Fix local generation by ensuring generation happens only after local store reload (#351)

This reverts commit 19f9494492.

.github/workflows/nightly.yml

@@ -0,0 +1,49 @@
+name: Nightly
+
+on: 
+  schedule: 
+    - cron: "0 8 * * *"
+jobs:
+  build:
+    runs-on: macos-11.0
+    timeout-minutes: 10
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup Signing
+      env: 
+        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
+        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
+        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
+        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      run: ./.github/scripts/signing.sh
+    - name: Set Environment
+      run: sudo xcrun xcode-select -s /Applications/Xcode_13.2.1.app
+    - name: Update Build Number
+      env:
+        RUN_ID: ${{ github.run_id }}
+      run: |
+            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
+    - name: Build
+      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
+    - name: Create ZIPs
+      run: |
+            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
+            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive ./Archive.zip
+    - name: Notarize
+      env: 
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Document SHAs
+      run: |
+            shasum -a 512 Secretive.zip
+            shasum -a 512 Archive.zip
+    - name: Upload App to Artifacts
+      uses: actions/upload-artifact@v1
+      with:
+        name: Secretive.zip
+        path: Secretive.zip

APP_CONFIG.md

@@ -51,6 +51,30 @@ Add this to `~/Library/LaunchAgents/com.maxgoedjen.Secretive.SecretAgent.plist`
 
 Log out and log in again before launching Cyberduck.
 
+## GitKraken
+
+Add this to `~/Library/LaunchAgents/com.maxgoedjen.Secretive.SecretAgent.plist`
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>link-ssh-auth-sock</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/bin/sh</string>
+    <string>-c</string>
+    <string>/bin/ln -sf $HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh $SSH_AUTH_SOCK</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+</dict>
+</plist>
+```
+
+Log out and log in again before launching Gitkraken. Then enable "Use local SSH agent in GitKraken Preferences (Located under Preferences -> SSH)
 
 # The app I use isn't listed here!
 

FAQ.md

@@ -38,7 +38,11 @@ Awesome! Just bear in mind that because an app only has access to the keychain i
 
 ### What's this network request to GitHub?
 
-Secretive checks in with GitHub's releases API to check if there's a new version of Secretive available. You can audit the source code for this feature [here](https://github.com/maxgoedjen/secretive/blob/main/Brief/Updater.swift).
+Secretive checks in with GitHub's releases API to check if there's a new version of Secretive available. You can audit the source code for this feature [here](https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/Brief/Updater.swift).
+
+### How do I uninstall Secretive?
+
+Drag Secretive.app to the trash and remove `~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent`. `SecretAgent` may continue running until you quit it or reboot.
 
 ### I have a security issue
 

Sources/Packages/Sources/SecretAgentKit/Agent.swift

@@ -30,20 +30,23 @@ extension Agent {
     /// - Parameters:
     ///   - reader: A ``FileHandleReader`` to read the content of the request.
     ///   - writer: A ``FileHandleWriter`` to write the response to.
-    public func handle(reader: FileHandleReader, writer: FileHandleWriter) {
+    /// - Return value: 
+    ///   - Boolean if data could be read
+    public func handle(reader: FileHandleReader, writer: FileHandleWriter) -> Bool {
         Logger().debug("Agent handling new data")
         let data = Data(reader.availableData)
-        guard data.count > 4 else { return }
+        guard data.count > 4 else { return false}
         let requestTypeInt = data[4]
         guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
             writer.write(OpenSSHKeyWriter().lengthAndData(of: SSHAgent.ResponseType.agentFailure.data))
             Logger().debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
-            return
+            return true
         }
         Logger().debug("Agent handling request of type \(requestType.debugDescription)")
         let subData = Data(data[5...])
         let response = handle(requestType: requestType, data: subData, reader: reader)
         writer.write(response)
+        return true
     }
 
     func handle(requestType: SSHAgent.RequestType, data: Data, reader: FileHandleReader) -> Data {

Sources/Packages/Sources/SecretAgentKit/SocketController.swift

@@ -6,8 +6,12 @@ public class SocketController {
 
     /// The active FileHandle.
     private var fileHandle: FileHandle?
+    /// The active SocketPort.
+    private var port: SocketPort?
     /// A handler that will be notified when a new read/write handle is available.
-    public var handler: ((FileHandleReader, FileHandleWriter) -> Void)?
+    /// False if no data could be read
+    public var handler: ((FileHandleReader, FileHandleWriter) -> Bool)?
+
 
     /// Initializes a socket controller with a specified path.
     /// - Parameter path: The path to use as a socket.
@@ -19,6 +23,7 @@ public class SocketController {
         let exists = FileManager.default.fileExists(atPath: path)
         assert(!exists)
         Logger().debug("Socket controller path is clear")
+        port = socketPort(at: path)
         configureSocket(at: path)
         Logger().debug("Socket listening at \(path)")
     }
@@ -26,7 +31,7 @@ public class SocketController {
     /// Configures the socket and a corresponding FileHandle.
     /// - Parameter path: The path to use as a socket.
     func configureSocket(at path: String) {
-        let port = socketPort(at: path)
+        guard let port = port else { return }
         fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
         NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionAccept(notification:)), name: .NSFileHandleConnectionAccepted, object: nil)
         NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionDataAvailable(notification:)), name: .NSFileHandleDataAvailable, object: nil)
@@ -62,7 +67,7 @@ public class SocketController {
     @objc func handleConnectionAccept(notification: Notification) {
         Logger().debug("Socket controller accepted connection")
         guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { return }
-        handler?(new, new)
+        _ = handler?(new, new)
         new.waitForDataInBackgroundAndNotify()
         fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
     }
@@ -73,7 +78,12 @@ public class SocketController {
         Logger().debug("Socket controller has new data available")
         guard let new = notification.object as? FileHandle else { return }
         Logger().debug("Socket controller received new file handle")
-        handler?(new, new)
+        if((handler?(new, new)) == true) {
+            Logger().debug("Socket controller handled data, wait for more data")
+            new.waitForDataInBackgroundAndNotify()
+        } else {
+            Logger().debug("Socket controller called with empty data, socked closed")
+        }
     }
 
 }

Sources/Packages/Sources/SecretKit/PublicKeyStandinFileController.swift

@@ -0,0 +1,42 @@
+import Foundation
+import OSLog
+
+/// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
+public class PublicKeyFileStoreController {
+
+    private let logger = Logger()
+    private let directory: String
+    private let keyWriter = OpenSSHKeyWriter()
+
+    /// Initializes a PublicKeyFileStoreController.
+    public init(homeDirectory: String) {
+        directory = homeDirectory.appending("/PublicKeys")
+    }
+
+    /// Writes out the keys specified to disk.
+    /// - Parameter secrets: The Secrets to generate keys for.
+    /// - Parameter clear: Whether or not the directory should be erased before writing keys.
+    public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
+        logger.log("Writing public keys to disk")
+        if clear {
+            try? FileManager.default.removeItem(at: URL(fileURLWithPath: directory))
+        }
+        try? FileManager.default.createDirectory(at: URL(fileURLWithPath: directory), withIntermediateDirectories: false, attributes: nil)
+        for secret in secrets {
+            let path = path(for: secret)
+            guard let data = keyWriter.openSSHString(secret: secret).data(using: .utf8) else { continue }
+            FileManager.default.createFile(atPath: path, contents: data, attributes: nil)
+        }
+        logger.log("Finished writing public keys")
+    }
+
+    /// The path for a Secret's public key.
+    /// - Parameter secret: The Secret to return the path for.
+    /// - Returns: The path to the Secret's public key.
+    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
+    public func path<SecretType: Secret>(for secret: SecretType) -> String {
+        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
+        return directory.appending("/").appending("\(minimalHex).pub")
+    }
+
+}

Sources/Packages/Sources/SecretKit/Types/SecretStore.swift

@@ -56,6 +56,9 @@ public protocol SecretStoreModifiable: SecretStore {
 
 extension NSNotification.Name {
 
+    // Distributed notification that keys were modified out of process (ie, that the management tool added/removed secrets)
     public static let secretStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.updated")
+    // Internal notification that keys were reloaded from the backing store.
+    public static let secretStoreReloaded = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.reloaded")
 
 }

Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift

@@ -24,7 +24,7 @@ extension SecureEnclave {
         /// Initializes a Store.
         public init() {
             DistributedNotificationCenter.default().addObserver(forName: .secretStoreUpdated, object: nil, queue: .main) { _ in
-                self.reloadSecrets(notify: false)
+                self.reloadSecrets(notifyAgent: false)
             }
             loadSecrets()
         }
@@ -171,12 +171,13 @@ extension SecureEnclave {
 extension SecureEnclave.Store {
 
     /// Reloads all secrets from the store.
-    /// - Parameter notify: A boolean indicating whether a distributed notification should be posted, notifying other processes (ie, the SecretAgent) to reload their stores as well.
+    /// - Parameter notifyAgent: A boolean indicating whether a distributed notification should be posted, notifying other processes (ie, the SecretAgent) to reload their stores as well.
-    private func reloadSecrets(notify: Bool = true) {
+    private func reloadSecrets(notifyAgent: Bool = true) {
         secrets.removeAll()
         loadSecrets()
-        if notify {
+        NotificationCenter.default.post(name: .secretStoreReloaded, object: self)
-            DistributedNotificationCenter.default().post(name: .secretStoreUpdated, object: nil)
+        if notifyAgent {
+            DistributedNotificationCenter.default().postNotificationName(.secretStoreUpdated, object: nil, deliverImmediately: true)
         }
     }
 

Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift

@@ -4,8 +4,6 @@ import CryptoTokenKit
 import LocalAuthentication
 import SecretKit
 
-// TODO: Might need to split this up into "sub-stores?"
-// ie, each token has its own Store.
 extension SmartCard {
 
     /// An implementation of Store backed by a Smart Card.

Sources/SecretAgent/AppDelegate.swift

@@ -18,6 +18,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
     }()
     private let updater = Updater(checkOnLaunch: false)
     private let notifier = Notifier()
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: NSHomeDirectory())
     private lazy var agent: Agent = {
         Agent(storeList: storeList, witness: notifier)
     }()
@@ -32,6 +33,10 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         DispatchQueue.main.async {
             self.socketController.handler = self.agent.handle(reader:writer:)
         }
+        NotificationCenter.default.addObserver(forName: .secretStoreReloaded, object: nil, queue: .main) { [self] _ in
+            try? publicKeyFileStoreController.generatePublicKeys(for: storeList.stores.flatMap({ $0.secrets }), clear: true)
+        }
+        try? publicKeyFileStoreController.generatePublicKeys(for: storeList.stores.flatMap({ $0.secrets }), clear: true)
         notifier.prompt()
         updateSink = updater.$update.sink { update in
             guard let update = update else { return }
@@ -39,6 +44,5 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         }
     }
 
-
 }
 

Sources/Secretive/Views/ContentView.swift

@@ -32,6 +32,9 @@ struct ContentView<UpdaterType: UpdaterProtocol, AgentStatusCheckerType: AgentSt
             appPathNotice
             newItem
         }
+        .sheet(isPresented: $runningSetup) {
+            SetupView(visible: $runningSetup, setupComplete: $hasRunSetup)
+        }
     }
 
 }
@@ -65,11 +68,11 @@ extension ContentView {
                         .font(.headline)
                         .foregroundColor(.white)
                 })
-                    .background(color)
+                .background(color)
-                    .cornerRadius(5)
+                .cornerRadius(5)
-                    .popover(item: $selectedUpdate, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) { update in
+                .popover(item: $selectedUpdate, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) { update in
-                        UpdateDetailView(update: update)
+                    UpdateDetailView(update: update)
-                    }
+                }
             )
         }
     }
@@ -85,11 +88,11 @@ extension ContentView {
                 }, label: {
                     Image(systemName: "plus")
                 })
-                    .popover(isPresented: $showingCreation, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
+                .popover(isPresented: $showingCreation, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
-                        if let modifiable = storeList.modifiableStore {
+                    if let modifiable = storeList.modifiableStore {
-                            CreateSecretView(store: modifiable, showing: $showingCreation)
+                        CreateSecretView(store: modifiable, showing: $showingCreation)
-                        }
                     }
+                }
 
             )
         }
@@ -113,15 +116,12 @@ extension ContentView {
                             .font(.headline)
                             .foregroundColor(.white)
                         })
-                            .background(Color.orange)
+                        .background(Color.orange)
-                            .cornerRadius(5)
+                        .cornerRadius(5)
                     } else {
                         EmptyView()
                     }
                 }
-                    .sheet(isPresented: $runningSetup) {
-                        SetupView(visible: $runningSetup, setupComplete: $hasRunSetup)
-                    }
             )
         }
     }
@@ -142,19 +142,19 @@ extension ContentView {
                     .font(.headline)
                     .foregroundColor(.white)
                 })
-                    .background(Color.orange)
+                .background(Color.orange)
-                    .cornerRadius(5)
+                .cornerRadius(5)
-                    .popover(isPresented: $showingAppPathNotice, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
+                .popover(isPresented: $showingAppPathNotice, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
-                        VStack {
+                    VStack {
-                            Image(systemName: "exclamationmark.triangle")
+                        Image(systemName: "exclamationmark.triangle")
-                                .resizable()
+                            .resizable()
-                                .aspectRatio(contentMode: .fit)
+                            .aspectRatio(contentMode: .fit)
-                                .frame(width: 64)
+                            .frame(width: 64)
-                            Text("Secretive needs to be in your Applications folder to work properly. Please move it and relaunch.")
+                        Text("Secretive needs to be in your Applications folder to work properly. Please move it and relaunch.")
-                                .frame(maxWidth: 300)
+                            .frame(maxWidth: 300)
-                        }
-                        .padding()
                     }
+                    .padding()
+                }
             )
         }
     }

Sources/Secretive/Views/SecretDetailView.swift

@@ -6,6 +6,7 @@ struct SecretDetailView<SecretType: Secret>: View {
     @State var secret: SecretType
 
     private let keyWriter = OpenSSHKeyWriter()
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: NSHomeDirectory().replacingOccurrences(of: Bundle.main.hostBundleID, with: Bundle.main.agentBundleID))
     
     var body: some View {
         ScrollView {
@@ -18,6 +19,9 @@ struct SecretDetailView<SecretType: Secret>: View {
                     Spacer()
                         .frame(height: 20)
                     CopyableView(title: "Public Key", image: Image(systemName: "key"), text: keyString)
+                    Spacer()
+                        .frame(height: 20)
+                    CopyableView(title: "Public Key Path", image: Image(systemName: "lock.doc"), text: publicKeyFileStoreController.path(for: secret))
                     Spacer()
                 }
             }
@@ -41,11 +45,6 @@ struct SecretDetailView<SecretType: Secret>: View {
         keyWriter.openSSHString(secret: secret, comment: "\(dashedKeyName)@\(dashedHostName)")
     }
 
-    func copy() {
-        NSPasteboard.general.declareTypes([.string], owner: nil)
-        NSPasteboard.general.setString(keyString, forType: .string)
-    }
-    
 }
 
 #if DEBUG

Sources/Secretive/Views/SetupView.swift

@@ -22,7 +22,7 @@ struct SetupView: View {
                         }
                         .frame(width: proxy.size.width)
                     }
-                    .offset(x: -proxy.size.width * CGFloat(stepIndex), y: 0)
+                    .offset(x: -proxy.size.width * Double(stepIndex), y: 0)
                 }
             }
         }
@@ -44,7 +44,7 @@ struct StepView: View {
     let currentStep: Int
 
     // Ideally we'd have a geometry reader inside this view doing this for us, but that crashes on 11.0b7
-    let width: CGFloat
+    let width: Double
 
     var body: some View {
         ZStack(alignment: .leading) {
@@ -53,7 +53,7 @@ struct StepView: View {
                 .frame(height: 5)
             Rectangle()
                 .foregroundColor(.green)
-                .frame(width: max(0, ((width - (Constants.padding * 2)) / CGFloat(numberOfSteps - 1)) * CGFloat(currentStep) - (Constants.circleWidth / 2)), height: 5)
+                .frame(width: max(0, ((width - (Constants.padding * 2)) / Double(numberOfSteps - 1)) * Double(currentStep) - (Constants.circleWidth / 2)), height: 5)
             HStack {
                 ForEach(0..<numberOfSteps) { index in
                     ZStack {
@@ -92,8 +92,8 @@ extension StepView {
 
     enum Constants {
 
-        static let padding: CGFloat = 15
+        static let padding: Double = 15
-        static let circleWidth: CGFloat = 30
+        static let circleWidth: Double = 30
 
     }