Fix local generation by ensuring generation happens only after local store reload (#351 )

Specify immediate delivery (#350 )
Switch key reps to an md5 based name (#349 )
2025-07-02 18:23:36 +00:00 · 2022-02-17 07:05:24 +00:00 · 2022-02-17 06:50:48 +00:00 · 2022-02-17 06:15:47 +00:00 · 2022-02-12 06:34:24 +00:00 · 2022-02-07 01:01:09 +00:00
13 changed files with 190 additions and 53 deletions
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -0,0 +1,49 @@
+name: Nightly
+
+on: 
+  schedule: 
+    - cron: "0 8 * * *"
+jobs:
+  build:
+    runs-on: macos-11.0
+    timeout-minutes: 10
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup Signing
+      env: 
+        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
+        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
+        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
+        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      run: ./.github/scripts/signing.sh
+    - name: Set Environment
+      run: sudo xcrun xcode-select -s /Applications/Xcode_13.2.1.app
+    - name: Update Build Number
+      env:
+        RUN_ID: ${{ github.run_id }}
+      run: |
+            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
+    - name: Build
+      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
+    - name: Create ZIPs
+      run: |
+            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
+            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive ./Archive.zip
+    - name: Notarize
+      env: 
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Document SHAs
+      run: |
+            shasum -a 512 Secretive.zip
+            shasum -a 512 Archive.zip
+    - name: Upload App to Artifacts
+      uses: actions/upload-artifact@v1
+      with:
+        name: Secretive.zip
+        path: Secretive.zip
--- a/APP_CONFIG.md
+++ b/APP_CONFIG.md
@ -51,6 +51,30 @@ Add this to `~/Library/LaunchAgents/com.maxgoedjen.Secretive.SecretAgent.plist`

 Log out and log in again before launching Cyberduck.

+## GitKraken
+
+Add this to `~/Library/LaunchAgents/com.maxgoedjen.Secretive.SecretAgent.plist`
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>link-ssh-auth-sock</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/bin/sh</string>
+    <string>-c</string>
+    <string>/bin/ln -sf $HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh $SSH_AUTH_SOCK</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+</dict>
+</plist>
+```
+
+Log out and log in again before launching Gitkraken. Then enable "Use local SSH agent in GitKraken Preferences (Located under Preferences -> SSH)

 # The app I use isn't listed here!

--- a/FAQ.md
+++ b/FAQ.md
@ -38,7 +38,11 @@ Awesome! Just bear in mind that because an app only has access to the keychain i

 ### What's this network request to GitHub?

-Secretive checks in with GitHub's releases API to check if there's a new version of Secretive available. You can audit the source code for this feature [here](https://github.com/maxgoedjen/secretive/blob/main/Brief/Updater.swift).
+Secretive checks in with GitHub's releases API to check if there's a new version of Secretive available. You can audit the source code for this feature [here](https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/Brief/Updater.swift).
+
+### How do I uninstall Secretive?
+
+Drag Secretive.app to the trash and remove `~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent`. `SecretAgent` may continue running until you quit it or reboot.

 ### I have a security issue

--- a/Sources/Packages/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
@ -30,20 +30,23 @@ extension Agent {
    /// - Parameters:
    ///   - reader: A ``FileHandleReader`` to read the content of the request.
    ///   - writer: A ``FileHandleWriter`` to write the response to.
-    public func handle(reader: FileHandleReader, writer: FileHandleWriter) {
+    /// - Return value: 
+    ///   - Boolean if data could be read
+    public func handle(reader: FileHandleReader, writer: FileHandleWriter) -> Bool {
        Logger().debug("Agent handling new data")
        let data = Data(reader.availableData)
-        guard data.count > 4 else { return }
+        guard data.count > 4 else { return false}
        let requestTypeInt = data[4]
        guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
            writer.write(OpenSSHKeyWriter().lengthAndData(of: SSHAgent.ResponseType.agentFailure.data))
            Logger().debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
-            return
+            return true
        }
        Logger().debug("Agent handling request of type \(requestType.debugDescription)")
        let subData = Data(data[5...])
        let response = handle(requestType: requestType, data: subData, reader: reader)
        writer.write(response)
+        return true
    }

    func handle(requestType: SSHAgent.RequestType, data: Data, reader: FileHandleReader) -> Data {
--- a/Sources/Packages/Sources/SecretAgentKit/SocketController.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SocketController.swift
@ -6,8 +6,12 @@ public class SocketController {

    /// The active FileHandle.
    private var fileHandle: FileHandle?
+    /// The active SocketPort.
+    private var port: SocketPort?
    /// A handler that will be notified when a new read/write handle is available.
-    public var handler: ((FileHandleReader, FileHandleWriter) -> Void)?
+    /// False if no data could be read
+    public var handler: ((FileHandleReader, FileHandleWriter) -> Bool)?
+

    /// Initializes a socket controller with a specified path.
    /// - Parameter path: The path to use as a socket.
@ -19,6 +23,7 @@ public class SocketController {
        let exists = FileManager.default.fileExists(atPath: path)
        assert(!exists)
        Logger().debug("Socket controller path is clear")
+        port = socketPort(at: path)
        configureSocket(at: path)
        Logger().debug("Socket listening at \(path)")
    }
@ -26,7 +31,7 @@ public class SocketController {
    /// Configures the socket and a corresponding FileHandle.
    /// - Parameter path: The path to use as a socket.
    func configureSocket(at path: String) {
-        let port = socketPort(at: path)
+        guard let port = port else { return }
        fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionAccept(notification:)), name: .NSFileHandleConnectionAccepted, object: nil)
        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionDataAvailable(notification:)), name: .NSFileHandleDataAvailable, object: nil)
@ -62,7 +67,7 @@ public class SocketController {
    @objc func handleConnectionAccept(notification: Notification) {
        Logger().debug("Socket controller accepted connection")
        guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { return }
-        handler?(new, new)
+        _ = handler?(new, new)
        new.waitForDataInBackgroundAndNotify()
        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
    }
@ -73,7 +78,12 @@ public class SocketController {
        Logger().debug("Socket controller has new data available")
        guard let new = notification.object as? FileHandle else { return }
        Logger().debug("Socket controller received new file handle")
-        handler?(new, new)
+        if((handler?(new, new)) == true) {
+            Logger().debug("Socket controller handled data, wait for more data")
+            new.waitForDataInBackgroundAndNotify()
+        } else {
+            Logger().debug("Socket controller called with empty data, socked closed")
+        }
    }

 }
--- a/Sources/Packages/Sources/SecretKit/PublicKeyStandinFileController.swift
+++ b/Sources/Packages/Sources/SecretKit/PublicKeyStandinFileController.swift
@ -0,0 +1,42 @@
+import Foundation
+import OSLog
+
+/// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
+public class PublicKeyFileStoreController {
+
+    private let logger = Logger()
+    private let directory: String
+    private let keyWriter = OpenSSHKeyWriter()
+
+    /// Initializes a PublicKeyFileStoreController.
+    public init(homeDirectory: String) {
+        directory = homeDirectory.appending("/PublicKeys")
+    }
+
+    /// Writes out the keys specified to disk.
+    /// - Parameter secrets: The Secrets to generate keys for.
+    /// - Parameter clear: Whether or not the directory should be erased before writing keys.
+    public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
+        logger.log("Writing public keys to disk")
+        if clear {
+            try? FileManager.default.removeItem(at: URL(fileURLWithPath: directory))
+        }
+        try? FileManager.default.createDirectory(at: URL(fileURLWithPath: directory), withIntermediateDirectories: false, attributes: nil)
+        for secret in secrets {
+            let path = path(for: secret)
+            guard let data = keyWriter.openSSHString(secret: secret).data(using: .utf8) else { continue }
+            FileManager.default.createFile(atPath: path, contents: data, attributes: nil)
+        }
+        logger.log("Finished writing public keys")
+    }
+
+    /// The path for a Secret's public key.
+    /// - Parameter secret: The Secret to return the path for.
+    /// - Returns: The path to the Secret's public key.
+    /// - Warning: This method returning a path does not imply that a key has been written to disk already. This method only describes where it will be written to.
+    public func path<SecretType: Secret>(for secret: SecretType) -> String {
+        let minimalHex = keyWriter.openSSHMD5Fingerprint(secret: secret).replacingOccurrences(of: ":", with: "")
+        return directory.appending("/").appending("\(minimalHex).pub")
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
@ -56,6 +56,9 @@ public protocol SecretStoreModifiable: SecretStore {

 extension NSNotification.Name {

+    // Distributed notification that keys were modified out of process (ie, that the management tool added/removed secrets)
    public static let secretStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.updated")
+    // Internal notification that keys were reloaded from the backing store.
+    public static let secretStoreReloaded = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.reloaded")

 }
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
@ -24,7 +24,7 @@ extension SecureEnclave {
        /// Initializes a Store.
        public init() {
            DistributedNotificationCenter.default().addObserver(forName: .secretStoreUpdated, object: nil, queue: .main) { _ in
-                self.reloadSecrets(notify: false)
+                self.reloadSecrets(notifyAgent: false)
            }
            loadSecrets()
        }
@ -171,12 +171,13 @@ extension SecureEnclave {
 extension SecureEnclave.Store {

    /// Reloads all secrets from the store.
-    /// - Parameter notify: A boolean indicating whether a distributed notification should be posted, notifying other processes (ie, the SecretAgent) to reload their stores as well.
-    private func reloadSecrets(notify: Bool = true) {
+    /// - Parameter notifyAgent: A boolean indicating whether a distributed notification should be posted, notifying other processes (ie, the SecretAgent) to reload their stores as well.
+    private func reloadSecrets(notifyAgent: Bool = true) {
        secrets.removeAll()
        loadSecrets()
-        if notify {
-            DistributedNotificationCenter.default().post(name: .secretStoreUpdated, object: nil)
+        NotificationCenter.default.post(name: .secretStoreReloaded, object: self)
+        if notifyAgent {
+            DistributedNotificationCenter.default().postNotificationName(.secretStoreUpdated, object: nil, deliverImmediately: true)
        }
    }

--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@ -4,8 +4,6 @@ import CryptoTokenKit
 import LocalAuthentication
 import SecretKit

-// TODO: Might need to split this up into "sub-stores?"
-// ie, each token has its own Store.
 extension SmartCard {

    /// An implementation of Store backed by a Smart Card.
--- a/Sources/SecretAgent/AppDelegate.swift
+++ b/Sources/SecretAgent/AppDelegate.swift
@ -18,6 +18,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
    }()
    private let updater = Updater(checkOnLaunch: false)
    private let notifier = Notifier()
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: NSHomeDirectory())
    private lazy var agent: Agent = {
        Agent(storeList: storeList, witness: notifier)
    }()
@ -32,6 +33,10 @@ class AppDelegate: NSObject, NSApplicationDelegate {
        DispatchQueue.main.async {
            self.socketController.handler = self.agent.handle(reader:writer:)
        }
+        NotificationCenter.default.addObserver(forName: .secretStoreReloaded, object: nil, queue: .main) { [self] _ in
+            try? publicKeyFileStoreController.generatePublicKeys(for: storeList.stores.flatMap({ $0.secrets }), clear: true)
+        }
+        try? publicKeyFileStoreController.generatePublicKeys(for: storeList.stores.flatMap({ $0.secrets }), clear: true)
        notifier.prompt()
        updateSink = updater.$update.sink { update in
            guard let update = update else { return }
@ -39,6 +44,5 @@ class AppDelegate: NSObject, NSApplicationDelegate {
        }
    }

-
 }

--- a/Sources/Secretive/Views/ContentView.swift
+++ b/Sources/Secretive/Views/ContentView.swift
@ -32,6 +32,9 @@ struct ContentView<UpdaterType: UpdaterProtocol, AgentStatusCheckerType: AgentSt
            appPathNotice
            newItem
        }
+        .sheet(isPresented: $runningSetup) {
+            SetupView(visible: $runningSetup, setupComplete: $hasRunSetup)
+        }
    }

 }
@ -65,11 +68,11 @@ extension ContentView {
                        .font(.headline)
                        .foregroundColor(.white)
                })
-                    .background(color)
-                    .cornerRadius(5)
-                    .popover(item: $selectedUpdate, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) { update in
-                        UpdateDetailView(update: update)
-                    }
+                .background(color)
+                .cornerRadius(5)
+                .popover(item: $selectedUpdate, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) { update in
+                    UpdateDetailView(update: update)
+                }
            )
        }
    }
@ -85,11 +88,11 @@ extension ContentView {
                }, label: {
                    Image(systemName: "plus")
                })
-                    .popover(isPresented: $showingCreation, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
-                        if let modifiable = storeList.modifiableStore {
-                            CreateSecretView(store: modifiable, showing: $showingCreation)
-                        }
+                .popover(isPresented: $showingCreation, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
+                    if let modifiable = storeList.modifiableStore {
+                        CreateSecretView(store: modifiable, showing: $showingCreation)
                    }
+                }

            )
        }
@ -113,15 +116,12 @@ extension ContentView {
                            .font(.headline)
                            .foregroundColor(.white)
                        })
-                            .background(Color.orange)
-                            .cornerRadius(5)
+                        .background(Color.orange)
+                        .cornerRadius(5)
                    } else {
                        EmptyView()
                    }
                }
-                    .sheet(isPresented: $runningSetup) {
-                        SetupView(visible: $runningSetup, setupComplete: $hasRunSetup)
-                    }
            )
        }
    }
@ -142,19 +142,19 @@ extension ContentView {
                    .font(.headline)
                    .foregroundColor(.white)
                })
-                    .background(Color.orange)
-                    .cornerRadius(5)
-                    .popover(isPresented: $showingAppPathNotice, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
-                        VStack {
-                            Image(systemName: "exclamationmark.triangle")
-                                .resizable()
-                                .aspectRatio(contentMode: .fit)
-                                .frame(width: 64)
-                            Text("Secretive needs to be in your Applications folder to work properly. Please move it and relaunch.")
-                                .frame(maxWidth: 300)
-                        }
-                        .padding()
+                .background(Color.orange)
+                .cornerRadius(5)
+                .popover(isPresented: $showingAppPathNotice, attachmentAnchor: .point(.bottom), arrowEdge: .bottom) {
+                    VStack {
+                        Image(systemName: "exclamationmark.triangle")
+                            .resizable()
+                            .aspectRatio(contentMode: .fit)
+                            .frame(width: 64)
+                        Text("Secretive needs to be in your Applications folder to work properly. Please move it and relaunch.")
+                            .frame(maxWidth: 300)
                    }
+                    .padding()
+                }
            )
        }
    }
--- a/Sources/Secretive/Views/SecretDetailView.swift
+++ b/Sources/Secretive/Views/SecretDetailView.swift
@ -6,6 +6,7 @@ struct SecretDetailView<SecretType: Secret>: View {
    @State var secret: SecretType

    private let keyWriter = OpenSSHKeyWriter()
+    private let publicKeyFileStoreController = PublicKeyFileStoreController(homeDirectory: NSHomeDirectory().replacingOccurrences(of: Bundle.main.hostBundleID, with: Bundle.main.agentBundleID))
    
    var body: some View {
        ScrollView {
@ -18,6 +19,9 @@ struct SecretDetailView<SecretType: Secret>: View {
                    Spacer()
                        .frame(height: 20)
                    CopyableView(title: "Public Key", image: Image(systemName: "key"), text: keyString)
+                    Spacer()
+                        .frame(height: 20)
+                    CopyableView(title: "Public Key Path", image: Image(systemName: "lock.doc"), text: publicKeyFileStoreController.path(for: secret))
                    Spacer()
                }
            }
@ -41,11 +45,6 @@ struct SecretDetailView<SecretType: Secret>: View {
        keyWriter.openSSHString(secret: secret, comment: "\(dashedKeyName)@\(dashedHostName)")
    }

-    func copy() {
-        NSPasteboard.general.declareTypes([.string], owner: nil)
-        NSPasteboard.general.setString(keyString, forType: .string)
-    }
-    
 }

 #if DEBUG
--- a/Sources/Secretive/Views/SetupView.swift
+++ b/Sources/Secretive/Views/SetupView.swift
@ -22,7 +22,7 @@ struct SetupView: View {
                        }
                        .frame(width: proxy.size.width)
                    }
-                    .offset(x: -proxy.size.width * CGFloat(stepIndex), y: 0)
+                    .offset(x: -proxy.size.width * Double(stepIndex), y: 0)
                }
            }
        }
@ -44,7 +44,7 @@ struct StepView: View {
    let currentStep: Int

    // Ideally we'd have a geometry reader inside this view doing this for us, but that crashes on 11.0b7
-    let width: CGFloat
+    let width: Double

    var body: some View {
        ZStack(alignment: .leading) {
@ -53,7 +53,7 @@ struct StepView: View {
                .frame(height: 5)
            Rectangle()
                .foregroundColor(.green)
-                .frame(width: max(0, ((width - (Constants.padding * 2)) / CGFloat(numberOfSteps - 1)) * CGFloat(currentStep) - (Constants.circleWidth / 2)), height: 5)
+                .frame(width: max(0, ((width - (Constants.padding * 2)) / Double(numberOfSteps - 1)) * Double(currentStep) - (Constants.circleWidth / 2)), height: 5)
            HStack {
                ForEach(0..<numberOfSteps) { index in
                    ZStack {
@ -92,8 +92,8 @@ extension StepView {

    enum Constants {

-        static let padding: CGFloat = 15
-        static let circleWidth: CGFloat = 30
+        static let padding: Double = 15
+        static let circleWidth: Double = 30

    }
Author	SHA1	Message	Date
Max Goedjen	067f1526b0	Fix local generation by ensuring generation happens only after local store reload (#351 )	2022-02-17 07:05:24 +00:00
Max Goedjen	f43dea0d0d	Specify immediate delivery (#350 )	2022-02-17 06:50:48 +00:00
Max Goedjen	db8833fa25	Switch key reps to an md5 based name (#349 )	2022-02-17 06:15:47 +00:00
Max Goedjen	1409e9ac31	Revert "Remove 24h unlock duration (#342 )" (#346 ) This reverts commit `19f9494492`.	2022-02-12 06:34:24 +00:00
Max Goedjen	adabe801d3	Update FAQ.md (#344 )	2022-02-07 01:01:09 +00:00
Max Goedjen	19f9494492	Remove 24h unlock duration (#342 )	2022-01-31 08:09:57 +00:00
Max Goedjen	c50d2feaf9	Add nightly build (#341 )	2022-01-31 07:58:23 +00:00
David Gunzinger	03d3cc9177	wait for new packets on the agent socket after the handler is invoked… (#267 ) * wait for new packets on the agent socket after the handler is invoked. this fixes https://github.com/maxgoedjen/secretive/issues/244 * handle closing of the socked * fix compile Co-authored-by: David Gunzinger <david.gunzinger@smoca.ch>	2022-01-31 07:53:02 +00:00
Max Goedjen	141cc03b60	Move presentation of setup view off of toolbar item, since it's not a popover anymore (#340 )	2022-01-31 07:44:09 +00:00
Andrew Glaze	07559bd7ef	Add setup instructions for GitKraken (#339 )	2022-01-27 03:19:15 +00:00
Max Goedjen	cb206a18c2	Switch (#334 )	2022-01-18 21:24:57 +00:00
Anthony Kosednar	6cb3ff80d9	Corrected FAQ link to Updater.swift source code (#326 )	2022-01-18 21:20:03 +00:00
Max Goedjen	05c5aca9b6	Project public key files for use in configs (#264 )	2022-01-02 23:25:40 -08:00
Max Goedjen	5894bbca00	Unbreak (#318 )	2022-01-03 07:13:02 +00:00