fix dart formatting errors.

• Upgrading Flutter from 3.27.2 to 3.32.8.
• Updating the README.md file descriptions.
• Adding ECDSA Key support for cryptographic operations.
• Suggesting a fix for issue.

• Suggesting a fix for issue.

• Upgrading Flutter from 3.27.0 to 3.27.2.
• Updating the README.md file descriptions.
• Device Credentials' fallback support for compatible devices can be configured.

• Feature - Allow Device Credentials as a fallback for biometric authentication.

• Upgrading Flutter from 3.19.6 to 3.27.0

• A bug fix for key user not authenticated android crash.

• A bug fix for android KeyStoreException crash.

• A bug fix in iOS createKeys() flow.

• ReadMe.md updates.

• Feature Secure Enclave migration from Key Chain.

• Secure Enclave integration in iOS.

• Fix iOs issue: biometricKeyExists always false .

• Fix linting issues.

• Feature Use StrongBox in compatible android devices.
• Refactor key creation to use AndroidConfig object.

• fix Local Authentication bypass in iOS when calling createSignature().

• fix Biometric portal not coming up in iOS simulators when calling createSignature().
• General improvements.

• A crash on Android devices below API level 28 was fixed.
• General improvements.

• Fixed a bug in createKeys() for iOS.
• Fixed a bug in createSignature() for android.
• Error codes were updated to maintain consistency.
• Updated README.md and Licence content.
• Hardcoded default payload was removed.
• Improved error handling.

New Features: #

• The plugin offers more flexibility for advanced use cases, such as handling different biometric modalities and customizing the signature generation process.

Bug Fixes: #

• Improved the handling of biometric prompt cancellations.
• Enhanced the accuracy of biometric authentication on some devices.

Other Changes: #

• Updated the plugin's documentation to reflect the new features and improvements.
• Migrated the plugin to use the latest Flutter development tools.
• Improved the overall performance and stability of the plugin.
• This version is now compatible with AGP >=7.3 including 8.x support.

Breaking Changes: #

• The minimum supported Flutter version has been increased to 3.3.0.

Fixed: #

• Android: Fixed the issue with the createSignature() method, ensuring it doesn't encode the payload to base64.
• iOS: Corrected the public key header in createKeys() method to align with standard RSA key formats.

Other Changes: #

• Updated README.md and Licence content.

• Removes a redundant code push in Android native code.
• Updates README.md and the Example.

• Returns "biometric" for Android devices with multiple BIOMETRIC_STRONG options when called biometricAuthAvailable().
• Let createSignature() accept a "payload" keyValue pair in options arg.
• updates dependencies.
• updates README.md and the Example.

• Consistent Platform error handling.
• Upgrade dependencies.

• improved documentation.

• upgrading flutter sdk to 3.7.11.
• improved documentation.

• upgrading dependencies.
• refactoring.

• fixing createSignature's options param.

• downgrade min Dart Sdk.

• improved documentation.

• initial release.