- Restore the default accent, but extend it to toggles on iOS
- Keep the "gold" color for the upgrade icon
- Replace the upgrade icon with the universally understandable lock icon

Restart from the v2 flow most users are familiar with.

- Restore the global v2 accent
- Restore the per-profile toggles
- Single tap to edit a profile
- Reuse the same chevron for profile and module navigation
- Improve the iCloud/TV section and rename it to "Synchronization"
- Drop the misleading moon icon from the "Keep alive on sleep" toggle
- Drop the marginal "Enable"/"Disable" action from context menus
- Drop the grid cell highlighting, now marginal with toggles
- Drop the complexity of `nextProfileId`

Ultimately, rework `TunnelToggleButton` into `TunnelToggle` for better
reuse across all platforms.

Things left to improve:

- The duplication of the active profile on top has not changed, but the
toggles may make it more visually apparent
- The "Inactive" subtitle in disabled profiles is there for balance as
it keeps rows and cells of the same height, but it serves no real
purpose
- Access to secondary actions (e.g. provider server, credentials)
- Use of TipKit for less intuitive flows (e.g. context menus, building a
profile from scratch)

Fixes #1111

#1070 is very tricky. When the device boots, StoreKit operations seem to
be severely affected by on-demand VPN profiles. Slowdowns are huge and
unpredictable, as per my [report on the Apple
forums](https://developer.apple.com/forums/thread/773723). I found no
easy way to work around the chicken-and-egg situation where the VPN
requires StoreKit validation to start, but StoreKit requires network
access.

On the other hand, without StoreKit validations, the on-demand tunnel
starts on boot just fine, and so does the app. No eternal activity
indicators. StoreKit is clearly the culprit here.

Therefore, below is the strategy that this PR implements for a decent
trade-off:

- Configure a graceful period for the VPN to start without limitations.
This is initially set to 2 minutes in production, and 10 minutes in
TestFlight. Postpone StoreKit validation until then.
- After the graceful period, StoreKit validation is more likely to
complete fast
- At this point, paying users have their receipts validated and the
connection will silently keep going
- Non-paying users, instead, will see their connection hit the "Purchase
required" message

On the UI side, adjust the app accordingly:

- Drop the "Purchase required" icon from the list/grid of profiles
- The paywall informs that the connection will start, but it will
disconnect after the graceful period if the receipt is not valid
- Add a note that receipt validation may take a while if the device has
just started

This PR also introduces changes in TestFlight behavior:

- Profiles can be saved without limitations
- Profiles using free features work as usual
- Profiles using paid features work for 10 minutes
- Eligibility based on local receipt is ignored (deprecated in iOS 18)

Beta users may therefore test all paid features on iOS/macOS/tvOS for 10
minutes. Until now, paid features were only available to paying iOS
users and unavailable on macOS/tvOS. The tvOS beta was, in fact,
completely useless.

The downside is that paying iOS users will see beta builds restricted
like anybody else. I'll see if I can find a better solution later.
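
The grace-period strategy described above, sketched as an added Swift example that is not Passepartout's own code: `ReceiptState`, `TunnelDecision` and `GracePolicy` are hypothetical names, and only the production flow (validate after the grace period, then continue or stop) is modeled.

```swift
import Foundation

// Added illustration; every type and function name here is hypothetical.

enum ReceiptState { case notChecked, valid, invalid }

enum TunnelDecision: Equatable {
    case keepRunning        // inside the grace period, or receipt validated
    case validateReceipt    // grace period over: run StoreKit validation now
    case purchaseRequired   // grace period over and the receipt is not valid
}

struct GracePolicy {
    // Durations stated in the PR description.
    static let production: TimeInterval = 2 * 60
    static let testFlight: TimeInterval = 10 * 60

    let gracePeriod: TimeInterval

    /// - Parameter elapsed: seconds since the tunnel started. Measure it with a
    ///   monotonic clock rather than Date(), so that changing the wall clock
    ///   cannot stretch the grace period.
    func decide(elapsed: TimeInterval,
                usesPaidFeatures: Bool,
                receipt: ReceiptState) -> TunnelDecision {
        // Profiles using only free features never depend on StoreKit.
        guard usesPaidFeatures else { return .keepRunning }
        // Within the grace period the tunnel runs without limitations and
        // StoreKit is not queried at all.
        guard elapsed >= gracePeriod else { return .keepRunning }
        switch receipt {
        case .notChecked: return .validateReceipt
        case .valid:      return .keepRunning
        case .invalid:    return .purchaseRequired
        }
    }
}

// Constructed timeline for a paid-feature profile on a production build.
let policy = GracePolicy(gracePeriod: GracePolicy.production)
let timeline: [(TimeInterval, ReceiptState)] = [
    (5, .notChecked), (119, .notChecked), (120, .notChecked),
    (125, .valid), (125, .invalid)
]
for (elapsed, receipt) in timeline {
    let decision = policy.decide(elapsed: elapsed, usesPaidFeatures: true, receipt: receipt)
    print("t=\(Int(elapsed))s receipt=\(receipt) -> \(decision)")
}
```
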

The ubiquity token does not seem to be a reliable source of truth for
the state of CloudKit. Faced with tvOS, now also with Advanced Data
Protection. It is nil, but CloudKit actually works.

Therefore, start a CloudKit container regardless of the ubiquity token.
The only downside is that the iCloud/TV icons of a profile will now only
appear crossed in case of in-app ineligibility, but this is in favor of
better functionality.

`URL.startAccessingSecurityScopedResource()` fails in that case, but
permission is not required at all.

Could reproduce by importing an .ovpn file from a Telegram chat.

- Simplify build/version updates by moving MARKETING_VERSION and
CURRENT_PROJECT_VERSION to Config.xcconfig
- Provide Ruby (for fastlane) and Bash (for CI) versions of
xconfig-get/set
- Copy release notes atomically inside the lane to guarantee they are
included in the version commit
- Add -nt to skip the build tag

### OpenVPN

- Make CPassepartoutCryptoOpenSSL agnostic of PassepartoutKit
- Move Allocation/ZeroingData from PassepartoutKit to package for
internal use
- Rename ZeroingData.count to .length for consistency with NSData
- Duplicate some Data manipulation code in CryptoOpenSSL
- Retain a simplified version of ZeroingData in PassepartoutKit
(AutoerasingData)

### WireGuard

- Make WireGuardKit imports `internal`

Simplify development and maintenance immensely by making this a
monorepository:

- Convert PassepartoutKit and VPN bindings to local packages
  - OpenVPN/OpenSSL
  - WireGuard/Go
- Make PassepartoutKit available via
  - Source submodule for production (private)
  - [Binary XCFramework for development](https://github.com/passepartoutvpn/passepartoutkit)
- Add PassepartoutKit Demo in root
- Deploy package later

The entitlement "clean-up" was pushed by the App Review, but this had
horrible consequences apparently.
In fact, the WireGuard Go adapter is unable to bind the UDP socket
without the "server" entitlement, making WireGuard on macOS silently
broken:

```
Unable to update bind: listen udp4 :0: bind: operation not permitted
```

Regression in #1042

Especially useful on macOS and tvOS where Network Extension does not
retain this information when the profile is disabled. On these
platforms, there's no native way to tell the last used profile, so save
it to UserDefaults and fall back to it when tunnel.currentProfile is
nil.

When level is .beta, it was relying on beta receipt exclusively without
falling back to production receipt.

This was preventing the sandbox receipt ("production" in TestFlight)
from being read unless the AppUserLevel was explicitly set to .freemium
(0).

The remote container is shared by ProfileManager and
PreferencesManager, but it must be the same for CloudKit sync
to work properly.

Externalize the logic of onEligibleFeatures() so that the
AppContext singleton can update the managers (and their
repositories) with the new remote store.

Now that the remote profile repository is reloaded every time that
eligible features change, the .removeDuplicates() may also be
restored. Just add a .dropFirst() to skip the initially empty
value of eligible features. Even when features are eventually empty,
a value is always emitted after IAPManager.reloadReceipt().

Lastly, enable Core Data lightweight migration.

Regressions from #1017