- Restore the default accent, but extend it to toggles on iOS
- Keep the "gold" color for the upgrade icon
- Replace the upgrade icon with the universally understandable lock icon

Restart from the v2 flow most users are familiar with.

- Restore the global v2 accent
- Restore the per-profile toggles
- Single tap to edit a profile
- Reuse the same chevron for profile and module navigation
- Improve the iCloud/TV section and rename it to "Synchronization"
- Drop the misleading moon icon from the "Keep alive on sleep" toggle
- Drop the marginal "Enable"/"Disable" action from context menus
- Drop the grid cell highlighting, now marginal with toggles
- Drop the complexity of `nextProfileId`

Ultimately, rework `TunnelToggleButton` into `TunnelToggle` for better
reuse across all platforms.

Things left to improve:

- The duplication of the active profile on top has not changed, but the
toggles may make it more visually apparent
- The "Inactive" subtitle in disabled profiles is there for balance as
it keeps rows and cells of the same height, but it serves no real
purpose
- Access to secondary actions (e.g. provider server, credentials)
- Use of TipKit for less intuitive flows (e.g. context menus, building a
profile from scratch)

Fixes #1111

#1070 is very tricky. When the device boots, StoreKit operations seem to
be severely affected by on-demand VPN profiles. Slowdowns are huge and
unpredictable, as per my [report on the Apple
forums](https://developer.apple.com/forums/thread/773723). I found no
easy way to work around the chicken-and-egg situation where the VPN
requires StoreKit validation to start, but StoreKit requires network
access.

On the other hand, without StoreKit validations, the on-demand tunnel
starts on boot just fine, and so does the app. No eternal activity
indicators. StoreKit is clearly the culprit here.

Therefore, below is the strategy that this PR implements for a decent
trade-off:

- Configure a graceful period for the VPN to start without limitations.
This is initially set to 2 minutes in production, and 10 minutes in
TestFlight. Postpone StoreKit validation until then.
- After the graceful period, StoreKit validation is more likely to
complete fast
- At this point, paying users have their receipts validated and the
connection will silently keep going
- Non-paying users, instead, will see their connection hit the "Purchase
required" message

On the UI side, adjust the app accordingly:

- Drop the "Purchase required" icon from the list/grid of profiles
- The paywall informs that the connection will start, but it will
disconnect after the graceful period if the receipt is not valid
- Add a note that receipt validation may take a while if the device has
just started

This PR also introduces changes in TestFlight behavior:

- Profiles can be saved without limitations
- Profiles using free features work as usual
- Profiles using paid features work for 10 minutes
- Eligibility based on local receipt is ignored (deprecated in iOS 18)

Beta users may therefore test all paid features on iOS/macOS/tvOS for 10
minutes. Until now, paid features were only available to paying iOS
users and unavailable on macOS/tvOS. The tvOS beta was, in fact,
completely useless.

The downside is that paying iOS users will see beta builds restricted
like anybody else. I'll see if I can find a better solution later.
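
The graceful-period strategy described above, as an added Swift example that is not code from this repository: validation is postponed until the window elapses, then the connection either continues or ends with "Purchase required". `Distribution`, `TunnelDecision`, `ReceiptVerifier` and `DeferredEligibilityGate` are hypothetical names, and treating a failed validation as "not eligible" is an assumption the commit message does not cover.

```swift
import Foundation

// All names here are hypothetical; only the 2/10-minute windows and the
// "Purchase required" outcome come from the commit message.
enum Distribution {
    case production, testFlight

    var gracefulPeriod: TimeInterval {
        switch self {
        case .production: return 2 * 60
        case .testFlight: return 10 * 60
        }
    }
}

enum TunnelDecision: Equatable {
    case keepRunning
    case stop(reason: String)
}

// Assumed abstraction over StoreKit receipt validation.
protocol ReceiptVerifier {
    func isEligible(for paidFeatures: Set<String>) async throws -> Bool
}

struct DeferredEligibilityGate {
    let distribution: Distribution
    let verifier: any ReceiptVerifier
    // Injectable so tests can skip the real wait.
    var sleep: (TimeInterval) async throws -> Void = { seconds in
        try await Task.sleep(nanoseconds: UInt64(seconds * 1_000_000_000))
    }

    // Run in a task started together with the tunnel; cancel it when the tunnel stops.
    func evaluate(paidFeatures: Set<String>) async throws -> TunnelDecision {
        // Profiles using only free features are never gated.
        guard !paidFeatures.isEmpty else { return .keepRunning }
        // No StoreKit call during the window, so an on-demand start at boot is not blocked.
        try await sleep(distribution.gracefulPeriod)
        // TestFlight: paid features end with the window, receipts are not consulted.
        if distribution == .testFlight { return .stop(reason: "Purchase required") }
        // Assumption: a validation error counts as not eligible (fail closed).
        let eligible = (try? await verifier.isEligible(for: paidFeatures)) ?? false
        return eligible ? .keepRunning : .stop(reason: "Purchase required")
    }
}
```

Cancelling the task surfaces as a thrown `CancellationError` from the wait, so a tunnel stopped by the user never reaches the validation call.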

The ubiquity token does not seem to be a reliable source of truth for
the state of CloudKit. Faced with tvOS, now also with Advanced Data
Protection. It is nil, but CloudKit actually works.
Therefore, start a CloudKit container regardless of the ubiquity token.
The only downside is that the iCloud/TV icons of a profile will now only
appear crossed in case of in-app ineligibility, but this is in favor of
better functionality.

`URL.startAccessingSecurityScopedResource()` fails in that case, but
permission is not required at all.
Could reproduce by importing .ovpn file from a Telegram chat.

- Simplify build/version updates by moving MARKETING_VERSION and
CURRENT_PROJECT_VERSION to Config.xcconfig
- Provide Ruby (for fastlane) and Bash (for CI) versions of
xconfig-get/set
- Copy release notes atomically inside the lane to guarantee they are
included in the version commit
- Add -nt to skip the build tag
### OpenVPN
- Make CPassepartoutCryptoOpenSSL agnostic of PassepartoutKit
- Move Allocation/ZeroingData from PassepartoutKit to package for
internal use
- Rename ZeroingData.count to .length for consistency with NSData
- Duplicate some Data manipulation code in CryptoOpenSSL
- Retain a simplified version of ZeroingData in PassepartoutKit
(AutoerasingData)
### WireGuard
- Make WireGuardKit imports `internal`

Simplify development and maintenance immensely by making this a
monorepository:

- Convert PassepartoutKit and VPN bindings to local packages
  - OpenVPN/OpenSSL
  - WireGuard/Go
- Make PassepartoutKit available via
  - Source submodule for production (private)
  - [Binary XCFramework for
    development](https://github.com/passepartoutvpn/passepartoutkit)
- Add PassepartoutKit Demo in root
- Deploy package later

The entitlement "clean-up" was pushed by the App Review, but this had
horrible consequences apparently.

In fact, the WireGuard Go adapter is unable to bind the UDP socket
without the "server" entitlement, making WireGuard on macOS silently
broken:
```
Unable to update bind: listen udp4 :0: bind: operation not permitted
```

Regression in #1042