Fix compiler diff for unsafe

Bad copy pasta, thanks @

.github/workflows/codeql.yml

@@ -0,0 +1,47 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '26 15 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-26') || 'ubuntu-latest' }}
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        # Disable this until CodeQL supports Xcode 26 builds.
+        # - language: swift
+        #   build-mode: manual
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+    - if: matrix.build-mode == 'manual'
+      name: "Select Xcode"
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+    - if: matrix.build-mode == 'manual'
+      name: "Build"
+      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/nightly.yml

@@ -3,10 +3,16 @@ name: Nightly
 on: 
   schedule: 
     - cron: "0 8 * * *"
+  
 jobs:
   build:
-#     runs-on: macOS-latest
+    runs-on: macos-26
-    runs-on: macos-15
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
+      artifact-metadata: write
+      actions: read
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v5
@@ -20,20 +26,33 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - name: Update Build Number
       env:
         RUN_ID: ${{ github.run_id }}
       run: |
-            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0/g" Sources/Config/Config.xcconfig
+            DATE=$(date "+%Y-%m-%d")
+            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0_nightly-$DATE/g" Sources/Config/Config.xcconfig
             sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
     - name: Build
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Create ZIPs
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v7
+      with:
+        name: Secretive
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
-            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive ./Archive.zip
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
     - name: Notarize
       env: 
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
@@ -41,11 +60,7 @@ jobs:
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
     - name: Attest
       id: attest
-      uses: actions/attest-build-provenance@v2
+      uses: actions/attest@v4
       with:
-        subject-path: 'Secretive.zip'
+        subject-name: "Secretive.zip"
-    - name: Upload App to Artifacts
+        subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
-      uses: actions/upload-artifact@v4
-      with:
-        name: Secretive.zip
-        path: Secretive.zip

.github/workflows/oneoff.yml

@@ -0,0 +1,65 @@
+name: One-Off Build
+
+on: 
+  workflow_dispatch:
+  
+jobs:
+  build:
+    runs-on: macos-26
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
+      artifact-metadata: write
+      actions: read
+    timeout-minutes: 10
+    steps:
+    - uses: actions/checkout@v5
+    - name: Setup Signing
+      env: 
+        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
+        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
+        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
+        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      run: ./.github/scripts/signing.sh
+    - name: Set Environment
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
+    - name: Update Build Number
+      env:
+        RUN_ID: ${{ github.run_id }}
+      run: |
+            DATE=$(date "+%Y-%m-%d")
+            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0_oneoff-$DATE/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
+    - name: Build
+      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v7
+      with:
+        name: Secretive
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
+    - name: Notarize
+      env: 
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Attest
+      id: attest
+      uses: actions/attest@v4
+      with:
+        subject-name: "Secretive.zip"
+        subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}

.github/workflows/release.yml

@@ -6,8 +6,9 @@ on:
       - '*'
 jobs:
   test:
-#     runs-on: macOS-latest
+    permissions:
-    runs-on: macos-15
+        contents: read
+    runs-on: macos-26
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v5
@@ -21,16 +22,19 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - name: Test
-      run: swift test --build-system swiftbuild --package-path Sources/Packages
+      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
+      # SPM doesn't seem to pick up on the tests currently?
+      # run: swift test --build-system swiftbuild --package-path Sources/Packages
   build:
-#     runs-on: macOS-latest
-    runs-on: macos-15
     permissions:
       id-token: write
       contents: write
       attestations: write
+      artifact-metadata: write
+      actions: read
+    runs-on: macos-26
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v5
@@ -44,7 +48,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - name: Update Build Number
       env:
         TAG_NAME: ${{ github.ref }}
@@ -53,13 +57,25 @@ jobs:
             export CLEAN_TAG=$(echo $TAG_NAME | sed -e 's/refs\/tags\/v//')
             sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Sources/Config/Config.xcconfig
             sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
+            sed -i '' -e "s/GITHUB_BUILD_URL/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
     - name: Build
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Create ZIPs
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v7
+      with:
+        name: Secretive.zip
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
-            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive ./Xcode_Archive.zip
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
     - name: Notarize
       env: 
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
@@ -67,28 +83,17 @@ jobs:
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
     - name: Attest
       id: attest
-      uses: actions/attest-build-provenance@v2
+      uses: actions/attest@v4
       with:
-        subject-path: 'Secretive.zip, Xcode_Archive.zip'
+        subject-path: "Secretive.zip"
     - name: Create Release
-      run: |
-            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
-            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
-            gh release create $TAG_NAME -d -F .github/templates/release.md
-            gh release upload Secretive.zip
-            gh release upload Xcode_Archive.zip
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         TAG_NAME: ${{ github.ref }}
         RUN_ID: ${{ github.run_id }}
         ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
-    - name: Upload App to Artifacts
+      run: |
-      uses: actions/upload-artifact@v4
+            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
-      with:
+            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
-        name: Secretive.zip
+            gh release create $TAG_NAME -d -F .github/templates/release.md
-        path: Secretive.zip
+            gh release upload $TAG_NAME Secretive.zip
-    - name: Upload Archive to Artifacts
-      uses: actions/upload-artifact@v4
-      with:
-        name: Xcode_Archive.zip
-        path: Xcode_Archive.zip

.github/workflows/test.yml

@@ -3,14 +3,17 @@ name: Test
 on: [push, pull_request]
 jobs:
   test:
-#     runs-on: macOS-latest
+    permissions:
-    runs-on: macos-15
+        contents: read
+    runs-on: macos-26
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v5
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app
     - name: Test Main Packages
-      run: swift test --build-system swiftbuild --package-path Sources/Packages
+      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
+      # SPM doesn't seem to pick up on the tests currently?
+      # run: swift test --build-system swiftbuild --package-path Sources/Packages
     - name: Test SecretKit Packages
       run: swift test --build-system swiftbuild

.gitignore

@@ -93,3 +93,7 @@ iOSInjectionProject/
 Archive.xcarchive
 .DS_Store
 contents.xcworkspacedata
+
+# Per-User Configs
+
+Sources/Config/OpenSource.xcconfig

CONTRIBUTING.md

@@ -10,6 +10,10 @@ Security is obviously paramount for a project like Secretive. As such, any contr
 
 Secretive is designed to be easily auditable by people who are considering using it. In keeping with this, Secretive has no third party dependencies, and any contributions which bring in new dependencies will be rejected.
 
+### AI/LLM Policy
+
+For security and auditing reasons similar to the policy Secretive has on dependencies, any code generated with AI or LLM tools will not be accepted.
+
 ## Code of Conduct
 
 All contributors must abide by the [Code of Conduct](CODE_OF_CONDUCT.md)

LOCALIZING.md

@@ -2,36 +2,35 @@
 
 If you speak another language, and would like to help translate Secretive to support that language, we'd love your help!
 
-## Getting Started
+## Crowdin
 
-### Download Xcode
+[Secretive uses Crowdin for localization](https://crowdin.com/project/secretive/). Open the link and select your language to translate!
 
-Download the latest version of Xcode (at minimum, Xcode 15) from [Apple](http://developer.apple.com/download/applications/).
+### Manual Translation
 
-### Clone Secretive
+Crowdin is the easiest way to translate Secretive, but I'm happy to accept Pull Requests directly as well.
-
-Clone Secretive using [these instructions from GitHub](https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository).
-
-### Open Secretive
-
-Open [Sources/Secretive.xcodeproj](Sources/Secretive.xcodeproj) in Xcode.
-
-### Translate
-
-Navigate to [Secretive/Localizable](Sources/Secretive/Localizable.xcstrings). 
-
-<img src="/.github/readme/localize_sidebar.png" alt="Screenshot of Xcode navigating to the Localizable file" width="300">
-
-If your language already has an in-progress localization, select it from the list. If it isn't there, hit the "+" button and choose your language from the list.
-
-<img src="/.github/readme/localize_add.png" alt="Screenshot of Xcode adding a new language" width="600">
-
-Start translating! You'll see a list of english phrases, and a space to add a translation of your language.
-
-### Create a Pull Request
-
-Push your changes and open a pull request. 
 
 ### Questions
 
 Please open an issue if you have a question about translating the app. I'm more than happy to clarify any terms that are ambiguous or confusing. Thanks for contributing!
+
+### Thank You
+
+Thanks to all the folks who have contributed localizations so far!
+
+- @mtardy for the French localization
+- @GravityRyu for the Chinese localization
+- @Saeger for the Portuguese (Brazil) localization
+- @moritzsternemann for the German localization
+- @RoboRich00A16 for the Italian localization
+- @akx for the Finnish localization
+- @mog422 for the Korean localization
+- @niw for the Japanese localization
+- @truita for the Catalan localization
+- @Adimac93 for the Polish localization
+- @alongotv for the Russian localization
+
+
+
+
+A special thanks to [Crowdin](https://crowdin.com) for their [generous support of open source projects](https://crowdin.com/page/open-source-project-setup-request).

Package.swift

@@ -22,6 +22,15 @@ let package = Package(
         .library(
             name: "SmartCardSecretKit",
             targets: ["SmartCardSecretKit"]),
+        .library(
+            name: "CertificateKit",
+            targets: ["CertificateKit"]),
+        .library(
+            name: "SSHProtocolKit",
+            targets: ["SSHProtocolKit"]),
+        .library(
+            name: "Formatters",
+            targets: ["Formatters"]),
     ],
     dependencies: [
     ],
@@ -53,11 +62,38 @@ let package = Package(
             resources: [localization],
             swiftSettings: swiftSettings
         ),
+        .target(
+            name: "CertificateKit",
+            dependencies: ["SecretKit", "Formatters"],
+            path: "Sources/Packages/Sources/CertificateKit",
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
+        .target(
+            name: "SSHProtocolKit",
+            dependencies: ["SecretKit", "CertificateKit"],
+            path: "Sources/Packages/Sources/SSHProtocolKit",
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
+        .testTarget(
+            name: "SSHProtocolKitTests",
+            dependencies: ["SSHProtocolKit"],
+            path: "Sources/Packages/Tests/SSHProtocolKitTests",
+            swiftSettings: swiftSettings,
+        ),
+        .target(
+            name: "Formatters",
+            dependencies: [],
+            path: "Sources/Packages/Sources/Formatters",
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
     ]
 )
 
 var localization: Resource {
-    .process("../../Localizable.xcstrings")
+    .process("../../Resources/Localizable.xcstrings")
 }
 
 var swiftSettings: [PackageDescription.SwiftSetting] {

README.md

@@ -1,11 +1,11 @@
 # Secretive [![Test](https://github.com/maxgoedjen/secretive/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/maxgoedjen/secretive/actions/workflows/test.yml) ![Release](https://github.com/maxgoedjen/secretive/workflows/Release/badge.svg)
 
 
-Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the [sekey project](https://github.com/sekey/sekey), but rewritten in Swift with no external dependencies and with a handy native management app.
+Secretive is an app for protecting and managing SSH keys with the Secure Enclave.
-
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="/.github/readme/app-dark.png">
-  <img src="/.github/readme/app-light.png" alt="Screenshot of Secretive" width="600">
+  <source media="(prefers-color-scheme: light)" srcset="/.github/readme/app-light.png">
+  <img src="/.github/readme/app-dark.png" alt="Screenshot of Secretive" width="600">
 </picture>
 
 
@@ -13,7 +13,7 @@ Secretive is an app for storing and managing SSH keys in the Secure Enclave. It
 
 ### Safer Storage
 
-The most common setup for SSH keys is just keeping them on disk, guarded by proper permissions. This is fine in most cases, but it's not super hard for malicious users or malware to copy your private key. If you store your keys in the Secure Enclave, it's impossible to export them, by design.
+The most common setup for SSH keys is just keeping them on disk, guarded by proper permissions. This is fine in most cases, but it's not super hard for malicious users or malware to copy your private key. If you protect your keys with the Secure Enclave, it's impossible to export them, by design.
 
 ### Access Control
 
@@ -53,7 +53,7 @@ Builds are produced by GitHub Actions with an auditable build and release genera
 
 ### A Note Around Code Signing and Keychains
 
-While Secretive uses the Secure Enclave for key storage, it still relies on Keychain APIs to access them. Keychain restricts reads of keys to the app (and specifically, the bundle ID) that created them. If you build Secretive from source, make sure you are consistent in which bundle ID you use so that the Keychain is able to locate your keys.
+While Secretive uses the Secure Enclave to protect keys, it still relies on Keychain APIs to store and access them. Keychain restricts reads of keys to the app (and specifically, the bundle ID) that created them. If you build Secretive from source, make sure you are consistent in which bundle ID you use so that the Keychain is able to locate your keys.
 
 ### Backups and Transfers to New Machines
 
@@ -61,4 +61,12 @@ Because secrets in the Secure Enclave are not exportable, they are not able to b
 
 ## Security
 
-If you discover any vulnerabilities in this project, please notify [max.goedjen@gmail.com](mailto:max.goedjen@gmail.com) with the subject containing "SECRETIVE SECURITY."
+Secretive's security policy is detailed in [SECURITY.md](SECURITY.md). To report security issues, please use [GitHub's private reporting feature.](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)
+
+## Acknowledgements
+
+### sekey
+Secretive was inspired by the [sekey project](https://github.com/sekey/sekey).
+
+### Localization
+Secretive is localized to many languages by a generous team of volunteers. To learn more, see [LOCALIZING.md](LOCALIZING.md). Secretive's localization workflow is generously provided by [Crowdin](https://crowdin.com).

SECURITY.md

@@ -24,4 +24,4 @@ The latest version on the [Releases page](https://github.com/maxgoedjen/secretiv
 
 ## Reporting a Vulnerability
 
-If you discover any vulnerabilities in this project, please notify max.goedjen@gmail.com with the subject containing "SECRETIVE SECURITY."
+To report security issues, please use [GitHub's private reporting feature.](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)

Sources/Config/Config.xcconfig

@@ -1,2 +1,8 @@
 CI_VERSION = GITHUB_CI_VERSION
 CI_BUILD_NUMBER = GITHUB_BUILD_NUMBER
+CI_BUILD_LINK = GITHUB_BUILD_URL
+
+#include? "OpenSource.xcconfig"
+
+SECRETIVE_BASE_BUNDLE_ID = $(SECRETIVE_BASE_BUNDLE_ID_OSS:default=com.maxgoedjen.Secretive)
+SECRETIVE_DEVELOPMENT_TEAM = $(SECRETIVE_DEVELOPMENT_TEAM_OSS:default=Z72PRUAWF6)

Sources/Config/Secretive.xctestplan

@@ -13,12 +13,24 @@
   },
   "testTargets" : [
     {
-      "enabled" : false,
-      "parallelizable" : true,
       "target" : {
-        "containerPath" : "container:Secretive.xcodeproj",
+        "containerPath" : "container:Packages",
-        "identifier" : "50617D9323FCE48E0099B055",
+        "identifier" : "BriefTests",
-        "name" : "SecretiveTests"
+        "name" : "BriefTests"
+      }
+    },
+    {
+      "target" : {
+        "containerPath" : "container:Packages",
+        "identifier" : "SecretKitTests",
+        "name" : "SecretKitTests"
+      }
+    },
+    {
+      "target" : {
+        "containerPath" : "container:Packages",
+        "identifier" : "SecretAgentKitTests",
+        "name" : "SecretAgentKitTests"
       }
     }
   ],

Sources/Packages/Package.swift

@@ -19,15 +19,30 @@ let package = Package(
         .library(
             name: "SmartCardSecretKit",
             targets: ["SmartCardSecretKit"]),
+        .library(
+            name: "CertificateKit",
+            targets: ["CertificateKit"]),
         .library(
             name: "SecretAgentKit",
             targets: ["SecretAgentKit"]),
         .library(
-            name: "SecretAgentKitHeaders",
+            name: "Formatters",
-            targets: ["SecretAgentKitHeaders"]),
+            targets: ["Formatters"]),
+        .library(
+            name: "Common",
+            targets: ["Common"]),
+        .library(
+            name: "SharedXPCServices",
+            targets: ["SharedXPCServices"]),
         .library(
             name: "Brief",
             targets: ["Brief"]),
+        .library(
+            name: "XPCWrappers",
+            targets: ["XPCWrappers"]),
+        .library(
+            name: "SSHProtocolKit",
+            targets: ["SSHProtocolKit"]),
     ],
     dependencies: [
     ],
@@ -40,7 +55,7 @@ let package = Package(
         ),
         .testTarget(
             name: "SecretKitTests",
-            dependencies: ["SecretKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"],
+            dependencies: ["SecretKit", "SecretAgentKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"],
             swiftSettings: swiftSettings,
         ),
         .target(
@@ -56,38 +71,75 @@ let package = Package(
             swiftSettings: swiftSettings,
         ),
         .target(
-            name: "SecretAgentKit",
+            name: "CertificateKit",
-            dependencies: ["SecretKit", "SecretAgentKitHeaders"],
+            dependencies: ["SecretKit", "Formatters"],
             resources: [localization],
             swiftSettings: swiftSettings,
         ),
-        .systemLibrary(
+        .target(
-            name: "SecretAgentKitHeaders",
+            name: "SecretAgentKit",
+            dependencies: ["SecretKit", "SSHProtocolKit", "CertificateKit", "Common", "Formatters"],
+            resources: [localization],
+            swiftSettings: swiftSettings,
         ),
         .testTarget(
             name: "SecretAgentKitTests",
             dependencies: ["SecretAgentKit"],
         ),
         .target(
-            name: "Brief",
+            name: "SSHProtocolKit",
+            dependencies: ["SecretKit", "CertificateKit"],
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
+        .testTarget(
+            name: "SSHProtocolKitTests",
+            dependencies: ["SSHProtocolKit"],
+            swiftSettings: swiftSettings,
+        ),
+        .target(
+            name: "Formatters",
             dependencies: [],
             resources: [localization],
             swiftSettings: swiftSettings,
         ),
+        .target(
+            name: "Common",
+            dependencies: ["SSHProtocolKit", "SecretKit"],
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
+        .target(
+            name: "SharedXPCServices",
+            dependencies: ["CertificateKit", "SSHProtocolKit"],
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
+        .target(
+            name: "Brief",
+            dependencies: ["XPCWrappers", "SSHProtocolKit"],
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
         .testTarget(
             name: "BriefTests",
             dependencies: ["Brief"],
         ),
+        .target(
+            name: "XPCWrappers",
+            swiftSettings: swiftSettings,
+        ),
     ]
 )
 
 var localization: Resource {
-    .process("../../Localizable.xcstrings")
+    .process("../../Resources/Localizable.xcstrings")
 }
 
 var swiftSettings: [PackageDescription.SwiftSetting] {
     [
         .swiftLanguageMode(.v6),
         .treatAllWarnings(as: .error),
+        .strictMemorySafety()
     ]
 }

Sources/Packages/Sources/Brief/Release.swift

@@ -1,7 +1,8 @@
 import Foundation
+import SwiftUI
 
 /// A release is a representation of a downloadable update.
-public struct Release: Codable, Sendable {
+public struct Release: Codable, Sendable, Hashable {
 
     /// The user-facing name of the release. Typically "Secretive 1.2.3"
     public let name: String
@@ -15,6 +16,8 @@ public struct Release: Codable, Sendable {
     /// A user-facing description of the contents of the update.
     public let body: String
 
+    public let attributedBody: AttributedString
+
     /// Initializes a Release.
     /// - Parameters:
     ///   - name: The user-facing name of the release.
@@ -26,6 +29,56 @@ public struct Release: Codable, Sendable {
         self.prerelease = prerelease
         self.html_url = html_url
         self.body = body
+        self.attributedBody = AttributedString(_markdown: body)
+    }
+
+    public init(_ release: GitHubRelease) {
+        self.name = release.name
+        self.prerelease = release.prerelease
+        self.html_url = release.html_url
+        self.body = release.body
+        self.attributedBody = AttributedString(_markdown: release.body)
+    }
+
+}
+
+public struct GitHubRelease: Codable, Sendable {
+    let name: String
+    let prerelease: Bool
+    let html_url: URL
+    let body: String
+}
+
+fileprivate extension AttributedString {
+
+    init(_markdown markdown: String) {
+        let split = markdown.split(whereSeparator: \.isNewline)
+        let lines = split
+            .compactMap {
+                try? AttributedString(markdown: String($0), options: .init(allowsExtendedAttributes: true, interpretedSyntax: .full))
+            }
+            .map { (string: AttributedString) in
+                guard case let .header(level) = string.runs.first?.presentationIntent?.components.first?.kind else { return string }
+                return AttributedString("\n") + string
+                    .transformingAttributes(\.font) { font in
+                        font.value = switch level {
+                        case 2: .headline.bold()
+                        case 3: .headline
+                        default: .subheadline
+                        }
+                    }
+                    .transformingAttributes(\.underlineStyle) { underline in
+                        underline.value = switch level {
+                        case 2: .single
+                        default: .none
+                        }
+                    }
+                + AttributedString("\n")
+            }
+        self = lines.reduce(into: AttributedString()) { partialResult, next in
+            partialResult.append(next)
+            partialResult.append(AttributedString("\n"))
+        }
     }
 
 }

Sources/Packages/Sources/Brief/SemVer.swift

@@ -5,12 +5,20 @@ public struct SemVer: Sendable {
 
     /// The SemVer broken into an array of integers.
     let versionNumbers: [Int]
+    public let previewDescription: String?
+
+    public var isTestBuild: Bool {
+        versionNumbers == [0, 0, 0]
+    }
 
     /// Initializes a SemVer from a string representation.
     /// - Parameter version: A string representation of the SemVer, formatted as "major.minor.patch".
     public init(_ version: String) {
         // Betas have the format 1.2.3_beta1
-        let strippedBeta = version.split(separator: "_").first!
+        // Nightlies have the format 0.0.0_nightly-2025-09-03
+        let splitFull = version.split(separator: "_")
+        let strippedBeta = splitFull.first!
+        previewDescription = splitFull.count > 1 ? String(splitFull[1]) : nil
         var split = strippedBeta.split(separator: ".").compactMap { Int($0) }
         while split.count < 3 {
             split.append(0)
@@ -22,6 +30,7 @@ public struct SemVer: Sendable {
     /// - Parameter version: An  `OperatingSystemVersion` representation of the SemVer.
     public init(_ version: OperatingSystemVersion) {
         versionNumbers = [version.majorVersion, version.minorVersion, version.patchVersion]
+        previewDescription = nil
     }
 
 }

Sources/Packages/Sources/Brief/Updater.swift

@@ -1,5 +1,6 @@
 import Foundation
 import Observation
+import XPCWrappers
 
 /// A concrete implementation of ``UpdaterProtocol`` which considers the current release and OS version.
 @Observable public final class Updater: UpdaterProtocol, Sendable {
@@ -13,12 +14,11 @@ import Observation
         state.update
     }
 
-    public let testBuild: Bool
+    /// The current version of the app that is running.
+    public let currentVersion: SemVer
 
     /// The current OS version.
     private let osVersion: SemVer
-    /// The current version of the app that is running.
-    private let currentVersion: SemVer
 
     /// Initializes an Updater.
     /// - Parameters:
@@ -34,28 +34,25 @@ import Observation
     ) {
         self.osVersion = osVersion
         self.currentVersion = currentVersion
-        testBuild = currentVersion == SemVer("0.0.0")
-        if checkOnLaunch {
-            // Don't do a launch check if the user hasn't seen the setup prompt explaining updater yet.
-            Task {
-                await checkForUpdates()
-            }
-        }
         Task {
+            if checkOnLaunch {
+                try? await checkForUpdates()
+            }
             while !Task.isCancelled {
                 try? await Task.sleep(for: .seconds(Int(checkFrequency)))
-                await checkForUpdates()
+                try? await checkForUpdates()
             }
         }
     }
 
     /// Manually trigger an update check.
-    public func checkForUpdates() async {
+    public func checkForUpdates() async throws {
-        guard let (data, _) = try? await URLSession.shared.data(from: Constants.updateURL) else { return }
+        let session = try await XPCTypedSession<[Release], Never>(serviceName: "com.maxgoedjen.Secretive.SecretiveUpdater")
-        guard let releases = try? JSONDecoder().decode([Release].self, from: data) else { return }
+        await evaluate(releases: try await session.send())
-        await evaluate(releases: releases)
+        session.complete()
     }
 
+
     /// Ignores a specified release. `update` will be nil if the user has ignored the latest available release.
     /// - Parameter release: The release to ignore.
     public func ignore(release: Release) async {
@@ -102,11 +99,3 @@ extension Updater {
     }
 
 }
-
-extension Updater {
-
-    enum Constants {
-        static let updateURL = URL(string: "https://api.github.com/repos/maxgoedjen/secretive/releases")!
-    }
-
-}

Sources/Packages/Sources/Brief/UpdaterProtocol.swift

@@ -5,8 +5,8 @@ public protocol UpdaterProtocol: Observable, Sendable {
 
     /// The latest update
     @MainActor var update: Release? { get }
-    /// A boolean describing whether or not the current build of the app is a "test" build (ie, a debug build or otherwise special build)
+
-    var testBuild: Bool { get }
+    var currentVersion: SemVer { get }
 
     func ignore(release: Release) async
 }

Sources/Packages/Sources/CertificateKit/Certificate.swift

@@ -0,0 +1,24 @@
+import Foundation
+import CryptoKit
+import Formatters
+
+@dynamicMemberLookup
+public struct Certificate: Sendable, Codable, Equatable, Hashable, Identifiable, CustomDebugStringConvertible {
+
+    public var openSSHCertificate: OpenSSHCertificate
+    public let rawData: Data
+
+    public init(openSSHCertificate: OpenSSHCertificate, rawData: Data) {
+        self.openSSHCertificate = openSSHCertificate
+        self.rawData = rawData
+    }
+
+    public var id: String { Insecure.MD5.hash(data: rawData).formatted(.hex(separator: "")) }
+
+    public var debugDescription: String { openSSHCertificate.debugDescription }
+
+    public subscript<T>(dynamicMember keyPath: KeyPath<OpenSSHCertificate, T>) -> T {
+        openSSHCertificate[keyPath: keyPath]
+    }
+
+}

Sources/Packages/Sources/CertificateKit/CertificateStore.swift

@@ -0,0 +1,153 @@
+import Foundation
+import Observation
+import Security
+import os
+import SecretKit
+
+@Observable @MainActor public final class CertificateStore: Sendable {
+
+    public private(set) var certificates: [Certificate] = []
+
+    /// Initializes a Store.
+    public init() {
+        loadCertificates()
+        Task {
+            for await note in DistributedNotificationCenter.default().notifications(named: .certificateStoreUpdated) {
+                guard Constants.notificationToken != (note.object as? String) else {
+                    // Don't reload if we're the ones triggering this by reloading.
+                    continue
+                }
+                loadCertificates()
+            }
+        }
+    }
+
+    public func reloadCertificates() {
+        let before = certificates
+        certificates.removeAll()
+        loadCertificates()
+        if certificates != before {
+            NotificationCenter.default.post(name: .certificateStoreReloaded, object: self)
+            DistributedNotificationCenter.default().postNotificationName(.certificateStoreUpdated, object: Constants.notificationToken, deliverImmediately: true)
+        }
+    }
+
+    public func save(certificate: Certificate) throws {
+        let attributes = try JSONEncoder().encode(certificate.openSSHCertificate)
+        let keychainAttributes = KeychainDictionary([
+            kSecClass: Constants.keyClass,
+            kSecAttrService: Constants.keyTag,
+            kSecAttrAccount: certificate.id,
+            kSecUseDataProtectionKeychain: true,
+            kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+            kSecValueData: certificate.rawData,
+            kSecAttrGeneric: attributes
+        ])
+        let status = SecItemAdd(keychainAttributes, nil)
+        if status != errSecSuccess && status != errSecDuplicateItem {
+            throw KeychainError(statusCode: status)
+        }
+        reloadCertificates()
+    }
+
+    public func delete(certificate: Certificate) throws {
+        let deleteAttributes = KeychainDictionary([
+            kSecClass: Constants.keyClass,
+            kSecAttrService: Constants.keyTag,
+            kSecUseDataProtectionKeychain: true,
+            kSecAttrAccount: certificate.id,
+        ])
+        let status = SecItemDelete(deleteAttributes)
+        if status != errSecSuccess {
+            throw KeychainError(statusCode: status)
+        }
+        reloadCertificates()
+    }
+
+    public func update(certificate: Certificate) throws {
+        let updateQuery = KeychainDictionary([
+            kSecClass: Constants.keyClass,
+            kSecAttrAccount: certificate.id,
+        ])
+
+        let cert = try JSONEncoder().encode(certificate.openSSHCertificate)
+        let updatedAttributes = KeychainDictionary([
+            kSecAttrGeneric: cert,
+        ])
+
+        let status = SecItemUpdate(updateQuery, updatedAttributes)
+        if status != errSecSuccess {
+            throw KeychainError(statusCode: status)
+        }
+        reloadCertificates()
+    }
+
+    public func certificates(for secret: any Secret) -> [Certificate] {
+        certificates.filter { $0.openSSHCertificate.publicKey.data == secret.publicKey }
+    }
+
+
+}
+
+extension CertificateStore {
+
+    /// Loads all certificates from the store.
+    private func loadCertificates() {
+        let queryAttributes = KeychainDictionary([
+            kSecClass: Constants.keyClass,
+            kSecAttrService: Constants.keyTag,
+            kSecUseDataProtectionKeychain: true,
+            kSecReturnData: true,
+            kSecMatchLimit: kSecMatchLimitAll,
+            kSecReturnAttributes: true
+            ])
+        var untyped: CFTypeRef?
+        unsafe SecItemCopyMatching(queryAttributes, &untyped)
+        guard let typed = untyped as? [[CFString: Any]] else { return }
+        let decoder = JSONDecoder()
+        let wrapped: [Certificate] = typed.compactMap {
+            do {
+                guard let data = $0[kSecValueData] as? Data,
+                      let attributesData = $0[kSecAttrGeneric] as? Data else {
+                    throw MissingAttributesError()
+                }
+                return Certificate(openSSHCertificate: try decoder.decode(OpenSSHCertificate.self, from: attributesData), rawData: data)
+            } catch {
+                return nil
+            }
+        }
+            .filter {
+                if let validityRange = $0.validityRange {
+                    validityRange.contains(Date())
+                } else {
+                    true
+                }
+            }
+
+        certificates.append(contentsOf: wrapped)
+    }
+
+    
+}
+
+extension CertificateStore {
+
+    enum Constants {
+        static let keyClass = kSecClassGenericPassword as String
+        static let keyTag = Data("com.maxgoedjen.certificatestore.opensshcertificate".utf8)
+        static let notificationToken = UUID().uuidString
+    }
+    
+    struct UnsupportedAlgorithmError: Error {}
+    struct MissingAttributesError: Error {}
+
+}
+
+extension NSNotification.Name {
+
+    // Distributed notification that keys were modified out of process (ie, that the management tool added/removed certificates)
+    public static let certificateStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.certificateStore.updated")
+    // Internal notification that certificates were reloaded from the backing store.
+    public static let certificateStoreReloaded = NSNotification.Name("com.maxgoedjen.Secretive.certificateStore.reloaded")
+
+}

Sources/Packages/Sources/CertificateKit/OpenSSHCertificate.swift

@@ -0,0 +1,82 @@
+import Foundation
+import Formatters
+
+public struct OpenSSHCertificate: Sendable, Codable, Equatable, Hashable, CustomDebugStringConvertible {
+
+    public var type: CertificateType
+    public var name: String
+    public var data: Data
+
+    public var publicKey: PublicKey
+    public var principals: [String]
+    public var keyID: String
+    public var serial: UInt64
+    public var validityRange: Range<Date>?
+    public var criticalOptions: [String]
+    public var extensions: [String]
+    public var signingKey: PublicKey
+
+    public init(
+        type: OpenSSHCertificate.CertificateType,
+        name: String,
+        data: Data,
+        publicKey: PublicKey,
+        principals: [String],
+        keyID: String,
+        serial: UInt64,
+        validityRange: Range<Date>? = nil,
+        criticalOptions: [String],
+        extensions: [String],
+        signingKey: PublicKey,
+    ) {
+        self.type = type
+        self.name = name
+        self.data = data
+        self.publicKey = publicKey
+        self.principals = principals
+        self.keyID = keyID
+        self.serial = serial
+        self.validityRange = validityRange
+        self.criticalOptions = criticalOptions
+        self.extensions = extensions
+        self.signingKey = signingKey
+    }
+
+    public var debugDescription: String {
+        "OpenSSH Certificate \(name, default: "Unnamed"): \(data.formatted(.hex()))"
+    }
+
+}
+
+extension OpenSSHCertificate {
+
+    public enum CertificateType: String, Sendable, Codable {
+        case ecdsa256 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+        case ecdsa384 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+        case nistp521 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+
+        public var keyIdentifier: String {
+            rawValue.replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
+        }
+
+    }
+
+}
+
+extension OpenSSHCertificate {
+
+    public struct PublicKey: Hashable, Sendable, Codable {
+
+        public let keyType: String
+        public let curveName: String
+        public let data: Data
+
+        public init(keyType: String, curveName: String, data: Data) {
+            self.keyType = keyType
+            self.curveName = curveName
+            self.data = data
+        }
+
+    }
+
+}

Sources/Packages/Sources/Common/URLs.swift

@@ -0,0 +1,59 @@
+import Foundation
+import SSHProtocolKit
+import CertificateKit
+import SecretKit
+
+extension URL {
+
+    public static var agentHomeURL: URL {
+        URL(fileURLWithPath: URL.homeDirectory.path().replacingOccurrences(of: Bundle.hostBundleID, with: Bundle.agentBundleID))
+    }
+
+    public static var socketPath: String {
+        #if DEBUG
+        URL.agentHomeURL.appendingPathComponent("socket-debug.ssh").path()
+        #else
+        URL.agentHomeURL.appendingPathComponent("socket.ssh").path()
+        #endif
+    }
+
+    public static var publicKeyDirectory: URL {
+        agentHomeURL.appending(component: "PublicKeys")
+    }
+
+    public static var certificatesDirectory: URL {
+        agentHomeURL.appending(component: "Certificates")
+    }
+
+    /// The path for a Secret's public key.
+    /// - Parameter secret: The Secret to return the path for.
+    /// - Returns: The path to the Secret's public key.
+    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
+    public static func publicKeyPath<SecretType: Secret>(for secret: SecretType, in directory: URL) -> String {
+        let keyWriter = OpenSSHPublicKeyWriter()
+        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
+        return directory.appending(component: "\(minimalHex).pub").path()
+    }
+
+    /// The path for a certificate.
+    /// - Parameter certificate: The Certificate to return the path for.
+    /// - Returns: The path to the Certificate.
+    /// - Warning: This method returning a path does not imply that a certificate has been written to disk already. This method only describes where it will be written to.
+    public static func certificatePath(for certificateID: String, in directory: URL) -> String {
+        return directory.appending(component: "\(certificateID)-cert.pub").path()
+    }
+
+}
+
+extension String {
+
+    public var normalizedPathAndFolder: (String, String) {
+        // All foundation-based normalization methods replace this with the container directly.
+        let processedPath = replacingOccurrences(of: "~", with: "/Users/\(NSUserName())")
+        let url = URL(filePath: processedPath)
+        let folder = url.deletingLastPathComponent().path()
+        return (processedPath, folder)
+    }
+
+}
+

Sources/Packages/Sources/Formatters/Data+Hex.swift

@@ -0,0 +1,74 @@
+import Foundation
+import CryptoKit
+
+public struct HexDataStyle<SequenceType: Sequence>: Hashable, Codable {
+
+    let separator: String
+
+    public init(separator: String) {
+        self.separator = separator
+    }
+
+}
+
+extension HexDataStyle: FormatStyle where SequenceType.Element == UInt8 {
+
+    public func format(_ value: SequenceType) -> String {
+        value
+            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
+            .joined(separator: separator)
+    }
+
+}
+
+extension FormatStyle where Self == HexDataStyle<Data> {
+
+    public static func hex(separator: String = "") -> HexDataStyle<Data> {
+        HexDataStyle(separator: separator)
+    }
+
+}
+
+extension FormatStyle where Self == HexDataStyle<Insecure.MD5Digest> {
+
+    public static func hex(separator: String = ":") -> HexDataStyle<Insecure.MD5Digest> {
+        HexDataStyle(separator: separator)
+    }
+
+}
+
+public struct Base64DataStyle<SequenceType: Sequence>: Hashable, Codable {
+
+    private let stripPadding: Bool
+
+    public init(stripPadding: Bool) {
+        self.stripPadding = stripPadding
+    }
+
+}
+
+extension Base64DataStyle: FormatStyle where SequenceType.Element == UInt8 {
+
+    public func format(_ value: SequenceType) -> String {
+        let base64 = Data(value).base64EncodedString()
+        let paddingRange = base64.index(base64.endIndex, offsetBy: -2)..<base64.endIndex
+        return base64.replacingOccurrences(of: "=", with: "", range: paddingRange)
+    }
+
+}
+
+extension FormatStyle where Self == Base64DataStyle<Data> {
+
+    public static func base64(stripPadding: Bool) -> Base64DataStyle<Data> {
+        Base64DataStyle(stripPadding: stripPadding)
+    }
+
+}
+
+extension FormatStyle where Self == Base64DataStyle<SHA256.Digest> {
+
+    public static func base64(stripPadding: Bool) -> Base64DataStyle<SHA256.Digest> {
+        Base64DataStyle(stripPadding: stripPadding)
+    }
+
+}

Sources/Packages/Sources/Localization/Stub.swift

@@ -1 +0,0 @@
-

Sources/Packages/Sources/SSHProtocolKit/LengthAndData.swift

@@ -7,7 +7,7 @@ extension Data {
     package var lengthAndData: Data {
         let rawLength = UInt32(count)
         var endian = rawLength.bigEndian
-        return Data(bytes: &endian, count: UInt32.bitWidth/8) + self
+        return unsafe Data(bytes: &endian, count: MemoryLayout<UInt32>.size) + self
     }
 
 }

Sources/Packages/Sources/SSHProtocolKit/OpenSSHCertficateWriter.swift

@@ -0,0 +1,30 @@
+import Foundation
+import CryptoKit
+import CertificateKit
+import Formatters
+
+/// Generates OpenSSH representations of Certificates.
+public struct OpenSSHCertificateWriter: Sendable {
+
+    /// Initializes the writer.
+    public init() {
+    }
+
+    /// Generates an OpenSSH data payload identifying the certificate.
+    /// - Returns: OpenSSH data payload identifying the certificate.
+    public func data(publicKey: OpenSSHCertificate.PublicKey) -> Data {
+        // https://datatracker.ietf.org/doc/html/rfc5656#section-3.1
+        publicKey.keyType.lengthAndData +
+        publicKey.curveName.lengthAndData +
+        publicKey.data.lengthAndData
+    }
+
+    /// Generates an OpenSSH SHA256 fingerprint string.
+    /// - Returns: OpenSSH SHA256 fingerprint string.
+    public func openSSHSHA256KeyFingerprint(publicKey: OpenSSHCertificate.PublicKey) -> String {
+        // OpenSSL format seems to strip the padding at the end.
+        let cleaned = SHA256.hash(data: data(publicKey: publicKey)).formatted(.base64(stripPadding: true))
+        return "SHA256:\(cleaned)"
+    }
+
+}

Sources/Packages/Sources/SSHProtocolKit/OpenSSHCertificateParser.swift

@@ -0,0 +1,95 @@
+import Foundation
+import CertificateKit
+
+public protocol OpenSSHCertificateParserProtocol {
+    func parse(data: Data) async throws -> OpenSSHCertificate
+}
+
+public struct OpenSSHCertificateParser: OpenSSHCertificateParserProtocol, Sendable {
+
+    public init() {
+        assert(Bundle.main.bundleURL.pathExtension == "xpc" || ProcessInfo.processInfo.processName == "xctest", "Potentially unsafe parsing code should run in an XPC service")
+    }
+
+    public func parse(data: Data) throws(OpenSSHCertificateError) -> OpenSSHCertificate {
+        let string = String(decoding: data, as: UTF8.self)
+        var elements = string
+            .trimmingCharacters(in: .whitespacesAndNewlines)
+            .components(separatedBy: " ")
+        guard elements.count >= 2 else {
+            throw OpenSSHCertificateError.parsingFailed
+        }
+        let typeString = elements.removeFirst()
+        guard let type = OpenSSHCertificate.CertificateType(rawValue: typeString) else { throw .unsupportedType }
+        let encodedKey = elements.removeFirst()
+        guard let decoded = Data(base64Encoded: encodedKey)  else {
+            throw OpenSSHCertificateError.parsingFailed
+        }
+        let comment = elements.first
+        do {
+            let dataParser = OpenSSHReader(data: decoded)
+            let publicKeyType = try dataParser.readNextChunkAsString() // Theoretically the same as typeString, but
+                .replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
+            _ = try dataParser.readNextChunk() // Nonce
+            let publicKeyCurveName = try dataParser.readNextChunkAsString()
+            let publicKeyData = try dataParser.readNextChunk()
+            let publicKey = OpenSSHCertificate.PublicKey(keyType: publicKeyType, curveName: publicKeyCurveName, data: publicKeyData)
+            let serialNumber = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
+            let role = try dataParser.readNextBytes(as: UInt32.self, convertEndianness: true)
+            _ = role
+            let keyIdentifier = try dataParser.readNextChunkAsString()
+            let principalsReader = try dataParser.readNextChunkAsSubReader()
+            var principals: [String] = []
+            while !principalsReader.done {
+                try principals.append(principalsReader.readNextChunkAsString())
+            }
+            let validAfter = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
+            let validBefore = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
+            let validityRange = Date(timeIntervalSince1970: TimeInterval(validAfter))..<Date(timeIntervalSince1970: TimeInterval(validBefore))
+            let criticalOptionsReader = try dataParser.readNextChunkAsSubReader()
+            var criticalOptions: [String] = []
+            while !criticalOptionsReader.done {
+                let next = try criticalOptionsReader.readNextChunkAsString()
+                if !next.isEmpty {
+                    criticalOptions.append(next)
+                }
+            }
+            let extensionsReader = try dataParser.readNextChunkAsSubReader()
+            var extensions: [String] = []
+            while !extensionsReader.done {
+                let next = try extensionsReader.readNextChunkAsString()
+                if !next.isEmpty {
+                    extensions.append(next)
+                }
+            }
+            _ = try dataParser.readNextChunk() // reserved
+            let signingKeyReader = try dataParser.readNextChunkAsSubReader()
+            let signingKeyType = try signingKeyReader.readNextChunkAsString()
+            let signingKeyCurveName = try signingKeyReader.readNextChunkAsString()
+            let signingKeyData = try signingKeyReader.readNextChunk()
+            let signingKey = OpenSSHCertificate.PublicKey(keyType: signingKeyType, curveName: signingKeyCurveName, data: signingKeyData)
+
+            return OpenSSHCertificate(
+                type: type,
+                name: comment ?? keyIdentifier,
+                data: decoded,
+                publicKey: publicKey,
+                principals: principals,
+                keyID: keyIdentifier,
+                serial: serialNumber,
+                validityRange: validityRange,
+                criticalOptions: criticalOptions,
+                extensions: extensions,
+                signingKey: signingKey,
+            )
+        } catch {
+            throw .parsingFailed
+        }
+    }
+
+}
+
+public enum OpenSSHCertificateError: Error, Codable {
+    case unsupportedType
+    case parsingFailed
+}

Sources/Packages/Sources/SSHProtocolKit/OpenSSHPublicKeyWriter.swift

@@ -1,5 +1,6 @@
 import Foundation
 import CryptoKit
+import SecretKit
 
 /// Generates OpenSSH representations of the public key sof secrets.
 public struct OpenSSHPublicKeyWriter: Sendable {
@@ -31,18 +32,7 @@ public struct OpenSSHPublicKeyWriter: Sendable {
     /// Generates an OpenSSH string representation of the secret.
     /// - Returns: OpenSSH string representation of the secret.
     public func openSSHString<SecretType: Secret>(secret: SecretType) -> String {
-        let resolvedComment: String
+        return [openSSHIdentifier(for: secret.keyType), data(secret: secret).base64EncodedString(), comment(secret: secret)]
-        if let comment = secret.publicKeyAttribution {
-            resolvedComment = comment
-        } else {
-            let dashedKeyName = secret.name.replacingOccurrences(of: " ", with: "-")
-            let dashedHostName = ["secretive", Host.current().localizedName, "local"]
-                .compactMap { $0 }
-                .joined(separator: ".")
-                .replacingOccurrences(of: " ", with: "-")
-            resolvedComment = "\(dashedKeyName)@\(dashedHostName)"
-        }
-        return [openSSHIdentifier(for: secret.keyType), data(secret: secret).base64EncodedString(), resolvedComment]
             .compactMap { $0 }
             .joined(separator: " ")
     }
@@ -51,20 +41,29 @@ public struct OpenSSHPublicKeyWriter: Sendable {
     /// - Returns: OpenSSH SHA256 fingerprint string.
     public func openSSHSHA256Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
         // OpenSSL format seems to strip the padding at the end.
-        let base64 = Data(SHA256.hash(data: data(secret: secret))).base64EncodedString()
+        let cleaned = SHA256.hash(data: data(secret: secret)).formatted(.base64(stripPadding: true))
-        let paddingRange = base64.index(base64.endIndex, offsetBy: -2)..<base64.endIndex
-        let cleaned = base64.replacingOccurrences(of: "=", with: "", range: paddingRange)
         return "SHA256:\(cleaned)"
     }
 
     /// Generates an OpenSSH MD5 fingerprint string.
     /// - Returns: OpenSSH MD5 fingerprint string.
     public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
-        Insecure.MD5.hash(data: data(secret: secret))
+        Insecure.MD5.hash(data: data(secret: secret)).formatted(.hex(separator: ":"))
-            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
-            .joined(separator: ":")
     }
 
+    public func comment<SecretType: Secret>(secret: SecretType) -> String {
+        if let comment = secret.publicKeyAttribution {
+            return comment
+        } else {
+            let dashedKeyName = secret.name.replacingOccurrences(of: " ", with: "-")
+            let dashedHostName = ["secretive", Host.current().localizedName, "local"]
+                .compactMap { $0 }
+                .joined(separator: ".")
+                .replacingOccurrences(of: " ", with: "-")
+            return "\(dashedKeyName)@\(dashedHostName)"
+        }
+
+    }
 }
 
 extension OpenSSHPublicKeyWriter {
@@ -95,7 +94,7 @@ extension OpenSSHPublicKeyWriter {
 
 extension OpenSSHPublicKeyWriter {
 
-    public func rsaPublicKeyBlob<SecretType: Secret>(secret: SecretType) -> Data {
+    func rsaPublicKeyBlob<SecretType: Secret>(secret: SecretType) -> Data {
         // Cheap way to pull out e and n as defined in https://datatracker.ietf.org/doc/html/rfc4253
         // Keychain stores it as a thin ASN.1 wrapper with this format:
         // [4 byte prefix][2 byte prefix][n][2 byte prefix][e]

Sources/Packages/Sources/SSHProtocolKit/OpenSSHReader.swift

@@ -0,0 +1,57 @@
+import Foundation
+
+/// Reads OpenSSH protocol data.
+public final class OpenSSHReader {
+
+    var remaining: Data
+    var done = false
+
+    /// Initialize the reader with an OpenSSH data payload.
+    /// - Parameter data: The data to read.
+    public init(data: Data) {
+        remaining = Data(data)
+        if remaining.count == 0 {
+            done = true
+        }
+    }
+
+    /// Reads the next chunk of data from the playload.
+    /// - Returns: The next chunk of data.
+    public func readNextChunk(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> Data {
+        let length = try readNextBytes(as: UInt32.self, convertEndianness: convertEndianness)
+        guard remaining.count >= length else { throw .beyondBounds }
+        let dataRange = 0..<Int(length)
+        let ret = Data(remaining[dataRange])
+        remaining.removeSubrange(dataRange)
+        if remaining.isEmpty {
+            done = true
+        }
+        return ret
+    }
+
+    public func readNextBytes<T: FixedWidthInteger>(as: T.Type, convertEndianness: Bool = true) throws(OpenSSHReaderError) -> T {
+        let size = MemoryLayout<T>.size
+        guard remaining.count >= size else { throw .beyondBounds }
+        let lengthRange = 0..<size
+        let lengthChunk = remaining[lengthRange]
+        remaining.removeSubrange(lengthRange)
+        if remaining.isEmpty {
+            done = true
+        }
+        let value = unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
+        return convertEndianness ? T(value.bigEndian) : T(value)
+    }
+
+    public func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {
+        try String(decoding: readNextChunk(convertEndianness: convertEndianness), as: UTF8.self)
+    }
+
+    public func readNextChunkAsSubReader(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> OpenSSHReader {
+        OpenSSHReader(data: try readNextChunk(convertEndianness: convertEndianness))
+    }
+
+}
+
+public enum OpenSSHReaderError: Error, Codable {
+    case beyondBounds
+}

Sources/Packages/Sources/SSHProtocolKit/OpenSSHSignatureWriter.swift

@@ -1,5 +1,6 @@
 import Foundation
 import CryptoKit
+import SecretKit
 
 /// Generates OpenSSH representations of Secrets.
 public struct OpenSSHSignatureWriter: Sendable {
@@ -29,19 +30,28 @@ public struct OpenSSHSignatureWriter: Sendable {
 
 extension OpenSSHSignatureWriter {
 
+    /// Converts a fixed-width big-endian integer (e.g. r/s from CryptoKit rawRepresentation) into an SSH mpint.
+    /// Strips unnecessary leading zeros and prefixes `0x00` if needed to keep the value positive.
+    private func mpint(fromFixedWidthPositiveBytes bytes: Data) -> Data {
+        // mpint zero is encoded as a string with zero bytes of data.
+        guard let firstNonZeroIndex = bytes.firstIndex(where: { $0 != 0x00 }) else {
+            return Data()
+        }
+
+        let trimmed = Data(bytes[firstNonZeroIndex...])
+
+        if let first = trimmed.first, first >= 0x80 {
+            var prefixed = Data([0x00])
+            prefixed.append(trimmed)
+            return prefixed
+        }
+        return trimmed
+    }
+
     func ecdsaSignature(_ rawRepresentation: Data, keyType: KeyType) -> Data {
         let rawLength = rawRepresentation.count/2
-        // Check if we need to pad with 0x00 to prevent certain
+        let r = mpint(fromFixedWidthPositiveBytes: Data(rawRepresentation[0..<rawLength]))
-        // ssh servers from thinking r or s is negative
+        let s = mpint(fromFixedWidthPositiveBytes: Data(rawRepresentation[rawLength...]))
-        let paddingRange: ClosedRange<UInt8> = 0x80...0xFF
-        var r = Data(rawRepresentation[0..<rawLength])
-        if paddingRange ~= r.first! {
-            r.insert(0x00, at: 0)
-        }
-        var s = Data(rawRepresentation[rawLength...])
-        if paddingRange ~= s.first! {
-            s.insert(0x00, at: 0)
-        }
 
         var signatureChunk = Data()
         signatureChunk.append(r.lengthAndData)

Sources/Packages/Sources/SSHProtocolKit/SSHAgentInputParser.swift

@@ -0,0 +1,105 @@
+import Foundation
+import OSLog
+import SecretKit
+import CertificateKit
+
+public protocol SSHAgentInputParserProtocol {
+
+    func parse(data: Data) async throws -> SSHAgent.Request
+
+}
+
+public struct SSHAgentInputParser: SSHAgentInputParserProtocol {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "InputParser")
+
+    public init() {
+        assert(Bundle.main.bundleURL.pathExtension == "xpc" || ProcessInfo.processInfo.processName == "xctest", "Potentially unsafe parsing code should run in an XPC service")
+    }
+
+    public func parse(data: Data) throws(AgentParsingError) -> SSHAgent.Request {
+        logger.debug("Parsing new data")
+        guard data.count > 4 else {
+            throw .invalidData
+        }
+        let specifiedLength = unsafe (data[0..<4].bytes.unsafeLoad(as: UInt32.self).bigEndian) + 4
+        let rawRequestInt = data[4]
+        let remainingDataRange = 5..<min(Int(specifiedLength), data.count)
+        lazy var body: Data = { Data(data[remainingDataRange]) }()
+        switch rawRequestInt {
+        case SSHAgent.Request.requestIdentities.protocolID:
+            return .requestIdentities
+        case SSHAgent.Request.signRequest(.empty).protocolID:
+            do {
+                return .signRequest(try signatureRequestContext(from: body))
+            } catch {
+                throw .openSSHReader(error)
+            }
+        case SSHAgent.Request.addIdentity.protocolID:
+            return .addIdentity
+        case SSHAgent.Request.removeIdentity.protocolID:
+            return .removeIdentity
+        case SSHAgent.Request.removeAllIdentities.protocolID:
+            return .removeAllIdentities
+        case SSHAgent.Request.addIDConstrained.protocolID:
+            return .addIDConstrained
+        case SSHAgent.Request.addSmartcardKey.protocolID:
+            return .addSmartcardKey
+        case SSHAgent.Request.removeSmartcardKey.protocolID:
+            return .removeSmartcardKey
+        case SSHAgent.Request.lock.protocolID:
+            return .lock
+        case SSHAgent.Request.unlock.protocolID:
+            return .unlock
+        case SSHAgent.Request.addSmartcardKeyConstrained.protocolID:
+            return .addSmartcardKeyConstrained
+        case SSHAgent.Request.protocolExtension.protocolID:
+            return .protocolExtension
+        default:
+            return .unknown(rawRequestInt)
+        }
+    }
+
+}
+
+extension SSHAgentInputParser {
+
+    func signatureRequestContext(from data: Data) throws(OpenSSHReaderError) -> SSHAgent.Request.SignatureRequestContext {
+        let reader = OpenSSHReader(data: data)
+        let rawKeyBlob = try reader.readNextChunk()
+        let keyBlob = certificatePublicKeyBlob(from: rawKeyBlob) ?? rawKeyBlob
+        let dataToSign = try reader.readNextChunk()
+        return SSHAgent.Request.SignatureRequestContext(keyBlob: keyBlob, dataToSign: dataToSign)
+    }
+
+    func certificatePublicKeyBlob(from hash: Data) -> Data? {
+        let reader = OpenSSHReader(data: hash)
+        do {
+            let certType = try reader.readNextChunkAsString()
+            guard let certType = OpenSSHCertificate.CertificateType(rawValue: certType) else { return nil }
+            _ = try reader.readNextChunk() // nonce
+            let curveIdentifier = try reader.readNextChunk()
+            let publicKey = try reader.readNextChunk()
+            let openSSHIdentifier = certType.keyIdentifier
+            return openSSHIdentifier.lengthAndData +
+            curveIdentifier.lengthAndData +
+                publicKey.lengthAndData
+            
+        } catch {
+            return nil
+        }
+    }
+
+}
+
+
+extension SSHAgentInputParser {
+
+    public enum AgentParsingError: Error, Codable {
+        case unknownRequest
+        case unhandledRequest
+        case invalidData
+        case openSSHReader(OpenSSHReaderError)
+    }
+
+}

Sources/Packages/Sources/SSHProtocolKit/SSHAgentProtocol.swift

@@ -0,0 +1,99 @@
+import Foundation
+
+/// A namespace for the SSH Agent Protocol, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
+public enum SSHAgent {}
+
+extension SSHAgent {
+
+    /// The type of the SSH Agent Request, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
+    public enum Request: CustomDebugStringConvertible, Codable, Sendable {
+
+        case requestIdentities
+        case signRequest(SignatureRequestContext)
+        case addIdentity
+        case removeIdentity
+        case removeAllIdentities
+        case addIDConstrained
+        case addSmartcardKey
+        case removeSmartcardKey
+        case lock
+        case unlock
+        case addSmartcardKeyConstrained
+        case protocolExtension
+        case unknown(UInt8)
+
+        public var protocolID: UInt8 {
+            switch self {
+            case .requestIdentities: 11
+            case .signRequest: 13
+            case .addIdentity: 17
+            case .removeIdentity: 18
+            case .removeAllIdentities: 19
+            case .addIDConstrained: 25
+            case .addSmartcardKey: 20
+            case .removeSmartcardKey: 21
+            case .lock: 22
+            case .unlock: 23
+            case .addSmartcardKeyConstrained: 26
+            case .protocolExtension: 27
+            case .unknown(let value): value
+            }
+        }
+
+        public var debugDescription: String {
+            switch self {
+            case .requestIdentities: "SSH_AGENTC_REQUEST_IDENTITIES"
+            case .signRequest: "SSH_AGENTC_SIGN_REQUEST"
+            case .addIdentity: "SSH_AGENTC_ADD_IDENTITY"
+            case .removeIdentity: "SSH_AGENTC_REMOVE_IDENTITY"
+            case .removeAllIdentities: "SSH_AGENTC_REMOVE_ALL_IDENTITIES"
+            case .addIDConstrained: "SSH_AGENTC_ADD_ID_CONSTRAINED"
+            case .addSmartcardKey: "SSH_AGENTC_ADD_SMARTCARD_KEY"
+            case .removeSmartcardKey: "SSH_AGENTC_REMOVE_SMARTCARD_KEY"
+            case .lock: "SSH_AGENTC_LOCK"
+            case .unlock: "SSH_AGENTC_UNLOCK"
+            case .addSmartcardKeyConstrained: "SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED"
+            case .protocolExtension: "SSH_AGENTC_EXTENSION"
+            case .unknown: "UNKNOWN_MESSAGE"
+            }
+        }
+
+        public struct SignatureRequestContext: Sendable, Codable {
+            public let keyBlob: Data
+            public let dataToSign: Data
+
+            public init(keyBlob: Data, dataToSign: Data) {
+                self.keyBlob = keyBlob
+                self.dataToSign = dataToSign
+            }
+
+            public static var empty: SignatureRequestContext {
+                SignatureRequestContext(keyBlob: Data(), dataToSign: Data())
+            }
+        }
+
+    }
+
+    /// The type of the SSH Agent Response, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
+    public enum Response: UInt8, CustomDebugStringConvertible {
+        
+        case agentFailure = 5
+        case agentSuccess = 6
+        case agentIdentitiesAnswer = 12
+        case agentSignResponse = 14
+        case agentExtensionFailure = 28
+        case agentExtensionResponse = 29
+
+        public var debugDescription: String {
+            switch self {
+            case .agentFailure: "SSH_AGENT_FAILURE"
+            case .agentSuccess: "SSH_AGENT_SUCCESS"
+            case .agentIdentitiesAnswer: "SSH_AGENT_IDENTITIES_ANSWER"
+            case .agentSignResponse: "SSH_AGENT_SIGN_RESPONSE"
+            case .agentExtensionFailure: "SSH_AGENT_EXTENSION_FAILURE"
+            case .agentExtensionResponse: "SSH_AGENT_EXTENSION_RESPONSE"
+            }
+        }
+    }
+    
+}

Sources/Packages/Sources/SecretAgentKit/Agent.swift

@@ -2,75 +2,59 @@ import Foundation
 import CryptoKit
 import OSLog
 import SecretKit
+import CertificateKit
 import AppKit
+import SSHProtocolKit
 
 /// The `Agent` is an implementation of an SSH agent. It manages coordination and access between a socket, traces requests, notifies witnesses and passes requests to stores.
 public final class Agent: Sendable {
 
     private let storeList: SecretStoreList
+    private let certificateStore: CertificateStore
     private let witness: SigningWitness?
     private let publicKeyWriter = OpenSSHPublicKeyWriter()
     private let signatureWriter = OpenSSHSignatureWriter()
-    private let certificateHandler = OpenSSHCertificateHandler()
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
 
     /// Initializes an agent with a store list and a witness.
     /// - Parameters:
     ///   - storeList: The `SecretStoreList` to make available.
     ///   - witness: A witness to notify of requests.
-    public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
+    public init(storeList: SecretStoreList, certificateStore: CertificateStore, witness: SigningWitness? = nil) {
         logger.debug("Agent is running")
         self.storeList = storeList
+        self.certificateStore = certificateStore
         self.witness = witness
-        Task { @MainActor in
-            await certificateHandler.reloadCertificates(for: storeList.allSecrets)
-        }
     }
     
 }
 
 extension Agent {
 
-    /// Handles an incoming request.
+    public func handle(request: SSHAgent.Request, provenance: SigningRequestProvenance) async -> Data {
-    /// - Parameters:
-    ///   - data: The data to handle.
-    ///   - provenance: The origin of the request.
-    /// - Returns: A response data payload.
-    public func handle(data: Data, provenance: SigningRequestProvenance) async throws -> Data {
-        logger.debug("Agent handling new data")
-        guard data.count > 4 else {
-            throw InvalidDataProvidedError()
-        }
-        let requestTypeInt = data[4]
-        guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
-            logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
-            return SSHAgent.ResponseType.agentFailure.data.lengthAndData
-        }
-        logger.debug("Agent handling request of type \(requestType.debugDescription)")
-        let subData = Data(data[5...])
-        let response = await handle(requestType: requestType, data: subData, provenance: provenance)
-        return response
-    }
-
-    private func handle(requestType: SSHAgent.RequestType, data: Data, provenance: SigningRequestProvenance) async -> Data {
         // Depending on the launch context (such as after macOS update), the agent may need to reload secrets before acting
         await reloadSecretsIfNeccessary()
         var response = Data()
         do {
-            switch requestType {
+            switch request {
             case .requestIdentities:
-                response.append(SSHAgent.ResponseType.agentIdentitiesAnswer.data)
+                response.append(SSHAgent.Response.agentIdentitiesAnswer.data)
                 response.append(await identities())
-                logger.debug("Agent returned \(SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)")
+                logger.debug("Agent returned \(SSHAgent.Response.agentIdentitiesAnswer.debugDescription)")
-            case .signRequest:
+            case .signRequest(let context):
-                response.append(SSHAgent.ResponseType.agentSignResponse.data)
+                response.append(SSHAgent.Response.agentSignResponse.data)
-                response.append(try await sign(data: data, provenance: provenance))
+                response.append(try await sign(data: context.dataToSign, keyBlob: context.keyBlob, provenance: provenance))
-                logger.debug("Agent returned \(SSHAgent.ResponseType.agentSignResponse.debugDescription)")
+                logger.debug("Agent returned \(SSHAgent.Response.agentSignResponse.debugDescription)")
+            case .unknown(let value):
+                logger.error("Agent received unknown request of type \(value).")
+                throw UnhandledRequestError()
+            default:
+                logger.debug("Agent received valid request of type \(request.debugDescription), but not currently supported.")
+                throw UnhandledRequestError()
             }
         } catch {
-            response.removeAll()
+            response = SSHAgent.Response.agentFailure.data
-            response.append(SSHAgent.ResponseType.agentFailure.data)
+            logger.debug("Agent returned \(SSHAgent.Response.agentFailure.debugDescription)")
-            logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
         }
         return response.lengthAndData
     }
@@ -83,26 +67,23 @@ extension Agent {
     /// - Returns: An OpenSSH formatted Data payload listing the identities available for signing operations.
     func identities() async -> Data {
         let secrets = await storeList.allSecrets
-        await certificateHandler.reloadCertificates(for: secrets)
         var count = 0
         var keyData = Data()
 
         for secret in secrets {
             let keyBlob = publicKeyWriter.data(secret: secret)
-            let curveData = publicKeyWriter.openSSHIdentifier(for: secret.keyType)
             keyData.append(keyBlob.lengthAndData)
-            keyData.append(curveData.lengthAndData)
+            keyData.append(publicKeyWriter.comment(secret: secret).lengthAndData)
             count += 1
-
+            for certificate in await certificateStore.certificates(for: secret) {
-            if let (certificateData, name) = try? await certificateHandler.keyBlobAndName(for: secret) {
+                keyData.append(certificate.data.lengthAndData)
-                keyData.append(certificateData.lengthAndData)
+                keyData.append(certificate.name.lengthAndData)
-                keyData.append(name.lengthAndData)
                 count += 1
             }
         }
         logger.log("Agent enumerated \(count) identities")
         var countBigEndian = UInt32(count).bigEndian
-        let countData = Data(bytes: &countBigEndian, count: UInt32.bitWidth/8)
+        let countData = unsafe Data(bytes: &countBigEndian, count: MemoryLayout<UInt32>.size)
         return countData + keyData
     }
 
@@ -111,27 +92,16 @@ extension Agent {
     ///   - data: The data to sign.
     ///   - provenance: A ``SecretKit.SigningRequestProvenance`` object describing the origin of the request.
     /// - Returns: An OpenSSH formatted Data payload containing the signed data response.
-    func sign(data: Data, provenance: SigningRequestProvenance) async throws -> Data {
+    func sign(data: Data, keyBlob: Data, provenance: SigningRequestProvenance) async throws -> Data {
-        let reader = OpenSSHReader(data: data)
+        guard let (secret, store) = await secret(matching: keyBlob) else {
-        let payloadHash = reader.readNextChunk()
+            let keyBlobHex = keyBlob.formatted(.hex())
-        let hash: Data
+            logger.debug("Agent did not have a key matching \(keyBlobHex)")
-
-        // Check if hash is actually an openssh certificate and reconstruct the public key if it is
-        if let certificatePublicKey = await certificateHandler.publicKeyHash(from: payloadHash) {
-            hash = certificatePublicKey
-        } else {
-            hash = payloadHash
-        }
-        
-        guard let (secret, store) = await secret(matching: hash) else {
-            logger.debug("Agent did not have a key matching \(hash as NSData)")
             throw NoMatchingKeyError()
         }
 
         try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
 
-        let dataToSign = reader.readNextChunk()
+        let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance)
-        let rawRepresentation = try await store.sign(data: dataToSign, with: secret, for: provenance)
         let signedData = signatureWriter.data(secret: secret, signature: rawRepresentation)
 
         try await witness?.witness(accessTo: secret, from: store, by: provenance)
@@ -170,16 +140,16 @@ extension Agent {
 
 extension Agent {
 
-    struct InvalidDataProvidedError: Error {}
     struct NoMatchingKeyError: Error {}
+    struct UnhandledRequestError: Error {}
 
 }
 
-extension SSHAgent.ResponseType {
+extension SSHAgent.Response {
 
     var data: Data {
         var raw = self.rawValue
-        return  Data(bytes: &raw, count: UInt8.bitWidth/8)
+        return unsafe Data(bytes: &raw, count: MemoryLayout<UInt8>.size)
     }
 
 }

Sources/Packages/Sources/SecretAgentKit/FileHandleProtocols.swift

@@ -1,32 +1,12 @@
 import Foundation
 
-/// Protocol abstraction of the reading aspects of FileHandle.
+extension FileHandle {
-public protocol FileHandleReader: Sendable {
-
-    /// Gets data that is available for reading.
-    var availableData: Data { get }
-    /// A file descriptor of the handle.
-    var fileDescriptor: Int32 { get }
-    /// The  process ID of the process coonnected to the other end of the FileHandle.
-    var pidOfConnectedProcess: Int32 { get }
-
-}
-
-/// Protocol abstraction of the writing aspects of FileHandle.
-public protocol FileHandleWriter: Sendable {
-
-    /// Writes data to the handle.
-    func write(_ data: Data)
-
-}
-
-extension FileHandle: FileHandleReader, FileHandleWriter {
 
     public var pidOfConnectedProcess: Int32 {
-        let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: 4, alignment: 1)
+        let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: MemoryLayout<Int32>.size, alignment: 1)
         var len = socklen_t(MemoryLayout<Int32>.size)
-        getsockopt(fileDescriptor, SOCK_STREAM, LOCAL_PEERPID, pidPointer, &len)
+        unsafe getsockopt(fileDescriptor, SOCK_STREAM, LOCAL_PEERPID, pidPointer, &len)
-        return pidPointer.load(as: Int32.self)
+        return unsafe pidPointer.load(as: Int32.self)
     }
 
 }

Sources/Packages/Sources/SecretAgentKit/PublicKeyStandinFileController.swift

@@ -0,0 +1,83 @@
+import Foundation
+import OSLog
+import SecretKit
+import SSHProtocolKit
+import CertificateKit
+import Common
+
+/// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
+public final class PublicKeyFileStoreController: Sendable {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "PublicKeyFileStoreController")
+    private let publicKeysURL: URL
+    private let certificatesURL: URL
+    private let keyWriter = OpenSSHPublicKeyWriter()
+
+    /// Initializes a PublicKeyFileStoreController.
+    public init(publicKeysURL: URL, certificatesURL: URL) {
+        self.publicKeysURL = publicKeysURL
+        self.certificatesURL = certificatesURL
+    }
+
+    /// Writes out the keys specified to disk.
+    /// - Parameter secrets: The Secrets to generate keys for.
+    /// - Parameter clear: Whether or not any untracked files in the directory should be removed.
+    public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
+        logger.log("Writing public keys to disk")
+        if clear {
+            let validPaths = Set(secrets.map { URL.publicKeyPath(for: $0, in: publicKeysURL) })
+                .union(Set(secrets.map { legacySSHCertificatePath(for: $0) }))
+            let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: publicKeysURL.path())) ?? []
+            let fullPathContents = contentsOfDirectory.map { publicKeysURL.appending(path: $0).path() }
+
+            let untracked = Set(fullPathContents)
+                .subtracting(validPaths)
+            for path in untracked {
+                // string instead of fileURLWithPath since we're already using fileURL format.
+                try? FileManager.default.removeItem(at: URL(string: path)!)
+            }
+        }
+        try? FileManager.default.createDirectory(at: publicKeysURL, withIntermediateDirectories: false, attributes: nil)
+        for secret in secrets {
+            let path = URL.publicKeyPath(for: secret, in: publicKeysURL)
+            let data = Data(keyWriter.openSSHString(secret: secret).utf8)
+            FileManager.default.createFile(atPath: path, contents: data, attributes: nil)
+        }
+        logger.log("Finished writing public keys")
+    }
+
+    /// Writes out the certificates specified to disk.
+    /// - Parameter certificates: The Secrets to generate keys for.
+    /// - Parameter clear: Whether or not any untracked files in the directory should be removed.
+    public func generateCertificates(for certificates: [Certificate], clear: Bool = false) throws {
+        logger.log("Writing certificates to disk")
+        if clear {
+            let validPaths = Set(certificates.map { URL.certificatePath(for: $0.id, in: certificatesURL) })
+            let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: certificatesURL.path())) ?? []
+            let fullPathContents = contentsOfDirectory.map { certificatesURL.appending(path: $0).path() }
+
+            let untracked = Set(fullPathContents)
+                .subtracting(validPaths)
+            for path in untracked {
+                // string instead of fileURLWithPath since we're already using fileURL format.
+                try? FileManager.default.removeItem(at: URL(string: path)!)
+            }
+        }
+        try? FileManager.default.createDirectory(at: certificatesURL, withIntermediateDirectories: false, attributes: nil)
+        for certificate in certificates {
+            let path = URL.certificatePath(for: certificate.id, in: certificatesURL)
+            FileManager.default.createFile(atPath: path, contents: certificate.rawData, attributes: nil)
+        }
+        logger.log("Finished writing certificates")
+    }
+
+    /// The path for a Secret's SSH Certificate public key.
+    /// - Parameter secret: The Secret to return the path for.
+    /// - Returns: The path to the SSH Certificate public key.
+    /// - Warning: This method returning a path does not imply that a key has a SSH certificates. This method only describes where it will be.
+    private func legacySSHCertificatePath<SecretType: Secret>(for secret: SecretType) -> String {
+        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
+        return publicKeysURL.appending(component: "\(minimalHex).pub").path()
+    }
+
+}

Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift

@@ -1,46 +0,0 @@
-import Foundation
-
-/// A namespace for the SSH Agent Protocol, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
-public enum SSHAgent {}
-
-extension SSHAgent {
-
-    /// The type of the SSH Agent Request, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
-    public enum RequestType: UInt8, CustomDebugStringConvertible {
-
-        case requestIdentities = 11
-        case signRequest = 13
-
-        public var debugDescription: String {
-            switch self {
-            case .requestIdentities:
-                return "RequestIdentities"
-            case .signRequest:
-                return "SignRequest"
-            }
-        }
-    }
-
-    /// The type of the SSH Agent Response, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
-    public enum ResponseType: UInt8, CustomDebugStringConvertible {
-        
-        case agentFailure = 5
-        case agentSuccess = 6
-        case agentIdentitiesAnswer = 12
-        case agentSignResponse = 14
-
-        public var debugDescription: String {
-            switch self {
-            case .agentFailure:
-                return "AgentFailure"
-            case .agentSuccess:
-                return "AgentSuccess"
-            case .agentIdentitiesAnswer:
-                return "AgentIdentitiesAnswer"
-            case .agentSignResponse:
-                return "AgentSignResponse"
-            }
-        }
-    }
-    
-}

Sources/Packages/Sources/SecretAgentKit/SigningRequestTracer.swift

@@ -2,7 +2,6 @@ import Foundation
 import AppKit
 import Security
 import SecretKit
-import SecretAgentKitHeaders
 
 /// An object responsible for generating ``SecretKit.SigningRequestProvenance`` objects.
 struct SigningRequestTracer {
@@ -10,12 +9,11 @@ struct SigningRequestTracer {
 
 extension SigningRequestTracer {
 
-    /// Generates a ``SecretKit.SigningRequestProvenance`` from a ``FileHandleReader``.
+    /// Generates a ``SecretKit.SigningRequestProvenance`` from a ``FileHandle``.
-    /// - Parameter fileHandleReader: The reader involved in processing the request.
+    /// - Parameter fileHandle: The reader involved in processing the request.
     /// - Returns: A ``SecretKit.SigningRequestProvenance`` describing the origin of the request.
-    func provenance(from fileHandleReader: FileHandleReader) -> SigningRequestProvenance {
+    func provenance(from fileHandle: FileHandle) -> SigningRequestProvenance {
-        let firstInfo = process(from: fileHandleReader.pidOfConnectedProcess)
+        let firstInfo = process(from: fileHandle.pidOfConnectedProcess)
-
         var provenance = SigningRequestProvenance(root: firstInfo)
         while NSRunningApplication(processIdentifier: provenance.origin.pid) == nil && provenance.origin.parentPID != nil {
             provenance.chain.append(process(from: provenance.origin.parentPID!))
@@ -27,30 +25,30 @@ extension SigningRequestTracer {
     /// - Parameter pid: The process ID to look up.
     /// - Returns: a `kinfo_proc` struct describing the process ID.
     func pidAndNameInfo(from pid: Int32) -> kinfo_proc {
-        var len = MemoryLayout<kinfo_proc>.size
+        var len = unsafe MemoryLayout<kinfo_proc>.size
         let infoPointer = UnsafeMutableRawPointer.allocate(byteCount: len, alignment: 1)
         var name: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, pid]
-        sysctl(&name, UInt32(name.count), infoPointer, &len, nil, 0)
+        unsafe sysctl(&name, UInt32(name.count), infoPointer, &len, nil, 0)
-        return infoPointer.load(as: kinfo_proc.self)
+        return unsafe infoPointer.load(as: kinfo_proc.self)
     }
 
     /// Generates a ``SecretKit.SigningRequestProvenance.Process`` from a provided process ID.
     /// - Parameter pid: The process ID to look up.
     /// - Returns: A ``SecretKit.SigningRequestProvenance.Process`` describing the process.
     func process(from pid: Int32) -> SigningRequestProvenance.Process {
-        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
+        var pidAndNameInfo = unsafe self.pidAndNameInfo(from: pid)
-        let ppid = pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
+        let ppid = unsafe pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
-        let procName = withUnsafeMutablePointer(to: &pidAndNameInfo.kp_proc.p_comm.0) { pointer in
+        let procName = unsafe withUnsafeMutablePointer(to: &pidAndNameInfo.kp_proc.p_comm.0) { pointer in
-            String(cString: pointer)
+            unsafe String(cString: pointer)
         }
 
         let pathPointer = UnsafeMutablePointer<UInt8>.allocate(capacity: Int(MAXPATHLEN))
-        _ = proc_pidpath(pid, pathPointer, UInt32(MAXPATHLEN))
+        _ = unsafe proc_pidpath(pid, pathPointer, UInt32(MAXPATHLEN))
-        let path = String(cString: pathPointer)
+        let path = unsafe String(cString: pathPointer)
         var secCode: Unmanaged<SecCode>!
         let flags: SecCSFlags = [.considerExpiration, .enforceRevocationChecks]
-        SecCodeCreateWithPID(pid, SecCSFlags(), &secCode)
+        unsafe SecCodeCreateWithPID(pid, SecCSFlags(), &secCode)
-        let valid = SecCodeCheckValidity(secCode.takeRetainedValue(), flags, nil) == errSecSuccess
+        let valid = unsafe SecCodeCheckValidity(secCode.takeRetainedValue(), flags, nil) == errSecSuccess
         return SigningRequestProvenance.Process(pid: pid, processName: procName, appName: appName(for: pid), iconURL: iconURL(for: pid), path: path, validSignature: valid, parentPID: ppid)
     }
 
@@ -81,3 +79,11 @@ extension SigningRequestTracer {
     }
 
 }
+
+// from libproc.h
+@_silgen_name("proc_pidpath")
+@discardableResult func proc_pidpath(_ pid: Int32, _ buffer: UnsafeMutableRawPointer!, _ buffersize: UInt32) -> Int32
+
+//// from SecTask.h
+@_silgen_name("SecCodeCreateWithPID")
+@discardableResult func SecCodeCreateWithPID(_: Int32, _: SecCSFlags, _: UnsafeMutablePointer<Unmanaged<SecCode>?>!) -> OSStatus

Sources/Packages/Sources/SecretAgentKit/SocketController.swift

@@ -1,6 +1,7 @@
 import Foundation
 import OSLog
 import SecretKit
+import launch
 
 /// A controller that manages socket configuration and request dispatching.
 public struct SocketController {
@@ -12,7 +13,8 @@ public struct SocketController {
     private let sessionsContinuation: AsyncStream<Session>.Continuation
 
     /// The active SocketPort. Must be retained to be kept valid.
-    private let port: SocketPort
+    /// Only applicable for legacy non-launchd sockets.
+    private let port: SocketPort?
 
     /// The FileHandle for the main socket.
     private let fileHandle: FileHandle
@@ -23,30 +25,57 @@ public struct SocketController {
     /// Tracer which determines who originates a socket connection.
     private let requestTracer = SigningRequestTracer()
 
-    /// Initializes a socket controller with a specified path.
+    public enum Socket {
-    /// - Parameter path: The path to use as a socket.
+        case launchd(String)
-    public init(path: String) {
+        case path(String)
+    }
+
+    public init(_ socket: Socket) {
         (sessions, sessionsContinuation) = AsyncStream<Session>.makeStream()
-        logger.debug("Socket controller setting up at \(path)")
+        switch socket {
-        if let _ = try? FileManager.default.removeItem(atPath: path) {
+        case .path(let path):
-            logger.debug("Socket controller removed existing socket")
+            logger.debug("Socket controller setting up at \(path)")
+            if let _ = try? FileManager.default.removeItem(atPath: path) {
+                logger.debug("Socket controller removed existing socket")
+            }
+            let exists = FileManager.default.fileExists(atPath: path)
+            assert(!exists)
+            logger.debug("Socket controller path is clear")
+            let port = SocketPort(path: path)
+            fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
+            self.port = port
+            logger.debug("Socket listening at \(path)")
+        case .launchd(let name):
+            logger.debug("Socket controller setting for launchd-controlled socket \(name)")
+            port = nil
+            var fileDescriptors: UnsafeMutablePointer<Int32>? = nil
+            var count = 0
+            let result = unsafe launch_activate_socket(name, &fileDescriptors, &count)
+            guard result == kOSReturnSuccess, let socket = unsafe fileDescriptors?.pointee else {
+                fatalError()
+            }
+            fileHandle = FileHandle(fileDescriptor: socket, closeOnDealloc: true)
         }
-        let exists = FileManager.default.fileExists(atPath: path)
+        listen()
-        assert(!exists)
+    }
-        logger.debug("Socket controller path is clear")
+
-        port = SocketPort(path: path)
+    func listen() {
-        fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
+        Task { @MainActor [fileHandle, sessionsContinuation, logger] in
-        Task { [fileHandle, sessionsContinuation, logger] in
+            // Create the sequence before triggering the notification to
-            for await notification in NotificationCenter.default.notifications(named: .NSFileHandleConnectionAccepted) {
+            // ensure it will not be missed.
+            let connectionAcceptedNotifications = NotificationCenter.default.notifications(named: .NSFileHandleConnectionAccepted)
+
+            fileHandle.acceptConnectionInBackgroundAndNotify()
+
+            for await notification in connectionAcceptedNotifications {
                 logger.debug("Socket controller accepted connection")
                 guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { continue }
                 let session = Session(fileHandle: new)
                 sessionsContinuation.yield(session)
-                await fileHandle.acceptConnectionInBackgroundAndNotifyOnMainActor()
+                fileHandle.acceptConnectionInBackgroundAndNotify()
             }
         }
-        fileHandle.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.Mode.common])
+
-        logger.debug("Socket listening at \(path)")
     }
 
 }
@@ -77,14 +106,19 @@ extension SocketController {
             self.fileHandle = fileHandle
             provenance = SigningRequestTracer().provenance(from: fileHandle)
             (messages, messagesContinuation) = AsyncStream.makeStream()
-            Task { [messagesContinuation, logger] in
+            Task { @MainActor [messagesContinuation, logger] in
-                await fileHandle.waitForDataInBackgroundAndNotifyOnMainActor()
+                // Create the sequence before triggering the notification to
-                for await _ in NotificationCenter.default.notifications(named: .NSFileHandleDataAvailable, object: fileHandle) {
+                // ensure it will not be missed.
+                let dataAvailableNotifications = NotificationCenter.default.notifications(named: .NSFileHandleDataAvailable, object: fileHandle)
+
+                fileHandle.waitForDataInBackgroundAndNotify()
+
+                for await _ in dataAvailableNotifications {
                     let data = fileHandle.availableData
                     guard !data.isEmpty else {
                         logger.debug("Socket controller received empty data, ending continuation.")
                         messagesContinuation.finish()
-                        try fileHandle.close()
+                        try? fileHandle.close()
                         return
                     }
                     messagesContinuation.yield(data)
@@ -95,9 +129,9 @@ extension SocketController {
         
         /// Writes new data to the socket.
         /// - Parameter data: The data to write.
-        public func write(_ data: Data) async throws {
+        @MainActor public func write(_ data: Data) throws {
-            try fileHandle.write(contentsOf: data)
+          try fileHandle.write(contentsOf: data)
-            await fileHandle.waitForDataInBackgroundAndNotifyOnMainActor()
+          fileHandle.waitForDataInBackgroundAndNotify()
         }
         
         /// Closes the socket and cleans up resources.
@@ -111,43 +145,47 @@ extension SocketController {
 
 }
 
-private extension FileHandle {
-
-    /// Ensures waitForDataInBackgroundAndNotify will be called on the main actor.
-    @MainActor func waitForDataInBackgroundAndNotifyOnMainActor() {
-        waitForDataInBackgroundAndNotify()
-    }
-
-
-    /// Ensures acceptConnectionInBackgroundAndNotify will be called on the main actor.
-    /// - Parameter modes: the runloop modes to use.
-    @MainActor func acceptConnectionInBackgroundAndNotifyOnMainActor(forModes modes: [RunLoop.Mode]? = [RunLoop.Mode.common]) {
-        acceptConnectionInBackgroundAndNotify(forModes: modes)
-    }
-
-}
-
 private extension SocketPort {
 
     convenience init(path: String) {
         var addr = sockaddr_un()
+        let length = addr.setPath(path)
+        // This doesn't seem to be _strictly_ neccessary with SocketPort.
+        // but just for good form.
         addr.sun_family = sa_family_t(AF_UNIX)
+        // This mirrors the SUN_LEN macro format.
+        addr.sun_len = UInt8(MemoryLayout<sockaddr_un>.size - MemoryLayout.size(ofValue: addr.sun_path) + length)
 
-        var len: Int = 0
+        let data = unsafe Data(bytes: &addr, count: MemoryLayout<sockaddr_un>.size)
-        withUnsafeMutablePointer(to: &addr.sun_path.0) { pointer in
-            path.withCString { cstring in
-                len = strlen(cstring)
-                strncpy(pointer, cstring, len)
-            }
-        }
-        addr.sun_len = UInt8(len+2)
-
-        var data: Data!
-        withUnsafePointer(to: &addr) { pointer in
-            data = Data(bytes: pointer, count: MemoryLayout<sockaddr_un>.size)
-        }
-
         self.init(protocolFamily: AF_UNIX, socketType: SOCK_STREAM, protocol: 0, address: data)!
     }
 
 }
+
+private extension sockaddr_un {
+
+    mutating func setPath(_ path: String) -> Int {
+#if compiler(<6.4)
+        unsafe withUnsafeMutablePointer(to: &self.sun_path.0) { pointer in
+            unsafe path.withCString { cstring in
+                let len = unsafe strlen(cstring)
+                unsafe strncpy(pointer, cstring, len)
+                return len
+            }
+        }
+#else
+        withUnsafeMutablePointer(to: &self.sun_path.0) { pointer in
+            path.withCString { cstring in
+                let len = unsafe strlen(cstring)
+                unsafe strncpy(pointer, cstring, len)
+                return len
+            }
+        }
+#endif
+    }
+
+}
+
+// Changes the header from `UnsafeMutablePointer<UnsafeMutablePointer<Int32>?>?` -> `UnsafeMutablePointer<UnsafeMutablePointer<Int32>?>!`
+@_silgen_name("launch_activate_socket")
+func launch_activate_socket(_ name: UnsafePointer<CChar>, _ fds: UnsafeMutablePointer<UnsafeMutablePointer<Int32>?>!, _ cnt: UnsafeMutablePointer<Int>!) -> Int32

Sources/Packages/Sources/SecretAgentKitHeaders/Stub.swift

@@ -1 +0,0 @@
-

Sources/Packages/Sources/SecretAgentKitHeaders/include/SecretAgentKit.h

@@ -1,19 +0,0 @@
-#import <Foundation/Foundation.h>
-#import <Security/Security.h>
-
-
-// Forward declarations
-
-// from libproc.h
-int proc_pidpath(int pid, void * buffer, uint32_t  buffersize);
-
-// from SecTask.h
-OSStatus SecCodeCreateWithPID(int32_t, SecCSFlags, SecCodeRef *);
-
-//! Project version number for SecretAgentKit.
-FOUNDATION_EXPORT double SecretAgentKitVersionNumber;
-
-//! Project version string for SecretAgentKit.
-FOUNDATION_EXPORT const unsigned char SecretAgentKitVersionString[];
-
-

Sources/Packages/Sources/SecretAgentKitHeaders/module.modulemap

@@ -1,4 +0,0 @@
-module SecretAgentKitHeaders [system] {
-    header "include/SecretAgentKit.h"
-    export *
-}

Sources/Packages/Sources/SecretKit/Convenience/PersistentAuthenticationHandler.swift

@@ -0,0 +1,69 @@
+import LocalAuthentication
+
+/// A context describing a persisted authentication.
+package final class PersistentAuthenticationContext<SecretType: Secret>: PersistedAuthenticationContext {
+
+    /// The Secret to persist authentication for.
+    let secret: SecretType
+    /// The LAContext used to authorize the persistent context.
+    package nonisolated(unsafe) let context: LAContext
+    /// An expiration date for the context.
+    /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
+    let monotonicExpiration: UInt64
+
+    /// Initializes a context.
+    /// - Parameters:
+    ///   - secret: The Secret to persist authentication for.
+    ///   - context: The LAContext used to authorize the persistent context.
+    ///   - duration: The duration of the authorization context, in seconds.
+    init(secret: SecretType, context: LAContext, duration: TimeInterval) {
+        self.secret = secret
+        unsafe self.context = context
+        let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
+        self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
+    }
+
+    /// A boolean describing whether or not the context is still valid.
+    package var valid: Bool {
+        clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
+    }
+
+    package var expiration: Date {
+        let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
+        let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
+        return Date(timeIntervalSinceNow: remainingInSeconds)
+    }
+}
+
+package actor PersistentAuthenticationHandler<SecretType: Secret>: Sendable {
+
+    private var persistedAuthenticationContexts: [SecretType: PersistentAuthenticationContext<SecretType>] = [:]
+
+    package init() {
+    }
+
+    package func existingPersistedAuthenticationContext(secret: SecretType) -> PersistentAuthenticationContext<SecretType>? {
+        guard let persisted = persistedAuthenticationContexts[secret], persisted.valid else { return nil }
+        return persisted
+    }
+
+    package func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws {
+        let newContext = LAContext()
+        newContext.touchIDAuthenticationAllowableReuseDuration = duration
+        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+
+        let formatter = DateComponentsFormatter()
+        formatter.unitsStyle = .spellOut
+        formatter.allowedUnits = [.hour, .minute, .day]
+
+
+        let durationString = formatter.string(from: duration)!
+        newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
+        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
+        guard success else { return }
+        let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
+        persistedAuthenticationContexts[secret] = context
+    }
+
+}
+

Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift

@@ -64,7 +64,7 @@ public final class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiab
     private let _create: @Sendable (String, Attributes) async throws -> AnySecret
     private let _delete: @Sendable (AnySecret) async throws -> Void
     private let _update: @Sendable (AnySecret, String, Attributes) async throws -> Void
-    private let _supportedKeyTypes: @Sendable () -> [KeyType]
+    private let _supportedKeyTypes: @Sendable () -> KeyAvailability
 
     public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStoreModifiable {
         _create = { AnySecret(try await secretStore.create(name: $0, attributes: $1)) }
@@ -87,7 +87,7 @@ public final class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiab
         try await _update(secret, name, attributes)
     }
 
-    public var supportedKeyTypes: [KeyType] {
+    public var supportedKeyTypes: KeyAvailability {
         _supportedKeyTypes()
     }
 

Sources/Packages/Sources/SecretKit/KeychainTypes.swift

@@ -36,12 +36,12 @@ public struct KeychainError: Error {
 /// A signing-related error.
 public struct SigningError: Error {
     /// The underlying error reported by the API, if one was returned.
-    public let error: SecurityError?
+    public let error: CFError?
 
     /// Initializes a SigningError with an optional SecurityError.
     /// - Parameter statusCode: The SecurityError, if one is applicable.
     public init(error: SecurityError?) {
-        self.error = error
+        self.error = unsafe error?.takeRetainedValue()
     }
 
 }

Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHCertificateHandler.swift

@@ -1,110 +0,0 @@
-import Foundation
-import OSLog
-
-/// Manages storage and lookup for OpenSSH certificates.
-public actor OpenSSHCertificateHandler: Sendable {
-
-    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.homeDirectory)
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "OpenSSHCertificateHandler")
-    private let writer = OpenSSHPublicKeyWriter()
-    private var keyBlobsAndNames: [AnySecret: (Data, Data)] = [:]
-
-    /// Initializes an OpenSSHCertificateHandler.
-    public init() {
-    }
-
-    /// Reloads any certificates in the PublicKeys folder.
-    /// - Parameter secrets: the secrets to look up corresponding certificates for.
-    public func reloadCertificates(for secrets: [AnySecret]) {
-        guard publicKeyFileStoreController.hasAnyCertificates else {
-            logger.log("No certificates, short circuiting")
-            return
-        }
-        keyBlobsAndNames = secrets.reduce(into: [:]) { partialResult, next in
-            partialResult[next] = try? loadKeyblobAndName(for: next)
-        }
-    }
-
-    /// Reconstructs a public key from a ``Data``, if that ``Data`` contains an OpenSSH certificate hash. Currently only ecdsa certificates are supported
-    /// - Parameter certBlock: The openssh certificate to extract the public key from
-    /// - Returns: A ``Data`` object containing the public key in OpenSSH wire format if the ``Data`` is an OpenSSH certificate hash, otherwise nil.
-    public func publicKeyHash(from hash: Data) -> Data? {
-        let reader = OpenSSHReader(data: hash)
-        let certType = String(decoding: reader.readNextChunk(), as: UTF8.self)
-        switch certType {
-        case "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-            "ecdsa-sha2-nistp384-cert-v01@openssh.com",
-            "ecdsa-sha2-nistp521-cert-v01@openssh.com":
-            _ = reader.readNextChunk() // nonce
-            let curveIdentifier = reader.readNextChunk()
-            let publicKey = reader.readNextChunk()
-
-            let openSSHIdentifier = certType.replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
-            return openSSHIdentifier.lengthAndData +
-            curveIdentifier.lengthAndData +
-            publicKey.lengthAndData
-        default:
-            return nil
-        }
-    }
-
-    /// Attempts to find an OpenSSH Certificate  that corresponds to a ``Secret``
-    /// - Parameter secret: The secret to search for a certificate with
-    /// - Returns: A (``Data``, ``Data``) tuple containing the certificate and certificate name, respectively.
-    public func keyBlobAndName<SecretType: Secret>(for secret: SecretType) throws -> (Data, Data)? {
-        keyBlobsAndNames[AnySecret(secret)]
-    }
-    
-    /// Attempts to find an OpenSSH Certificate  that corresponds to a ``Secret``
-    /// - Parameter secret: The secret to search for a certificate with
-    /// - Returns: A (``Data``, ``Data``) tuple containing the certificate and certificate name, respectively.
-    private func loadKeyblobAndName<SecretType: Secret>(for secret: SecretType) throws -> (Data, Data)? {
-        let certificatePath = publicKeyFileStoreController.sshCertificatePath(for: secret)
-        guard FileManager.default.fileExists(atPath: certificatePath) else {
-            return nil
-        }
-
-        logger.debug("Found certificate for \(secret.name)")
-        let certContent = try String(contentsOfFile:certificatePath, encoding: .utf8)
-        let certElements = certContent.trimmingCharacters(in: .whitespacesAndNewlines).components(separatedBy: " ")
-
-        guard certElements.count >= 2 else {
-            logger.warning("Certificate found for \(secret.name) but failed to load")
-            throw OpenSSHCertificateError.parsingFailed
-        }
-        guard let certDecoded = Data(base64Encoded: certElements[1] as String)  else {
-            logger.warning("Certificate found for \(secret.name) but failed to decode base64 key")
-            throw OpenSSHCertificateError.parsingFailed
-        }
-
-        if certElements.count >= 3 {
-            let certName = Data(certElements[2].utf8)
-            return (certDecoded, certName)
-        }
-        let certName = Data(secret.name.utf8)
-        logger.info("Certificate for \(secret.name) does not have a name tag, using secret name instead")
-        return (certDecoded, certName)
-    }
-
-}
-
-extension OpenSSHCertificateHandler {
-
-    enum OpenSSHCertificateError: LocalizedError {
-        case unsupportedType
-        case parsingFailed
-        case doesNotExist
-
-        public var errorDescription: String? {
-            switch self {
-            case .unsupportedType:
-                return "The key type was unsupported"
-            case .parsingFailed:
-                return "Failed to properly parse the SSH certificate"
-            case .doesNotExist:
-                return "Certificate does not exist"
-            }
-        }
-    }
-
-}

Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift

@@ -1,28 +0,0 @@
-import Foundation
-
-/// Reads OpenSSH protocol data.
-public final class OpenSSHReader {
-
-    var remaining: Data
-
-    /// Initialize the reader with an OpenSSH data payload.
-    /// - Parameter data: The data to read.
-    public init(data: Data) {
-        remaining = Data(data)
-    }
-
-    /// Reads the next chunk of data from the playload.
-    /// - Returns: The next chunk of data.
-    public func readNextChunk() -> Data {
-        let lengthRange = 0..<(UInt32.bitWidth/8)
-        let lengthChunk = remaining[lengthRange]
-        remaining.removeSubrange(lengthRange)
-        let littleEndianLength = lengthChunk.bytes.unsafeLoad(as: UInt32.self)
-        let length = Int(littleEndianLength.bigEndian)
-        let dataRange = 0..<length
-        let ret = Data(remaining[dataRange])
-        remaining.removeSubrange(dataRange)
-        return ret
-    }
-
-}

Sources/Packages/Sources/SecretKit/PublicKeyStandinFileController.swift

@@ -1,71 +0,0 @@
-import Foundation
-import OSLog
-
-/// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
-public final class PublicKeyFileStoreController: Sendable {
-
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "PublicKeyFileStoreController")
-    private let directory: URL
-    private let keyWriter = OpenSSHPublicKeyWriter()
-
-    /// Initializes a PublicKeyFileStoreController.
-    public init(homeDirectory: URL) {
-        directory = homeDirectory.appending(component: "PublicKeys")
-    }
-
-    /// Writes out the keys specified to disk.
-    /// - Parameter secrets: The Secrets to generate keys for.
-    /// - Parameter clear: Whether or not any untracked files in the directory should be removed.
-    public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
-        logger.log("Writing public keys to disk")
-        if clear {
-            let validPaths = Set(secrets.map { publicKeyPath(for: $0) }).union(Set(secrets.map { sshCertificatePath(for: $0) }))
-            let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: directory.path())) ?? []
-            let fullPathContents = contentsOfDirectory.map { "\(directory)/\($0)" }
-
-            let untracked = Set(fullPathContents)
-                .subtracting(validPaths)
-            for path in untracked {
-                try? FileManager.default.removeItem(at: URL(fileURLWithPath: path))
-            }
-        }
-        try? FileManager.default.createDirectory(at: directory, withIntermediateDirectories: false, attributes: nil)
-        for secret in secrets {
-            let path = publicKeyPath(for: secret)
-            let data = Data(keyWriter.openSSHString(secret: secret).utf8)
-            FileManager.default.createFile(atPath: path, contents: data, attributes: nil)
-        }
-        logger.log("Finished writing public keys")
-    }
-
-    /// The path for a Secret's public key.
-    /// - Parameter secret: The Secret to return the path for.
-    /// - Returns: The path to the Secret's public key.
-    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
-    public func publicKeyPath<SecretType: Secret>(for secret: SecretType) -> String {
-        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
-        return directory.appending(component: "\(minimalHex).pub").path()
-    }
-
-    /// Short-circuit check to ship enumerating a bunch of paths if there's nothing in the cert directory.
-    public var hasAnyCertificates: Bool {
-        do {
-            return try FileManager.default
-                .contentsOfDirectory(atPath: directory.path())
-                .filter { $0.hasSuffix("-cert.pub") }
-                .isEmpty == false
-        } catch {
-            return false
-        }
-    }
-
-    /// The path for a Secret's SSH Certificate public key.
-    /// - Parameter secret: The Secret to return the path for.
-    /// - Returns: The path to the SSH Certificate public key.
-    /// - Warning: This method returning a path does not imply that a key has a SSH certificates. This method only describes where it will be.
-    public func sshCertificatePath<SecretType: Secret>(for secret: SecretType) -> String {
-        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
-        return directory.appending(component: "\(minimalHex)-cert.pub").path()
-    }
-
-}

Sources/Packages/Sources/SecretKit/Types/SecretStore.swift

@@ -62,10 +62,37 @@ public protocol SecretStoreModifiable<SecretType>: SecretStore {
     ///   - attributes: The new attributes for the secret.
     func update(secret: SecretType, name: String, attributes: Attributes) async throws
 
-    var supportedKeyTypes: [KeyType] { get }
+    var supportedKeyTypes: KeyAvailability { get }
 
 }
 
+public struct KeyAvailability: Sendable {
+
+    public let available: [KeyType]
+    public let unavailable: [UnavailableKeyType]
+
+    public init(available: [KeyType], unavailable: [UnavailableKeyType]) {
+        self.available = available
+        self.unavailable = unavailable
+    }
+
+    public struct UnavailableKeyType: Sendable {
+        public let keyType: KeyType
+        public let reason: Reason
+
+        public init(keyType: KeyType, reason: Reason) {
+            self.keyType = keyType
+            self.reason = reason
+        }
+
+        public enum Reason: Sendable {
+            case macOSUpdateRequired
+        }
+    }
+
+}
+
+
 extension NSNotification.Name {
 
     // Distributed notification that keys were modified out of process (ie, that the management tool added/removed secrets)

Sources/Packages/Sources/SecureEnclaveSecretKit/CryptoKitMigrator.swift

@@ -27,10 +27,10 @@ extension SecureEnclave {
                 kSecReturnAttributes: true
             ])
             var privateUntyped: CFTypeRef?
-            SecItemCopyMatching(privateAttributes, &privateUntyped)
+            unsafe SecItemCopyMatching(privateAttributes, &privateUntyped)
             guard let privateTyped = privateUntyped as? [[CFString: Any]] else { return }
             let migratedPublicKeys = Set(store.secrets.map(\.publicKey))
-            var migrated = false
+            var migratedAny = false
             for key in privateTyped {
                 let name = key[kSecAttrLabel] as? String ?? String(localized: .unnamedSecret)
                 let id = key[kSecAttrApplicationLabel] as! Data
@@ -40,35 +40,39 @@ extension SecureEnclave {
                 }
                 let ref = key[kSecValueRef] as! SecKey
                 let attributes = SecKeyCopyAttributes(ref) as! [CFString: Any]
-                let tokenObjectID = attributes[Constants.tokenObjectID] as! Data
+                let tokenObjectID = unsafe attributes[Constants.tokenObjectID] as! Data
                 let accessControl = attributes[kSecAttrAccessControl] as! SecAccessControl
                 // Best guess.
                 let auth: AuthenticationRequirement = String(describing: accessControl)
                     .contains("DeviceOwnerAuthentication") ? .presenceRequired : .unknown
-                let parsed = try CryptoKit.SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: tokenObjectID)
+                do {
-                let secret = Secret(id: UUID().uuidString, name: name, publicKey: parsed.publicKey.x963Representation, attributes: Attributes(keyType: .init(algorithm: .ecdsa, size: 256), authentication: auth))
+                    let parsed = try CryptoKit.SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: tokenObjectID)
-                guard !migratedPublicKeys.contains(parsed.publicKey.x963Representation) else {
+                    let secret = Secret(id: UUID().uuidString, name: name, publicKey: parsed.publicKey.x963Representation, attributes: Attributes(keyType: .init(algorithm: .ecdsa, size: 256), authentication: auth))
-                    logger.log("Skipping \(name), public key already present. Marking as migrated.")
+                    guard !migratedPublicKeys.contains(parsed.publicKey.x963Representation) else {
-                    try markMigrated(secret: secret, oldID: id)
+                        logger.log("Skipping \(name), public key already present. Marking as migrated.")
-                    continue
+                        markMigrated(secret: secret, oldID: id)
+                        continue
+                    }
+                    logger.log("Migrating \(name).")
+                    try store.saveKey(tokenObjectID, name: name, attributes: secret.attributes)
+                    logger.log("Migrated \(name).")
+                    markMigrated(secret: secret, oldID: id)
+                    migratedAny = true
+                } catch {
+                    logger.error("Failed to migrate \(name): \(error.localizedDescription).")
                 }
-                logger.log("Migrating \(name).")
-                try store.saveKey(tokenObjectID, name: name, attributes: secret.attributes)
-                logger.log("Migrated \(name).")
-                try markMigrated(secret: secret, oldID: id)
-                migrated = true
             }
-            if migrated {
+            if migratedAny {
                 store.reloadSecrets()
             }
         }
 
 
 
-        public func markMigrated(secret: Secret, oldID: Data) throws {
+        public func markMigrated(secret: Secret, oldID: Data) {
             let updateQuery = KeychainDictionary([
                 kSecClass: kSecClassKey,
-                kSecAttrApplicationLabel: secret.id
+                kSecAttrApplicationLabel: oldID
             ])
 
             let newID = oldID + Constants.migrationMagicNumber
@@ -78,7 +82,7 @@ extension SecureEnclave {
 
             let status = SecItemUpdate(updateQuery, updatedAttributes)
             if status != errSecSuccess {
-                throw KeychainError(statusCode: status)
+                logger.warning("Failed to mark \(secret.name) as migrated: \(status).")
             }
         }
 

Sources/Packages/Sources/SecureEnclaveSecretKit/PersistentAuthenticationHandler.swift

@@ -1,72 +0,0 @@
-import LocalAuthentication
-import SecretKit
-
-extension SecureEnclave {
-
-    /// A context describing a persisted authentication.
-    final class PersistentAuthenticationContext: PersistedAuthenticationContext {
-
-        /// The Secret to persist authentication for.
-        let secret: Secret
-        /// The LAContext used to authorize the persistent context.
-        nonisolated(unsafe) let context: LAContext
-        /// An expiration date for the context.
-        /// - Note -  Monotonic time instead of Date() to prevent people setting the clock back.
-        let monotonicExpiration: UInt64
-
-        /// Initializes a context.
-        /// - Parameters:
-        ///   - secret: The Secret to persist authentication for.
-        ///   - context: The LAContext used to authorize the persistent context.
-        ///   - duration: The duration of the authorization context, in seconds.
-        init(secret: Secret, context: LAContext, duration: TimeInterval) {
-            self.secret = secret
-            self.context = context
-            let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
-            self.monotonicExpiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
-        }
-
-        /// A boolean describing whether or not the context is still valid.
-        var valid: Bool {
-            clock_gettime_nsec_np(CLOCK_MONOTONIC) < monotonicExpiration
-        }
-
-        var expiration: Date {
-            let remainingNanoseconds = monotonicExpiration - clock_gettime_nsec_np(CLOCK_MONOTONIC)
-            let remainingInSeconds = Measurement(value: Double(remainingNanoseconds), unit: UnitDuration.nanoseconds).converted(to: .seconds).value
-            return Date(timeIntervalSinceNow: remainingInSeconds)
-        }
-    }
-
-    actor PersistentAuthenticationHandler: Sendable {
-
-        private var persistedAuthenticationContexts: [Secret: PersistentAuthenticationContext] = [:]
-
-        func existingPersistedAuthenticationContext(secret: Secret) -> PersistentAuthenticationContext? {
-            guard let persisted = persistedAuthenticationContexts[secret], persisted.valid else { return nil }
-            return persisted
-        }
-
-        func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
-            let newContext = LAContext()
-            newContext.touchIDAuthenticationAllowableReuseDuration = duration
-            newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
-
-            let formatter = DateComponentsFormatter()
-            formatter.unitsStyle = .spellOut
-            formatter.allowedUnits = [.hour, .minute, .day]
-
-            if let durationString = formatter.string(from: duration) {
-                newContext.localizedReason = String(localized: .authContextPersistForDuration(secretName: secret.name, duration: durationString))
-            } else {
-                newContext.localizedReason = String(localized: .authContextPersistForDurationUnknown(secretName: secret.name))
-            }
-            let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
-            guard success else { return }
-            let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
-            persistedAuthenticationContexts[secret] = context
-        }
-
-    }
-
-}

Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift

@@ -2,7 +2,7 @@ import Foundation
 import Observation
 import Security
 import CryptoKit
-@preconcurrency import LocalAuthentication
+import LocalAuthentication
 import SecretKit
 import os
 
@@ -17,7 +17,7 @@ extension SecureEnclave {
         }
         public let id = UUID()
         public let name = String(localized: .secureEnclave)
-        private let persistentAuthenticationHandler = PersistentAuthenticationHandler()
+        private let persistentAuthenticationHandler = PersistentAuthenticationHandler<Secret>()
 
         /// Initializes a Store.
         @MainActor public init() {
@@ -26,7 +26,7 @@ extension SecureEnclave {
                 for await note in DistributedNotificationCenter.default().notifications(named: .secretStoreUpdated) {
                     guard Constants.notificationToken != (note.object as? String) else {
                         // Don't reload if we're the ones triggering this by reloading.
-                        return
+                        continue
                     }
                     reloadSecrets()
                 }
@@ -40,7 +40,7 @@ extension SecureEnclave {
         public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
             var context: LAContext
             if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret) {
-                context = existing.context
+                context = unsafe existing.context
             } else {
                 let newContext = LAContext()
                 newContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
@@ -57,7 +57,7 @@ extension SecureEnclave {
                 kSecReturnData: true,
             ])
             var untyped: CFTypeRef?
-            let status = SecItemCopyMatching(queryAttributes, &untyped)
+            let status = unsafe SecItemCopyMatching(queryAttributes, &untyped)
             if status != errSecSuccess {
                 throw KeychainError(statusCode: status)
             }
@@ -112,7 +112,7 @@ extension SecureEnclave {
             var accessError: SecurityError?
             let flags: SecAccessControlCreateFlags = switch attributes.authentication {
             case .notRequired:
-                []
+                [.privateKeyUsage]
             case .presenceRequired:
                 [.userPresence, .privateKeyUsage]
             case .biometryCurrent:
@@ -121,12 +121,12 @@ extension SecureEnclave {
                 fatalError()
             }
             let access =
-                SecAccessControlCreateWithFlags(kCFAllocatorDefault,
+            unsafe SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                 kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                                 flags,
                                                 &accessError)
-            if let error = accessError {
+            if let error = unsafe accessError {
-                throw error.takeRetainedValue() as Error
+                throw unsafe error.takeRetainedValue() as Error
             }
             let dataRep: Data
             let publicKey: Data
@@ -186,17 +186,22 @@ extension SecureEnclave {
             await reloadSecrets()
         }
         
-        public var supportedKeyTypes: [KeyType] {
+        public let supportedKeyTypes: KeyAvailability = {
-            if #available(macOS 26, *) {
+            let macOS26Keys: [KeyType] = [.mldsa65, .mldsa87]
-                [
+            let isAtLeastMacOS26 = if #available(macOS 26, *) {
-                    .ecdsa256,
+                true
-                    .mldsa65,
-                    .mldsa87,
-                ]
             } else {
-                [.ecdsa256]
+                false
             }
-        }
+            return KeyAvailability(
+                available: [
+                    .ecdsa256,
+                ] + (isAtLeastMacOS26 ? macOS26Keys : []),
+                unavailable: (isAtLeastMacOS26 ? [] : macOS26Keys).map {
+                    KeyAvailability.UnavailableKeyType(keyType: $0, reason: .macOSUpdateRequired)
+                }
+            )
+        }()
     }
 
 }
@@ -214,7 +219,7 @@ extension SecureEnclave.Store {
             kSecReturnAttributes: true
             ])
         var untyped: CFTypeRef?
-        SecItemCopyMatching(queryAttributes, &untyped)
+        unsafe SecItemCopyMatching(queryAttributes, &untyped)
         guard let typed = untyped as? [[CFString: Any]] else { return }
         let wrapped: [SecureEnclave.Secret] = typed.compactMap {
             do {

Sources/Packages/Sources/SharedXPCServices/CertificateMigrator.swift

@@ -0,0 +1,53 @@
+import Foundation
+import Security
+import CryptoTokenKit
+import CryptoKit
+import os
+import SSHProtocolKit
+import CertificateKit
+
+public struct CertificateMigrator {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.migration", category: "CertificateKitMigrator")
+    private let publicKeysDirectory: URL
+    private let certificatesDirectory: URL
+    private let certificateStore: CertificateStore
+
+    /// Initializes a PublicKeyFileStoreController.
+    public init(homeDirectory: URL, certificateStore: CertificateStore) {
+        publicKeysDirectory = homeDirectory.appending(component: "PublicKeys")
+        certificatesDirectory = homeDirectory.appending(component: "Certificates")
+        self.certificateStore = certificateStore
+    }
+
+    @MainActor public func migrate() throws {
+        try migrate(directory: publicKeysDirectory)
+        try migrate(directory: certificatesDirectory)
+    }
+
+    @MainActor public func migrate(directory: URL) throws {
+        let fileCerts = try FileManager.default
+            .contentsOfDirectory(atPath: directory.path())
+            .filter { $0.hasSuffix("-cert.pub") }
+        Task {
+            for path in fileCerts {
+                do {
+                    let url = directory.appending(component: path)
+                    let data = try Data(contentsOf: url)
+                    let parser = try await XPCCertificateParser()
+                    let cert = try await parser.parse(data: data)
+                    try certificateStore.save(certificate: Certificate(openSSHCertificate: cert, rawData: data))
+                    do {
+                        try FileManager.default.removeItem(at: url)
+                    } catch {
+                        logger.error("Failed to delete successfully migrated cert: \(path)")
+                    }
+                } catch {
+                    logger.error("Failed to migrate cert: \(path)")
+                }
+            }
+
+        }
+    }
+
+}

Sources/Packages/Sources/SharedXPCServices/XPCCertificateParser.swift

@@ -0,0 +1,29 @@
+import Foundation
+import OSLog
+import SSHProtocolKit
+import CertificateKit
+import XPCWrappers
+
+/// Delegates all agent input parsing to an XPC service which wraps OpenSSH
+public final class XPCCertificateParser: OpenSSHCertificateParserProtocol {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "XPCCertificateParser")
+    private let session: XPCTypedSession<OpenSSHCertificate, OpenSSHCertificateError>
+
+    public init() async throws {
+        logger.debug("Creating XPCCertificateParser")
+        session = try await XPCTypedSession(serviceName: "com.maxgoedjen.Secretive.SecretiveCertificateParser", warmup: true)
+        logger.debug("XPCCertificateParser is warmed up.")
+    }
+
+    public func parse(data: Data) async throws -> OpenSSHCertificate {
+        logger.debug("Parsing input")
+        defer { logger.debug("Parsed input") }
+        return try await session.send(data)
+    }
+
+    deinit {
+        session.complete()
+    }
+
+}

Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift

@@ -1,7 +1,7 @@
 import Foundation
 import Observation
 import Security
-@preconcurrency import CryptoTokenKit
+@unsafe @preconcurrency import CryptoTokenKit
 import LocalAuthentication
 import SecretKit
 
@@ -34,6 +34,7 @@ extension SmartCard {
         public var secrets: [Secret] {
             state.secrets
         }
+        private let persistentAuthenticationHandler = PersistentAuthenticationHandler<Secret>()
 
         /// Initializes a Store.
         public init() {
@@ -58,9 +59,15 @@ extension SmartCard {
 
         public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
             guard let tokenID = await state.tokenID else { fatalError() }
-            let context = LAContext()
+            var context: LAContext
-            context.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret) {
-            context.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+                context = unsafe existing.context
+            } else {
+                let newContext = LAContext()
+                newContext.localizedReason = String(localized: .authContextRequestSignatureDescription(appName: provenance.origin.displayName, secretName: secret.name))
+                newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
+                context = newContext
+            }
             let attributes = KeychainDictionary([
                 kSecClass: kSecClassKey,
                 kSecAttrKeyClass: kSecAttrKeyClassPrivate,
@@ -70,7 +77,7 @@ extension SmartCard {
                 kSecReturnRef: true
             ])
             var untyped: CFTypeRef?
-            let status = SecItemCopyMatching(attributes, &untyped)
+            let status = unsafe SecItemCopyMatching(attributes, &untyped)
             if status != errSecSuccess {
                 throw KeychainError(statusCode: status)
             }
@@ -80,17 +87,18 @@ extension SmartCard {
             let key = untypedSafe as! SecKey
             var signError: SecurityError?
             guard let algorithm = signatureAlgorithm(for: secret) else { throw UnsupportKeyType() }
-            guard let signature = SecKeyCreateSignature(key, algorithm, data as CFData, &signError) else {
+            guard let signature = unsafe SecKeyCreateSignature(key, algorithm, data as CFData, &signError) else {
-                throw SigningError(error: signError)
+                throw unsafe SigningError(error: signError)
             }
             return signature as Data
         }
         
-        public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? {
+        public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? {
-            nil
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret)
         }
 
-        public func persistAuthentication(secret: Secret, forDuration: TimeInterval) throws {
+        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
+            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
         }
 
         /// Reloads all secrets from the store.
@@ -152,7 +160,7 @@ extension SmartCard.Store {
             kSecReturnAttributes: true
         ])
         var untyped: CFTypeRef?
-        SecItemCopyMatching(attributes, &untyped)
+        unsafe SecItemCopyMatching(attributes, &untyped)
         guard let typed = untyped as? [[CFString: Any]] else { return }
         let wrapped: [SecretType] = typed.compactMap {
             let name = $0[kSecAttrLabel] as? String ?? String(localized: .unnamedSecret)
@@ -163,7 +171,7 @@ extension SmartCard.Store {
             let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!
             let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]
             let publicKey = publicKeyAttributes[kSecValueData] as! Data
-            let attributes = Attributes(keyType: KeyType(secAttr: algorithmSecAttr, size: keySize)!, authentication: .unknown)
+            let attributes = Attributes(keyType: KeyType(secAttr: algorithmSecAttr, size: keySize)!, authentication: .presenceRequired)
             let secret = SmartCard.Secret(id: tokenID, name: name, publicKey: publicKey, attributes: attributes)
             guard signatureAlgorithm(for: secret) != nil else { return nil }
             return secret

Sources/Packages/Sources/XPCWrappers/TeamID.swift

@@ -0,0 +1,26 @@
+import Foundation
+
+extension ProcessInfo {
+    private static let fallbackTeamID = "Z72PRUAWF6"
+
+    private static let teamID: String = {
+        #if DEBUG
+        guard let task = SecTaskCreateFromSelf(nil) else {
+            assertionFailure("SecTaskCreateFromSelf failed")
+            return fallbackTeamID
+        }
+
+        guard let value = SecTaskCopyValueForEntitlement(task, "com.apple.developer.team-identifier" as CFString, nil) as? String else {
+//            assertionFailure("SecTaskCopyValueForEntitlement(com.apple.developer.team-identifier) failed")
+            return fallbackTeamID
+        }
+
+        return value
+        #else
+        /// Always use hardcoded team ID for release builds, just in case.
+        return fallbackTeamID
+        #endif
+    }()
+
+    public var teamID: String { Self.teamID }
+}

Sources/Packages/Sources/XPCWrappers/XPCProtocol.swift

@@ -0,0 +1,14 @@
+import Foundation
+
+@objc protocol _XPCProtocol: Sendable {
+    func process(_ data: Data, with reply: @Sendable @escaping (Data?, Error?) -> Void)
+}
+
+public protocol XPCProtocol<Input, Output>: Sendable {
+
+    associatedtype Input: Codable
+    associatedtype Output: Codable
+
+    func process(_ data: Input) async throws -> Output
+
+}

Sources/Packages/Sources/XPCWrappers/XPCServiceDelegate.swift

@@ -0,0 +1,72 @@
+import Foundation
+
+public final class XPCServiceDelegate: NSObject, NSXPCListenerDelegate {
+
+    private let exportedObject: ErasedXPCProtocol
+
+    public init<XPCProtocolType: XPCProtocol>(exportedObject: XPCProtocolType) {
+        self.exportedObject = ErasedXPCProtocol(exportedObject)
+    }
+
+    public func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
+        newConnection.exportedInterface = NSXPCInterface(with: (any _XPCProtocol).self)
+        let exportedObject = exportedObject
+        newConnection.exportedObject = exportedObject
+        newConnection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"\(ProcessInfo.processInfo.teamID)\"")
+        newConnection.resume()
+        return true
+    }
+}
+
+@objc private final class ErasedXPCProtocol: NSObject, _XPCProtocol {
+
+    let _process: @Sendable (Data, @Sendable @escaping (Data?, (any Error)?) -> Void) -> Void
+
+    public init<XPCProtocolType: XPCProtocol>(_ exportedObject: XPCProtocolType) {
+        _process = { data, reply in
+            Task { [reply] in
+                do {
+                    let decoded = try JSONDecoder().decode(XPCProtocolType.Input.self, from: data)
+                    let result = try await exportedObject.process(decoded)
+                    let encoded = try JSONEncoder().encode(result)
+                    reply(encoded, nil)
+                } catch {
+                    if let error = error as? Codable & Error {
+                        reply(nil, NSError(error))
+                    } else {
+                        // Sending cast directly tries to serialize it and crashes XPCEncoder.
+                        let cast = error as NSError
+                        reply(nil, NSError(domain: cast.domain, code: cast.code, userInfo: [NSLocalizedDescriptionKey: error.localizedDescription]))
+                    }
+                }
+            }
+        }
+    }
+
+    func process(_ data: Data, with reply: @Sendable @escaping (Data?, (any Error)?) -> Void) {
+        _process(data, reply)
+    }
+
+
+}
+
+extension NSError {
+
+    private enum Constants {
+        static let domain = "com.maxgoedjen.secretive.xpcwrappers"
+        static let code = -1
+        static let dataKey = "underlying"
+    }
+
+    @nonobjc convenience init<ErrorType: Codable & Error>(_ error: ErrorType) {
+        let encoded = try? JSONEncoder().encode(error)
+        self.init(domain: Constants.domain, code: Constants.code, userInfo: [Constants.dataKey: encoded as Any])
+    }
+
+    @nonobjc public func underlying<ErrorType: Codable & Error>(as errorType: ErrorType.Type) -> ErrorType? {
+        guard domain == Constants.domain && code == Constants.code, let data = userInfo[Constants.dataKey] as? Data else { return nil }
+        return try? JSONDecoder().decode(ErrorType.self, from: data)
+    }
+
+}
+

Sources/Packages/Sources/XPCWrappers/XPCTypedSession.swift

@@ -0,0 +1,53 @@
+import Foundation
+
+public struct XPCTypedSession<ResponseType: Codable & Sendable, ErrorType: Error & Codable>: ~Copyable {
+
+    private let connection: NSXPCConnection
+    private let proxy: _XPCProtocol
+
+    public init(serviceName: String, warmup: Bool = false) async throws {
+        let connection = NSXPCConnection(serviceName: serviceName)
+        connection.remoteObjectInterface = NSXPCInterface(with: (any _XPCProtocol).self)
+        connection.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"\(ProcessInfo.processInfo.teamID)\"")
+        connection.resume()
+        guard let proxy = connection.remoteObjectProxy as? _XPCProtocol else { fatalError() }
+        self.connection = connection
+        self.proxy = proxy
+        if warmup {
+            _ = try? await send()
+        }
+    }
+
+    public func send(_ message: some Encodable = Data()) async throws -> ResponseType {
+        let encoded = try JSONEncoder().encode(message)
+        return try await withCheckedThrowingContinuation { continuation in
+            proxy.process(encoded) { data, error in
+                do {
+                    if let error {
+                        throw error
+                    }
+                    guard let data else {
+                        throw NoDataError()
+                    }
+                    let decoded = try JSONDecoder().decode(ResponseType.self, from: data)
+                    continuation.resume(returning: decoded)
+                } catch {
+                    if let typed = (error as NSError).underlying(as: ErrorType.self) {
+                        continuation.resume(throwing: typed)
+                    } else {
+                        continuation.resume(throwing: error)
+                    }
+                }
+            }
+        }
+    }
+
+
+    public func complete() {
+        connection.invalidate()
+    }
+
+    public struct NoDataError: Error {}
+
+}
+

Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHPublicKeyWriterTests.swift

@@ -1,8 +1,7 @@
 import Foundation
 import Testing
 @testable import SecretKit
-@testable import SecureEnclaveSecretKit
+import SSHProtocolKit
-@testable import SmartCardSecretKit
 
 @Suite struct OpenSSHPublicKeyWriterTests {
 
@@ -47,8 +46,8 @@ import Testing
 extension OpenSSHPublicKeyWriterTests {
 
     enum Constants {
-        static let ecdsa256Secret =  SmartCard.Secret(id: Data(), name: "Test Key (ECDSA 256)", publicKey: Data(base64Encoded: "BOVEjgAA5PHqRgwykjN5qM21uWCHFSY/Sqo5gkHAkn+e1MMQKHOLga7ucB9b3mif33MBid59GRK9GEPVlMiSQwo=")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 256), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
+        static let ecdsa256Secret =  TestSecret(id: Data(), name: "Test Key (ECDSA 256)", publicKey: Data(base64Encoded: "BOVEjgAA5PHqRgwykjN5qM21uWCHFSY/Sqo5gkHAkn+e1MMQKHOLga7ucB9b3mif33MBid59GRK9GEPVlMiSQwo=")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 256), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
-        static let ecdsa384Secret = SmartCard.Secret(id: Data(), name: "Test Key (ECDSA 384)", publicKey: Data(base64Encoded: "BG2MNc/C5OTHFE2tBvbZCVcpOGa8vBMquiTLkH4lwkeqOPxhi+PyYUfQZMTRJNPiTyWPoMBqNiCIFRVv60yPN/AHufHaOgbdTP42EgMlMMImkAjYUEv9DESHTVIs2PW1yQ==")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 384), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
+        static let ecdsa384Secret = TestSecret(id: Data(), name: "Test Key (ECDSA 384)", publicKey: Data(base64Encoded: "BG2MNc/C5OTHFE2tBvbZCVcpOGa8vBMquiTLkH4lwkeqOPxhi+PyYUfQZMTRJNPiTyWPoMBqNiCIFRVv60yPN/AHufHaOgbdTP42EgMlMMImkAjYUEv9DESHTVIs2PW1yQ==")!, attributes: Attributes(keyType: KeyType(algorithm: .ecdsa, size: 384), authentication: .notRequired, publicKeyAttribution: "test@example.com"))
 
     }
 

Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHReaderTests.swift

@@ -1,18 +1,16 @@
 import Foundation
 import Testing
-@testable import SecretKit
+import SSHProtocolKit
-@testable import SecureEnclaveSecretKit
-@testable import SmartCardSecretKit
 
 @Suite struct OpenSSHReaderTests {
 
-    @Test func signatureRequest() {
+    @Test func signatureRequest() throws {
         let reader = OpenSSHReader(data: Constants.signatureRequest)
-        let hash = reader.readNextChunk()
+        let hash = try reader.readNextChunk()
         #expect(hash == Data(base64Encoded: "AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEqCbkJbOHy5S1wVCaJoKPmpS0egM4frMqllgnlRRQ/Uvnn6EVS8oV03cPA2Bz0EdESyRKA/sbmn0aBtgjIwGELxu45UXEW1TEz6TxyS0u3vuIqR3Wo1CrQWRDnkrG/pBQ=="))
-        let dataToSign = reader.readNextChunk()
+        let dataToSign = try reader.readNextChunk()
         #expect(dataToSign == Data(base64Encoded: "AAAAICi5xf1ixOestUlxdjvt/BDcM+rzhwy7Vo8cW5YcxA8+MgAAAANnaXQAAAAOc3NoLWNvbm5lY3Rpb24AAAAJcHVibGlja2V5AQAAABNlY2RzYS1zaGEyLW5pc3RwMzg0AAAAiAAAABNlY2RzYS1zaGEyLW5pc3RwMzg0AAAACG5pc3RwMzg0AAAAYQRKgm5CWzh8uUtcFQmiaCj5qUtHoDOH6zKpZYJ5UUUP1L55+hFUvKFdN3DwNgc9BHREskSgP7G5p9GgbYIyMBhC8buOVFxFtUxM+k8cktLt77iKkd1qNQq0FkQ55Kxv6QU="))
-        let empty = reader.readNextChunk()
+        let empty = try reader.readNextChunk()
         #expect(empty.isEmpty)
     }
 

Sources/Packages/Tests/SSHProtocolKitTests/OpenSSHSignatureWriterTests.swift

@@ -0,0 +1,83 @@
+import Foundation
+import Testing
+import SSHProtocolKit
+@testable import SecretKit
+
+@Suite struct OpenSSHSignatureWriterTests {
+
+    private let writer = OpenSSHSignatureWriter()
+
+    @Test func ecdsaMpintStripsUnnecessaryLeadingZeros() throws {
+        let secret = Constants.ecdsa256Secret
+
+        // r has a leading 0x00 followed by 0x01 (< 0x80): the mpint must not keep the leading zero.
+        let rBytes: [UInt8] = [0x00] + (1...31).map { UInt8($0) }
+        let r = Data(rBytes)
+        // s has two leading 0x00 bytes followed by 0x7f (< 0x80): the mpint must not keep the leading zeros.
+        let sBytes: [UInt8] = [0x00, 0x00, 0x7f] + Array(repeating: UInt8(0x01), count: 29)
+        let s = Data(sBytes)
+        let rawRepresentation = r + s
+
+        let response = writer.data(secret: secret, signature: rawRepresentation)
+        let (parsedR, parsedS) = try parseEcdsaSignatureMpints(from: response)
+
+        #expect(parsedR == Data((1...31).map { UInt8($0) }))
+        #expect(parsedS == Data([0x7f] + Array(repeating: UInt8(0x01), count: 29)))
+    }
+
+    @Test func ecdsaMpintPrefixesZeroWhenHighBitSet() throws {
+        let secret = Constants.ecdsa256Secret
+
+        // r starts with 0x80 (high bit set): mpint must be prefixed with 0x00.
+        let r = Data([UInt8(0x80)] + Array(repeating: UInt8(0x01), count: 31))
+        let s = Data([UInt8(0x01)] + Array(repeating: UInt8(0x02), count: 31))
+        let rawRepresentation = r + s
+
+        let response = writer.data(secret: secret, signature: rawRepresentation)
+        let (parsedR, parsedS) = try parseEcdsaSignatureMpints(from: response)
+
+        #expect(parsedR == Data([0x00, 0x80] + Array(repeating: UInt8(0x01), count: 31)))
+        #expect(parsedS == Data([0x01] + Array(repeating: UInt8(0x02), count: 31)))
+    }
+
+}
+
+private extension OpenSSHSignatureWriterTests {
+
+    enum Constants {
+        static let ecdsa256Secret = TestSecret(
+            id: Data(),
+            name: "Test Key (ECDSA 256)",
+            publicKey: Data(repeating: 0x01, count: 65),
+            attributes: Attributes(
+                keyType: KeyType(algorithm: .ecdsa, size: 256),
+                authentication: .notRequired,
+                publicKeyAttribution: "test@example.com"
+            )
+        )
+    }
+
+    enum ParseError: Error {
+        case eof
+        case invalidAlgorithm
+    }
+
+    func parseEcdsaSignatureMpints(from openSSHSignedData: Data) throws -> (r: Data, s: Data) {
+        let reader = OpenSSHReader(data: openSSHSignedData)
+
+        // Prefix
+        _ = try reader.readNextBytes(as: UInt32.self)
+
+        let algorithm = try reader.readNextChunkAsString()
+        guard algorithm == "ecdsa-sha2-nistp256" else {
+            throw ParseError.invalidAlgorithm
+        }
+
+        let sigReader = try reader.readNextChunkAsSubReader()
+        let r = try sigReader.readNextChunk()
+        let s = try sigReader.readNextChunk()
+        return (r, s)
+    }
+
+}
+

Sources/Packages/Tests/SSHProtocolKitTests/TestSecret.swift

@@ -0,0 +1,11 @@
+import Foundation
+import SecretKit
+
+public struct TestSecret: SecretKit.Secret {
+    
+    public let id: Data
+    public let name: String
+    public let publicKey: Data
+    public var attributes: Attributes
+    
+}

Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift

@@ -1,26 +1,31 @@
 import Foundation
 import Testing
 import CryptoKit
+import CertificateKit
+@testable import SSHProtocolKit
 @testable import SecretKit
 @testable import SecretAgentKit
 
-@Suite struct AgentTests {
+@Suite @MainActor struct AgentTests {
 
     // MARK: Identity Listing
 
-
-//    let testProvenance = SigningRequestProvenance(root: .init(pid: 0, processName: "Test", appName: "Test", iconURL: nil, path: /, validSignature: true, parentPID: nil))
-
     @Test func emptyStores() async throws {
-        let agent = Agent(storeList: SecretStoreList())
+        let agent = Agent(storeList: SecretStoreList(), certificateStore: CertificateStore())
-        let response = try await agent.handle(data: Constants.Requests.requestIdentities, provenance: .test)
+        let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestIdentities)
+        let response = await agent.handle(request: request, provenance: .test)
         #expect(response == Constants.Responses.requestIdentitiesEmpty)
     }
 
     @Test func identitiesList() async throws {
         let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
-        let agent = Agent(storeList: list)
+        let agent = Agent(storeList: list, certificateStore: CertificateStore())
-        let response = try await agent.handle(data: Constants.Requests.requestIdentities, provenance: .test)
+        let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestIdentities)
+        let response = await agent.handle(request: request, provenance: .test)
+
+        let actual = OpenSSHReader(data: response)
+        let expected = OpenSSHReader(data: Constants.Responses.requestIdentitiesMultiple)
+        print(actual, expected)
         #expect(response == Constants.Responses.requestIdentitiesMultiple)
     }
 
@@ -28,41 +33,43 @@ import CryptoKit
 
     @Test func noMatchingIdentities() async throws {
         let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
-        let agent = Agent(storeList: list)
+        let agent = Agent(storeList: list, certificateStore: CertificateStore())
-        let response = try await agent.handle(data: Constants.Requests.requestSignatureWithNoneMatching, provenance: .test)
+        let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignatureWithNoneMatching)
+        let response = await agent.handle(request: request, provenance: .test)
         #expect(response == Constants.Responses.requestFailure)
     }
 
-//    @Test func ecdsaSignature() async throws {
+    @Test func ecdsaSignature() async throws {
-//        let stubReader = StubFileHandleReader(availableData: Constants.Requests.requestSignature)
+        let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignature)
-//        let requestReader = OpenSSHReader(data: Constants.Requests.requestSignature[5...])
+        guard case SSHAgent.Request.signRequest(let context) = request else { return }
-//        _ = requestReader.readNextChunk()
+        let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
-//        let dataToSign = requestReader.readNextChunk()
+        let agent = Agent(storeList: list, certificateStore: CertificateStore())
-//        let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
+        let response = await agent.handle(request: request, provenance: .test)
-//        let agent = Agent(storeList: list)
+        let responseReader = OpenSSHReader(data: response)
-//        await agent.handle(reader: stubReader, writer: stubWriter)
+        let length = try responseReader.readNextBytes(as: UInt32.self)
-//        let outer = OpenSSHReader(data: stubWriter.data[5...])
+        let type = try responseReader.readNextBytes(as: UInt8.self)
-//        let payload = outer.readNextChunk()
+        #expect(length == response.count - MemoryLayout<UInt32>.size)
-//        let inner = OpenSSHReader(data: payload)
+        #expect(type == SSHAgent.Response.agentSignResponse.rawValue)
-//        _ = inner.readNextChunk()
+        let outer = OpenSSHReader(data: responseReader.remaining)
-//        let signedData = inner.readNextChunk()
+        let inner = try outer.readNextChunkAsSubReader()
-//        let rsData = OpenSSHReader(data: signedData)
+        _ = try inner.readNextChunk()
-//        var r = rsData.readNextChunk()
+        let rsData = try inner.readNextChunkAsSubReader()
-//        var s = rsData.readNextChunk()
+        var r = try rsData.readNextChunk()
-//        // This is fine IRL, but it freaks out CryptoKit
+        var s = try rsData.readNextChunk()
-//        if r[0] == 0 {
+        // This is fine IRL, but it freaks out CryptoKit
-//            r.removeFirst()
+        if r[0] == 0 {
-//        }
+            r.removeFirst()
-//        if s[0] == 0 {
+        }
-//            s.removeFirst()
+        if s[0] == 0 {
-//        }
+            s.removeFirst()
-//        var rs = r
+        }
-//        rs.append(s)
+        var rs = r
-//        let signature = try P256.Signing.ECDSASignature(rawRepresentation: rs)
+        rs.append(s)
-//        // Correct signature
+        let signature = try P256.Signing.ECDSASignature(rawRepresentation: rs)
-//        #expect(try P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey)
+        // Correct signature
-//            .isValidSignature(signature, for: dataToSign))
+        #expect(try P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey)
-//    }
+            .isValidSignature(signature, for: context.dataToSign))
+    }
 
     // MARK: Witness protocol
 
@@ -71,8 +78,8 @@ import CryptoKit
         let witness = StubWitness(speakNow: { _,_  in
             return true
         }, witness: { _, _ in })
-        let agent = Agent(storeList: list, witness: witness)
+        let agent = Agent(storeList: list, certificateStore: CertificateStore(), witness: witness)
-        let response = try await agent.handle(data: Constants.Requests.requestSignature, provenance: .test)
+        let response = await agent.handle(request: .signRequest(.empty), provenance: .test)
         #expect(response == Constants.Responses.requestFailure)
     }
 
@@ -84,8 +91,9 @@ import CryptoKit
         }, witness: { _, trace in
             witnessed = true
         })
-        let agent = Agent(storeList: list, witness: witness)
+        let agent = Agent(storeList: list, certificateStore: CertificateStore(), witness: witness)
-        _ = try await agent.handle(data: Constants.Requests.requestSignature, provenance: .test)
+        let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignature)
+        _ = await agent.handle(request: request, provenance: .test)
         #expect(witnessed)
     }
 
@@ -99,8 +107,9 @@ import CryptoKit
         }, witness: { _, trace in
             witnessTrace = trace
         })
-        let agent = Agent(storeList: list, witness: witness)
+        let agent = Agent(storeList: list, certificateStore: CertificateStore(), witness: witness)
-        _ = try await agent.handle(data: Constants.Requests.requestSignature, provenance: .test)
+        let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignature)
+        _ = await agent.handle(request: request, provenance: .test)
         #expect(witnessTrace == speakNowTrace)
         #expect(witnessTrace == .test)
     }
@@ -109,18 +118,19 @@ import CryptoKit
 
     @Test func signatureException() async throws {
         let list = await storeList(with: [Constants.Secrets.ecdsa256Secret, Constants.Secrets.ecdsa384Secret])
-        let store = await list.stores.first?.base as! Stub.Store
+        let store = list.stores.first?.base as! Stub.Store
         store.shouldThrow = true
-        let agent = Agent(storeList: list)
+        let agent = Agent(storeList: list, certificateStore: CertificateStore())
-        let response = try await agent.handle(data: Constants.Requests.requestSignature, provenance: .test)
+        let request = try SSHAgentInputParser().parse(data: Constants.Requests.requestSignature)
+        let response = await agent.handle(request: request, provenance: .test)
         #expect(response == Constants.Responses.requestFailure)
     }
 
     // MARK: Unsupported
 
     @Test func unhandledAdd() async throws {
-        let agent = Agent(storeList: SecretStoreList())
+        let agent = Agent(storeList: SecretStoreList(), certificateStore: CertificateStore())
-        let response = try await agent.handle(data: Constants.Requests.addIdentity, provenance: .test)
+        let response = await agent.handle(request: .addIdentity, provenance: .test)
         #expect(response == Constants.Responses.requestFailure)
     }
 
@@ -134,7 +144,7 @@ extension SigningRequestProvenance {
 
 extension AgentTests {
 
-    @MainActor func storeList(with secrets: [Stub.Secret]) async -> SecretStoreList {
+    func storeList(with secrets: [Stub.Secret]) async -> SecretStoreList {
         let store = Stub.Store()
         store.secrets.append(contentsOf: secrets)
         let storeList = SecretStoreList()
@@ -146,14 +156,13 @@ extension AgentTests {
 
         enum Requests {
             static let requestIdentities = Data(base64Encoded: "AAAAAQs=")!
-            static let addIdentity = Data(base64Encoded: "AAAAARE=")!
             static let requestSignatureWithNoneMatching = Data(base64Encoded: "AAABhA0AAACIAAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEqCbkJbOHy5S1wVCaJoKPmpS0egM4frMqllgnlRRQ/Uvnn6EVS8oV03cPA2Bz0EdESyRKA/sbmn0aBtgjIwGELxu45UXEW1TEz6TxyS0u3vuIqR3Wo1CrQWRDnkrG/pBQAAAO8AAAAgbqmrqPUtJ8mmrtaSVexjMYyXWNqjHSnoto7zgv86xvcyAAAAA2dpdAAAAA5zc2gtY29ubmVjdGlvbgAAAAlwdWJsaWNrZXkBAAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAACIAAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEqCbkJbOHy5S1wVCaJoKPmpS0egM4frMqllgnlRRQ/Uvnn6EVS8oV03cPA2Bz0EdESyRKA/sbmn0aBtgjIwGELxu45UXEW1TEz6TxyS0u3vuIqR3Wo1CrQWRDnkrG/pBQAAAAA=")!
             static let requestSignature = Data(base64Encoded: "AAABRA0AAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKzOkUiVJEcACMtAd9X7xalbc0FYZyhbmv2dsWl4IP2GWIi+RcsaHQNw+nAIQ8CKEYmLnl0VLDp5Ef8KMhgIy08AAADPAAAAIBIFsbCZ4/dhBmLNGHm0GKj7EJ4N8k/jXRxlyg+LFIYzMgAAAANnaXQAAAAOc3NoLWNvbm5lY3Rpb24AAAAJcHVibGlja2V5AQAAABNlY2RzYS1zaGEyLW5pc3RwMjU2AAAAaAAAABNlY2RzYS1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSszpFIlSRHAAjLQHfV+8WpW3NBWGcoW5r9nbFpeCD9hliIvkXLGh0DcPpwCEPAihGJi55dFSw6eRH/CjIYCMtPAAAAAA==")!
         }
 
         enum Responses {
             static let requestIdentitiesEmpty = Data(base64Encoded: "AAAABQwAAAAA")!
-            static let requestIdentitiesMultiple = Data(base64Encoded: "AAABKwwAAAACAAAAaAAAABNlY2RzYS1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSszpFIlSRHAAjLQHfV+8WpW3NBWGcoW5r9nbFpeCD9hliIvkXLGh0DcPpwCEPAihGJi55dFSw6eRH/CjIYCMtPAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAACIAAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLKSzA5q3jCb3q0JKigvcxfWVGrJ+bklpG0Zc9YzUwrbsh9SipvlSJi+sHQI+O0m88DOpRBAtuAHX60euD/Yv250tovN7/+MEFbXGZ/hLdd0BoFpWbLfJcQj806KJGlcDAAAABNlY2RzYS1zaGEyLW5pc3RwMzg0")!
+            static let requestIdentitiesMultiple = Data(base64Encoded: "AAABLwwAAAACAAAAaAAAABNlY2RzYS1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSszpFIlSRHAAjLQHfV+8WpW3NBWGcoW5r9nbFpeCD9hliIvkXLGh0DcPpwCEPAihGJi55dFSw6eRH/CjIYCMtPAAAAFWVjZHNhLTI1NkBleGFtcGxlLmNvbQAAAIgAAAATZWNkc2Etc2hhMi1uaXN0cDM4NAAAAAhuaXN0cDM4NAAAAGEEspLMDmreMJverQkqKC9zF9ZUasn5uSWkbRlz1jNTCtuyH1KKm+VImL6wdAj47SbzwM6lEEC24AdfrR64P9i/bnS2i83v/4wQVtcZn+Et13QGgWlZst8lxCPzTookaVwMAAAAFWVjZHNhLTM4NEBleGFtcGxlLmNvbQ==")!
             static let requestFailure = Data(base64Encoded: "AAAAAQU=")!
         }
 

Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift

@@ -1,6 +1,7 @@
 import Foundation
 import SecretKit
 import CryptoKit
+import SSHProtocolKit
 
 struct Stub {}
 
@@ -82,7 +83,7 @@ extension Stub {
         let privateKey: Data
 
         init(keySize: Int, publicKey: Data, privateKey: Data) {
-            self.attributes = Attributes(keyType: .init(algorithm: .ecdsa, size: keySize), authentication: .notRequired)
+            self.attributes = Attributes(keyType: .init(algorithm: .ecdsa, size: keySize), authentication: .notRequired, publicKeyAttribution: "ecdsa-\(keySize)@example.com")
             self.publicKey = publicKey
             self.privateKey = privateKey
         }

Sources/SecretAgent/AppDelegate.swift

@@ -6,7 +6,21 @@ import SmartCardSecretKit
 import SecretAgentKit
 import Brief
 import Observation
+import SSHProtocolKit
+import CertificateKit
+import Common
+import SwiftUI
 
+extension EnvironmentValues {
+
+    @MainActor fileprivate static let _certificateStore: CertificateStore = CertificateStore()
+
+    @MainActor var certificateStore: CertificateStore {
+        EnvironmentValues._certificateStore
+    }
+
+
+}
 @main
 class AppDelegate: NSObject, NSApplicationDelegate {
 
@@ -17,18 +31,18 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         try? migrator.migrate(to: cryptoKit)
         list.add(store: cryptoKit)
         list.add(store: SmartCard.Store())
+        let certsMigrator = CertificateMigrator(homeDirectory: URL.homeDirectory, certificateStore: EnvironmentValues._certificateStore)
+        try? certsMigrator.migrate()
         return list
     }()
     private let updater = Updater(checkOnLaunch: true)
     private let notifier = Notifier()
-    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: URL.homeDirectory)
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(publicKeysURL: URL.publicKeyDirectory, certificatesURL: URL.certificatesDirectory)
-    private lazy var agent: Agent = {
+    @MainActor private lazy var agent: Agent = {
-        Agent(storeList: storeList, witness: notifier)
+        Agent(storeList: storeList, certificateStore: EnvironmentValues._certificateStore, witness: notifier)
-    }()
-    private lazy var socketController: SocketController = {
-        let path = (NSHomeDirectory() as NSString).appendingPathComponent("socket.ssh") as String
-        return SocketController(path: path)
     }()
+    private var shutdownTask: Task<Void, Error>?
+    private let socketController = SocketController(.launchd("SecureListener"))
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AppDelegate")
 
     func applicationDidFinishLaunching(_ aNotification: Notification) {
@@ -37,13 +51,16 @@ class AppDelegate: NSObject, NSApplicationDelegate {
             for await session in socketController.sessions {
                 Task {
                     do {
+                        let inputParser = try await XPCAgentInputParser()
                         for await message in session.messages {
-                            let agentResponse = try await agent.handle(data: message, provenance: session.provenance)
+                            let request = try await inputParser.parse(data: message)
-                            try await session.write(agentResponse)
+                            let agentResponse = await agent.handle(request: request, provenance: session.provenance)
+                            try session.write(agentResponse)
                         }
                     } catch {
-                        try session.close()
+                        try? session.close()
                     }
+                    startCountdownClock()
                 }
             }
         }
@@ -52,13 +69,19 @@ class AppDelegate: NSObject, NSApplicationDelegate {
                 try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)
             }
         }
+        Task {
+            for await _ in NotificationCenter.default.notifications(named: .certificateStoreReloaded) {
+                try? publicKeyFileStoreController.generateCertificates(for: EnvironmentValues._certificateStore.certificates, clear: true)
+            }
+        }
         try? publicKeyFileStoreController.generatePublicKeys(for: storeList.allSecrets, clear: true)
+        try? publicKeyFileStoreController.generateCertificates(for: EnvironmentValues._certificateStore.certificates, clear: true)
         notifier.prompt()
         _ = withObservationTracking {
             updater.update
         } onChange: { [updater, notifier] in
             Task {
-                guard !updater.testBuild else { return }
+                guard !updater.currentVersion.isTestBuild else { return }
                 await notifier.notify(update: updater.update!) { release in
                     await updater.ignore(release: release)
                 }
@@ -66,5 +89,16 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         }
     }
 
+    func startCountdownClock() {
+        // FIXME: ACCOUNT FOR STORED AUTH
+        logger.log("Beginning countdown clock")
+        shutdownTask?.cancel()
+        shutdownTask = Task { [logger] in
+            try await Task.sleep(for: .seconds(30))
+            logger.log("Shutting down")
+            await NSApplication.shared.terminate(nil)
+        }
+    }
+
 }
 

Sources/SecretAgent/CertificateMigrator.swift

@@ -0,0 +1,47 @@
+import Foundation
+import Security
+import CryptoTokenKit
+import CryptoKit
+import os
+import SSHProtocolKit
+import CertificateKit
+import SharedXPCServices
+
+public struct CertificateMigrator {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.migration", category: "CertificateKitMigrator")
+    private let directory: URL
+    private let certificateStore: CertificateStore
+
+    /// Initializes a PublicKeyFileStoreController.
+    public init(homeDirectory: URL, certificateStore: CertificateStore) {
+        directory = homeDirectory.appending(component: "PublicKeys")
+        self.certificateStore = certificateStore
+    }
+
+    @MainActor public func migrate() throws {
+        let fileCerts = try FileManager.default
+            .contentsOfDirectory(atPath: directory.path())
+            .filter { $0.hasSuffix("-cert.pub") }
+        Task {
+            for path in fileCerts {
+                do {
+                    let url = directory.appending(component: path)
+                    let data = try Data(contentsOf: url)
+                    let parser = try await XPCCertificateParser()
+                    let cert = try await parser.parse(data: data)
+                    try certificateStore.save(certificate: Certificate(openSSHCertificate: cert, rawData: data))
+                    do {
+                        try FileManager.default.removeItem(at: url)
+                    } catch {
+                        logger.error("Failed to delete successfully migrated cert: \(path)")
+                    }
+                } catch {
+                    logger.error("Failed to migrate cert: \(path)")
+                }
+            }
+
+        }
+    }
+
+}

Sources/SecretAgent/InternetAccessPolicy.plist

@@ -9,22 +9,7 @@
 	<key>Website</key>
 	<string>https://github.com/maxgoedjen/secretive</string>
 	<key>Connections</key>
-	<array>
+	<array/>
-		<dict>
-			<key>IsIncoming</key>
-			<false/>
-			<key>Host</key>
-			<string>api.github.com</string>
-			<key>NetworkProtocol</key>
-			<string>TCP</string>
-			<key>Port</key>
-			<string>443</string>
-			<key>Purpose</key>
-			<string>Secretive checks GitHub for new versions and security updates.</string>
-			<key>DenyConsequences</key>
-			<string>If you deny these connections, you will not be notified about new versions and critical security updates.</string>
-		</dict>
-	</array>
 	<key>Services</key>
 	<array/>
 </dict>

Sources/SecretAgent/SecretAgent.entitlements

@@ -2,6 +2,22 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>com.apple.security.hardened-process</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
+	<true/>
+	<key>com.apple.security.hardened-process.dyld-ro</key>
+	<true/>
+	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
+	<string>1</string>
+	<key>com.apple.security.hardened-process.hardened-heap</key>
+	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
+	<string>2</string>
 	<key>com.apple.security.smartcard</key>
 	<true/>
 	<key>keychain-access-groups</key>

Sources/SecretAgent/XPCInputParser.swift

@@ -0,0 +1,31 @@
+import Foundation
+import OSLog
+import SSHProtocolKit
+import Brief
+import XPCWrappers
+import OSLog
+import SSHProtocolKit
+
+/// Delegates all agent input parsing to an XPC service which wraps OpenSSH
+public final class XPCAgentInputParser: SSHAgentInputParserProtocol {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "XPCAgentInputParser")
+    private let session: XPCTypedSession<SSHAgent.Request, SSHAgentInputParser.AgentParsingError>
+
+    public init() async throws {
+        logger.debug("Creating XPCAgentInputParser")
+        session = try await XPCTypedSession(serviceName: "com.maxgoedjen.Secretive.SecretAgentInputParser", warmup: true)
+        logger.debug("XPCAgentInputParser is warmed up.")
+    }
+
+    public func parse(data: Data) async throws -> SSHAgent.Request {
+        logger.debug("Parsing input")
+        defer { logger.debug("Parsed input") }
+        return try await session.send(data)
+    }
+
+    deinit {
+        session.complete()
+    }
+
+}

Sources/SecretAgentInputParser/Info.plist

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>XPCService</key>
+	<dict>
+		<key>ServiceType</key>
+		<string>Application</string>
+	</dict>
+</dict>
+</plist>

Sources/SecretAgentInputParser/SecretAgentInputParser.entitlements

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.hardened-process</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
+	<true/>
+	<key>com.apple.security.hardened-process.dyld-ro</key>
+	<true/>
+	<key>com.apple.security.hardened-process.hardened-heap</key>
+	<true/>
+	<key>com.apple.security.hardened-process.enhanced-security-version-string</key>
+	<string>1</string>
+	<key>com.apple.security.hardened-process.platform-restrictions-string</key>
+	<string>2</string>
+</dict>
+</plist>

Sources/SecretAgentInputParser/SecretAgentInputParser.swift

@@ -0,0 +1,18 @@
+import Foundation
+import OSLog
+import XPCWrappers
+import SecretAgentKit
+import SSHProtocolKit
+
+final class SecretAgentInputParser: NSObject, XPCProtocol {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.SecretAgentInputParser", category: "SecretAgentInputParser")
+
+    func process(_ data: Data) async throws -> SSHAgent.Request {
+        let parser = SSHAgentInputParser()
+        let result = try parser.parse(data: data)
+        logger.log("Parser parsed message as type \(result.debugDescription)")
+        return result
+    }
+
+}

Sources/SecretAgentInputParser/main.swift

@@ -0,0 +1,7 @@
+import Foundation
+import XPCWrappers
+
+let delegate = XPCServiceDelegate(exportedObject: SecretAgentInputParser())
+let listener = NSXPCListener.service()
+listener.delegate = delegate
+listener.resume()

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/PackageTests.xcscheme

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "2640"
+   version = "1.7">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES"
+      buildArchitectures = "Automatic">
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      shouldUseLaunchSchemeArgsEnv = "YES">
+      <TestPlans>
+         <TestPlanReference
+            reference = "container:Config/Secretive.xctestplan"
+            default = "YES">
+         </TestPlanReference>
+      </TestPlans>
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      launchStyle = "0"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES">
+   </LaunchAction>
+   <ProfileAction
+      buildConfiguration = "Release"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      savedToolIdentifier = ""
+      useCustomWorkingDirectory = "NO"
+      debugDocumentVersioning = "YES">
+   </ProfileAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "Release"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/SecretAgent.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2600"
+   LastUpgradeVersion = "2640"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -70,7 +70,7 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
+      launchStyle = "1"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"
       debugDocumentVersioning = "YES"

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/Secretive.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "2600"
+   LastUpgradeVersion = "2640"
    version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -23,7 +23,7 @@
       </BuildActionEntries>
    </BuildAction>
    <TestAction
-      buildConfiguration = "Test"
+      buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       shouldUseLaunchSchemeArgsEnv = "YES">
@@ -87,6 +87,9 @@
             ReferencedContainer = "container:Secretive.xcodeproj">
          </BuildableReference>
       </BuildableProductRunnable>
+      <MetalAPIValidationSettings
+         isEnabled = "No">
+      </MetalAPIValidationSettings>
    </LaunchAction>
    <ProfileAction
       buildConfiguration = "Debug"

Sources/Secretive/App.swift

@@ -1,88 +1,87 @@
 import SwiftUI
+@unsafe @preconcurrency import ServiceManagement
 import SecretKit
 import SecureEnclaveSecretKit
 import SmartCardSecretKit
 import Brief
+import CertificateKit
 
-extension EnvironmentValues {
+@Observable
+final class LaunchService: Sendable {
+    private let service = SMAppService.agent(plistName: "com.maxgoedjen.Secretive.SecretAgent.plist")
+    var status: SMAppService.Status {
+        service.status
+    }
 
-    // This is injected through .environment modifier below instead of @Entry for performance reasons (basially, restrictions around init/mainactor causing delay in loading secrets/"empty screen" blip).
+    func configure() {
-    @MainActor fileprivate static let _secretStoreList: SecretStoreList = {
+        try? service.unregister()
-        let list = SecretStoreList()
+        try! service.register()
-        let cryptoKit = SecureEnclave.Store()
+    }
-        let migrator = SecureEnclave.CryptoKitMigrator()
-        try? migrator.migrate(to: cryptoKit)
-        list.add(store: cryptoKit)
-        list.add(store: SmartCard.Store())
-        return list
-    }()
 
-    private static let _agentStatusChecker = AgentStatusChecker()
+    func disable() {
-    @Entry var agentStatusChecker: any AgentStatusCheckerProtocol = _agentStatusChecker
+        try? service.unregister()
-    private static let _updater: any UpdaterProtocol = {
-        @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
-        return Updater(checkOnLaunch: hasRunSetup)
-    }()
-    @Entry var updater: any UpdaterProtocol = _updater
-
-    @MainActor var secretStoreList: SecretStoreList {
-        EnvironmentValues._secretStoreList
     }
 }
 
 @main
 struct Secretive: App {
     
-    private let justUpdatedChecker = JustUpdatedChecker()
+    @Environment(\.justUpdatedChecker) var justUpdatedChecker
-    @Environment(\.agentStatusChecker) var agentStatusChecker
-    @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
-    @State private var showingSetup = false
-    @State private var showingIntegrations = false
-    @State private var showingCreation = false
 
     @SceneBuilder var body: some Scene {
         WindowGroup {
-            ContentView(showingCreation: $showingCreation, runningSetup: $showingSetup, hasRunSetup: $hasRunSetup)
+            ContentView()
                 .environment(EnvironmentValues._secretStoreList)
+                .environment(EnvironmentValues._certificateStore)
                 .onAppear {
-                    if !hasRunSetup {
+                    EnvironmentValues._launchService.configure()
-                        showingSetup = true
-                    }
-                }
-                .onReceive(NotificationCenter.default.publisher(for: NSApplication.didBecomeActiveNotification)) { _ in
-                    guard hasRunSetup else { return }
-                    agentStatusChecker.check()
-                    if agentStatusChecker.running && justUpdatedChecker.justUpdated {
-                        // Relaunch the agent, since it'll be running from earlier update still
-                        reinstallAgent()
-                    } else if !agentStatusChecker.running && !agentStatusChecker.developmentBuild {
-                        forceLaunchAgent()
-                    }
-                }
-                .sheet(isPresented: $showingIntegrations) {
-                    IntegrationsView()
                 }
         }
         .commands {
+            AppCommands()
+        }
+        WindowGroup(id: String(describing: IntegrationsView.self)) {
+            IntegrationsView()
+        }
+        .windowResizability(.contentMinSize)
+        WindowGroup(id: String(describing: AboutView.self)) {
+            AboutView()
+        }
+        .windowStyle(.hiddenTitleBar)
+        .windowResizability(.contentSize)
+    }
+
+}
+
+extension Secretive {
+
+    struct AppCommands: Commands {
+
+        @Environment(\.openWindow) var openWindow
+        @Environment(\.openURL) var openURL
+        @FocusedValue(\.showCreateSecret) var showCreateSecret
+
+        var body: some Commands {
+            CommandGroup(replacing: .appInfo) {
+                Button(.aboutMenuBarTitle, systemImage: "info.circle") {
+                    openWindow(id: String(describing: AboutView.self))
+                }
+            }
             CommandGroup(before: CommandGroupPlacement.appSettings) {
                 Button(.integrationsMenuBarTitle, systemImage: "app.connected.to.app.below.fill") {
-                    showingIntegrations = true
+                    openWindow(id: String(describing: IntegrationsView.self))
                 }
             }
             CommandGroup(after: CommandGroupPlacement.newItem) {
-                Button(.appMenuNewSecretButton) {
+                Button(.appMenuNewSecretButton, systemImage: "plus") {
-                    showingCreation = true
+                    showCreateSecret?()
                 }
                 .keyboardShortcut(KeyboardShortcut(KeyEquivalent("N"), modifiers: [.command, .shift]))
+                .disabled(showCreateSecret?.isEnabled == false)
             }
             CommandGroup(replacing: .help) {
                 Button(.appMenuHelpButton) {
-                    NSWorkspace.shared.open(Constants.helpURL)
+                    openURL(Constants.helpURL)
-                }
-            }
-            CommandGroup(after: .help) {
-                Button("Setup") {
-                    showingSetup = true
                 }
             }
             SidebarCommands()
@@ -91,33 +90,66 @@ struct Secretive: App {
 
 }
 
-extension Secretive {
-
-    private func reinstallAgent() {
-        justUpdatedChecker.check()
-        Task {
-            _ = await LaunchAgentController().install()
-            try? await Task.sleep(for: .seconds(1))
-            agentStatusChecker.check()
-            if !agentStatusChecker.running {
-                forceLaunchAgent()
-            }
-        }
-    }
-
-    private func forceLaunchAgent() {
-        // We've run setup, we didn't just update, launchd is just not doing it's thing.
-        // Force a launch directly.
-        Task {
-            _ = await LaunchAgentController().forceLaunch()
-            agentStatusChecker.check()
-        }
-    }
-
-}
-
-
 private enum Constants {
     static let helpURL = URL(string: "https://github.com/maxgoedjen/secretive/blob/main/FAQ.md")!
 }
 
+
+extension EnvironmentValues {
+
+    // This is injected through .environment modifier below instead of @Entry for performance reasons (basially, restrictions around init/mainactor causing delay in loading secrets/"empty screen" blip).
+    @MainActor fileprivate static let _secretStoreList: SecretStoreList = {
+        let list = SecretStoreList()
+        let cryptoKit = SecureEnclave.Store()
+        let cryptoKitMigrator = SecureEnclave.CryptoKitMigrator()
+        try? cryptoKitMigrator.migrate(to: cryptoKit)
+        list.add(store: cryptoKit)
+        list.add(store: SmartCard.Store())
+        return list
+    }()
+
+    @MainActor fileprivate static let _certificateStore: CertificateStore = CertificateStore()
+    
+    private static let _agentLaunchController = AgentLaunchController()
+    @Entry var agentLaunchController: any AgentLaunchControllerProtocol = _agentLaunchController
+
+    private static let _updater: any UpdaterProtocol = {
+        @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
+        return Updater(checkOnLaunch: hasRunSetup)
+    }()
+    @Entry var updater: any UpdaterProtocol = _updater
+
+    private static let _justUpdatedChecker = JustUpdatedChecker()
+    @Entry var justUpdatedChecker: any JustUpdatedCheckerProtocol = _justUpdatedChecker
+
+    fileprivate static let _launchService = LaunchService()
+    @Entry var launchService: LaunchService = _launchService
+
+    @MainActor var secretStoreList: SecretStoreList {
+        EnvironmentValues._secretStoreList
+    }
+
+    @MainActor var certificateStore: CertificateStore {
+        EnvironmentValues._certificateStore
+    }
+}
+
+extension FocusedValues {
+    @Entry var showCreateSecret: OpenSheet?
+}
+
+final class OpenSheet {
+
+    let closure: () -> Void
+    let isEnabled: Bool
+
+    init(isEnabled: Bool = true, closure: @escaping () -> Void) {
+        self.isEnabled = isEnabled
+        self.closure = closure
+    }
+
+    func callAsFunction() {
+        closure()
+    }
+
+}

Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Contents.json

@@ -1,68 +0,0 @@
-{
-  "images" : [
-    {
-      "filename" : "Icon-macOS-ClearDark-16x16@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "16x16"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-16x16@2x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "16x16"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-32x32@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "32x32"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-32x32@2x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "32x32"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-128x128@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "128x128"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-128x128@2x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "128x128"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-256x256@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "256x256"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-256x256@2x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "256x256"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-512x512@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "512x512"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-1024x1024@1x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "512x512"
-    }
-  ],
-  "info" : {
-    "author" : "xcode",
-    "version" : 1
-  }
-}