Turn on enhanced security

Toolbar tweaks
Fix shadowed type
2025-07-01 09:43:37 +00:00 · 2025-06-14 16:43:13 -07:00 · 2025-06-14 16:42:12 -07:00 · 2025-06-14 15:24:59 -07:00 · 2025-06-14 15:24:10 -07:00 · 2024-08-26 15:11:28 -07:00
10 changed files with 114 additions and 44 deletions
--- a/Sources/Packages/Package.swift
+++ b/Sources/Packages/Package.swift
@ -34,7 +34,7 @@ let package = Package(
        .target(
            name: "SecretKit",
            dependencies: [],
-            swiftSettings: [.enableExperimentalFeature("StrictConcurrency"), .unsafeFlags(["-warnings-as-errors"])]
+            swiftSettings: [.unsafeFlags(["-warnings-as-errors"])]
        ),
        .testTarget(
            name: "SecretKitTests",
--- a/Sources/Packages/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
@ -35,7 +35,7 @@ extension Agent {
    ///   - writer: A ``FileHandleWriter`` to write the response to.
    /// - Return value: 
    ///   - Boolean if data could be read
-    @discardableResult @Sendable public func handle(reader: FileHandleReader, writer: FileHandleWriter) async -> Bool {
+    @discardableResult public func handle(reader: FileHandleReader, writer: FileHandleWriter) async -> Bool {
        logger.debug("Agent handling new data")
        let data = Data(reader.availableData)
        guard data.count > 4 else { return false}
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
@ -211,7 +211,7 @@ extension SecureEnclave.Store {

    /// Reloads all secrets from the store.
    /// - Parameter notifyAgent: A boolean indicating whether a distributed notification should be posted, notifying other processes (ie, the SecretAgent) to reload their stores as well.
-    @Sendable private func reloadSecretsInternal(notifyAgent: Bool = true) {
+    private func reloadSecretsInternal(notifyAgent: Bool = true) {
        let before = secrets
        secrets.removeAll()
        loadSecrets()
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@ -117,7 +117,7 @@ extension SmartCard {

 extension SmartCard.Store {

-    @Sendable private func reloadSecretsInternal() {
+    private func reloadSecretsInternal() {
        self.isAvailable = self.tokenID != nil
        let before = self.secrets
        self.secrets.removeAll()
--- a/Sources/SecretAgent/SecretAgent.entitlements
+++ b/Sources/SecretAgent/SecretAgent.entitlements
@ -4,6 +4,16 @@
 <dict>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
+	<key>com.apple.security.hardened-process</key>
+	<true/>
+	<key>com.apple.security.hardened-process.dyld-ro</key>
+	<true/>
+	<key>com.apple.security.hardened-process.enhanced-security-version</key>
+	<integer>1</integer>
+	<key>com.apple.security.hardened-process.hardened-heap</key>
+	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions</key>
+	<integer>2</integer>
 	<key>com.apple.security.network.client</key>
 	<true/>
 	<key>com.apple.security.smartcard</key>
--- a/Sources/Secretive.xcodeproj/project.pbxproj
+++ b/Sources/Secretive.xcodeproj/project.pbxproj
@ -3,7 +3,7 @@
 	archiveVersion = 1;
 	classes = {
 	};
-	objectVersion = 54;
+	objectVersion = 60;
 	objects = {

 /* Begin PBXBuildFile section */
@ -438,6 +438,9 @@
 				ca,
 			);
 			mainGroup = 50617D7623FCE48D0099B055;
+			packageReferences = (
+				5068431C2DFE2DE000920856 /* XCLocalSwiftPackageReference "Packages" */,
+			);
 			productRefGroup = 50617D8023FCE48E0099B055 /* Products */;
 			projectDirPath = "";
 			projectRoot = "";
@ -594,6 +597,8 @@
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COPY_PHASE_STRIP = NO;
 				DEBUG_INFORMATION_FORMAT = dwarf;
+				ENABLE_ENHANCED_SECURITY = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_TESTABILITY = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
@ -621,7 +626,6 @@
 				SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG;
 				SWIFT_EMIT_LOC_STRINGS = YES;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
-				SWIFT_STRICT_CONCURRENCY = targeted;
 			};
 			name = Debug;
 		};
@ -661,7 +665,9 @@
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COPY_PHASE_STRIP = NO;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_NS_ASSERTIONS = NO;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				GCC_NO_COMMON_BLOCKS = YES;
@ -681,7 +687,6 @@
 				SWIFT_COMPILATION_MODE = wholemodule;
 				SWIFT_EMIT_LOC_STRINGS = YES;
 				SWIFT_OPTIMIZATION_LEVEL = "-O";
-				SWIFT_STRICT_CONCURRENCY = targeted;
 			};
 			name = Release;
 		};
@ -697,19 +702,20 @@
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
 				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				INFOPLIST_FILE = Secretive/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 12.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.0;
 				MARKETING_VERSION = 1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
-				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Debug;
@ -726,19 +732,20 @@
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
 				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				INFOPLIST_FILE = Secretive/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 12.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.0;
 				MARKETING_VERSION = 1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "Secretive - Host";
-				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Release;
@ -821,6 +828,8 @@
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COPY_PHASE_STRIP = NO;
 				DEBUG_INFORMATION_FORMAT = dwarf;
+				ENABLE_ENHANCED_SECURITY = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_TESTABILITY = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
@ -848,7 +857,6 @@
 				SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG;
 				SWIFT_EMIT_LOC_STRINGS = YES;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
-				SWIFT_STRICT_CONCURRENCY = targeted;
 			};
 			name = Test;
 		};
@ -857,22 +865,24 @@
 			buildSettings = {
 				ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES = YES;
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
+				CODE_SIGN_ENTITLEMENTS = Secretive/Secretive.entitlements;
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = NO;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				INFOPLIST_FILE = Secretive/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 12.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.0;
 				MARKETING_VERSION = 1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Test;
@ -903,21 +913,23 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
+				CODE_SIGN_ENTITLEMENTS = SecretAgent/SecretAgent.entitlements;
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				INFOPLIST_FILE = SecretAgent/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 12.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.0;
 				MARKETING_VERSION = 1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Test;
@ -931,18 +943,19 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
 				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				INFOPLIST_FILE = SecretAgent/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 12.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.0;
 				MARKETING_VERSION = 1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Debug;
@ -957,19 +970,20 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
 				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				INFOPLIST_FILE = SecretAgent/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 12.0;
+				MACOSX_DEPLOYMENT_TARGET = 13.0;
 				MARKETING_VERSION = 1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "Secretive - Secret Agent";
-				SWIFT_STRICT_CONCURRENCY = complete;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Release;
@ -1019,6 +1033,13 @@
 		};
 /* End XCConfigurationList section */

+/* Begin XCLocalSwiftPackageReference section */
+		5068431C2DFE2DE000920856 /* XCLocalSwiftPackageReference "Packages" */ = {
+			isa = XCLocalSwiftPackageReference;
+			relativePath = Packages;
+		};
+/* End XCLocalSwiftPackageReference section */
+
 /* Begin XCSwiftPackageProductDependency section */
 		5003EF3A278005E800DF2006 /* SecretKit */ = {
 			isa = XCSwiftPackageProductDependency;
--- a/Sources/Secretive/Secretive.entitlements
+++ b/Sources/Secretive/Secretive.entitlements
@ -6,6 +6,16 @@
 	<true/>
 	<key>com.apple.security.files.user-selected.read-write</key>
 	<true/>
+	<key>com.apple.security.hardened-process</key>
+	<true/>
+	<key>com.apple.security.hardened-process.dyld-ro</key>
+	<true/>
+	<key>com.apple.security.hardened-process.enhanced-security-version</key>
+	<integer>1</integer>
+	<key>com.apple.security.hardened-process.hardened-heap</key>
+	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions</key>
+	<integer>2</integer>
 	<key>com.apple.security.network.client</key>
 	<true/>
 	<key>com.apple.security.smartcard</key>
--- a/Sources/Secretive/Views/ContentView.swift
+++ b/Sources/Secretive/Views/ContentView.swift
@ -30,11 +30,13 @@ struct ContentView<UpdaterType: UpdaterProtocol, AgentStatusCheckerType: AgentSt
        }
        .frame(minWidth: 640, minHeight: 320)
        .toolbar {
+            if #available(macOS 26.0, *) {
                toolbarItem(updateNoticeView, id: "update")
                toolbarItem(runningOrRunSetupView, id: "setup")
                toolbarItem(appPathNoticeView, id: "appPath")
                toolbarItem(newItemView, id: "new")
            }
+        }
        .sheet(isPresented: $runningSetup) {
            SetupView(visible: $runningSetup, setupComplete: $hasRunSetup)
        }
@ -44,9 +46,14 @@ struct ContentView<UpdaterType: UpdaterProtocol, AgentStatusCheckerType: AgentSt

 extension ContentView {

-
-    func toolbarItem(_ view: some View, id: String) -> ToolbarItem<String, some View> {
+    @ToolbarContentBuilder
+    func toolbarItem(_ view: some View, id: String) -> some ToolbarContent {
+        if #available(macOS 26.0, *) {
            ToolbarItem(id: id) { view }
+                .sharedBackgroundVisibility(.hidden)
+        } else {
+            ToolbarItem(id: id) { view }
+        }
    }

    var needsSetup: Bool {
--- a/Sources/Secretive/Views/CreateSecretView.swift
+++ b/Sources/Secretive/Views/CreateSecretView.swift
@ -93,14 +93,14 @@ struct ThumbnailPickerView<ValueType: Hashable>: View {

 extension ThumbnailPickerView {

-    struct Item<ValueType: Hashable>: Identifiable {
+    struct Item<InnerValueType: Hashable>: Identifiable {
        let id = UUID()
-        let value: ValueType
+        let value: InnerValueType
        let name: LocalizedStringKey
        let description: LocalizedStringKey
        let thumbnail: AnyView

-        init<ViewType: View>(value: ValueType, name: LocalizedStringKey, description: LocalizedStringKey, thumbnail: ViewType) {
+        init<ViewType: View>(value: InnerValueType, name: LocalizedStringKey, description: LocalizedStringKey, thumbnail: ViewType) {
            self.value = value
            self.name = name
            self.description = description
--- a/Sources/Secretive/Views/ToolbarButtonStyle.swift
+++ b/Sources/Secretive/Views/ToolbarButtonStyle.swift
@ -17,9 +17,30 @@ struct ToolbarButtonStyle: ButtonStyle {
        self.darkColor = darkColor
    }
    
+    private var backingColor: Color {
+        if !hovering {
+            colorScheme == .light ? lightColor : darkColor
+        } else {
+            colorScheme == .light ? .black.opacity(0.1) : .white.opacity(0.05)
+        }
+    }
+    @Namespace var namespace
+
    func makeBody(configuration: Configuration) -> some View {
-        configuration.label
+        if #available(macOS 26.0, *) {
+            configuration
+                .label
+                .foregroundColor(.white)
                .padding(EdgeInsets(top: 6, leading: 8, bottom: 6, trailing: 8))
+                .glassEffect(.regular.tint(backingColor), in: .capsule, isEnabled: true)
+                .onHover { hovering in
+                    withAnimation {
+                        self.hovering = hovering
+                    }
+                }
+        } else {
+            configuration
+                .label
                .background(colorScheme == .light ? lightColor : darkColor)
                .foregroundColor(.white)
                .clipShape(RoundedRectangle(cornerRadius: 5))
@ -34,4 +55,5 @@ struct ToolbarButtonStyle: ButtonStyle {
                    }
                }
        }
+    }
 }
Author	SHA1	Message	Date
Max Goedjen	076c6dad26	Turn on enhanced security	2025-06-14 16:43:13 -07:00
Max Goedjen	697fdfafe4	Toolbar tweaks	2025-06-14 16:42:12 -07:00
Max Goedjen	d68c5a162c	Fix shadowed type	2025-06-14 15:24:59 -07:00
Max Goedjen	6ca09f901f	Add packages as explicit dependency.	2025-06-14 15:24:10 -07:00
Max Goedjen	ad56019901	Update CI + Concurrency Warnings (#564 ) * Update test.yml * Update nightly.yml * Update release.yml * Tweak concurrency settings * Remove bad annotations	2024-08-26 15:11:28 -07:00