Clear needs review.

.github/workflows/codeql.yml

@@ -37,7 +37,7 @@ jobs:
         build-mode: ${{ matrix.build-mode }}
     - if: matrix.build-mode == 'manual'
       name: "Select Xcode"
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
     - if: matrix.build-mode == 'manual'
       name: "Build"
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO

.github/workflows/nightly.yml

@@ -3,6 +3,7 @@ name: Nightly
 on: 
   schedule: 
     - cron: "0 8 * * *"
+  workflow_dispatch:
   
 jobs:
   build:
@@ -11,7 +12,6 @@ jobs:
       id-token: write
       contents: write
       attestations: write
-      actions: read
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v5
@@ -25,7 +25,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
     - name: Update Build Number
       env:
         RUN_ID: ${{ github.run_id }}
@@ -33,30 +33,23 @@ jobs:
             DATE=$(date "+%Y-%m-%d")
             sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0_nightly-$DATE/g" Sources/Config/Config.xcconfig
             sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
     - name: Build
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Move to Artifact Folder
-      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
-    - name: Upload App to Artifacts
-      id: upload
-      uses: actions/upload-artifact@v4
-      with:
-        name: Secretive
-        path: Artifact
-    - name: Download Zipped Artifact
-      id: download
-      env: 
-        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Create ZIP
       run: |
-            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
-            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
+            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
     - name: Notarize
       env: 
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
         APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v4
+      with:
+        name: Secretive.zip
+        path: Secretive.zip
     - name: Attest
       id: attest
       uses: actions/attest-build-provenance@v2

.github/workflows/oneoff.yml

@@ -1,64 +0,0 @@
-name: One-Off Build
-
-on: 
-  workflow_dispatch:
-  
-jobs:
-  build:
-    runs-on: macos-26
-    permissions:
-      id-token: write
-      contents: write
-      attestations: write
-      actions: read
-    timeout-minutes: 10
-    steps:
-    - uses: actions/checkout@v5
-    - name: Setup Signing
-      env: 
-        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
-        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
-        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
-        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
-        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
-        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
-      run: ./.github/scripts/signing.sh
-    - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
-    - name: Update Build Number
-      env:
-        RUN_ID: ${{ github.run_id }}
-      run: |
-            DATE=$(date "+%Y-%m-%d")
-            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0_oneoff-$DATE/g" Sources/Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
-    - name: Build
-      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Move to Artifact Folder
-      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
-    - name: Upload App to Artifacts
-      id: upload
-      uses: actions/upload-artifact@v4
-      with:
-        name: Secretive
-        path: Artifact
-    - name: Download Zipped Artifact
-      id: download
-      env: 
-        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
-            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
-    - name: Notarize
-      env: 
-        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
-        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
-      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
-    - name: Attest
-      id: attest
-      uses: actions/attest-build-provenance@v2
-      with:
-        subject-name: "Secretive.zip"
-        subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}

.github/workflows/release.yml

@@ -22,7 +22,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
     - name: Test
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
       # SPM doesn't seem to pick up on the tests currently?
@@ -32,7 +32,6 @@ jobs:
       id-token: write
       contents: write
       attestations: write
-      actions: read
     runs-on: macos-26
     timeout-minutes: 10
     steps:
@@ -47,7 +46,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
     - name: Update Build Number
       env:
         TAG_NAME: ${{ github.ref }}
@@ -56,43 +55,37 @@ jobs:
             export CLEAN_TAG=$(echo $TAG_NAME | sed -e 's/refs\/tags\/v//')
             sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Sources/Config/Config.xcconfig
             sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_URL/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
     - name: Build
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Move to Artifact Folder
-      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
-    - name: Upload App to Artifacts
-      id: upload
-      uses: actions/upload-artifact@v4
-      with:
-        name: Secretive.zip
-        path: Artifact
-    - name: Download Zipped Artifact
-      id: download
-      env: 
-        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Create ZIP
       run: |
-            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
-            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
+            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
     - name: Notarize
       env: 
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
         APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v4
+      with:
+        name: Secretive.zip
+        path: Secretive.zip
     - name: Attest
       id: attest
       uses: actions/attest-build-provenance@v2
       with:
-        subject-path: "Secretive.zip"
+        subject-name: "Secretive.zip"
+        subject-digest: ${{ steps.upload.outputs.artifact-digest }}
     - name: Create Release
+      run: |
+            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
+            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
+            gh release create $TAG_NAME -d -F .github/templates/release.md
+            gh release upload Secretive.zip
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         TAG_NAME: ${{ github.ref }}
         RUN_ID: ${{ github.run_id }}
         ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
-      run: |
-            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
-            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
-            gh release create $TAG_NAME -d -F .github/templates/release.md
-            gh release upload $TAG_NAME Secretive.zip

.github/workflows/test.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
     - uses: actions/checkout@v5
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
     - name: Test Main Packages
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
       # SPM doesn't seem to pick up on the tests currently?

.gitignore

@@ -93,7 +93,3 @@ iOSInjectionProject/
 Archive.xcarchive
 .DS_Store
 contents.xcworkspacedata
-
-# Per-User Configs
-
-Sources/Config/OpenSource.xcconfig

CONTRIBUTING.md

@@ -10,10 +10,6 @@ Security is obviously paramount for a project like Secretive. As such, any contr
 
 Secretive is designed to be easily auditable by people who are considering using it. In keeping with this, Secretive has no third party dependencies, and any contributions which bring in new dependencies will be rejected.
 
-### AI/LLM Policy
-
-For security and auditing reasons similar to the policy Secretive has on dependencies, any code generated with AI or LLM tools will not be accepted.
-
 ## Code of Conduct
 
 All contributors must abide by the [Code of Conduct](CODE_OF_CONDUCT.md)

Package.swift

@@ -22,15 +22,6 @@ let package = Package(
         .library(
             name: "SmartCardSecretKit",
             targets: ["SmartCardSecretKit"]),
-        .library(
-            name: "CertificateKit",
-            targets: ["CertificateKit"]),
-        .library(
-            name: "SSHProtocolKit",
-            targets: ["SSHProtocolKit"]),
-        .library(
-            name: "Formatters",
-            targets: ["Formatters"]),
     ],
     dependencies: [
     ],
@@ -62,33 +53,6 @@ let package = Package(
             resources: [localization],
             swiftSettings: swiftSettings
         ),
-        .target(
-            name: "CertificateKit",
-            dependencies: ["SecretKit", "Formatters"],
-            path: "Sources/Packages/Sources/CertificateKit",
-            resources: [localization],
-            swiftSettings: swiftSettings,
-        ),
-        .target(
-            name: "SSHProtocolKit",
-            dependencies: ["SecretKit", "CertificateKit"],
-            path: "Sources/Packages/Sources/SSHProtocolKit",
-            resources: [localization],
-            swiftSettings: swiftSettings,
-        ),
-        .testTarget(
-            name: "SSHProtocolKitTests",
-            dependencies: ["SSHProtocolKit"],
-            path: "Sources/Packages/Tests/SSHProtocolKitTests",
-            swiftSettings: swiftSettings,
-        ),
-        .target(
-            name: "Formatters",
-            dependencies: [],
-            path: "Sources/Packages/Sources/Formatters",
-            resources: [localization],
-            swiftSettings: swiftSettings,
-        ),
     ]
 )
 

README.md

@@ -1,11 +1,11 @@
 # Secretive [![Test](https://github.com/maxgoedjen/secretive/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/maxgoedjen/secretive/actions/workflows/test.yml) ![Release](https://github.com/maxgoedjen/secretive/workflows/Release/badge.svg)
 
 
-Secretive is an app for protecting and managing SSH keys with the Secure Enclave.
+Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the [sekey project](https://github.com/sekey/sekey), but rewritten in Swift with no external dependencies and with a handy native management app.
+
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="/.github/readme/app-dark.png">
-  <source media="(prefers-color-scheme: light)" srcset="/.github/readme/app-light.png">
-  <img src="/.github/readme/app-dark.png" alt="Screenshot of Secretive" width="600">
+  <img src="/.github/readme/app-light.png" alt="Screenshot of Secretive" width="600">
 </picture>
 
 
@@ -13,7 +13,7 @@ Secretive is an app for protecting and managing SSH keys with the Secure Enclave
 
 ### Safer Storage
 
-The most common setup for SSH keys is just keeping them on disk, guarded by proper permissions. This is fine in most cases, but it's not super hard for malicious users or malware to copy your private key. If you protect your keys with the Secure Enclave, it's impossible to export them, by design.
+The most common setup for SSH keys is just keeping them on disk, guarded by proper permissions. This is fine in most cases, but it's not super hard for malicious users or malware to copy your private key. If you store your keys in the Secure Enclave, it's impossible to export them, by design.
 
 ### Access Control
 
@@ -53,7 +53,7 @@ Builds are produced by GitHub Actions with an auditable build and release genera
 
 ### A Note Around Code Signing and Keychains
 
-While Secretive uses the Secure Enclave to protect keys, it still relies on Keychain APIs to store and access them. Keychain restricts reads of keys to the app (and specifically, the bundle ID) that created them. If you build Secretive from source, make sure you are consistent in which bundle ID you use so that the Keychain is able to locate your keys.
+While Secretive uses the Secure Enclave for key storage, it still relies on Keychain APIs to access them. Keychain restricts reads of keys to the app (and specifically, the bundle ID) that created them. If you build Secretive from source, make sure you are consistent in which bundle ID you use so that the Keychain is able to locate your keys.
 
 ### Backups and Transfers to New Machines
 
@@ -62,11 +62,3 @@ Because secrets in the Secure Enclave are not exportable, they are not able to b
 ## Security
 
 Secretive's security policy is detailed in [SECURITY.md](SECURITY.md). To report security issues, please use [GitHub's private reporting feature.](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)
-
-## Acknowledgements
-
-### sekey
-Secretive was inspired by the [sekey project](https://github.com/sekey/sekey).
-
-### Localization
-Secretive is localized to many languages by a generous team of volunteers. To learn more, see [LOCALIZING.md](LOCALIZING.md). Secretive's localization workflow is generously provided by [Crowdin](https://crowdin.com).

Sources/Config/Config.xcconfig

@@ -1,8 +1,2 @@
 CI_VERSION = GITHUB_CI_VERSION
 CI_BUILD_NUMBER = GITHUB_BUILD_NUMBER
-CI_BUILD_LINK = GITHUB_BUILD_URL
-
-#include? "OpenSource.xcconfig"
-
-SECRETIVE_BASE_BUNDLE_ID = $(SECRETIVE_BASE_BUNDLE_ID_OSS:default=com.maxgoedjen.Secretive)
-SECRETIVE_DEVELOPMENT_TEAM = $(SECRETIVE_DEVELOPMENT_TEAM_OSS:default=Z72PRUAWF6)

Sources/Packages/Package.swift

@@ -19,30 +19,15 @@ let package = Package(
         .library(
             name: "SmartCardSecretKit",
             targets: ["SmartCardSecretKit"]),
-        .library(
-            name: "CertificateKit",
-            targets: ["CertificateKit"]),
         .library(
             name: "SecretAgentKit",
-            targets: ["SecretAgentKit"]),
-        .library(
-            name: "Formatters",
-            targets: ["Formatters"]),
-        .library(
-            name: "Common",
-            targets: ["Common"]),
-        .library(
-            name: "SharedXPCServices",
-            targets: ["SharedXPCServices"]),
+            targets: ["SecretAgentKit", "XPCWrappers"]),
         .library(
             name: "Brief",
             targets: ["Brief"]),
         .library(
             name: "XPCWrappers",
             targets: ["XPCWrappers"]),
-        .library(
-            name: "SSHProtocolKit",
-            targets: ["SSHProtocolKit"]),
     ],
     dependencies: [
     ],
@@ -55,7 +40,7 @@ let package = Package(
         ),
         .testTarget(
             name: "SecretKitTests",
-            dependencies: ["SecretKit", "SecretAgentKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"],
+            dependencies: ["SecretKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"],
             swiftSettings: swiftSettings,
         ),
         .target(
@@ -70,15 +55,9 @@ let package = Package(
             resources: [localization],
             swiftSettings: swiftSettings,
         ),
-        .target(
-            name: "CertificateKit",
-            dependencies: ["SecretKit", "Formatters"],
-            resources: [localization],
-            swiftSettings: swiftSettings,
-        ),
         .target(
             name: "SecretAgentKit",
-            dependencies: ["SecretKit", "SSHProtocolKit", "CertificateKit", "Common", "Formatters"],
+            dependencies: ["SecretKit"],
             resources: [localization],
             swiftSettings: swiftSettings,
         ),
@@ -86,38 +65,9 @@ let package = Package(
             name: "SecretAgentKitTests",
             dependencies: ["SecretAgentKit"],
         ),
-        .target(
-            name: "SSHProtocolKit",
-            dependencies: ["SecretKit", "CertificateKit"],
-            resources: [localization],
-            swiftSettings: swiftSettings,
-        ),
-        .testTarget(
-            name: "SSHProtocolKitTests",
-            dependencies: ["SSHProtocolKit"],
-            swiftSettings: swiftSettings,
-        ),
-        .target(
-            name: "Formatters",
-            dependencies: [],
-            resources: [localization],
-            swiftSettings: swiftSettings,
-        ),
-        .target(
-            name: "Common",
-            dependencies: ["SSHProtocolKit", "SecretKit"],
-            resources: [localization],
-            swiftSettings: swiftSettings,
-        ),
-        .target(
-            name: "SharedXPCServices",
-            dependencies: ["CertificateKit", "SSHProtocolKit"],
-            resources: [localization],
-            swiftSettings: swiftSettings,
-        ),
         .target(
             name: "Brief",
-            dependencies: ["XPCWrappers", "SSHProtocolKit"],
+            dependencies: ["XPCWrappers"],
             resources: [localization],
             swiftSettings: swiftSettings,
         ),

Sources/Packages/Sources/Brief/Release.swift

@@ -1,8 +1,7 @@
 import Foundation
-import SwiftUI
 
 /// A release is a representation of a downloadable update.
-public struct Release: Codable, Sendable, Hashable {
+public struct Release: Codable, Sendable {
 
     /// The user-facing name of the release. Typically "Secretive 1.2.3"
     public let name: String
@@ -16,8 +15,6 @@ public struct Release: Codable, Sendable, Hashable {
     /// A user-facing description of the contents of the update.
     public let body: String
 
-    public let attributedBody: AttributedString
-
     /// Initializes a Release.
     /// - Parameters:
     ///   - name: The user-facing name of the release.
@@ -29,56 +26,6 @@ public struct Release: Codable, Sendable, Hashable {
         self.prerelease = prerelease
         self.html_url = html_url
         self.body = body
-        self.attributedBody = AttributedString(_markdown: body)
-    }
-
-    public init(_ release: GitHubRelease) {
-        self.name = release.name
-        self.prerelease = release.prerelease
-        self.html_url = release.html_url
-        self.body = release.body
-        self.attributedBody = AttributedString(_markdown: release.body)
-    }
-
-}
-
-public struct GitHubRelease: Codable, Sendable {
-    let name: String
-    let prerelease: Bool
-    let html_url: URL
-    let body: String
-}
-
-fileprivate extension AttributedString {
-
-    init(_markdown markdown: String) {
-        let split = markdown.split(whereSeparator: \.isNewline)
-        let lines = split
-            .compactMap {
-                try? AttributedString(markdown: String($0), options: .init(allowsExtendedAttributes: true, interpretedSyntax: .full))
-            }
-            .map { (string: AttributedString) in
-                guard case let .header(level) = string.runs.first?.presentationIntent?.components.first?.kind else { return string }
-                return AttributedString("\n") + string
-                    .transformingAttributes(\.font) { font in
-                        font.value = switch level {
-                        case 2: .headline.bold()
-                        case 3: .headline
-                        default: .subheadline
-                        }
-                    }
-                    .transformingAttributes(\.underlineStyle) { underline in
-                        underline.value = switch level {
-                        case 2: .single
-                        default: .none
-                        }
-                    }
-                + AttributedString("\n")
-            }
-        self = lines.reduce(into: AttributedString()) { partialResult, next in
-            partialResult.append(next)
-            partialResult.append(AttributedString("\n"))
-        }
     }
 
 }

Sources/Packages/Sources/Brief/Updater.swift

@@ -35,15 +35,13 @@ import XPCWrappers
         self.osVersion = osVersion
         self.currentVersion = currentVersion
         Task {
-            do {
-                if checkOnLaunch {
-                    try await checkForUpdates()
-                }
-                while !Task.isCancelled {
-                    try? await Task.sleep(for: .seconds(Int(checkFrequency)))
-                    try await checkForUpdates()
-                }
-            } catch {}
+            if checkOnLaunch {
+                try await checkForUpdates()
+            }
+            while !Task.isCancelled {
+                try? await Task.sleep(for: .seconds(Int(checkFrequency)))
+                try await checkForUpdates()
+            }
         }
     }
 

Sources/Packages/Sources/CertificateKit/Certificate.swift

@@ -1,24 +0,0 @@
-import Foundation
-import CryptoKit
-import Formatters
-
-@dynamicMemberLookup
-public struct Certificate: Sendable, Codable, Equatable, Hashable, Identifiable, CustomDebugStringConvertible {
-
-    public var openSSHCertificate: OpenSSHCertificate
-    public let rawData: Data
-
-    public init(openSSHCertificate: OpenSSHCertificate, rawData: Data) {
-        self.openSSHCertificate = openSSHCertificate
-        self.rawData = rawData
-    }
-
-    public var id: String { Insecure.MD5.hash(data: rawData).formatted(.hex(separator: "")) }
-
-    public var debugDescription: String { openSSHCertificate.debugDescription }
-
-    public subscript<T>(dynamicMember keyPath: KeyPath<OpenSSHCertificate, T>) -> T {
-        openSSHCertificate[keyPath: keyPath]
-    }
-
-}

Sources/Packages/Sources/CertificateKit/CertificateStore.swift

@@ -1,153 +0,0 @@
-import Foundation
-import Observation
-import Security
-import os
-import SecretKit
-
-@Observable @MainActor public final class CertificateStore: Sendable {
-
-    public private(set) var certificates: [Certificate] = []
-
-    /// Initializes a Store.
-    public init() {
-        loadCertificates()
-        Task {
-            for await note in DistributedNotificationCenter.default().notifications(named: .certificateStoreUpdated) {
-                guard Constants.notificationToken != (note.object as? String) else {
-                    // Don't reload if we're the ones triggering this by reloading.
-                    continue
-                }
-                loadCertificates()
-            }
-        }
-    }
-
-    public func reloadCertificates() {
-        let before = certificates
-        certificates.removeAll()
-        loadCertificates()
-        if certificates != before {
-            NotificationCenter.default.post(name: .certificateStoreReloaded, object: self)
-            DistributedNotificationCenter.default().postNotificationName(.certificateStoreUpdated, object: Constants.notificationToken, deliverImmediately: true)
-        }
-    }
-
-    public func save(certificate: Certificate) throws {
-        let attributes = try JSONEncoder().encode(certificate.openSSHCertificate)
-        let keychainAttributes = KeychainDictionary([
-            kSecClass: Constants.keyClass,
-            kSecAttrService: Constants.keyTag,
-            kSecAttrAccount: certificate.id,
-            kSecUseDataProtectionKeychain: true,
-            kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
-            kSecValueData: certificate.rawData,
-            kSecAttrGeneric: attributes
-        ])
-        let status = SecItemAdd(keychainAttributes, nil)
-        if status != errSecSuccess && status != errSecDuplicateItem {
-            throw KeychainError(statusCode: status)
-        }
-        reloadCertificates()
-    }
-
-    public func delete(certificate: Certificate) throws {
-        let deleteAttributes = KeychainDictionary([
-            kSecClass: Constants.keyClass,
-            kSecAttrService: Constants.keyTag,
-            kSecUseDataProtectionKeychain: true,
-            kSecAttrAccount: certificate.id,
-        ])
-        let status = SecItemDelete(deleteAttributes)
-        if status != errSecSuccess {
-            throw KeychainError(statusCode: status)
-        }
-        reloadCertificates()
-    }
-
-    public func update(certificate: Certificate) throws {
-        let updateQuery = KeychainDictionary([
-            kSecClass: Constants.keyClass,
-            kSecAttrAccount: certificate.id,
-        ])
-
-        let cert = try JSONEncoder().encode(certificate.openSSHCertificate)
-        let updatedAttributes = KeychainDictionary([
-            kSecAttrGeneric: cert,
-        ])
-
-        let status = SecItemUpdate(updateQuery, updatedAttributes)
-        if status != errSecSuccess {
-            throw KeychainError(statusCode: status)
-        }
-        reloadCertificates()
-    }
-
-    public func certificates(for secret: any Secret) -> [Certificate] {
-        certificates.filter { $0.openSSHCertificate.publicKey.data == secret.publicKey }
-    }
-
-
-}
-
-extension CertificateStore {
-
-    /// Loads all certificates from the store.
-    private func loadCertificates() {
-        let queryAttributes = KeychainDictionary([
-            kSecClass: Constants.keyClass,
-            kSecAttrService: Constants.keyTag,
-            kSecUseDataProtectionKeychain: true,
-            kSecReturnData: true,
-            kSecMatchLimit: kSecMatchLimitAll,
-            kSecReturnAttributes: true
-            ])
-        var untyped: CFTypeRef?
-        unsafe SecItemCopyMatching(queryAttributes, &untyped)
-        guard let typed = untyped as? [[CFString: Any]] else { return }
-        let decoder = JSONDecoder()
-        let wrapped: [Certificate] = typed.compactMap {
-            do {
-                guard let data = $0[kSecValueData] as? Data,
-                      let attributesData = $0[kSecAttrGeneric] as? Data else {
-                    throw MissingAttributesError()
-                }
-                return Certificate(openSSHCertificate: try decoder.decode(OpenSSHCertificate.self, from: attributesData), rawData: data)
-            } catch {
-                return nil
-            }
-        }
-            .filter {
-                if let validityRange = $0.validityRange {
-                    validityRange.contains(Date())
-                } else {
-                    true
-                }
-            }
-
-        certificates.append(contentsOf: wrapped)
-    }
-
-    
-}
-
-extension CertificateStore {
-
-    enum Constants {
-        static let keyClass = kSecClassGenericPassword as String
-        static let keyTag = Data("com.maxgoedjen.certificatestore.opensshcertificate".utf8)
-        static let notificationToken = UUID().uuidString
-    }
-    
-    struct UnsupportedAlgorithmError: Error {}
-    struct MissingAttributesError: Error {}
-
-}
-
-extension NSNotification.Name {
-
-    // Distributed notification that keys were modified out of process (ie, that the management tool added/removed certificates)
-    public static let certificateStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.certificateStore.updated")
-    // Internal notification that certificates were reloaded from the backing store.
-    public static let certificateStoreReloaded = NSNotification.Name("com.maxgoedjen.Secretive.certificateStore.reloaded")
-
-}

Sources/Packages/Sources/CertificateKit/OpenSSHCertificate.swift

@@ -1,82 +0,0 @@
-import Foundation
-import Formatters
-
-public struct OpenSSHCertificate: Sendable, Codable, Equatable, Hashable, CustomDebugStringConvertible {
-
-    public var type: CertificateType
-    public var name: String
-    public var data: Data
-
-    public var publicKey: PublicKey
-    public var principals: [String]
-    public var keyID: String
-    public var serial: UInt64
-    public var validityRange: Range<Date>?
-    public var criticalOptions: [String]
-    public var extensions: [String]
-    public var signingKey: PublicKey
-
-    public init(
-        type: OpenSSHCertificate.CertificateType,
-        name: String,
-        data: Data,
-        publicKey: PublicKey,
-        principals: [String],
-        keyID: String,
-        serial: UInt64,
-        validityRange: Range<Date>? = nil,
-        criticalOptions: [String],
-        extensions: [String],
-        signingKey: PublicKey,
-    ) {
-        self.type = type
-        self.name = name
-        self.data = data
-        self.publicKey = publicKey
-        self.principals = principals
-        self.keyID = keyID
-        self.serial = serial
-        self.validityRange = validityRange
-        self.criticalOptions = criticalOptions
-        self.extensions = extensions
-        self.signingKey = signingKey
-    }
-
-    public var debugDescription: String {
-        "OpenSSH Certificate \(name, default: "Unnamed"): \(data.formatted(.hex()))"
-    }
-
-}
-
-extension OpenSSHCertificate {
-
-    public enum CertificateType: String, Sendable, Codable {
-        case ecdsa256 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
-        case ecdsa384 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
-        case nistp521 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
-
-        public var keyIdentifier: String {
-            rawValue.replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
-        }
-
-    }
-
-}
-
-extension OpenSSHCertificate {
-
-    public struct PublicKey: Hashable, Sendable, Codable {
-
-        public let keyType: String
-        public let curveName: String
-        public let data: Data
-
-        public init(keyType: String, curveName: String, data: Data) {
-            self.keyType = keyType
-            self.curveName = curveName
-            self.data = data
-        }
-
-    }
-
-}

Sources/Packages/Sources/Common/URLs.swift

@@ -1,59 +0,0 @@
-import Foundation
-import SSHProtocolKit
-import CertificateKit
-import SecretKit
-
-extension URL {
-
-    public static var agentHomeURL: URL {
-        URL(fileURLWithPath: URL.homeDirectory.path().replacingOccurrences(of: Bundle.hostBundleID, with: Bundle.agentBundleID))
-    }
-
-    public static var socketPath: String {
-        #if DEBUG
-        URL.agentHomeURL.appendingPathComponent("socket-debug.ssh").path()
-        #else
-        URL.agentHomeURL.appendingPathComponent("socket.ssh").path()
-        #endif
-    }
-
-    public static var publicKeyDirectory: URL {
-        agentHomeURL.appending(component: "PublicKeys")
-    }
-
-    public static var certificatesDirectory: URL {
-        agentHomeURL.appending(component: "Certificates")
-    }
-
-    /// The path for a Secret's public key.
-    /// - Parameter secret: The Secret to return the path for.
-    /// - Returns: The path to the Secret's public key.
-    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
-    public static func publicKeyPath<SecretType: Secret>(for secret: SecretType, in directory: URL) -> String {
-        let keyWriter = OpenSSHPublicKeyWriter()
-        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
-        return directory.appending(component: "\(minimalHex).pub").path()
-    }
-
-    /// The path for a certificate.
-    /// - Parameter certificate: The Certificate to return the path for.
-    /// - Returns: The path to the Certificate.
-    /// - Warning: This method returning a path does not imply that a certificate has been written to disk already. This method only describes where it will be written to.
-    public static func certificatePath(for certificateID: String, in directory: URL) -> String {
-        return directory.appending(component: "\(certificateID)-cert.pub").path()
-    }
-
-}
-
-extension String {
-
-    public var normalizedPathAndFolder: (String, String) {
-        // All foundation-based normalization methods replace this with the container directly.
-        let processedPath = replacingOccurrences(of: "~", with: "/Users/\(NSUserName())")
-        let url = URL(filePath: processedPath)
-        let folder = url.deletingLastPathComponent().path()
-        return (processedPath, folder)
-    }
-
-}
-

Sources/Packages/Sources/Formatters/Data+Hex.swift

@@ -1,74 +0,0 @@
-import Foundation
-import CryptoKit
-
-public struct HexDataStyle<SequenceType: Sequence>: Hashable, Codable {
-
-    let separator: String
-
-    public init(separator: String) {
-        self.separator = separator
-    }
-
-}
-
-extension HexDataStyle: FormatStyle where SequenceType.Element == UInt8 {
-
-    public func format(_ value: SequenceType) -> String {
-        value
-            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
-            .joined(separator: separator)
-    }
-
-}
-
-extension FormatStyle where Self == HexDataStyle<Data> {
-
-    public static func hex(separator: String = "") -> HexDataStyle<Data> {
-        HexDataStyle(separator: separator)
-    }
-
-}
-
-extension FormatStyle where Self == HexDataStyle<Insecure.MD5Digest> {
-
-    public static func hex(separator: String = ":") -> HexDataStyle<Insecure.MD5Digest> {
-        HexDataStyle(separator: separator)
-    }
-
-}
-
-public struct Base64DataStyle<SequenceType: Sequence>: Hashable, Codable {
-
-    private let stripPadding: Bool
-
-    public init(stripPadding: Bool) {
-        self.stripPadding = stripPadding
-    }
-
-}
-
-extension Base64DataStyle: FormatStyle where SequenceType.Element == UInt8 {
-
-    public func format(_ value: SequenceType) -> String {
-        let base64 = Data(value).base64EncodedString()
-        let paddingRange = base64.index(base64.endIndex, offsetBy: -2)..<base64.endIndex
-        return base64.replacingOccurrences(of: "=", with: "", range: paddingRange)
-    }
-
-}
-
-extension FormatStyle where Self == Base64DataStyle<Data> {
-
-    public static func base64(stripPadding: Bool) -> Base64DataStyle<Data> {
-        Base64DataStyle(stripPadding: stripPadding)
-    }
-
-}
-
-extension FormatStyle where Self == Base64DataStyle<SHA256.Digest> {
-
-    public static func base64(stripPadding: Bool) -> Base64DataStyle<SHA256.Digest> {
-        Base64DataStyle(stripPadding: stripPadding)
-    }
-
-}

Sources/Packages/Sources/SSHProtocolKit/OpenSSHCertficateWriter.swift

@@ -1,30 +0,0 @@
-import Foundation
-import CryptoKit
-import CertificateKit
-import Formatters
-
-/// Generates OpenSSH representations of Certificates.
-public struct OpenSSHCertificateWriter: Sendable {
-
-    /// Initializes the writer.
-    public init() {
-    }
-
-    /// Generates an OpenSSH data payload identifying the certificate.
-    /// - Returns: OpenSSH data payload identifying the certificate.
-    public func data(publicKey: OpenSSHCertificate.PublicKey) -> Data {
-        // https://datatracker.ietf.org/doc/html/rfc5656#section-3.1
-        publicKey.keyType.lengthAndData +
-        publicKey.curveName.lengthAndData +
-        publicKey.data.lengthAndData
-    }
-
-    /// Generates an OpenSSH SHA256 fingerprint string.
-    /// - Returns: OpenSSH SHA256 fingerprint string.
-    public func openSSHSHA256KeyFingerprint(publicKey: OpenSSHCertificate.PublicKey) -> String {
-        // OpenSSL format seems to strip the padding at the end.
-        let cleaned = SHA256.hash(data: data(publicKey: publicKey)).formatted(.base64(stripPadding: true))
-        return "SHA256:\(cleaned)"
-    }
-
-}

Sources/Packages/Sources/SSHProtocolKit/OpenSSHCertificateParser.swift

@@ -1,95 +0,0 @@
-import Foundation
-import CertificateKit
-
-public protocol OpenSSHCertificateParserProtocol {
-    func parse(data: Data) async throws -> OpenSSHCertificate
-}
-
-public struct OpenSSHCertificateParser: OpenSSHCertificateParserProtocol, Sendable {
-
-    public init() {
-        assert(Bundle.main.bundleURL.pathExtension == "xpc" || ProcessInfo.processInfo.processName == "xctest", "Potentially unsafe parsing code should run in an XPC service")
-    }
-
-    public func parse(data: Data) throws(OpenSSHCertificateError) -> OpenSSHCertificate {
-        let string = String(decoding: data, as: UTF8.self)
-        var elements = string
-            .trimmingCharacters(in: .whitespacesAndNewlines)
-            .components(separatedBy: " ")
-        guard elements.count >= 2 else {
-            throw OpenSSHCertificateError.parsingFailed
-        }
-        let typeString = elements.removeFirst()
-        guard let type = OpenSSHCertificate.CertificateType(rawValue: typeString) else { throw .unsupportedType }
-        let encodedKey = elements.removeFirst()
-        guard let decoded = Data(base64Encoded: encodedKey)  else {
-            throw OpenSSHCertificateError.parsingFailed
-        }
-        let comment = elements.first
-        do {
-            let dataParser = OpenSSHReader(data: decoded)
-            let publicKeyType = try dataParser.readNextChunkAsString() // Theoretically the same as typeString, but
-                .replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
-            _ = try dataParser.readNextChunk() // Nonce
-            let publicKeyCurveName = try dataParser.readNextChunkAsString()
-            let publicKeyData = try dataParser.readNextChunk()
-            let publicKey = OpenSSHCertificate.PublicKey(keyType: publicKeyType, curveName: publicKeyCurveName, data: publicKeyData)
-            let serialNumber = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
-            let role = try dataParser.readNextBytes(as: UInt32.self, convertEndianness: true)
-            _ = role
-            let keyIdentifier = try dataParser.readNextChunkAsString()
-            let principalsReader = try dataParser.readNextChunkAsSubReader()
-            var principals: [String] = []
-            while !principalsReader.done {
-                try principals.append(principalsReader.readNextChunkAsString())
-            }
-            let validAfter = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
-            let validBefore = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
-            let validityRange = Date(timeIntervalSince1970: TimeInterval(validAfter))..<Date(timeIntervalSince1970: TimeInterval(validBefore))
-            let criticalOptionsReader = try dataParser.readNextChunkAsSubReader()
-            var criticalOptions: [String] = []
-            while !criticalOptionsReader.done {
-                let next = try criticalOptionsReader.readNextChunkAsString()
-                if !next.isEmpty {
-                    criticalOptions.append(next)
-                }
-            }
-            let extensionsReader = try dataParser.readNextChunkAsSubReader()
-            var extensions: [String] = []
-            while !extensionsReader.done {
-                let next = try extensionsReader.readNextChunkAsString()
-                if !next.isEmpty {
-                    extensions.append(next)
-                }
-            }
-            _ = try dataParser.readNextChunk() // reserved
-            let signingKeyReader = try dataParser.readNextChunkAsSubReader()
-            let signingKeyType = try signingKeyReader.readNextChunkAsString()
-            let signingKeyCurveName = try signingKeyReader.readNextChunkAsString()
-            let signingKeyData = try signingKeyReader.readNextChunk()
-            let signingKey = OpenSSHCertificate.PublicKey(keyType: signingKeyType, curveName: signingKeyCurveName, data: signingKeyData)
-
-            return OpenSSHCertificate(
-                type: type,
-                name: comment ?? keyIdentifier,
-                data: decoded,
-                publicKey: publicKey,
-                principals: principals,
-                keyID: keyIdentifier,
-                serial: serialNumber,
-                validityRange: validityRange,
-                criticalOptions: criticalOptions,
-                extensions: extensions,
-                signingKey: signingKey,
-            )
-        } catch {
-            throw .parsingFailed
-        }
-    }
-
-}
-
-public enum OpenSSHCertificateError: Error, Codable {
-    case unsupportedType
-    case parsingFailed
-}

Sources/Packages/Sources/SecretAgentKit/Agent.swift

@@ -2,36 +2,29 @@ import Foundation
 import CryptoKit
 import OSLog
 import SecretKit
-import CertificateKit
 import AppKit
-import SSHProtocolKit
 
 /// The `Agent` is an implementation of an SSH agent. It manages coordination and access between a socket, traces requests, notifies witnesses and passes requests to stores.
 public final class Agent: Sendable {
 
     private let storeList: SecretStoreList
-    private let authenticationHandler: AuthenticationHandler
-    private let certificateStore: CertificateStore
     private let witness: SigningWitness?
     private let publicKeyWriter = OpenSSHPublicKeyWriter()
     private let signatureWriter = OpenSSHSignatureWriter()
+    private let certificateHandler = OpenSSHCertificateHandler()
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
 
     /// Initializes an agent with a store list and a witness.
     /// - Parameters:
     ///   - storeList: The `SecretStoreList` to make available.
     ///   - witness: A witness to notify of requests.
-    public init(
-        storeList: SecretStoreList,
-        certificateStore: CertificateStore,
-        authenticationHandler: AuthenticationHandler,
-        witness: SigningWitness? = nil
-    ) {
+    public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
         logger.debug("Agent is running")
         self.storeList = storeList
-        self.certificateStore = certificateStore
-        self.authenticationHandler = authenticationHandler
         self.witness = witness
+        Task { @MainActor in
+            await certificateHandler.reloadCertificates(for: storeList.allSecrets)
+        }
     }
     
 }
@@ -54,7 +47,6 @@ extension Agent {
                 logger.debug("Agent returned \(SSHAgent.Response.agentSignResponse.debugDescription)")
             case .unknown(let value):
                 logger.error("Agent received unknown request of type \(value).")
-                throw UnhandledRequestError()
             default:
                 logger.debug("Agent received valid request of type \(request.debugDescription), but not currently supported.")
                 throw UnhandledRequestError()
@@ -74,6 +66,7 @@ extension Agent {
     /// - Returns: An OpenSSH formatted Data payload listing the identities available for signing operations.
     func identities() async -> Data {
         let secrets = await storeList.allSecrets
+        await certificateHandler.reloadCertificates(for: secrets)
         var count = 0
         var keyData = Data()
 
@@ -82,9 +75,10 @@ extension Agent {
             keyData.append(keyBlob.lengthAndData)
             keyData.append(publicKeyWriter.comment(secret: secret).lengthAndData)
             count += 1
-            for certificate in await certificateStore.certificates(for: secret) {
-                keyData.append(certificate.data.lengthAndData)
-                keyData.append(certificate.name.lengthAndData)
+
+            if let (certificateData, name) = try? await certificateHandler.keyBlobAndName(for: secret) {
+                keyData.append(certificateData.lengthAndData)
+                keyData.append(name.lengthAndData)
                 count += 1
             }
         }
@@ -101,57 +95,20 @@ extension Agent {
     /// - Returns: An OpenSSH formatted Data payload containing the signed data response.
     func sign(data: Data, keyBlob: Data, provenance: SigningRequestProvenance) async throws -> Data {
         guard let (secret, store) = await secret(matching: keyBlob) else {
-            let keyBlobHex = keyBlob.formatted(.hex())
+            let keyBlobHex = keyBlob.compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }.joined()
             logger.debug("Agent did not have a key matching \(keyBlobHex)")
             throw NoMatchingKeyError()
         }
 
-        logger.debug("Agent offering witness chance to object")
-        do {
-            try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
-        } catch {
-            logger.debug("Witness objected")
-            throw error
-        }
-        logger.debug("Witness did not object")
+        try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
 
-        if secret.authenticationRequirement.required {
-            // Slow path, may block or suggest batching.
-            return try await signWithRequiredAuthentication(data: data, store: store, secret: secret, provenance: provenance)
-        } else {
-            // Fast path, no blocking/enqueing required
-            return try await signWithoutRequiredAuthentication(data: data, store: store, secret: secret, provenance: provenance)
-        }
-    }
-
-    func signWithoutRequiredAuthentication(data: Data, store: AnySecretStore, secret: AnySecret, provenance: SigningRequestProvenance) async throws -> Data {
-        let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance, context: nil)
+        let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance)
         let signedData = signatureWriter.data(secret: secret, signature: rawRepresentation)
-        try await witness?.witness(accessTo: secret, from: store, by: provenance, offerPersistence: false)
+
+        try await witness?.witness(accessTo: secret, from: store, by: provenance)
+
         logger.debug("Agent signed request")
-        return signedData
-    }
 
-    func signWithRequiredAuthentication(data: Data, store: AnySecretStore, secret: AnySecret, provenance: SigningRequestProvenance) async throws -> Data {
-//        let context: any AuthenticationContextProtocol
-//        let offerPersistence: Bool
-//        if let existing = await authenticationHandler.existingAuthenticationContextProtocol(for: SignatureRequest(secret: secret, provenance: provenance)) {
-//            context = existing
-//            offerPersistence = false
-//            logger.debug("Using existing auth context")
-//        } else {
-//            context = authenticationHandler.createAuthenticationContext(for: SignatureRequest(secret: secret, provenance: provenance))
-//            offerPersistence = secret.authenticationRequirement.required
-//            logger.debug("Creating fresh auth context")
-//        }
-
-
-
-        let context = try await authenticationHandler.waitForAuthentication(for: SignatureRequest(secret: secret, provenance: provenance))
-        let result = try await store.sign(data: data, with: secret, for: provenance, context: context.laContext)
-        let signedData = signatureWriter.data(secret: secret, signature: result)
-        try await witness?.witness(accessTo: secret, from: store, by: provenance, offerPersistence: false) // FIXME: THIS
-        logger.debug("Agent signed request")
         return signedData
     }
 

Sources/Packages/Sources/SecretAgentKit/AuthenticationHandler.swift

@@ -1,185 +0,0 @@
-@unsafe @preconcurrency import LocalAuthentication
-import SecretKit
-import OSLog
-
-/// A context describing a persisted authentication.
-public final class AuthenticationContext: AuthenticationContextProtocol {
-
-    /// The Secret to persist authentication for.
-    public let secret: AnySecret
-    /// The LAContext used to authorize the persistent context.
-    public let laContext: LAContext
-
-    enum Validity {
-        /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
-        case time(monotonicExpiration: UInt64)
-        case requestIDs(Set<UUID>)
-        case exclusive(UUID)
-    }
-
-    let validity: Validity
-
-    /// Initializes a context.
-    /// - Parameters:
-    ///   - secret: The Secret to persist authentication for.
-    ///   - context: The LAContext used to authorize the persistent context.
-    ///   - duration: The duration of the authorization context, in seconds.
-    init<SecretType: Secret>(secret: SecretType, context: LAContext, duration: TimeInterval) {
-        self.secret = AnySecret(secret)
-        self.laContext = context
-        let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
-        self.validity = .time(monotonicExpiration: clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds))
-    }
-
-    init<SecretType: Secret>(secret: SecretType, context: LAContext, requestIDs: Set<UUID>) {
-        self.secret = AnySecret(secret)
-        self.laContext = context
-        self.validity = .requestIDs(requestIDs)
-    }
-
-    init<SecretType: Secret>(secret: SecretType, context: LAContext, requestID: UUID) {
-        self.secret = AnySecret(secret)
-        self.laContext = context
-        self.validity = .exclusive(requestID)
-    }
-
-    /// A boolean describing whether or not the context is still valid.
-    public func valid(for request: SignatureRequest) -> Bool {
-        switch validity {
-        case .time(let monotonicExpiration):
-            clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
-        case .requestIDs(let set):
-            set.contains(request.id)
-        case .exclusive(let id):
-            id == request.id
-        }
-    }
-
-}
-
-public actor AuthenticationHandler {
-
-    private var persistedContexts: [AnySecret: AuthenticationContext] = [:]
-    private var holdingRequests: Set<SignatureRequest> = []
-    private var activeTask: Task<Void, any Error>?
-
-    private var lastBatchAuthPresentation: Set<SignatureRequest>?
-    private var presentBatchAuth: (([[SignatureRequest]], @escaping @Sendable (Set<SignatureRequest>) async throws -> Void) async throws -> Void)?
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
-
-    public init() {
-    }
-
-    public func setBatchAuthHandler(_ handler: @escaping (@Sendable ([[SignatureRequest]], @escaping @Sendable (Set<SignatureRequest>) async throws -> Void) async throws -> Void)) {
-        self.presentBatchAuth = handler
-    }
-
-    public func waitForAuthentication(for request: SignatureRequest) async throws -> any AuthenticationContextProtocol {
-        logger.log("Entering waitForAuthentication for \(request.id)")
-        if let existing = existingAuthenticationContext(for: request) {
-            logger.log("Short circuiting wait, existing valid context already exists.")
-            return existing
-        }
-        holdingRequests.insert(request)
-        logger.log("Waiting for authentication for \(request.id)")
-        defer {
-            logger.log("Removed hold for \(request.id)")
-            holdingRequests.remove(request)
-        }
-        while holdingRequests.count > 1 {
-            if hasBatchableRequests, holdingRequests != lastBatchAuthPresentation {
-                logger.log("Batchable requests exist, cancelling existing auth prompt")
-                activeTask?.cancel()
-                lastBatchAuthPresentation = holdingRequests
-                logger.log("Requesting batch auth presentation")
-                try await presentBatchAuth?(batchableRequests, persistAuthentication(for:))
-                logger.log("Requested batch auth presentation")
-            }
-            if let preauthorized = existingAuthenticationContext(for: request) {
-                logger.log("Batch auth context found, proceededing with preauthorized context")
-                return preauthorized
-            } else {
-                logger.log("Waiting for batch request handling")
-            }
-            try await Task.sleep(for: .milliseconds(100))
-        }
-        let laContext = LAContext()
-        laContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: request.provenance.origin.displayName, secretName: request.secret.name))
-        laContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
-        let context = AuthenticationContext(secret: request.secret, context: laContext, requestID: request.id)
-
-        activeTask = Task {
-            logger.log("Beginning individual auth prompt")
-            try await Task.sleep(for: .seconds(1000))
-//            _ = try? await laContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: laContext.localizedReason)
-            logger.log("Ended individual auth prompt")
-        }
-        _ = try await activeTask?.value
-        // TODO: Check something beyond cancellation? id?
-        // Is this okay? Do we always assume that a cancelled task will be the proceeded on?
-        if activeTask?.isCancelled ?? false {
-            logger.log("Auth prompt was cancelled, waiting for explicit auth")
-            // If we explicitly cancelled the task, hang on until we auth it.
-            while true {
-                if let preauthorized = existingAuthenticationContext(for: request) {
-                    logger.log("Explicit auth context found")
-                    return preauthorized
-                }
-                try await Task.sleep(for: .milliseconds(100))
-            }
-        }
-        return context
-    }
-
-    private var batchableRequests: [[SignatureRequest]] {
-        holdingRequests.reduce(into: [:]) { partialResult, next in
-            partialResult[next.batchID, default: []].append(next)
-        }
-        .values
-        .map { $0.sorted() }
-    }
-
-    private var hasBatchableRequests: Bool {
-        guard presentBatchAuth != nil else { return false }
-        return batchableRequests.count < holdingRequests.count
-    }
-
-    private func existingAuthenticationContext(for request: SignatureRequest) -> (any AuthenticationContextProtocol)? {
-        guard let persisted = persistedContexts[request.secret], persisted.valid(for: request) else { return nil }
-        return persisted
-    }
-
-    public func persistAuthentication<SecretType: Secret>(secret: SecretType, forDuration duration: TimeInterval) async throws {
-        let newContext = LAContext()
-        newContext.touchIDAuthenticationAllowableReuseDuration = duration
-        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
-
-        let formatter = DateComponentsFormatter()
-        formatter.unitsStyle = .spellOut
-        formatter.allowedUnits = [.hour, .minute, .day]
-
-
-        let durationString = formatter.string(from: duration)!
-        newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
-        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
-        guard success else { return }
-        let context = AuthenticationContext(secret: secret, context: newContext, duration: duration)
-        persistedContexts[AnySecret(secret)] = context
-    }
-
-    private func persistAuthentication(for requests: Set<SignatureRequest>) async throws {
-        activeTask?.cancel()
-        guard let first = requests.first else { return }
-        let newContext = LAContext()
-        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
-
-        newContext.localizedReason = String("Multiple")
-//        newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
-        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
-        guard success else { return }
-        let context = AuthenticationContext(secret: first.secret, context: newContext, requestIDs: Set(requests.map(\.id)))
-        persistedContexts[AnySecret(first.secret)] = context
-    }
-
-}
-

Sources/Packages/Sources/SecretAgentKit/OpenSSHCertificateHandler.swift

@@ -0,0 +1,88 @@
+import Foundation
+import OSLog
+import SecretKit
+
+/// Manages storage and lookup for OpenSSH certificates.
+public actor OpenSSHCertificateHandler: Sendable {
+
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.homeDirectory)
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "OpenSSHCertificateHandler")
+    private let writer = OpenSSHPublicKeyWriter()
+    private var keyBlobsAndNames: [AnySecret: (Data, Data)] = [:]
+
+    /// Initializes an OpenSSHCertificateHandler.
+    public init() {
+    }
+
+    /// Reloads any certificates in the PublicKeys folder.
+    /// - Parameter secrets: the secrets to look up corresponding certificates for.
+    public func reloadCertificates(for secrets: [AnySecret]) {
+        guard publicKeyFileStoreController.hasAnyCertificates else {
+            logger.log("No certificates, short circuiting")
+            return
+        }
+        keyBlobsAndNames = secrets.reduce(into: [:]) { partialResult, next in
+            partialResult[next] = try? loadKeyblobAndName(for: next)
+        }
+    }
+
+    /// Attempts to find an OpenSSH Certificate  that corresponds to a ``Secret``
+    /// - Parameter secret: The secret to search for a certificate with
+    /// - Returns: A (``Data``, ``Data``) tuple containing the certificate and certificate name, respectively.
+    public func keyBlobAndName<SecretType: Secret>(for secret: SecretType) throws -> (Data, Data)? {
+        keyBlobsAndNames[AnySecret(secret)]
+    }
+    
+    /// Attempts to find an OpenSSH Certificate  that corresponds to a ``Secret``
+    /// - Parameter secret: The secret to search for a certificate with
+    /// - Returns: A (``Data``, ``Data``) tuple containing the certificate and certificate name, respectively.
+    private func loadKeyblobAndName<SecretType: Secret>(for secret: SecretType) throws -> (Data, Data)? {
+        let certificatePath = publicKeyFileStoreController.sshCertificatePath(for: secret)
+        guard FileManager.default.fileExists(atPath: certificatePath) else {
+            return nil
+        }
+
+        logger.debug("Found certificate for \(secret.name)")
+        let certContent = try String(contentsOfFile:certificatePath, encoding: .utf8)
+        let certElements = certContent.trimmingCharacters(in: .whitespacesAndNewlines).components(separatedBy: " ")
+
+        guard certElements.count >= 2 else {
+            logger.warning("Certificate found for \(secret.name) but failed to load")
+            throw OpenSSHCertificateError.parsingFailed
+        }
+        guard let certDecoded = Data(base64Encoded: certElements[1] as String)  else {
+            logger.warning("Certificate found for \(secret.name) but failed to decode base64 key")
+            throw OpenSSHCertificateError.parsingFailed
+        }
+
+        if certElements.count >= 3 {
+            let certName = Data(certElements[2].utf8)
+            return (certDecoded, certName)
+        }
+        let certName = Data(secret.name.utf8)
+        logger.info("Certificate for \(secret.name) does not have a name tag, using secret name instead")
+        return (certDecoded, certName)
+    }
+
+}
+
+extension OpenSSHCertificateHandler {
+
+    enum OpenSSHCertificateError: LocalizedError {
+        case unsupportedType
+        case parsingFailed
+        case doesNotExist
+
+        public var errorDescription: String? {
+            switch self {
+            case .unsupportedType:
+                return "The key type was unsupported"
+            case .parsingFailed:
+                return "Failed to properly parse the SSH certificate"
+            case .doesNotExist:
+                return "Certificate does not exist"
+            }
+        }
+    }
+
+}

Sources/Packages/Sources/SecretAgentKit/OpenSSHReader.swift

@@ -1,52 +1,42 @@
 import Foundation
 
 /// Reads OpenSSH protocol data.
-public final class OpenSSHReader {
+final class OpenSSHReader {
 
     var remaining: Data
-    var done = false
 
     /// Initialize the reader with an OpenSSH data payload.
     /// - Parameter data: The data to read.
-    public init(data: Data) {
+    init(data: Data) {
         remaining = Data(data)
-        if remaining.count == 0 {
-            done = true
-        }
     }
 
     /// Reads the next chunk of data from the playload.
     /// - Returns: The next chunk of data.
-    public func readNextChunk(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> Data {
-        let length = try readNextBytes(as: UInt32.self, convertEndianness: convertEndianness)
+    func readNextChunk(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> Data {
+        let littleEndianLength = try readNextBytes(as: UInt32.self)
+        let length = convertEndianness ? Int(littleEndianLength.bigEndian) : Int(littleEndianLength)
         guard remaining.count >= length else { throw .beyondBounds }
-        let dataRange = 0..<Int(length)
+        let dataRange = 0..<length
         let ret = Data(remaining[dataRange])
         remaining.removeSubrange(dataRange)
-        if remaining.isEmpty {
-            done = true
-        }
         return ret
     }
 
-    public func readNextBytes<T: FixedWidthInteger>(as: T.Type, convertEndianness: Bool = true) throws(OpenSSHReaderError) -> T {
+    func readNextBytes<T>(as: T.Type) throws(OpenSSHReaderError) -> T {
         let size = MemoryLayout<T>.size
         guard remaining.count >= size else { throw .beyondBounds }
         let lengthRange = 0..<size
         let lengthChunk = remaining[lengthRange]
         remaining.removeSubrange(lengthRange)
-        if remaining.isEmpty {
-            done = true
-        }
-        let value = unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
-        return convertEndianness ? T(value.bigEndian) : T(value)
+        return unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
     }
 
-    public func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {
+    func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {
         try String(decoding: readNextChunk(convertEndianness: convertEndianness), as: UTF8.self)
     }
 
-    public func readNextChunkAsSubReader(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> OpenSSHReader {
+    func readNextChunkAsSubReader(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> OpenSSHReader {
         OpenSSHReader(data: try readNextChunk(convertEndianness: convertEndianness))
     }
 

Sources/Packages/Sources/SecretAgentKit/PublicKeyStandinFileController.swift

@@ -1,83 +0,0 @@
-import Foundation
-import OSLog
-import SecretKit
-import SSHProtocolKit
-import CertificateKit
-import Common
-
-/// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
-public final class PublicKeyFileStoreController: Sendable {
-
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "PublicKeyFileStoreController")
-    private let publicKeysURL: URL
-    private let certificatesURL: URL
-    private let keyWriter = OpenSSHPublicKeyWriter()
-
-    /// Initializes a PublicKeyFileStoreController.
-    public init(publicKeysURL: URL, certificatesURL: URL) {
-        self.publicKeysURL = publicKeysURL
-        self.certificatesURL = certificatesURL
-    }
-
-    /// Writes out the keys specified to disk.
-    /// - Parameter secrets: The Secrets to generate keys for.
-    /// - Parameter clear: Whether or not any untracked files in the directory should be removed.
-    public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
-        logger.log("Writing public keys to disk")
-        if clear {
-            let validPaths = Set(secrets.map { URL.publicKeyPath(for: $0, in: publicKeysURL) })
-                .union(Set(secrets.map { legacySSHCertificatePath(for: $0) }))
-            let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: publicKeysURL.path())) ?? []
-            let fullPathContents = contentsOfDirectory.map { publicKeysURL.appending(path: $0).path() }
-
-            let untracked = Set(fullPathContents)
-                .subtracting(validPaths)
-            for path in untracked {
-                // string instead of fileURLWithPath since we're already using fileURL format.
-                try? FileManager.default.removeItem(at: URL(string: path)!)
-            }
-        }
-        try? FileManager.default.createDirectory(at: publicKeysURL, withIntermediateDirectories: false, attributes: nil)
-        for secret in secrets {
-            let path = URL.publicKeyPath(for: secret, in: publicKeysURL)
-            let data = Data(keyWriter.openSSHString(secret: secret).utf8)
-            FileManager.default.createFile(atPath: path, contents: data, attributes: nil)
-        }
-        logger.log("Finished writing public keys")
-    }
-
-    /// Writes out the certificates specified to disk.
-    /// - Parameter certificates: The Secrets to generate keys for.
-    /// - Parameter clear: Whether or not any untracked files in the directory should be removed.
-    public func generateCertificates(for certificates: [Certificate], clear: Bool = false) throws {
-        logger.log("Writing certificates to disk")
-        if clear {
-            let validPaths = Set(certificates.map { URL.certificatePath(for: $0.id, in: certificatesURL) })
-            let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: certificatesURL.path())) ?? []
-            let fullPathContents = contentsOfDirectory.map { certificatesURL.appending(path: $0).path() }
-
-            let untracked = Set(fullPathContents)
-                .subtracting(validPaths)
-            for path in untracked {
-                // string instead of fileURLWithPath since we're already using fileURL format.
-                try? FileManager.default.removeItem(at: URL(string: path)!)
-            }
-        }
-        try? FileManager.default.createDirectory(at: certificatesURL, withIntermediateDirectories: false, attributes: nil)
-        for certificate in certificates {
-            let path = URL.certificatePath(for: certificate.id, in: certificatesURL)
-            FileManager.default.createFile(atPath: path, contents: certificate.rawData, attributes: nil)
-        }
-        logger.log("Finished writing certificates")
-    }
-
-    /// The path for a Secret's SSH Certificate public key.
-    /// - Parameter secret: The Secret to return the path for.
-    /// - Returns: The path to the SSH Certificate public key.
-    /// - Warning: This method returning a path does not imply that a key has a SSH certificates. This method only describes where it will be.
-    private func legacySSHCertificatePath<SecretType: Secret>(for secret: SecretType) -> String {
-        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
-        return publicKeysURL.appending(component: "\(minimalHex).pub").path()
-    }
-
-}

Sources/Packages/Sources/SecretAgentKit/SSHAgentInputParser.swift

@@ -1,7 +1,6 @@
 import Foundation
 import OSLog
 import SecretKit
-import CertificateKit
 
 public protocol SSHAgentInputParserProtocol {
 
@@ -14,7 +13,7 @@ public struct SSHAgentInputParser: SSHAgentInputParserProtocol {
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "InputParser")
 
     public init() {
-        assert(Bundle.main.bundleURL.pathExtension == "xpc" || ProcessInfo.processInfo.processName == "xctest", "Potentially unsafe parsing code should run in an XPC service")
+        
     }
 
     public func parse(data: Data) throws(AgentParsingError) -> SSHAgent.Request {
@@ -75,16 +74,21 @@ extension SSHAgentInputParser {
     func certificatePublicKeyBlob(from hash: Data) -> Data? {
         let reader = OpenSSHReader(data: hash)
         do {
-            let certType = try reader.readNextChunkAsString()
-            guard let certType = OpenSSHCertificate.CertificateType(rawValue: certType) else { return nil }
-            _ = try reader.readNextChunk() // nonce
-            let curveIdentifier = try reader.readNextChunk()
-            let publicKey = try reader.readNextChunk()
-            let openSSHIdentifier = certType.keyIdentifier
-            return openSSHIdentifier.lengthAndData +
-            curveIdentifier.lengthAndData +
+            let certType = String(decoding: try reader.readNextChunk(), as: UTF8.self)
+            switch certType {
+            case "ecdsa-sha2-nistp256-cert-v01@openssh.com",
+                "ecdsa-sha2-nistp384-cert-v01@openssh.com",
+                "ecdsa-sha2-nistp521-cert-v01@openssh.com":
+                _ = try reader.readNextChunk() // nonce
+                let curveIdentifier = try reader.readNextChunk()
+                let publicKey = try reader.readNextChunk()
+                let openSSHIdentifier = certType.replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
+                return openSSHIdentifier.lengthAndData +
+                curveIdentifier.lengthAndData +
                 publicKey.lengthAndData
-            
+            default:
+                return nil
+            }
         } catch {
             return nil
         }

Sources/Packages/Sources/SecretAgentKit/SigningRequestTracer.swift

@@ -36,7 +36,7 @@ extension SigningRequestTracer {
     /// - Parameter pid: The process ID to look up.
     /// - Returns: A ``SecretKit.SigningRequestProvenance.Process`` describing the process.
     func process(from pid: Int32) -> SigningRequestProvenance.Process {
-        var pidAndNameInfo = unsafe self.pidAndNameInfo(from: pid)
+        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
         let ppid = unsafe pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
         let procName = unsafe withUnsafeMutablePointer(to: &pidAndNameInfo.kp_proc.p_comm.0) { pointer in
             unsafe String(cString: pointer)

Sources/Packages/Sources/SecretAgentKit/SigningWitness.swift

@@ -17,6 +17,6 @@ public protocol SigningWitness: Sendable {
     ///   - secret: The `Secret` that will was used to sign the request.
     ///   - store: The `Store` that signed the request..
     ///   - provenance: A `SigningRequestProvenance` object describing the origin of the request.
-    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, offerPersistence: Bool) async throws
+    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws
 
 }

Sources/Packages/Sources/SecretAgentKit/SocketController.swift

@@ -36,21 +36,16 @@ public struct SocketController {
         logger.debug("Socket controller path is clear")
         port = SocketPort(path: path)
         fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
-        Task { @MainActor [fileHandle, sessionsContinuation, logger] in
-            // Create the sequence before triggering the notification to
-            // ensure it will not be missed.
-            let connectionAcceptedNotifications = NotificationCenter.default.notifications(named: .NSFileHandleConnectionAccepted, object: fileHandle)
-
-            fileHandle.acceptConnectionInBackgroundAndNotify()
-
-            for await notification in connectionAcceptedNotifications {
+        Task { [fileHandle, sessionsContinuation, logger] in
+            for await notification in NotificationCenter.default.notifications(named: .NSFileHandleConnectionAccepted) {
                 logger.debug("Socket controller accepted connection")
                 guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { continue }
                 let session = Session(fileHandle: new)
                 sessionsContinuation.yield(session)
-                fileHandle.acceptConnectionInBackgroundAndNotify()
+                await fileHandle.acceptConnectionInBackgroundAndNotifyOnMainActor()
             }
         }
+        fileHandle.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.Mode.common])
         logger.debug("Socket listening at \(path)")
     }
 
@@ -82,32 +77,29 @@ extension SocketController {
             self.fileHandle = fileHandle
             provenance = SigningRequestTracer().provenance(from: fileHandle)
             (messages, messagesContinuation) = AsyncStream.makeStream()
-            Task { @MainActor [messagesContinuation, logger] in
-                // Create the sequence before triggering the notification to
-                // ensure it will not be missed.
-                let dataAvailableNotifications = NotificationCenter.default.notifications(named: .NSFileHandleDataAvailable, object: fileHandle)
-
-                fileHandle.waitForDataInBackgroundAndNotify()
-
-                for await _ in dataAvailableNotifications {
+            Task { [messagesContinuation, logger] in
+                for await _ in NotificationCenter.default.notifications(named: .NSFileHandleDataAvailable, object: fileHandle) {
                     let data = fileHandle.availableData
                     guard !data.isEmpty else {
                         logger.debug("Socket controller received empty data, ending continuation.")
                         messagesContinuation.finish()
-                        try? fileHandle.close()
+                        try fileHandle.close()
                         return
                     }
                     messagesContinuation.yield(data)
                     logger.debug("Socket controller yielded data.")
                 }
             }
+            Task {
+                await fileHandle.waitForDataInBackgroundAndNotifyOnMainActor()
+            }
         }
         
         /// Writes new data to the socket.
         /// - Parameter data: The data to write.
-        @MainActor public func write(_ data: Data) throws {
-          try fileHandle.write(contentsOf: data)
-          fileHandle.waitForDataInBackgroundAndNotify()
+        public func write(_ data: Data) async throws {
+            try fileHandle.write(contentsOf: data)
+            await fileHandle.waitForDataInBackgroundAndNotifyOnMainActor()
         }
         
         /// Closes the socket and cleans up resources.
@@ -121,13 +113,29 @@ extension SocketController {
 
 }
 
+private extension FileHandle {
+
+    /// Ensures waitForDataInBackgroundAndNotify will be called on the main actor.
+    @MainActor func waitForDataInBackgroundAndNotifyOnMainActor() {
+        waitForDataInBackgroundAndNotify()
+    }
+
+
+    /// Ensures acceptConnectionInBackgroundAndNotify will be called on the main actor.
+    /// - Parameter modes: the runloop modes to use.
+    @MainActor func acceptConnectionInBackgroundAndNotifyOnMainActor(forModes modes: [RunLoop.Mode]? = [RunLoop.Mode.common]) {
+        acceptConnectionInBackgroundAndNotify(forModes: modes)
+    }
+
+}
+
 private extension SocketPort {
 
     convenience init(path: String) {
         var addr = sockaddr_un()
 
-        let length = withUnsafeMutablePointer(to: &addr.sun_path.0) { pointer in
-            path.withCString { cstring in
+        let length = unsafe withUnsafeMutablePointer(to: &addr.sun_path.0) { pointer in
+            unsafe path.withCString { cstring in
                 let len = unsafe strlen(cstring)
                 unsafe strncpy(pointer, cstring, len)
                 return len

Sources/Packages/Sources/SecretKit/Documentation.docc/Documentation.md

@@ -31,7 +31,7 @@ SecretKit is a collection of protocols describing secrets and stores.
 
 ### Authentication Persistence
 
-- ``AuthenticationContextProtocol``
+- ``PersistedAuthenticationContext``
 
 ### Errors
 

Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift

@@ -1,5 +1,4 @@
 import Foundation
-import LocalAuthentication
 
 /// Type eraser for SecretStore.
 open class AnySecretStore: SecretStore, @unchecked Sendable {
@@ -9,7 +8,9 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
     private let _id: @Sendable () -> UUID
     private let _name: @MainActor @Sendable () -> String
     private let _secrets: @MainActor @Sendable () -> [AnySecret]
-    private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance, LAContext?) async throws -> Data
+    private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance) async throws -> Data
+    private let _existingPersistedAuthenticationContext: @Sendable (AnySecret) async -> PersistedAuthenticationContext?
+    private let _persistAuthentication: @Sendable (AnySecret, TimeInterval) async throws -> Void
     private let _reloadSecrets: @Sendable () async -> Void
 
     public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
@@ -18,7 +19,9 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
         _name = { secretStore.name }
         _id = { secretStore.id }
         _secrets = { secretStore.secrets.map { AnySecret($0) } }
-        _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2, context: $3) }
+        _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
+        _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
+        _persistAuthentication = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
         _reloadSecrets = { await secretStore.reloadSecrets() }
     }
 
@@ -38,8 +41,16 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
         return _secrets()
     }
 
-    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance, context: LAContext?) async throws -> Data {
-        try await _sign(data, secret, provenance, context)
+    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance) async throws -> Data {
+        try await _sign(data, secret, provenance)
+    }
+
+    public func existingPersistedAuthenticationContext(secret: AnySecret) async -> PersistedAuthenticationContext? {
+        await _existingPersistedAuthenticationContext(secret)
+    }
+
+    public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) async throws {
+        try await _persistAuthentication(secret, duration)
     }
 
     public func reloadSecrets() async {
@@ -53,7 +64,7 @@ public final class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiab
     private let _create: @Sendable (String, Attributes) async throws -> AnySecret
     private let _delete: @Sendable (AnySecret) async throws -> Void
     private let _update: @Sendable (AnySecret, String, Attributes) async throws -> Void
-    private let _supportedKeyTypes: @Sendable () -> KeyAvailability
+    private let _supportedKeyTypes: @Sendable () -> [KeyType]
 
     public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStoreModifiable {
         _create = { AnySecret(try await secretStore.create(name: $0, attributes: $1)) }
@@ -76,7 +87,7 @@ public final class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiab
         try await _update(secret, name, attributes)
     }
 
-    public var supportedKeyTypes: KeyAvailability {
+    public var supportedKeyTypes: [KeyType] {
         _supportedKeyTypes()
     }
 

Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHPublicKeyWriter.swift

@@ -1,6 +1,5 @@
 import Foundation
 import CryptoKit
-import SecretKit
 
 /// Generates OpenSSH representations of the public key sof secrets.
 public struct OpenSSHPublicKeyWriter: Sendable {
@@ -41,14 +40,18 @@ public struct OpenSSHPublicKeyWriter: Sendable {
     /// - Returns: OpenSSH SHA256 fingerprint string.
     public func openSSHSHA256Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
         // OpenSSL format seems to strip the padding at the end.
-        let cleaned = SHA256.hash(data: data(secret: secret)).formatted(.base64(stripPadding: true))
+        let base64 = Data(SHA256.hash(data: data(secret: secret))).base64EncodedString()
+        let paddingRange = base64.index(base64.endIndex, offsetBy: -2)..<base64.endIndex
+        let cleaned = base64.replacingOccurrences(of: "=", with: "", range: paddingRange)
         return "SHA256:\(cleaned)"
     }
 
     /// Generates an OpenSSH MD5 fingerprint string.
     /// - Returns: OpenSSH MD5 fingerprint string.
     public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
-        Insecure.MD5.hash(data: data(secret: secret)).formatted(.hex(separator: ":"))
+        Insecure.MD5.hash(data: data(secret: secret))
+            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
+            .joined(separator: ":")
     }
 
     public func comment<SecretType: Secret>(secret: SecretType) -> String {

Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHSignatureWriter.swift

@@ -1,6 +1,5 @@
 import Foundation
 import CryptoKit
-import SecretKit
 
 /// Generates OpenSSH representations of Secrets.
 public struct OpenSSHSignatureWriter: Sendable {
@@ -30,28 +29,19 @@ public struct OpenSSHSignatureWriter: Sendable {
 
 extension OpenSSHSignatureWriter {
 
-    /// Converts a fixed-width big-endian integer (e.g. r/s from CryptoKit rawRepresentation) into an SSH mpint.
-    /// Strips unnecessary leading zeros and prefixes `0x00` if needed to keep the value positive.
-    private func mpint(fromFixedWidthPositiveBytes bytes: Data) -> Data {
-        // mpint zero is encoded as a string with zero bytes of data.
-        guard let firstNonZeroIndex = bytes.firstIndex(where: { $0 != 0x00 }) else {
-            return Data()
-        }
-
-        let trimmed = Data(bytes[firstNonZeroIndex...])
-
-        if let first = trimmed.first, first >= 0x80 {
-            var prefixed = Data([0x00])
-            prefixed.append(trimmed)
-            return prefixed
-        }
-        return trimmed
-    }
-
     func ecdsaSignature(_ rawRepresentation: Data, keyType: KeyType) -> Data {
         let rawLength = rawRepresentation.count/2
-        let r = mpint(fromFixedWidthPositiveBytes: Data(rawRepresentation[0..<rawLength]))
-        let s = mpint(fromFixedWidthPositiveBytes: Data(rawRepresentation[rawLength...]))
+        // Check if we need to pad with 0x00 to prevent certain
+        // ssh servers from thinking r or s is negative
+        let paddingRange: ClosedRange<UInt8> = 0x80...0xFF
+        var r = Data(rawRepresentation[0..<rawLength])
+        if paddingRange ~= r.first! {
+            r.insert(0x00, at: 0)
+        }
+        var s = Data(rawRepresentation[rawLength...])
+        if paddingRange ~= s.first! {
+            s.insert(0x00, at: 0)
+        }
 
         var signatureChunk = Data()
         signatureChunk.append(r.lengthAndData)

Sources/Packages/Sources/SecretKit/PublicKeyStandinFileController.swift

@@ -0,0 +1,72 @@
+import Foundation
+import OSLog
+
+/// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
+public final class PublicKeyFileStoreController: Sendable {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "PublicKeyFileStoreController")
+    private let directory: URL
+    private let keyWriter = OpenSSHPublicKeyWriter()
+
+    /// Initializes a PublicKeyFileStoreController.
+    public init(homeDirectory: URL) {
+        directory = homeDirectory.appending(component: "PublicKeys")
+    }
+
+    /// Writes out the keys specified to disk.
+    /// - Parameter secrets: The Secrets to generate keys for.
+    /// - Parameter clear: Whether or not any untracked files in the directory should be removed.
+    public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
+        logger.log("Writing public keys to disk")
+        if clear {
+            let validPaths = Set(secrets.map { publicKeyPath(for: $0) }).union(Set(secrets.map { sshCertificatePath(for: $0) }))
+            let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: directory.path())) ?? []
+            let fullPathContents = contentsOfDirectory.map { "\(directory)/\($0)" }
+
+            let untracked = Set(fullPathContents)
+                .subtracting(validPaths)
+            for path in untracked {
+                // string instead of fileURLWithPath since we're already using fileURL format.
+                try? FileManager.default.removeItem(at: URL(string: path)!)
+            }
+        }
+        try? FileManager.default.createDirectory(at: directory, withIntermediateDirectories: false, attributes: nil)
+        for secret in secrets {
+            let path = publicKeyPath(for: secret)
+            let data = Data(keyWriter.openSSHString(secret: secret).utf8)
+            FileManager.default.createFile(atPath: path, contents: data, attributes: nil)
+        }
+        logger.log("Finished writing public keys")
+    }
+
+    /// The path for a Secret's public key.
+    /// - Parameter secret: The Secret to return the path for.
+    /// - Returns: The path to the Secret's public key.
+    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
+    public func publicKeyPath<SecretType: Secret>(for secret: SecretType) -> String {
+        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
+        return directory.appending(component: "\(minimalHex).pub").path()
+    }
+
+    /// Short-circuit check to ship enumerating a bunch of paths if there's nothing in the cert directory.
+    public var hasAnyCertificates: Bool {
+        do {
+            return try FileManager.default
+                .contentsOfDirectory(atPath: directory.path())
+                .filter { $0.hasSuffix("-cert.pub") }
+                .isEmpty == false
+        } catch {
+            return false
+        }
+    }
+
+    /// The path for a Secret's SSH Certificate public key.
+    /// - Parameter secret: The Secret to return the path for.
+    /// - Returns: The path to the SSH Certificate public key.
+    /// - Warning: This method returning a path does not imply that a key has a SSH certificates. This method only describes where it will be.
+    public func sshCertificatePath<SecretType: Secret>(for secret: SecretType) -> String {
+        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
+        return directory.appending(component: "\(minimalHex)-cert.pub").path()
+    }
+
+}

Sources/Packages/Sources/SecretKit/Types/AuthenticationContext.swift

@@ -1,41 +0,0 @@
-import Foundation
-import LocalAuthentication
-
-/// Protocol describing an authentication context. This is an authorization that can be reused for multiple access to a secret that requires authentication for a specific period of time.
-public protocol AuthenticationContextProtocol: Sendable, Identifiable {
-    /// Whether the context remains valid.
-
-    var secret: AnySecret { get }
-
-    var laContext: LAContext { get }
-
-    func valid(for request: SignatureRequest) -> Bool
-
-}
-
-public struct SignatureRequest: Identifiable, Hashable, Sendable, Comparable {
-
-    public let id: UUID
-    public let date: Date
-    public let secret: AnySecret
-    public let provenance: SigningRequestProvenance
-
-    public init(secret: AnySecret, provenance: SigningRequestProvenance) {
-        self.id = UUID()
-        self.date = Date()
-        self.secret = secret
-        self.provenance = provenance
-    }
-
-    public var batchID: Int {
-        var hasher = Hasher()
-        provenance.batchID.hash(into: &hasher)
-        secret.id.hash(into: &hasher)
-        return hasher.finalize()
-    }
-
-    public static func < (lhs: SignatureRequest, rhs: SignatureRequest) -> Bool {
-        lhs.date < rhs.date
-    }
-
-}

Sources/Packages/Sources/SecretKit/Types/PersistedAuthenticationContext.swift

@@ -0,0 +1,9 @@
+import Foundation
+
+/// Protocol describing a persisted authentication context. This is an authorization that can be reused for multiple access to a secret that requires authentication for a specific period of time.
+public protocol PersistedAuthenticationContext: Sendable {
+    /// Whether the context remains valid.
+    var valid: Bool { get }
+    /// The date at which the authorization expires and the context becomes invalid.
+    var expiration: Date { get }
+}

Sources/Packages/Sources/SecretKit/Types/SecretStore.swift

@@ -1,5 +1,4 @@
 import Foundation
-import LocalAuthentication
 
 /// Manages access to Secrets, and performs signature operations on data using those Secrets.
 public protocol SecretStore<SecretType>: Identifiable, Sendable {
@@ -21,7 +20,20 @@ public protocol SecretStore<SecretType>: Identifiable, Sendable {
     ///   - secret: The ``Secret`` to sign with.
     ///   - provenance: A ``SigningRequestProvenance`` describing where the request came from.
     /// - Returns: The signed data.
-    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance, context: LAContext?) async throws -> Data
+    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) async throws -> Data
+
+    /// Checks to see if there is currently a valid persisted authentication for a given secret.
+    /// - Parameters:
+    ///   - secret: The ``Secret`` to check if there is a persisted authentication for.
+    /// - Returns: A persisted authentication context, if a valid one exists.
+    func existingPersistedAuthenticationContext(secret: SecretType) async -> PersistedAuthenticationContext?
+
+    /// Persists user authorization for access to a secret.
+    /// - Parameters:
+    ///   - secret: The ``Secret`` to persist the authorization for.
+    ///   - duration: The duration that the authorization should persist for.
+    ///  - Note: This is used for temporarily unlocking access to a secret which would otherwise require authentication every single use. This is useful for situations where the user anticipates several rapid accesses to a authorization-guarded secret.
+    func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws
 
     /// Requests that the store reload secrets from any backing store, if neccessary.
     func reloadSecrets() async
@@ -50,37 +62,10 @@ public protocol SecretStoreModifiable<SecretType>: SecretStore {
     ///   - attributes: The new attributes for the secret.
     func update(secret: SecretType, name: String, attributes: Attributes) async throws
 
-    var supportedKeyTypes: KeyAvailability { get }
+    var supportedKeyTypes: [KeyType] { get }
 
 }
 
-public struct KeyAvailability: Sendable {
-
-    public let available: [KeyType]
-    public let unavailable: [UnavailableKeyType]
-
-    public init(available: [KeyType], unavailable: [UnavailableKeyType]) {
-        self.available = available
-        self.unavailable = unavailable
-    }
-
-    public struct UnavailableKeyType: Sendable {
-        public let keyType: KeyType
-        public let reason: Reason
-
-        public init(keyType: KeyType, reason: Reason) {
-            self.keyType = keyType
-            self.reason = reason
-        }
-
-        public enum Reason: Sendable {
-            case macOSUpdateRequired
-        }
-    }
-
-}
-
-
 extension NSNotification.Name {
 
     // Distributed notification that keys were modified out of process (ie, that the management tool added/removed secrets)

Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift

@@ -2,23 +2,13 @@ import Foundation
 import AppKit
 
 /// Describes the chain of applications that requested a signature operation.
-public struct SigningRequestProvenance: Hashable, Sendable {
+public struct SigningRequestProvenance: Equatable, Sendable {
 
     /// A list of processes involved in the request.
     /// - Note: A chain will typically consist of many elements even for a simple request. For example, running `git fetch` in Terminal.app would generate a request chain of `ssh` -> `git` -> `zsh` -> `login` -> `Terminal.app`
     public var chain: [Process]
-
-    public var date: Date
-
-    public init(root: Process, date: Date = .now) {
+    public init(root: Process) {
         self.chain = [root]
-        self.date = date
-    }
-
-    public var batchID: Int {
-        var hasher = Hasher()
-        chain.map(\.path).hash(into: &hasher)
-        return hasher.finalize()
     }
 
 }
@@ -40,7 +30,7 @@ extension SigningRequestProvenance {
 extension SigningRequestProvenance {
 
     /// Describes a process in a `SigningRequestProvenance` chain.
-    public struct Process: Hashable, Sendable {
+    public struct Process: Equatable, Sendable {
 
         /// The pid of the process.
         public let pid: Int32

Sources/Packages/Sources/SecureEnclaveSecretKit/CryptoKitMigrator.swift

@@ -50,16 +50,16 @@ extension SecureEnclave {
                     let secret = Secret(id: UUID().uuidString, name: name, publicKey: parsed.publicKey.x963Representation, attributes: Attributes(keyType: .init(algorithm: .ecdsa, size: 256), authentication: auth))
                     guard !migratedPublicKeys.contains(parsed.publicKey.x963Representation) else {
                         logger.log("Skipping \(name), public key already present. Marking as migrated.")
-                        markMigrated(secret: secret, oldID: id)
+                        try markMigrated(secret: secret, oldID: id)
                         continue
                     }
                     logger.log("Migrating \(name).")
                     try store.saveKey(tokenObjectID, name: name, attributes: secret.attributes)
                     logger.log("Migrated \(name).")
-                    markMigrated(secret: secret, oldID: id)
+                    try markMigrated(secret: secret, oldID: id)
                     migratedAny = true
                 } catch {
-                    logger.error("Failed to migrate \(name): \(error.localizedDescription).")
+                    logger.error("Failed to migrate \(name): \(error).")
                 }
             }
             if migratedAny {
@@ -69,10 +69,10 @@ extension SecureEnclave {
 
 
 
-        public func markMigrated(secret: Secret, oldID: Data) {
+        public func markMigrated(secret: Secret, oldID: Data) throws {
             let updateQuery = KeychainDictionary([
                 kSecClass: kSecClassKey,
-                kSecAttrApplicationLabel: oldID
+                kSecAttrApplicationLabel: secret.id
             ])
 
             let newID = oldID + Constants.migrationMagicNumber
@@ -82,7 +82,7 @@ extension SecureEnclave {
 
             let status = SecItemUpdate(updateQuery, updatedAttributes)
             if status != errSecSuccess {
-                logger.warning("Failed to mark \(secret.name) as migrated: \(status).")
+                throw KeychainError(statusCode: status)
             }
         }
 

Sources/Packages/Sources/SecureEnclaveSecretKit/PersistentAuthenticationHandler.swift

@@ -0,0 +1,70 @@
+import LocalAuthentication
+import SecretKit
+
+extension SecureEnclave {
+
+    /// A context describing a persisted authentication.
+    final class PersistentAuthenticationContext: PersistedAuthenticationContext {
+
+        /// The Secret to persist authentication for.
+        let secret: Secret
+        /// The LAContext used to authorize the persistent context.
+        nonisolated(unsafe) let context: LAContext
+        /// An expiration date for the context.
+        /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
+        let monotonicExpiration: UInt64
+
+        /// Initializes a context.
+        /// - Parameters:
+        ///   - secret: The Secret to persist authentication for.
+        ///   - context: The LAContext used to authorize the persistent context.
+        ///   - duration: The duration of the authorization context, in seconds.
+        init(secret: Secret, context: LAContext, duration: TimeInterval) {
+            self.secret = secret
+            unsafe self.context = context
+            let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
+            self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
+        }
+
+        /// A boolean describing whether or not the context is still valid.
+        var valid: Bool {
+            clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
+        }
+
+        var expiration: Date {
+            let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
+            let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
+            return Date(timeIntervalSinceNow: remainingInSeconds)
+        }
+    }
+
+    actor PersistentAuthenticationHandler: Sendable {
+
+        private var persistedAuthenticationContexts: [Secret: PersistentAuthenticationContext] = [:]
+
+        func existingPersistedAuthenticationContext(secret: Secret) -> PersistentAuthenticationContext? {
+            guard let persisted = persistedAuthenticationContexts[secret], persisted.valid else { return nil }
+            return persisted
+        }
+
+        func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
+            let newContext = LAContext()
+            newContext.touchIDAuthenticationAllowableReuseDuration = duration
+            newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+
+            let formatter = DateComponentsFormatter()
+            formatter.unitsStyle = .spellOut
+            formatter.allowedUnits = [.hour, .minute, .day]
+
+            
+            let durationString = formatter.string(from: duration)!
+            newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
+            let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
+            guard success else { return }
+            let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
+            persistedAuthenticationContexts[secret] = context
+        }
+
+    }
+
+}

Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift

@@ -17,6 +17,7 @@ extension SecureEnclave {
         }
         public let id = UUID()
         public let name = String(localized: .secureEnclave)
+        private let persistentAuthenticationHandler = PersistentAuthenticationHandler()
 
         /// Initializes a Store.
         @MainActor public init() {
@@ -36,7 +37,16 @@ extension SecureEnclave {
         
         // MARK: SecretStore
         
-        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance, context: LAContext?) async throws -> Data {
+        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
+            var context: LAContext
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret) {
+                context = unsafe existing.context
+            } else {
+                let newContext = LAContext()
+                newContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
+                newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+                context = newContext
+            }
 
             let queryAttributes = KeychainDictionary([
                 kSecClass: Constants.keyClass,
@@ -78,6 +88,14 @@ extension SecureEnclave {
 
         }
 
+        public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? {
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret)
+        }
+
+        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
+        }
+
         @MainActor public func reloadSecrets() {
             let before = secrets
             secrets.removeAll()
@@ -168,22 +186,17 @@ extension SecureEnclave {
             await reloadSecrets()
         }
         
-        public let supportedKeyTypes: KeyAvailability = {
-            let macOS26Keys: [KeyType] = [.mldsa65, .mldsa87]
-            let isAtLeastMacOS26 = if #available(macOS 26, *) {
-                true
-            } else {
-                false
-            }
-            return KeyAvailability(
-                available: [
+        public var supportedKeyTypes: [KeyType] {
+            if #available(macOS 26, *) {
+                [
                     .ecdsa256,
-                ] + (isAtLeastMacOS26 ? macOS26Keys : []),
-                unavailable: (isAtLeastMacOS26 ? [] : macOS26Keys).map {
-                    KeyAvailability.UnavailableKeyType(keyType: $0, reason: .macOSUpdateRequired)
-                }
-            )
-        }()
+                    .mldsa65,
+                    .mldsa87,
+                ]
+            } else {
+                [.ecdsa256]
+            }
+        }
     }
 
 }

Sources/Packages/Sources/SharedXPCServices/CertificateMigrator.swift

@@ -1,53 +0,0 @@
-import Foundation
-import Security
-import CryptoTokenKit
-import CryptoKit
-import os
-import SSHProtocolKit
-import CertificateKit
-
-public struct CertificateMigrator {
-
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.migration", category: "CertificateKitMigrator")
-    private let publicKeysDirectory: URL
-    private let certificatesDirectory: URL
-    private let certificateStore: CertificateStore
-
-    /// Initializes a PublicKeyFileStoreController.
-    public init(homeDirectory: URL, certificateStore: CertificateStore) {
-        publicKeysDirectory = homeDirectory.appending(component: "PublicKeys")
-        certificatesDirectory = homeDirectory.appending(component: "Certificates")
-        self.certificateStore = certificateStore
-    }
-
-    @MainActor public func migrate() throws {
-        try migrate(directory: publicKeysDirectory)
-        try migrate(directory: certificatesDirectory)
-    }
-
-    @MainActor public func migrate(directory: URL) throws {
-        let fileCerts = try FileManager.default
-            .contentsOfDirectory(atPath: directory.path())
-            .filter { $0.hasSuffix("-cert.pub") }
-        Task {
-            for path in fileCerts {
-                do {
-                    let url = directory.appending(component: path)
-                    let data = try Data(contentsOf: url)
-                    let parser = try await XPCCertificateParser()
-                    let cert = try await parser.parse(data: data)
-                    try certificateStore.save(certificate: Certificate(openSSHCertificate: cert, rawData: data))
-                    do {
-                        try FileManager.default.removeItem(at: url)
-                    } catch {
-                        logger.error("Failed to delete successfully migrated cert: \(path)")
-                    }
-                } catch {
-                    logger.error("Failed to migrate cert: \(path)")
-                }
-            }
-
-        }
-    }
-
-}

Sources/Packages/Sources/SharedXPCServices/XPCCertificateParser.swift

@@ -1,29 +0,0 @@
-import Foundation
-import OSLog
-import SSHProtocolKit
-import CertificateKit
-import XPCWrappers
-
-/// Delegates all agent input parsing to an XPC service which wraps OpenSSH
-public final class XPCCertificateParser: OpenSSHCertificateParserProtocol {
-
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "XPCCertificateParser")
-    private let session: XPCTypedSession<OpenSSHCertificate, OpenSSHCertificateError>
-
-    public init() async throws {
-        logger.debug("Creating XPCCertificateParser")
-        session = try await XPCTypedSession(serviceName: "com.maxgoedjen.Secretive.SecretiveCertificateParser", warmup: true)
-        logger.debug("XPCCertificateParser is warmed up.")
-    }
-
-    public func parse(data: Data) async throws -> OpenSSHCertificate {
-        logger.debug("Parsing input")
-        defer { logger.debug("Parsed input") }
-        return try await session.send(data)
-    }
-
-    deinit {
-        session.complete()
-    }
-
-}

Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift

@@ -56,15 +56,17 @@ extension SmartCard {
 
         // MARK: Public API
 
-
-        public func sign(data: Data, with secret: SmartCard.Secret, for provenance: SigningRequestProvenance, context: LAContext?) async throws -> Data {
+        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
             guard let tokenID = await state.tokenID else { fatalError() }
+            let context = LAContext()
+            context.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
+            context.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
             let attributes = KeychainDictionary([
                 kSecClass: kSecClassKey,
                 kSecAttrKeyClass: kSecAttrKeyClassPrivate,
                 kSecAttrApplicationLabel: secret.id as CFData,
                 kSecAttrTokenID: tokenID,
-                kSecUseAuthenticationContext: context!, // FIXME: THIS
+                kSecUseAuthenticationContext: context,
                 kSecReturnRef: true
             ])
             var untyped: CFTypeRef?
@@ -84,6 +86,13 @@ extension SmartCard {
             return signature as Data
         }
         
+        public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? {
+            nil
+        }
+
+        public func persistAuthentication(secret: Secret, forDuration: TimeInterval) throws {
+        }
+
         /// Reloads all secrets from the store.
         @MainActor public func reloadSecrets() {
             reloadSecretsInternal()
@@ -154,7 +163,7 @@ extension SmartCard.Store {
             let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!
             let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]
             let publicKey = publicKeyAttributes[kSecValueData] as! Data
-            let attributes = Attributes(keyType: KeyType(secAttr: algorithmSecAttr, size: keySize)!, authentication: .presenceRequired)
+            let attributes = Attributes(keyType: KeyType(secAttr: algorithmSecAttr, size: keySize)!, authentication: .unknown)
             let secret = SmartCard.Secret(id: tokenID, name: name, publicKey: publicKey, attributes: attributes)
             guard signatureAlgorithm(for: secret) != nil else { return nil }
             return secret

Sources/Packages/Sources/XPCWrappers/TeamID.swift

@@ -1,26 +0,0 @@
-import Foundation
-
-extension ProcessInfo {
-    private static let fallbackTeamID = "Z72PRUAWF6"
-
-    private static let teamID: String = {
-        #if DEBUG
-        guard let task = SecTaskCreateFromSelf(nil) else {
-            assertionFailure("SecTaskCreateFromSelf failed")
-            return fallbackTeamID
-        }
-
-        guard let value = SecTaskCopyValueForEntitlement(task, "com.apple.developer.team-identifier" as CFString, nil) as? String else {
-//            assertionFailure("SecTaskCopyValueForEntitlement(com.apple.developer.team-identifier) failed")
-            return fallbackTeamID
-        }
-
-        return value
-        #else
-        /// Always use hardcoded team ID for release builds, just in case.
-        return fallbackTeamID
-        #endif
-    }()
-
-    public var teamID: String { Self.teamID }
-}

Sources/Packages/Sources/XPCWrappers/XPCServiceDelegate.swift

@@ -12,7 +12,7 @@ public final class XPCServiceDelegate: NSObject, NSXPCListenerDelegate {
         newConnection.exportedInterface = NSXPCInterface(with: (any _XPCProtocol).self)
         let exportedObject = exportedObject
         newConnection.exportedObject = exportedObject
-        newConnection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"\(ProcessInfo.processInfo.teamID)\"")
+        newConnection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = Z72PRUAWF6")
         newConnection.resume()
         return true
     }
@@ -34,9 +34,7 @@ public final class XPCServiceDelegate: NSObject, NSXPCListenerDelegate {
                     if let error = error as? Codable & Error {
                         reply(nil, NSError(error))
                     } else {
-                        // Sending cast directly tries to serialize it and crashes XPCEncoder.
-                        let cast = error as NSError
-                        reply(nil, NSError(domain: cast.domain, code: cast.code, userInfo: [NSLocalizedDescriptionKey: error.localizedDescription]))
+                        reply(nil, error)
                     }
                 }
             }

Sources/Packages/Sources/XPCWrappers/XPCTypedSession.swift

@@ -8,7 +8,7 @@ public struct XPCTypedSession<ResponseType: Codable & Sendable, ErrorType: Error
     public init(serviceName: String, warmup: Bool = false) async throws {
         let connection = NSXPCConnection(serviceName: serviceName)
         connection.remoteObjectInterface = NSXPCInterface(with: (any _XPCProtocol).self)
-        connection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"\(ProcessInfo.processInfo.teamID)\"")
+        connection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = Z72PRUAWF6")
         connection.resume()
         guard let proxy = connection.remoteObjectProxy as? _XPCProtocol else { fatalError() }
         self.connection = connection

Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHSignatureWriterTests.swift

@@ -1,83 +0,0 @@
-import Foundation
-import Testing
-import SSHProtocolKit
-@testable import SecretKit
-
-@Suite struct OpenSSHSignatureWriterTests {
-
-    private let writer = OpenSSHSignatureWriter()
-
-    @Test func ecdsaMpintStripsUnnecessaryLeadingZeros() throws {
-        let secret = Constants.ecdsa256Secret
-
-        // r has a leading 0x00 followed by 0x01 (< 0x80): the mpint must not keep the leading zero.
-        let rBytes: [UInt8] = [0x00] + (1...31).map { UInt8($0) }
-        let r = Data(rBytes)
-        // s has two leading 0x00 bytes followed by 0x7f (< 0x80): the mpint must not keep the leading zeros.
-        let sBytes: [UInt8] = [0x00, 0x00, 0x7f] + Array(repeating: UInt8(0x01), count: 29)
-        let s = Data(sBytes)
-        let rawRepresentation = r + s
-
-        let response = writer.data(secret: secret, signature: rawRepresentation)
-        let (parsedR, parsedS) = try parseEcdsaSignatureMpints(from: response)
-
-        #expect(parsedR == Data((1...31).map { UInt8($0) }))
-        #expect(parsedS == Data([0x7f] + Array(repeating: UInt8(0x01), count: 29)))
-    }
-
-    @Test func ecdsaMpintPrefixesZeroWhenHighBitSet() throws {
-        let secret = Constants.ecdsa256Secret
-
-        // r starts with 0x80 (high bit set): mpint must be prefixed with 0x00.
-        let r = Data([UInt8(0x80)] + Array(repeating: UInt8(0x01), count: 31))
-        let s = Data([UInt8(0x01)] + Array(repeating: UInt8(0x02), count: 31))
-        let rawRepresentation = r + s
-
-        let response = writer.data(secret: secret, signature: rawRepresentation)
-        let (parsedR, parsedS) = try parseEcdsaSignatureMpints(from: response)
-
-        #expect(parsedR == Data([0x00, 0x80] + Array(repeating: UInt8(0x01), count: 31)))
-        #expect(parsedS == Data([0x01] + Array(repeating: UInt8(0x02), count: 31)))
-    }
-
-}
-
-private extension OpenSSHSignatureWriterTests {
-
-    enum Constants {
-        static let ecdsa256Secret = TestSecret(
-            id: Data(),
-            name: "Test Key (ECDSA 256)",
-            publicKey: Data(repeating: 0x01, count: 65),
-            attributes: Attributes(
-                keyType: KeyType(algorithm: .ecdsa, size: 256),
-                authentication: .notRequired,
-                publicKeyAttribution: "test@example.com"
-            )
-        )
-    }
-
-    enum ParseError: Error {
-        case eof
-        case invalidAlgorithm
-    }
-
-    func parseEcdsaSignatureMpints(from openSSHSignedData: Data) throws -> (r: Data, s: Data) {
-        let reader = OpenSSHReader(data: openSSHSignedData)
-
-        // Prefix
-        _ = try reader.readNextBytes(as: UInt32.self)
-
-        let algorithm = try reader.readNextChunkAsString()
-        guard algorithm == "ecdsa-sha2-nistp256" else {
-            throw ParseError.invalidAlgorithm
-        }
-
-        let sigReader = try reader.readNextChunkAsSubReader()
-        let r = try sigReader.readNextChunk()
-        let s = try sigReader.readNextChunk()
-        return (r, s)
-    }
-
-}
-

Sources/Packages/Tests/SSHProtocolKitTests/TestSecret.swift

@@ -1,11 +0,0 @@
-import Foundation
-import SecretKit
-
-public struct TestSecret: SecretKit.Secret {
-    
-    public let id: Data
-    public let name: String
-    public let publicKey: Data
-    public var attributes: Attributes
-    
-}

Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift

@@ -1,17 +1,15 @@
 import Foundation
 import Testing
 import CryptoKit
-import CertificateKit
-@testable import SSHProtocolKit
 @testable import SecretKit
 @testable import SecretAgentKit
 
-@Suite @MainActor struct AgentTests {
+@Suite struct AgentTests {
 
     // MARK: Identity Listing
 
     @Test func emptyStores() async throws {
-        let agent = Agent(storeList: SecretStoreList(), certificateStore: CertificateStore())
+        let agent = Agent(storeList: SecretStoreList())
         let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestIdentities)
         let response = await agent.handle(request: request, provenance: .test)
         #expect(response == Constants.Responses.requestIdentitiesEmpty)
@@ -19,7 +17,7 @@ import CertificateKit
 
     @Test func identitiesList() async throws {
         let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
-        let agent = Agent(storeList: list, certificateStore: CertificateStore())
+        let agent = Agent(storeList: list)
         let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestIdentities)
         let response = await agent.handle(request: request, provenance: .test)
 
@@ -33,7 +31,7 @@ import CertificateKit
 
     @Test func noMatchingIdentities() async throws {
         let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
-        let agent = Agent(storeList: list, certificateStore: CertificateStore())
+        let agent = Agent(storeList: list)
         let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignatureWithNoneMatching)
         let response = await agent.handle(request: request, provenance: .test)
         #expect(response == Constants.Responses.requestFailure)
@@ -43,11 +41,11 @@ import CertificateKit
         let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignature)
         guard case SSHAgent.Request.signRequest(let context) = request else { return }
         let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
-        let agent = Agent(storeList: list, certificateStore: CertificateStore())
+        let agent = Agent(storeList: list)
         let response = await agent.handle(request: request, provenance: .test)
         let responseReader = OpenSSHReader(data: response)
-        let length = try responseReader.readNextBytes(as: UInt32.self)
-        let type = try responseReader.readNextBytes(as: UInt8.self)
+        let length = try responseReader.readNextBytes(as: UInt32.self).bigEndian
+        let type = try responseReader.readNextBytes(as: UInt8.self).bigEndian
         #expect(length == response.count - MemoryLayout<UInt32>.size)
         #expect(type == SSHAgent.Response.agentSignResponse.rawValue)
         let outer = OpenSSHReader(data: responseReader.remaining)
@@ -78,7 +76,7 @@ import CertificateKit
         let witness = StubWitness(speakNow: { _,_  in
             return true
         }, witness: { _, _ in })
-        let agent = Agent(storeList: list, certificateStore: CertificateStore(), witness: witness)
+        let agent = Agent(storeList: list, witness: witness)
         let response = await agent.handle(request: .signRequest(.empty), provenance: .test)
         #expect(response == Constants.Responses.requestFailure)
     }
@@ -91,7 +89,7 @@ import CertificateKit
         }, witness: { _, trace in
             witnessed = true
         })
-        let agent = Agent(storeList: list, certificateStore: CertificateStore(), witness: witness)
+        let agent = Agent(storeList: list, witness: witness)
         let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignature)
         _ = await agent.handle(request: request, provenance: .test)
         #expect(witnessed)
@@ -107,7 +105,7 @@ import CertificateKit
         }, witness: { _, trace in
             witnessTrace = trace
         })
-        let agent = Agent(storeList: list, certificateStore: CertificateStore(), witness: witness)
+        let agent = Agent(storeList: list, witness: witness)
         let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignature)
         _ = await agent.handle(request: request, provenance: .test)
         #expect(witnessTrace == speakNowTrace)
@@ -118,9 +116,9 @@ import CertificateKit
 
     @Test func signatureException() async throws {
         let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
-        let store = list.stores.first?.base as! Stub.Store
+        let store = await list.stores.first?.base as! Stub.Store
         store.shouldThrow = true
-        let agent = Agent(storeList: list, certificateStore: CertificateStore())
+        let agent = Agent(storeList: list)
         let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignature)
         let response = await agent.handle(request: request, provenance: .test)
         #expect(response == Constants.Responses.requestFailure)
@@ -129,7 +127,7 @@ import CertificateKit
     // MARK: Unsupported
 
     @Test func unhandledAdd() async throws {
-        let agent = Agent(storeList: SecretStoreList(), certificateStore: CertificateStore())
+        let agent = Agent(storeList: SecretStoreList())
         let response = await agent.handle(request: .addIdentity, provenance: .test)
         #expect(response == Constants.Responses.requestFailure)
     }
@@ -144,7 +142,7 @@ extension SigningRequestProvenance {
 
 extension AgentTests {
 
-    func storeList(with secrets: [Stub.Secret]) async -> SecretStoreList {
+    @MainActor func storeList(with secrets: [Stub.Secret]) async -> SecretStoreList {
         let store = Stub.Store()
         store.secrets.append(contentsOf: secrets)
         let storeList = SecretStoreList()

Sources/Packages/Tests/SecretAgentKitTests/OpenSSHReaderTests.swift

@@ -1,6 +1,8 @@
 import Foundation
 import Testing
-import SSHProtocolKit
+@testable import SecretAgentKit
+@testable import SecureEnclaveSecretKit
+@testable import SmartCardSecretKit
 
 @Suite struct OpenSSHReaderTests {
 

Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift

@@ -1,7 +1,6 @@
 import Foundation
 import SecretKit
 import CryptoKit
-import SSHProtocolKit
 
 struct Stub {}
 
@@ -49,7 +48,7 @@ extension Stub {
             print("Public Key OpenSSH: \(OpenSSHPublicKeyWriter().openSSHString(secret: secret))")
         }
 
-        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance, context: AuthenticationContextProtocol?) throws -> Data {
+        public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) throws -> Data {
             guard !shouldThrow else {
                 throw NSError(domain: "test", code: 0, userInfo: nil)
             }
@@ -57,7 +56,7 @@ extension Stub {
             return try privateKey.signature(for: data).rawRepresentation
         }
 
-        public func existingAuthenticationContextProtocol(secret: Stub.Secret) -> AuthenticationContextProtocol? {
+        public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? {
             nil
         }
 

Sources/Packages/Tests/SecretKitTests/OpenSSHPublicKeyWriterTests.swift

@@ -1,7 +1,8 @@
 import Foundation
 import Testing
 @testable import SecretKit
-import SSHProtocolKit
+@testable import SecureEnclaveSecretKit
+@testable import SmartCardSecretKit
 
 @Suite struct OpenSSHPublicKeyWriterTests {
 
@@ -46,8 +47,8 @@ import SSHProtocolKit
 extension OpenSSHPublicKeyWriterTests {
 
     enum Constants {
-        static let ecdsa256Secret =  TestSecret(id: Data(), name: "Test Key (ECDSA 256)", publicKey: Data(base64Encoded: "BOVEjgAA5PHqRgwykjN5qM21uWCHFSY/Sqo5gkHAkn+e1MMQKHOLga7ucB9b3mif33MBid59GRK9GEPVlMiSQwo=")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 256), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
-        static let ecdsa384Secret = TestSecret(id: Data(), name: "Test Key (ECDSA 384)", publicKey: Data(base64Encoded: "BG2MNc/C5OTHFE2tBvbZCVcpOGa8vBMquiTLkH4lwkeqOPxhi+PyYUfQZMTRJNPiTyWPoMBqNiCIFRVv60yPN/AHufHaOgbdTP42EgMlMMImkAjYUEv9DESHTVIs2PW1yQ==")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 384), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
+        static let ecdsa256Secret =  SmartCard.Secret(id: Data(), name: "Test Key (ECDSA 256)", publicKey: Data(base64Encoded: "BOVEjgAA5PHqRgwykjN5qM21uWCHFSY/Sqo5gkHAkn+e1MMQKHOLga7ucB9b3mif33MBid59GRK9GEPVlMiSQwo=")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 256), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
+        static let ecdsa384Secret = SmartCard.Secret(id: Data(), name: "Test Key (ECDSA 384)", publicKey: Data(base64Encoded: "BG2MNc/C5OTHFE2tBvbZCVcpOGa8vBMquiTLkH4lwkeqOPxhi+PyYUfQZMTRJNPiTyWPoMBqNiCIFRVv60yPN/AHufHaOgbdTP42EgMlMMImkAjYUEv9DESHTVIs2PW1yQ==")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 384), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
 
     }
 

Sources/SecretAgent/App.swift

@@ -1,138 +0,0 @@
-import Cocoa
-import OSLog
-import SecretKit
-import SecureEnclaveSecretKit
-import SmartCardSecretKit
-import SecretAgentKit
-import Brief
-import Observation
-import Common
-import SwiftUI
-import CertificateKit
-
-@main
-struct SecretAgent: App {
-
-    @MainActor private let storeList: SecretStoreList = {
-        let list = SecretStoreList()
-        let cryptoKit = SecureEnclave.Store()
-        let migrator = SecureEnclave.CryptoKitMigrator()
-        try? migrator.migrate(to: cryptoKit)
-        list.add(store: cryptoKit)
-        list.add(store: SmartCard.Store())
-        return list
-    }()
-    @MainActor private let certificateStore: CertificateStore = CertificateStore()
-
-    private let updater = Updater(checkOnLaunch: true)
-    private let notifier = Notifier()
-    private let authenticationHandler = AuthenticationHandler()
-    private let publicKeyFileStoreController = PublicKeyFileStoreController(publicKeysURL: URL.publicKeyDirectory, certificatesURL: URL.certificatesDirectory)
-
-    @State var pending: ([[SignatureRequest]], (Set<SignatureRequest>) async throws -> Void)?
-    @Environment(\.openWindow) var openWindow
-
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "App")
-    @SceneBuilder var body: some Scene {
-        MenuBarExtra(isInserted: .constant(false)) {
-            EmptyView()
-        } label: {
-            Image(systemName: "lock")
-                .task {
-                    await notifier.registerPersistenceHandler {
-                        try await authenticationHandler.persistAuthentication(secret: $0, forDuration: $1)
-                    }
-                }
-                .task {
-                    let socketController = SocketController(path: URL.socketPath)
-                    let agent = Agent(
-                        storeList: storeList,
-                        certificateStore: certificateStore,
-                        authenticationHandler: authenticationHandler,
-                        witness: notifier
-                    )
-                    for await session in socketController.sessions {
-                        Task {
-                            do {
-                                let inputParser = try await XPCAgentInputParser()
-                                for await message in session.messages {
-                                    let request = try await inputParser.parse(data: message)
-                                    let agentResponse = await agent.handle(request: request, provenance: session.provenance)
-                                    try session.write(agentResponse)
-                                }
-                            } catch {
-                                try? session.close()
-                            }
-                        }
-                    }
-                }
-//                .task {
-//                    let socketController = SocketController(path:     URL.agentHomeURL.appendingPathComponent("socket-two.ssh").path())
-//                    let socketController = SocketController(path: "/Users/max/Downloads/test.ssh")
-//                    let agent = Agent(storeList: storeList, authenticationHandler: authenticationHandler, witness: notifier)
-//                    for await session in socketController.sessions {
-//                        Task {
-//                            let inputParser = try await XPCAgentInputParser()
-//                            do {
-//                                for await message in session.messages {
-//                                    let request = try await inputParser.parse(data: message)
-//                                    let agentResponse = await agent.handle(request: request, provenance: session.provenance)
-//                                    try session.write(agentResponse)
-//                                }
-//                            } catch {
-//                                try session.close()
-//                            }
-//                        }
-//                    }
-//                }
-                .task {
-                    try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)
-                    for await _ in NotificationCenter.default.notifications(named: .secretStoreReloaded) {
-                        try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)
-                    }
-                }
-                .task {
-                    let certsMigrator = CertificateMigrator(homeDirectory: URL.homeDirectory, certificateStore: certificateStore)
-                    try? certsMigrator.migrate()
-                    try? publicKeyFileStoreController.generateCertificates(for: certificateStore.certificates, clear: true)
-                    for await _ in NotificationCenter.default.notifications(named: .certificateStoreReloaded) {
-                        try? publicKeyFileStoreController.generateCertificates(for: certificateStore.certificates, clear: true)
-                    }
-                }
-                .task {
-                    await authenticationHandler.setBatchAuthHandler { @MainActor pending, authorize in
-                        self.pending = (pending, authorize)
-                        openWindow(id: String(describing: BatchedRequestsView.self))
-                    }
-
-                }
-                .task {
-                    notifier.prompt()
-                    _ = withObservationTracking {
-                        updater.update
-                    } onChange: { [updater, notifier] in
-                        Task {
-                            guard !updater.currentVersion.isTestBuild else { return }
-                            await notifier.notify(update: updater.update!) { release in
-                                await updater.ignore(release: release)
-                            }
-                        }
-                    }
-                }
-        }
-        WindowGroup(id: String(describing: BatchedRequestsView.self)) {
-            pendingView
-        }
-        .windowStyle(.hiddenTitleBar)
-        .windowResizability(.contentSize)
-    }
-
-    @ViewBuilder
-    var pendingView: some View {
-        if let (requests, authorize) = pending {
-            BatchedRequestsView(pending: requests, review: authorize)
-        }
-    }
-
-
-}

Sources/SecretAgent/AppDelegate.swift

@@ -0,0 +1,72 @@
+import Cocoa
+import OSLog
+import SecretKit
+import SecureEnclaveSecretKit
+import SmartCardSecretKit
+import SecretAgentKit
+import Brief
+import Observation
+
+@main
+class AppDelegate: NSObject, NSApplicationDelegate {
+
+    @MainActor private let storeList: SecretStoreList = {
+        let list = SecretStoreList()
+        let cryptoKit = SecureEnclave.Store()
+        let migrator = SecureEnclave.CryptoKitMigrator()
+        try? migrator.migrate(to: cryptoKit)
+        list.add(store: cryptoKit)
+        list.add(store: SmartCard.Store())
+        return list
+    }()
+    private let updater = Updater(checkOnLaunch: true)
+    private let notifier = Notifier()
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.homeDirectory)
+    private lazy var agent: Agent = {
+        Agent(storeList: storeList, witness: notifier)
+    }()
+    private lazy var socketController: SocketController = {
+        let path = (NSHomeDirectory() as NSString).appendingPathComponent("socket.ssh") as String
+        return SocketController(path: path)
+    }()
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AppDelegate")
+
+    func applicationDidFinishLaunching(_ aNotification: Notification) {
+        logger.debug("SecretAgent finished launching")
+        Task {
+            let inputParser = try await XPCAgentInputParser()
+            for await session in socketController.sessions {
+                Task {
+                    do {
+                        for await message in session.messages {
+                            let request = try await inputParser.parse(data: message)
+                            let agentResponse = await agent.handle(request: request, provenance: session.provenance)
+                            try await session.write(agentResponse)
+                        }
+                    } catch {
+                        try session.close()
+                    }
+                }
+            }
+        }
+        Task {
+            for await _ in NotificationCenter.default.notifications(named: .secretStoreReloaded) {
+                try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)
+            }
+        }
+        try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)
+        notifier.prompt()
+        _ = withObservationTracking {
+            updater.update
+        } onChange: { [updater, notifier] in
+            Task {
+                guard !updater.currentVersion.isTestBuild else { return }
+                await notifier.notify(update: updater.update!) { release in
+                    await updater.ignore(release: release)
+                }
+            }
+        }
+    }
+
+}
+

Sources/SecretAgent/BatchedRequestsView.swift

@@ -1,58 +0,0 @@
-import SwiftUI
-import SecretKit
-import SecretAgentKit
-import SmartCardSecretKit
-
-struct BatchedRequestsView: View {
-
-    let pending: [[SignatureRequest]]
-    let review: (Set<SignatureRequest>) async throws -> Void
-
-    init(pending: [[SignatureRequest]], review: @escaping (Set<SignatureRequest>) async throws -> Void) {
-        self.pending = pending
-        self.review = review
-    }
-
-    var body: some View {
-        VStack(alignment: .leading) {
-//                .padding()
-            Form {
-//                Text("Multiple authenticated requests are pending. You can approve them batches, or request they all proceed individually.")
-                ForEach(Array(pending.enumerated()), id: \.offset) { group in
-                    Section {
-                        ForEach(Array(group.element.enumerated()), id: \.offset) { pending in
-                            HStack {
-                                VStack(alignment: .leading) {
-                                    Text(pending.element.provenance.origin.displayName)
-                                        .font(.headline)
-                                    Text(pending.element.provenance.date.formatted())
-                                        .font(.footnote)
-                                }
-                                Spacer()
-                                Button("Review") {
-                                    Task {
-                                        try? await review([pending.element])
-                                    }
-                                }
-                            }
-                        }
-                    } header: {
-                        HStack {
-                            Text("\(group.element.first!.provenance.origin.displayName) - \(group.element.first!.secret.name)")
-                            Spacer()
-                            Button("Review All") {
-                                Task {
-                                    try? await review(Set(group.element))
-                                }
-
-                            }
-                        }
-                    }
-                }
-            }
-            .formStyle(.grouped)
-        }
-        .frame(maxWidth: .infinity, maxHeight: .infinity)
-    }
-
-}

Sources/SecretAgent/CertificateMigrator.swift

@@ -1,47 +0,0 @@
-import Foundation
-import Security
-import CryptoTokenKit
-import CryptoKit
-import os
-import SSHProtocolKit
-import CertificateKit
-import SharedXPCServices
-
-public struct CertificateMigrator {
-
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.migration", category: "CertificateKitMigrator")
-    private let directory: URL
-    private let certificateStore: CertificateStore
-
-    /// Initializes a PublicKeyFileStoreController.
-    public init(homeDirectory: URL, certificateStore: CertificateStore) {
-        directory = homeDirectory.appending(component: "PublicKeys")
-        self.certificateStore = certificateStore
-    }
-
-    @MainActor public func migrate() throws {
-        let fileCerts = try FileManager.default
-            .contentsOfDirectory(atPath: directory.path())
-            .filter { $0.hasSuffix("-cert.pub") }
-        Task {
-            for path in fileCerts {
-                do {
-                    let url = directory.appending(component: path)
-                    let data = try Data(contentsOf: url)
-                    let parser = try await XPCCertificateParser()
-                    let cert = try await parser.parse(data: data)
-                    try certificateStore.save(certificate: Certificate(openSSHCertificate: cert, rawData: data))
-                    do {
-                        try FileManager.default.removeItem(at: url)
-                    } catch {
-                        logger.error("Failed to delete successfully migrated cert: \(path)")
-                    }
-                } catch {
-                    logger.error("Failed to migrate cert: \(path)")
-                }
-            }
-
-        }
-    }
-
-}

Sources/SecretAgent/Notifier.swift

@@ -5,8 +5,6 @@ import SecretKit
 import SecretAgentKit
 import Brief
 
-typealias PersistAction = (@Sendable (AnySecret, TimeInterval) async throws -> Void)
-
 final class Notifier: Sendable {
 
     private let notificationDelegate = NotificationDelegate()
@@ -17,12 +15,6 @@ final class Notifier: Sendable {
         let updateCategory = UNNotificationCategory(identifier: Constants.updateCategoryIdentitifier, actions: [updateAction, ignoreAction], intentIdentifiers: [], options: [])
         let criticalUpdateCategory = UNNotificationCategory(identifier: Constants.criticalUpdateCategoryIdentitifier, actions: [updateAction], intentIdentifiers: [], options: [])
 
-        UNUserNotificationCenter.current().setNotificationCategories([updateCategory, criticalUpdateCategory])
-        UNUserNotificationCenter.current().delegate = notificationDelegate
-
-    }
-
-    func registerPersistenceHandler(action: @escaping PersistAction) async {
         let rawDurations = [
             Measurement(value: 1, unit: UnitDuration.minutes),
             Measurement(value: 5, unit: UnitDuration.minutes),
@@ -32,9 +24,11 @@ final class Notifier: Sendable {
 
         let doNotPersistAction = UNNotificationAction(identifier: Constants.doNotPersistActionIdentitifier, title: String(localized: .persistAuthenticationDeclineButton), options: [])
         var allPersistenceActions = [doNotPersistAction]
+
         let formatter = DateComponentsFormatter()
         formatter.unitsStyle = .spellOut
         formatter.allowedUnits = [.hour, .minute, .day]
+
         var identifiers: [String: TimeInterval] = [:]
         for duration in rawDurations {
             let seconds = duration.converted(to: .seconds).value
@@ -49,11 +43,16 @@ final class Notifier: Sendable {
         if persistAuthenticationCategory.responds(to: Selector(("actionsMenuTitle"))) {
             persistAuthenticationCategory.setValue(String(localized: .persistAuthenticationAcceptButton), forKey: "_actionsMenuTitle")
         }
-        var categories = await UNUserNotificationCenter.current().notificationCategories()
-        categories.insert(persistAuthenticationCategory)
-        UNUserNotificationCenter.current().setNotificationCategories(categories)
+        UNUserNotificationCenter.current().setNotificationCategories([updateCategory, criticalUpdateCategory, persistAuthenticationCategory])
+        UNUserNotificationCenter.current().delegate = notificationDelegate
+
+        Task {
+            await notificationDelegate.state.setPersistenceState(options: identifiers) { secret, store, duration in
+                guard let duration = duration else { return }
+                try? await store.persistAuthentication(secret: secret, forDuration: duration)
+            }
+        }
 
-        await notificationDelegate.state.setPersistenceState(options: identifiers, action: action)
     }
 
     func prompt() {
@@ -61,7 +60,7 @@ final class Notifier: Sendable {
         notificationCenter.requestAuthorization(options: .alert) { _, _ in }
     }
 
-    func notify(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, offerPersistence: Bool) async {
+    func notify(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async {
         await notificationDelegate.state.setPending(secret: secret, store: store)
         let notificationCenter = UNUserNotificationCenter.current()
         let notificationContent = UNMutableNotificationContent()
@@ -70,7 +69,7 @@ final class Notifier: Sendable {
         notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
         notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
         notificationContent.interruptionLevel = .timeSensitive
-        if offerPersistence {
+        if await store.existingPersistedAuthenticationContext(secret: secret) == nil && secret.authenticationRequirement.required {
             notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
         }
         if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
@@ -104,8 +103,8 @@ extension Notifier: SigningWitness {
     func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
     }
 
-    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, offerPersistence: Bool) async throws {
-        await notify(accessTo: secret, from: store, by: provenance, offerPersistence: offerPersistence)
+    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
+        await notify(accessTo: secret, from: store, by: provenance)
     }
 
 }
@@ -134,24 +133,28 @@ extension Notifier {
 final class NotificationDelegate: NSObject, UNUserNotificationCenterDelegate, Sendable {
 
     fileprivate actor State {
+        typealias PersistAction = (@Sendable (AnySecret, AnySecretStore, TimeInterval?) async -> Void)
         typealias IgnoreAction = (@Sendable (Release) async -> Void)
         fileprivate var release: Release?
         fileprivate var ignoreAction: IgnoreAction?
         fileprivate var persistAction: PersistAction?
         fileprivate var persistOptions: [String: TimeInterval] = [:]
+        fileprivate var pendingPersistableStores: [String: AnySecretStore] = [:]
         fileprivate var pendingPersistableSecrets: [String: AnySecret] = [:]
 
         func setPending(secret: AnySecret, store: AnySecretStore) {
             pendingPersistableSecrets[secret.id.description] = secret
+            pendingPersistableStores[store.id.description] = store
         }
 
-        func retrievePending(secretID: String, optionID: String) -> (AnySecret, TimeInterval)? {
+        func retrievePending(secretID: String, storeID: String, optionID: String) -> (AnySecret, AnySecretStore, TimeInterval)? {
             guard let secret = pendingPersistableSecrets[secretID],
+                  let store = pendingPersistableStores[storeID],
                   let options = persistOptions[optionID] else {
                 return nil
             }
             pendingPersistableSecrets.removeValue(forKey: secretID)
-            return (secret, options)
+            return (secret, store, options)
         }
 
         func setPersistenceState(options: [String: TimeInterval], action: @escaping PersistAction) {
@@ -199,12 +202,13 @@ final class NotificationDelegate: NSObject, UNUserNotificationCenterDelegate, Se
     }
 
     func handlePersistAuthenticationResponse(response: UNNotificationResponse) async {
-        guard let secretID = response.notification.request.content.userInfo[Notifier.Constants.persistSecretIDKey] as? String else {
+        guard let secretID = response.notification.request.content.userInfo[Notifier.Constants.persistSecretIDKey] as? String,
+              let storeID = response.notification.request.content.userInfo[Notifier.Constants.persistStoreIDKey] as? String else {
             return
         }
         let optionID = response.actionIdentifier
-        guard let (secret, persistOptions) = await state.retrievePending(secretID: secretID, optionID: optionID) else { return }
-        try? await state.persistAction?(secret, persistOptions)
+        guard let (secret, store, persistOptions) = await state.retrievePending(secretID: secretID, storeID: storeID, optionID: optionID) else { return }
+        await state.persistAction?(secret, store, persistOptions)
     }
 
 

Sources/SecretAgent/SecretAgent.entitlements

@@ -2,22 +2,6 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>com.apple.security.hardened-process</key>
-	<true/>
-	<key>com.apple.security.hardened-process.checked-allocations</key>
-	<true/>
-	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
-	<true/>
-	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
-	<true/>
-	<key>com.apple.security.hardened-process.dyld-ro</key>
-	<true/>
-	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
-	<string>1</string>
-	<key>com.apple.security.hardened-process.hardened-heap</key>
-	<true/>
-	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
-	<string>2</string>
 	<key>com.apple.security.smartcard</key>
 	<true/>
 	<key>keychain-access-groups</key>

Sources/SecretAgent/XPCInputParser.swift

@@ -1,27 +1,19 @@
 import Foundation
-import OSLog
-import SSHProtocolKit
+import SecretAgentKit
 import Brief
 import XPCWrappers
-import OSLog
-import SSHProtocolKit
 
 /// Delegates all agent input parsing to an XPC service which wraps OpenSSH
 public final class XPCAgentInputParser: SSHAgentInputParserProtocol {
 
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "XPCAgentInputParser")
     private let session: XPCTypedSession<SSHAgent.Request, SSHAgentInputParser.AgentParsingError>
 
     public init() async throws {
-        logger.debug("Creating XPCAgentInputParser")
         session = try await XPCTypedSession(serviceName: "com.maxgoedjen.Secretive.SecretAgentInputParser", warmup: true)
-        logger.debug("XPCAgentInputParser is warmed up.")
     }
 
     public func parse(data: Data) async throws -> SSHAgent.Request {
-        logger.debug("Parsing input")
-        defer { logger.debug("Parsed input") }
-        return try await session.send(data)
+        try await session.send(data)
     }
 
     deinit {

Sources/SecretAgentInputParser/SecretAgentInputParser.entitlements

@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>com.apple.security.hardened-process</key>
-	<true/>
-	<key>com.apple.security.hardened-process.checked-allocations</key>
-	<true/>
-	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
-	<true/>
-	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
-	<true/>
-	<key>com.apple.security.hardened-process.dyld-ro</key>
-	<true/>
-	<key>com.apple.security.hardened-process.hardened-heap</key>
-	<true/>
-	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
-	<string>1</string>
-	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
-	<string>2</string>
-</dict>
-</plist>

Sources/SecretAgentInputParser/SecretAgentInputParser.swift

@@ -2,7 +2,6 @@ import Foundation
 import OSLog
 import XPCWrappers
 import SecretAgentKit
-import SSHProtocolKit
 
 final class SecretAgentInputParser: NSObject, XPCProtocol {
 

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/PackageTests.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2640"
+   LastUpgradeVersion = "2600"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -14,8 +14,7 @@
       shouldUseLaunchSchemeArgsEnv = "YES">
       <TestPlans>
          <TestPlanReference
-            reference = "container:Config/Secretive.xctestplan"
-            default = "YES">
+            reference = "container:Config/Secretive.xctestplan">
          </TestPlanReference>
       </TestPlans>
    </TestAction>

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgent.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2640"
+   LastUpgradeVersion = "2600"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/Secretive.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2640"
+   LastUpgradeVersion = "2600"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -23,7 +23,7 @@
       </BuildActionEntries>
    </BuildAction>
    <TestAction
-      buildConfiguration = "Debug"
+      buildConfiguration = "Test"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       shouldUseLaunchSchemeArgsEnv = "YES">

Sources/Secretive/App.swift

@@ -3,90 +3,6 @@ import SecretKit
 import SecureEnclaveSecretKit
 import SmartCardSecretKit
 import Brief
-import CertificateKit
-
-@main
-struct Secretive: App {
-    
-    @Environment(\.agentLaunchController) var agentLaunchController
-    @Environment(\.justUpdatedChecker) var justUpdatedChecker
-
-    @SceneBuilder var body: some Scene {
-        WindowGroup {
-            ContentView()
-                .environment(EnvironmentValues._secretStoreList)
-                .environment(EnvironmentValues._certificateStore)
-                .onReceive(NotificationCenter.default.publisher(for: NSApplication.didBecomeActiveNotification)) { _ in
-                    Task {
-                        @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
-                        @AppStorage("explicitlyDisabled") var explicitlyDisabled = false
-                        guard hasRunSetup && !explicitlyDisabled else { return }
-                        agentLaunchController.check()
-                        guard !agentLaunchController.developmentBuild else { return }
-                        if justUpdatedChecker.justUpdatedBuild || !agentLaunchController.running {
-                            // Relaunch the agent, since it'll be running from earlier update still
-                            try? await agentLaunchController.forceLaunch()
-                        }
-                    }
-                }
-        }
-        .commands {
-            AppCommands()
-        }
-        WindowGroup(id: String(describing: IntegrationsView.self)) {
-            IntegrationsView()
-        }
-        .windowResizability(.contentMinSize)
-        WindowGroup(id: String(describing: AboutView.self)) {
-            AboutView()
-        }
-        .windowStyle(.hiddenTitleBar)
-        .windowResizability(.contentSize)
-    }
-
-}
-
-extension Secretive {
-
-    struct AppCommands: Commands {
-
-        @Environment(\.openWindow) var openWindow
-        @Environment(\.openURL) var openURL
-        @FocusedValue(\.showCreateSecret) var showCreateSecret
-
-        var body: some Commands {
-            CommandGroup(replacing: .appInfo) {
-                Button(.aboutMenuBarTitle, systemImage: "info.circle") {
-                    openWindow(id: String(describing: AboutView.self))
-                }
-            }
-            CommandGroup(before: CommandGroupPlacement.appSettings) {
-                Button(.integrationsMenuBarTitle, systemImage: "app.connected.to.app.below.fill") {
-                    openWindow(id: String(describing: IntegrationsView.self))
-                }
-            }
-            CommandGroup(after: CommandGroupPlacement.newItem) {
-                Button(.appMenuNewSecretButton, systemImage: "plus") {
-                    showCreateSecret?()
-                }
-                .keyboardShortcut(KeyboardShortcut(KeyEquivalent("N"), modifiers: [.command, .shift]))
-                .disabled(showCreateSecret?.isEnabled == false)
-            }
-            CommandGroup(replacing: .help) {
-                Button(.appMenuHelpButton) {
-                    openURL(Constants.helpURL)
-                }
-            }
-            SidebarCommands()
-        }
-    }
-
-}
-
-private enum Constants {
-    static let helpURL = URL(string: "https://github.com/maxgoedjen/secretive/blob/main/FAQ.md")!
-}
-
 
 extension EnvironmentValues {
 
@@ -94,18 +10,15 @@ extension EnvironmentValues {
     @MainActor fileprivate static let _secretStoreList: SecretStoreList = {
         let list = SecretStoreList()
         let cryptoKit = SecureEnclave.Store()
-        let cryptoKitMigrator = SecureEnclave.CryptoKitMigrator()
-        try? cryptoKitMigrator.migrate(to: cryptoKit)
+        let migrator = SecureEnclave.CryptoKitMigrator()
+        try? migrator.migrate(to: cryptoKit)
         list.add(store: cryptoKit)
         list.add(store: SmartCard.Store())
         return list
     }()
 
-    @MainActor fileprivate static let _certificateStore: CertificateStore = CertificateStore()
-    
-    private static let _agentLaunchController = AgentLaunchController()
-    @Entry var agentLaunchController: any AgentLaunchControllerProtocol = _agentLaunchController
-
+    private static let _agentStatusChecker = AgentStatusChecker()
+    @Entry var agentStatusChecker: any AgentStatusCheckerProtocol = _agentStatusChecker
     private static let _updater: any UpdaterProtocol = {
         @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
         return Updater(checkOnLaunch: hasRunSetup)
@@ -118,28 +31,90 @@ extension EnvironmentValues {
     @MainActor var secretStoreList: SecretStoreList {
         EnvironmentValues._secretStoreList
     }
-
-    @MainActor var certificateStore: CertificateStore {
-        EnvironmentValues._certificateStore
-    }
 }
 
-extension FocusedValues {
-    @Entry var showCreateSecret: OpenSheet?
-}
+@main
+struct Secretive: App {
     
-final class OpenSheet {
+    @Environment(\.agentStatusChecker) var agentStatusChecker
+    @Environment(\.justUpdatedChecker) var justUpdatedChecker
+    @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
+    @State private var showingSetup = false
+    @State private var showingIntegrations = false
+    @State private var showingCreation = false
 
-    let closure: () -> Void
-    let isEnabled: Bool
-
-    init(isEnabled: Bool = true, closure: @escaping () -> Void) {
-        self.isEnabled = isEnabled
-        self.closure = closure
-    }
-
-    func callAsFunction() {
-        closure()
+    @SceneBuilder var body: some Scene {
+        WindowGroup {
+            ContentView(showingCreation: $showingCreation, runningSetup: $showingSetup, hasRunSetup: $hasRunSetup)
+                .environment(EnvironmentValues._secretStoreList)
+                .onAppear {
+                    if !hasRunSetup {
+                        showingSetup = true
+                    }
+                }
+                .onReceive(NotificationCenter.default.publisher(for: NSApplication.didBecomeActiveNotification)) { _ in
+                    guard hasRunSetup else { return }
+                    agentStatusChecker.check()
+                    if agentStatusChecker.running && justUpdatedChecker.justUpdatedBuild {
+                        // Relaunch the agent, since it'll be running from earlier update still
+                        reinstallAgent()
+                    } else if !agentStatusChecker.running && !agentStatusChecker.developmentBuild {
+                        forceLaunchAgent()
+                    }
+                }
+                .sheet(isPresented: $showingIntegrations) {
+                    IntegrationsView()
+                }
+        }
+        .commands {
+            CommandGroup(before: CommandGroupPlacement.appSettings) {
+                Button(.integrationsMenuBarTitle, systemImage: "app.connected.to.app.below.fill") {
+                    showingIntegrations = true
+                }
+            }
+            CommandGroup(after: CommandGroupPlacement.newItem) {
+                Button(.appMenuNewSecretButton) {
+                    showingCreation = true
+                }
+                .keyboardShortcut(KeyboardShortcut(KeyEquivalent("N"), modifiers: [.command, .shift]))
+            }
+            CommandGroup(replacing: .help) {
+                Button(.appMenuHelpButton) {
+                    NSWorkspace.shared.open(Constants.helpURL)
+                }
+            }
+            SidebarCommands()
+        }
     }
 
 }
+
+extension Secretive {
+
+    private func reinstallAgent() {
+        Task {
+            _ = await LaunchAgentController().install()
+            try? await Task.sleep(for: .seconds(1))
+            agentStatusChecker.check()
+            if !agentStatusChecker.running {
+                forceLaunchAgent()
+            }
+        }
+    }
+
+    private func forceLaunchAgent() {
+        // We've run setup, we didn't just update, launchd is just not doing it's thing.
+        // Force a launch directly.
+        Task {
+            _ = await LaunchAgentController().forceLaunch()
+            agentStatusChecker.check()
+        }
+    }
+
+}
+
+
+private enum Constants {
+    static let helpURL = URL(string: "https://github.com/maxgoedjen/secretive/blob/main/FAQ.md")!
+}
+

Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Contents.json

@@ -0,0 +1,68 @@
+{
+  "images" : [
+    {
+      "filename" : "Icon-macOS-ClearDark-16x16@1x.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "16x16"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-16x16@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "16x16"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-32x32@1x.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "32x32"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-32x32@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "32x32"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-128x128@1x.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "128x128"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-128x128@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "128x128"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-256x256@1x.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "256x256"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-256x256@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "256x256"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-512x512@1x.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "512x512"
+    },
+    {
+      "filename" : "Icon-macOS-ClearDark-1024x1024@1x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "512x512"
+    }
+  ],
+  "info" : {
+    "author" : "xcode",
+    "version" : 1
+  }
+}

Sources/Secretive/Assets.xcassets/Contents.json

@@ -0,0 +1,6 @@
+{
+  "info" : {
+    "author" : "xcode",
+    "version" : 1
+  }
+}

Sources/Secretive/Controllers/AgentStatusChecker.swift

@@ -2,26 +2,18 @@ import Foundation
 import AppKit
 import SecretKit
 import Observation
-import OSLog
-import ServiceManagement
-import Common
 
-@MainActor protocol AgentLaunchControllerProtocol: Observable, Sendable {
+@MainActor protocol AgentStatusCheckerProtocol: Observable, Sendable {
     var running: Bool { get }
     var developmentBuild: Bool { get }
     var process: NSRunningApplication? { get }
     func check()
-    func install() async throws
-    func uninstall() async throws
-    func forceLaunch() async throws
 }
 
-@Observable @MainActor final class AgentLaunchController: AgentLaunchControllerProtocol {
+@Observable @MainActor final class AgentStatusChecker: AgentStatusCheckerProtocol {
 
     var running: Bool = false
     var process: NSRunningApplication? = nil
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "LaunchAgentController")
-    private let service = SMAppService.loginItem(identifier: Bundle.agentBundleID)
 
     nonisolated init() {
         Task { @MainActor in
@@ -41,7 +33,7 @@ import Common
 
     // The process corresponding to this instance of Secretive
     var instanceSecretAgentProcess: NSRunningApplication? {
-        // TODO: CHECK VERSION
+        // FIXME: CHECK VERSION
         let agents = allSecretAgentProcesses
         for agent in agents {
             guard let url = agent.bundleURL else { continue }
@@ -57,47 +49,6 @@ import Common
         Bundle.main.bundleURL.isXcodeURL
     }
 
-    func install() async throws {
-        logger.debug("Installing agent")
-        try? await service.unregister()
-        // This is definitely a bit of a "seems to work better" thing but:
-        // Seems to more reliably hit if these are on separate runloops, otherwise it seems like it sometimes doesn't kill old
-        // and start new?
-        try await Task.sleep(for: .seconds(1))
-        try service.register()
-        try await Task.sleep(for: .seconds(1))
-        check()
-    }
-
-    func uninstall() async throws {
-        logger.debug("Uninstalling agent")
-        try await Task.sleep(for: .seconds(1))
-        try await service.unregister()
-        try await Task.sleep(for: .seconds(1))
-        check()
-    }
-
-    func forceLaunch() async throws {
-        logger.debug("Agent is not running, attempting to force launch by reinstalling")
-        try await install()
-        if running {
-            logger.debug("Agent successfully force launched by reinstalling")
-            return
-        }
-        logger.debug("Agent is not running, attempting to force launch by launching directly")
-        let url = Bundle.main.bundleURL.appendingPathComponent("Contents/Library/LoginItems/SecretAgent.app")
-        let config = NSWorkspace.OpenConfiguration()
-        config.activates = false
-        do {
-            try await NSWorkspace.shared.openApplication(at: url, configuration: config)
-            logger.debug("Agent force launched")
-            try await Task.sleep(for: .seconds(1))
-        } catch {
-            logger.error("Error force launching \(error.localizedDescription)")
-        }
-        check()
-    }
-
 }
 
 extension URL {

Sources/Secretive/Controllers/LaunchAgentController.swift

@@ -0,0 +1,65 @@
+import Foundation
+import ServiceManagement
+import AppKit
+import OSLog
+import SecretKit
+
+struct LaunchAgentController {
+    
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "LaunchAgentController")
+
+    func install() async -> Bool {
+        logger.debug("Installing agent")
+        _ = setEnabled(false)
+        // This is definitely a bit of a "seems to work better" thing but:
+        // Seems to more reliably hit if these are on separate runloops, otherwise it seems like it sometimes doesn't kill old
+        // and start new?
+        try? await Task.sleep(for: .seconds(1))
+        let result = await MainActor.run {
+            setEnabled(true)
+        }
+        try? await Task.sleep(for: .seconds(1))
+        return result
+    }
+
+    func uninstall() async -> Bool {
+        logger.debug("Uninstalling agent")
+        try? await Task.sleep(for: .seconds(1))
+        let result = await MainActor.run {
+            setEnabled(false)
+        }
+        try? await Task.sleep(for: .seconds(1))
+        return result
+    }
+
+    func forceLaunch() async -> Bool {
+        logger.debug("Agent is not running, attempting to force launch")
+        let url = Bundle.main.bundleURL.appendingPathComponent("Contents/Library/LoginItems/SecretAgent.app")
+        let config = NSWorkspace.OpenConfiguration()
+        config.activates = false
+        do {
+            try await NSWorkspace.shared.openApplication(at: url, configuration: config)
+            logger.debug("Agent force launched")
+            try? await Task.sleep(for: .seconds(1))
+            return true
+        } catch {
+            logger.error("Error force launching \(error.localizedDescription)")
+            return false
+        }
+    }
+
+    private func setEnabled(_ enabled: Bool) -> Bool {
+        let service = SMAppService.loginItem(identifier: Bundle.agentBundleID)
+        do {
+            if enabled {
+                try service.register()
+            } else {
+                try service.unregister()
+            }
+            return true
+        } catch {
+            return false
+        }
+    }
+
+}

Sources/Secretive/Controllers/URLs.swift

@@ -0,0 +1,25 @@
+import Foundation
+
+extension URL {
+
+    static var agentHomeURL: URL {
+        URL(fileURLWithPath: URL.homeDirectory.path().replacingOccurrences(of: Bundle.hostBundleID, with: Bundle.agentBundleID))
+    }
+
+    static var socketPath: String {
+        URL.agentHomeURL.appendingPathComponent("socket.ssh").path()
+    }
+
+}
+
+extension String {
+
+    var normalizedPathAndFolder: (String, String) {
+        // All foundation-based normalization methods replace this with the container directly.
+        let processedPath = replacingOccurrences(of: "~", with: "/Users/\(NSUserName())")
+        let url = URL(filePath: processedPath)
+        let folder = url.deletingLastPathComponent().path()
+        return (processedPath, folder)
+    }
+
+}

Sources/Secretive/Credits.rtf

@@ -0,0 +1,36 @@
+{\rtf1\ansi\ansicpg1252\cocoartf2580
+\cocoatextscaling0\cocoaplatform0{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+{\*\expandedcolortbl;;}
+\margl1440\margr1440\vieww9000\viewh8400\viewkind0
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6119\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
+{\field{\*\fldinst{HYPERLINK "https://github.com/maxgoedjen/secretive"}}{\fldrslt 
+\f0\fs24 \cf0 GitHub Repository}}
+\f0\fs24 \
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
+\cf0 \
+{\field{\*\fldinst{HYPERLINK "GITHUB_BUILD_URL"}}{\fldrslt Build Log}}\
+\
+Special Thanks To:\
+\
+{\field{\*\fldinst{HYPERLINK "https://github.com/maxgoedjen/secretive/graphs/contributors"}}{\fldrslt Contributors}}:\
+{\field{\*\fldinst{HYPERLINK "https://github.com/0xflotus"}}{\fldrslt 0xflotus}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/aaron-trout"}}{\fldrslt Aaron Trout}}\
+\pard\pardeftab720\partightenfactor0
+{\field{\*\fldinst{HYPERLINK "https://github.com/EppO"}}{\fldrslt \cf0 Florent Monbillard}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/vladimyr"}}{\fldrslt Dario Vladovi\uc0\u263 }}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/lavalleeale"}}{\fldrslt Alex Lavallee}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/joshheyse"}}{\fldrslt Josh}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/diesal11"}}{\fldrslt Dylan Lundy}}\
+\
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
+\cf0 Testers:\
+{\field{\*\fldinst{HYPERLINK "https://github.com/bdash"}}{\fldrslt Mark Rowe}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/danielctull"}}{\fldrslt Daniel Tull}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/davedelong"}}{\fldrslt Dave DeLong}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/esttorhe"}}{\fldrslt Esteban Torres}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/joeblau"}}{\fldrslt Joe Blau}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/marksands"}}{\fldrslt Mark Sands}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/mergesort"}}{\fldrslt Joe Fabisevich}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/phillco"}}{\fldrslt Phil Cohen}}\
+{\field{\*\fldinst{HYPERLINK "https://github.com/zackdotcomputer"}}{\fldrslt Zack Sheppard}}}

Sources/Secretive/Info.plist

@@ -20,8 +20,6 @@
 	<string>$(CI_VERSION)</string>
 	<key>CFBundleVersion</key>
 	<string>$(CI_BUILD_NUMBER)</string>
-	<key>GitHubBuildLog</key>
-	<string>https://$(CI_BUILD_LINK)</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
 	<key>NSHumanReadableCopyright</key>