Secrets disappeared and can't create new ones

[sminnee]

I started Secretive today, and:

• My secrets are gone
• I can't create a new one

It seems like both issues are caused by the same issue: Secretive can't access the Security Server.

Secretive/CreateSecretView.swift:54: Fatal error: 'try!' expression unexpectedly raised an error: Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed:  / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=failed to generate asymmetric keypair}

OS: macOS Monterey 12.1 Hardware: M1 Air

Crash report below, I don't believe I've left any PII in this...

-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Process:               Secretive [6377]
Path:                  /Applications/Secretive.app/Contents/MacOS/Secretive
Identifier:            com.maxgoedjen.Secretive.Host
Version:               2.2.0 (1.1857237470)
Code Type:             ARM-64 (Native)
Parent Process:        launchd [1]
User ID:               501

Date/Time:             2022-04-19 10:34:13.4327 +1200
OS Version:            macOS 12.1 (21C52)
Report Version:        12
Anonymous UUID:        <redacted>

Sleep/Wake UUID:       <redacted>

Time Awake Since Boot: 5400 seconds
Time Since Wake:       5340 seconds

System Integrity Protection: enabled

Notes:
thread_get_state(PAGEIN) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(EXCEPTION) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(FLAVOR) returned 0x10000003: (ipc/send) invalid destination port

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BREAKPOINT (SIGTRAP)
Exception Codes:       0x0000000000000001, 0x0000000198f74818
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace SIGNAL, Code 5 Trace/BPT trap: 5
Terminating Process:   exc handler [6377]

Application Specific Information:
Performing @selector(didPressButton:) from sender <redacted>SwiftUIAppKitButton <redacted>
Secretive/CreateSecretView.swift:54: Fatal error: 'try!' expression unexpectedly raised an error: Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed:  / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=failed to generate asymmetric keypair}

Error Formulating Crash Report:
thread_get_state(PAGEIN) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(EXCEPTION) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(FLAVOR) returned 0x10000003: (ipc/send) invalid destination port

Kernel Triage:
VM - pmap_enter failed with resource shortage
VM - pmap_enter failed with resource shortage
VM - pmap_enter failed with resource shortage
VM - pmap_enter failed with resource shortage
VM - pmap_enter failed with resource shortage

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libswiftCore.dylib                     0x198f74818 _assertionFailure(_:_:file:line:flags:) + 308
1   libswiftCore.dylib                     0x198f74818 _assertionFailure(_:_:file:line:flags:) + 308
2   libswiftCore.dylib                     0x198fdbb1c swift_unexpectedError + 564
3   Secretive                              0x1049ed84c CreateSecretView.save() + 320
4   Secretive                              0x1049edaf4 partial apply for implicit closure #2 in implicit closure #1 in closure #2 in closure #1 in CreateSecretView.body.getter + 32
5   SwiftUI                                0x1b0fbbcd4 implicit closure #2 in implicit closure #1 in AppKitButtonStyle.Content.body(environment:) + 28
6   SwiftUI                                0x1b0fc0f38 SwiftUIAppKitButton.didPressButton(_:) + 56
7   SwiftUI                                0x1b0fc0f9c @objc SwiftUIAppKitButton.didPressButton(_:) + 56
8   AppKit                                 0x18ed350c0 -[NSApplication(NSResponder) sendAction:to:from:] + 456
9   AppKit                                 0x18ed34ec0 -[NSControl sendAction:to:] + 96
10  AppKit                                 0x18ed34dc8 __26-[NSCell _sendActionFrom:]_block_invoke + 152
11  AppKit                                 0x18ed34cbc -[NSCell _sendActionFrom:] + 196
12  AppKit                                 0x18ed34be8 -[NSButtonCell _sendActionFrom:] + 104
13  AppKit                                 0x18ed31a28 NSControlTrackMouse + 1720
14  AppKit                                 0x18ed31344 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 160
15  AppKit                                 0x18ed311b8 -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 740
16  AppKit                                 0x18ed30420 -[NSControl mouseDown:] + 636
17  AppKit                                 0x18ed2e874 -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4524
18  AppKit                                 0x18eca1ce4 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 2444
19  AppKit                                 0x18eca10ec -[NSWindow(NSEventRouting) sendEvent:] + 348
20  AppKit                                 0x18eca0050 -[NSApplication(NSEvent) sendEvent:] + 2776
21  AppKit                                 0x18ef5859c -[NSApplication _handleEvent:] + 76
22  AppKit                                 0x18eb215cc -[NSApplication run] + 636
23  AppKit                                 0x18eaf2c78 NSApplicationMain + 1064
24  SwiftUI                                0x1b0a01c9c specialized runApp(_:) + 148
25  SwiftUI                                0x1b152ba54 runApp<A>(_:) + 260
26  SwiftUI                                0x1b0fbb66c static App.main() + 128
27  Secretive                              0x1049d5a5c main + 160
28  dyld                                   0x104dd90f4 start + 520

Thread 1::  Dispatch queue: la_client
0   libsystem_kernel.dylib                 0x18bed75d8 __getdirentries64 + 8
1   libsystem_c.dylib                      0x18be27728 _readdir_unlocked + 208
2   libsystem_c.dylib                      0x18be2781c readdir + 44
3   CoreFoundation                         0x18bf71044 _CFIterateDirectory + 148
4   CoreFoundation                         0x18bf707ec _CFBundleGetBundleVersionForURL + 416
5   CoreFoundation                         0x18c07fd24 _CFBundleCreate + 508
6   Foundation                             0x18ce537d8 -[NSBundle _cfBundle] + 76
7   Foundation                             0x18ce79610 -[NSBundle localizedStringForKey:value:table:] + 44
8   SharedUtils                            0x19e8259e8 +[LAErrorHelper localizedStringForError:] + 1212
9   SharedUtils                            0x19e821b90 +[LAErrorHelper errorWithCode:message:moreInfo:] + 136
10  LocalAuthentication                    0x19e8097fc -[LAClient _serializedInvalidateWithMessage:] + 108
11  LocalAuthentication                    0x19e809770 __34-[LAClient invalidateWithMessage:]_block_invoke + 48
12  libdispatch.dylib                      0x18bd50e60 _dispatch_call_block_and_release + 32
13  libdispatch.dylib                      0x18bd52bac _dispatch_client_callout + 20
14  libdispatch.dylib                      0x18bd5a330 _dispatch_lane_serial_drain + 672
15  libdispatch.dylib                      0x18bd5aed8 _dispatch_lane_invoke + 444
16  libdispatch.dylib                      0x18bd65708 _dispatch_workloop_worker_thread + 656
17  libsystem_pthread.dylib                0x18bf0d304 _pthread_wqthread + 288
18  libsystem_pthread.dylib                0x18bf0c018 start_wqthread + 8

Thread 2:
0   libsystem_pthread.dylib                0x18bf0c010 start_wqthread + 0

Thread 3:
0   libsystem_pthread.dylib                0x18bf0c010 start_wqthread + 0

Thread 4:
0   libsystem_pthread.dylib                0x18bf0c010 start_wqthread + 0

Thread 5:: com.apple.NSEventThread
0   libsystem_kernel.dylib                 0x18bed5954 mach_msg_trap + 8
1   libsystem_kernel.dylib                 0x18bed5d00 mach_msg + 76
2   CoreFoundation                         0x18bfdced8 __CFRunLoopServiceMachPort + 372
3   CoreFoundation                         0x18bfdb390 __CFRunLoopRun + 1212
4   CoreFoundation                         0x18bfda734 CFRunLoopRunSpecific + 600
5   AppKit                                 0x18ec9dc90 _NSEventThread + 196
6   libsystem_pthread.dylib                0x18bf11240 _pthread_start + 148
7   libsystem_pthread.dylib                0x18bf0c024 thread_start + 8

Thread 6:
0   libsystem_pthread.dylib                0x18bf0c010 start_wqthread + 0

No thread state (register information) available

Binary Images:
       0x198f3a000 -        0x19938cfff libswiftCore.dylib (*) <6923cdbf-7ae0-3339-9767-eccef4909653> /usr/lib/swift/libswiftCore.dylib
       0x1049d0000 -        0x104a2ffff com.maxgoedjen.Secretive.Host (2.2.0) <141c43cb-5925-33f0-89be-bf208399e9d7> /Applications/Secretive.app/Contents/MacOS/Secretive
       0x1b096f000 -        0x1b1956fff com.apple.SwiftUI (3.2.5) <12a9ab77-4f51-355a-b663-11234d47f911> /System/Library/Frameworks/SwiftUI.framework/Versions/A/SwiftUI
       0x18eaef000 -        0x18f9a2fff com.apple.AppKit (6.9) <a8bbc643-113d-310f-96b6-77a973bf2dba> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
       0x104dd4000 -        0x104e33fff dyld (*) <7e92b284-4b90-3b68-b31a-3ddc4c0e8d40> /usr/lib/dyld
       0x18bed4000 -        0x18bf09fff libsystem_kernel.dylib (*) <c8b3081a-5081-3a99-bbe3-01413de444c6> /usr/lib/system/libsystem_kernel.dylib
       0x18bdd5000 -        0x18be55fff libsystem_c.dylib (*) <00fc01c7-36bc-3193-86a3-5c03046b45fb> /usr/lib/system/libsystem_c.dylib
       0x18bf58000 -        0x18c49bfff com.apple.CoreFoundation (6.9) <f5ea9592-4ef9-3d35-b23d-5c21283acc52> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
       0x18ce4c000 -        0x18d239fff com.apple.Foundation (6.9) <cd7cdf11-986e-3754-8011-e628c3be8380> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
       0x19e81e000 -        0x19e856fff com.apple.CoreAuthentication.SharedUtils (1.0) <0d91fc7d-d25f-34f3-9e55-2548fa622f28> /System/Library/Frameworks/LocalAuthentication.framework/Support/SharedUtils.framework/Versions/A/SharedUtils
       0x19e804000 -        0x19e81dfff com.apple.LocalAuthentication (1.0) <1b0b50fa-53c9-3027-a59f-9f9255cfc064> /System/Library/Frameworks/LocalAuthentication.framework/Versions/A/LocalAuthentication
       0x18bd4f000 -        0x18bd95fff libdispatch.dylib (*) <3a9e9a1e-72b6-3f66-aa17-d955384c1a39> /usr/lib/system/libdispatch.dylib
       0x18bf0a000 -        0x18bf16fff libsystem_pthread.dylib (*) <ed328b18-eeef-3b15-8858-798b19b0c2cd> /usr/lib/system/libsystem_pthread.dylib

External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0

VM Region Summary:
ReadOnly portion of Libraries: Total=1.0G resident=0K(0%) swapped_out_or_unallocated=1.0G(100%)
Writable regions: Total=1.6G written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=1.6G(100%)

                                VIRTUAL   REGION 
REGION TYPE                        SIZE    COUNT (non-coalesced) 
===========                     =======  ======= 
Accelerate framework               768K        6 
Activity Tracing                   256K        1 
CG backing stores                 3520K        8 
CG image                           960K       10 
ColorSync                          592K       28 
CoreAnimation                      832K       33 
CoreGraphics                        48K        3 
CoreUI image data                  928K       12 
Foundation                          48K        2 
Kernel Alloc Once                   32K        1 
MALLOC                           282.7M       64 
MALLOC guard page                  288K       15 
MALLOC_MEDIUM (reserved)         960.0M        8         reserved VM address space (unallocated)
MALLOC_NANO (reserved)           384.0M        1         reserved VM address space (unallocated)
SQLite page cache                  192K        3 
STACK GUARD                       56.1M        7 
Stack                             11.2M        7 
VM_ALLOCATE                        1.0G       19 
__AUTH                            2425K      268 
__AUTH_CONST                      18.1M      448 
__DATA                            11.7M      433 
__DATA_CONST                      15.4M      453 
__DATA_DIRTY                      1545K      172 
__FONT_DATA                          4K        1 
__LINKEDIT                       576.9M        4 
__OBJC_CONST                      2617K      218 
__OBJC_RO                         82.0M        1 
__OBJC_RW                         3104K        1 
__TEXT                           431.4M      470 
__UNICODE                          588K        1 
dyld private memory               1024K        1 
libnetwork                         128K        8 
mapped file                      180.9M       36 
shared memory                      960K       17 
===========                     =======  ======= 
TOTAL                              4.0G     2760 
TOTAL, minus reserved VM space     2.6G     2760 

[maxgoedjen]

Yikes, that's not good - first time I'm seeing this one. Guessing you've got a bunch of other macOS issues going on right now too? Assuming you've already tried rebooting?

[maxgoedjen]

Also: any changes recently in security settings? Adding/removing fingers to Touch ID, changing password etc?

[maxgoedjen]

@sminnee 👋 hey just checking in on this one, still happening?

[andrea-sdl]

@maxgoedjen same error is happened to me today. Rebooting fixed it but it's not very good when it happens :D

FYI I didn't change anything related to touchid/password. I remember allowing a new app into the accessibility settings but I've done it frequently in the past without this error happening.

[sminnee]

Heya I got this working again after some combination of reboots and OS upgrades.

[maxgoedjen]

Glad to hear that. When you peeps were seeing that state, was it just empty? Or was it telling your Mac had no Secure Enclave?

[maxgoedjen]

Anyone who sees in future: would love a screenshot 🙏

[andrea-sdl]

Glad to hear that. When you peeps were seeing that state, was it just empty? Or was it telling your Mac had no Secure Enclave?

It was an empty list. I opened secretive and there were no elements in it.

Will post a screenshot if it happens again. Is there anything else I might do to give you more information?

[andrea-sdl]

Here it is ;) Using Secretive Version 2.2.0 (1.1857237470)

I only have one secret in secretive and it doesn't appear here

[maxgoedjen]

@andrea-sdl thanks for the screenshot, that's very helpful (and very weird). I was expecting the Mac to just report that it didn't have a SEP to be perfectly honest.

[sdemjanenko]

I've been running into this issue off and on since installing the Rippling MDM agent and changing my Mac password. Today it came to a head. I think I found the resolution which is the "Local items" keychain was locked (presumably with my old password) and I wasn't able to put it in an unlocked state. For some reason, in the leadup to this, an adobe CC background process would prompt me for access to that chain and somehow that would unlock it, letting Secretive work.

I think it came to a head today because something in adobe updated and I was no longer getting those prompts to unlock that keychain and I had no way to get the prompts to show, and therefore I was locked out.

I had to delete the LocalItems keychain and restart. That then seems to have fixed the issue (i'll confirm in a few days if it stays fixed). On the downside, I lost what was in there.

This is a screenshot after fixing. Previously, the "login" chain was unlocked, but the "Local Items" chain was locked which is weird and suggests the "Local Items" chain isn't using the login password to the mac.

[fsouza]

@maxgoedjen hi there, thanks for building Secretive. I started running into this issue today. Rebooting seems to help, but let me know if there's any information you'd like me to collect the next time it happens :)

[fsouza]

Ok, upon further investigation, it seems that the issue is triggered by trying to use the key with the laptop locked?

Here's some information about the system:

％ uname -a
Darwin ... 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:51 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T6030 arm64 arm Darwin

Reproducing steps:

1. Confirm that everything is working:

％ ssh -l git -T github.com
Hi fsouza! You've successfully authenticated, but GitHub does not provide shell access.

2. "Schedule" the ssh command and lock the computer before it starts:

％ sleep 30 && ssh -l git -T github.com

3. Unlock the computer, confirm that ssh -T failed as expected.

％ sleep 30 && ssh -l git -T github.com
sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: agent refused operation
git@github.com: Permission denied (publickey).

Again, this failure is expected as the Secure Enclave is not available while the computer is locked, but now that the computer is unlocked, ssh -T still doesn't work:

％ ssh -l git -T github.com
sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: agent refused operation
git@github.com: Permission denied (publickey).

Checking Secretive, no secrets are listed:

If I restart the agent, secrets are still not available. They only come back after I restart the computer. If I try to add a new secret, Secretive crashes just like reported by the OP. Crash report: https://gist.github.com/fsouza/675c9ddc54f8e57393f9890bb269280b

I can reliably reproduce the issue with the steps listed above. I haven't found a way to recover from this state besides rebooting, so I haven't done this more than a couple of times heh

I realize that the Secure Enclave is not available while the computer is locked, but is there anything that can be done to prevent Secretive from getting stuck in the bad state? Or a more effective way to reset it that doesn't require rebooting the machine? Maybe some way to force unlock the Keychain used by Secretive? (via a special user signal maybe? Or some initialization check that would allow it to unlock when I restart the agent)

[maxgoedjen]

That is FANTASTIC @fsouza, I'll give that a go in a bit, I've had absolutely no luck reproducing this consistently, really appreciate the detailed steps, thanks!

[fsouza]

Just one more thing and then I'll go to bed: logging out and logging in again seems to fix it too, no need to reboot.

[maxgoedjen]

Hm, having trouble reproducing it here. I can repro the "locked machine failed the request" bit but on unlock and retry it works fine.

%  sleep 30 && ssh -l git -T github.com
sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: agent refused operation
git@github.com: Permission denied (publickey).
 % ssh -l git -T github.com            
Hi maxgoedjen! You've successfully authenticated, but GitHub does not provide shell access.

I see from your crash report you're on the same OS as me (14.2, at time of writing). I've tried locking while connected to external screen, while in standalone laptop, and closing lid. Any other detail I could be missing?

[fsouza]

Yeah I've noticed the issue happens as soon as I lock my computer, regardless of whether or not I run ssh with the laptop locked. This didn't use to happen 😞 (note I've been using Secretive for one week)

I've been using the laptop with the lid closed, connected to an external monitor, keyboard and mouse, the things that changed since I first setup Secretive are:

• my location (and timezone). I assume this is not relevant as other folks in my organization have gone through the same process and don't get into this state. Including it for completeness.
• the monitor it connects to. I don't think this can be an issue, but I'm listing it for completeness.
• the keyboard it connects to (it used to connect with an apple external keyboard with touch id, but not anymore, and therefore I'm no longer using touch id)

So I started suspecting touch ID and that seems to be the issue?

1. if I lock my laptop and unlock it with touch ID, Secretive works fine
2. if I lock my laptop and unlock it with the password while the touchid-enabled keyboard is connected to it, sometimes works fine (I haven't been able to identify what causes it work sometimes)
3. if I turn off the touchid-enabled keyboard, lock my laptop and unlock it with the password, Secretive does not work (I assume the Enclave remains locked?)
4. if I logout and log back in (with the password, as that's required for first login), Secretive works fine

So it seems that with the laptop closed and no touchid-enabled device, the Enclave never unlocks once it's been locked? (probably because touch ID is effectively disabled?). Is this expected? Like, is Touch ID a requirement and I just missed that? 🙈 If that's the case, I apologize for wasting your time 😭

On a side note, as mentioned by @sdemjanenko, the "Local Items" keychain behavior matches the behavior of Secretive (i.e. it's unlocked in cases (1) and (2), but remains locked in (3)).

[maxgoedjen]

my location (and timezone). I assume this is not relevant as other folks in my organization have gone through the same process and don't get into this state. Including it for completeness. the monitor it connects to. I don't think this can be an issue, but I'm listing it for completeness. the keyboard it connects to (it used to connect with an apple external keyboard with touch id, but not anymore, and therefore I'm no longer using touch id)

The keyboard might be relevant there? But probably mostly to the extent of "unlocking it with password, not Touch ID." I'll try that, I think I've been unlocking with TID every time so far.

So it seems that with the laptop closed and no touchid-enabled device, the Enclave never unlocks once it's been locked? (probably because touch ID is effectively disabled?). Is this expected? Like, is Touch ID a requirement and I just missed that? 🙈 If that's the case, I apologize for wasting your time 😭

That definitely shouldn't be the case. You can definitely use it on non-TID Macs (I personally used it on a Mac mini with non-TID keyboard before the M1 MBPs came out)

[fsouza]

I have no idea of what's going on anymore: after the recent upgrade (Sonoma 14.2.1), I can no longer reproduce the issue 🤔

[fsouza]

Even though I can no longer reproduce the issue, other folks in the org are running into the same issue (secretive works when unlocked with touch id, but doesn't when unlocked with the password), even though they're also on 14.2.1 😭 Any additional ideas on how we can debug this?

[maxgoedjen]

@fsouza I'd be curious if they see anything unusual/mentioning the SEP in Console.app (Secretive-related or otherwise). If there's anyone encountering this that'd be brave enough to fire up Xcode and gather some debug info, I'd definitely be happy to figure out some stuff to try there.

[fsouza]

If there's anyone encountering this that'd be brave enough to fire up Xcode and gather some debug info, I'd definitely be happy to figure out some stuff to try there.

I'll see if I can find some volunteers. Too bad I can no longer repro the issue. While I look for volunteers, any pointers on what debugging information would be useful and how we can gather it? Is the idea to run Secretive from some branch?

[maxgoedjen]

Mainly I'd want to be stepping through https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L228 and https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L36 and also keeping an eye on the console to see if there's anything interesting.

[grugnog]

Using Kandji MDM here and had this issue after I needed to do a password verification after resume. I did not have to do this after a normal resume where I unlock with Touch ID. After a restart the key was present again.

[fsouza]

Mainly I'd want to be stepping through https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L228 and https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L36 and also keeping an eye on the console to see if there's anything interesting.

I got lucky and can now reproduce the issue again lol I'm not sure what changed, my laptop "soft-crashed" (keyboard and mouse stopped responding, screen went dark, but sound was still on), then I manually restarted it and when it came back, I could repro the issue again: if I unlock with the password, secrets are not available, if I use Touch ID, everything is fine.

I stepped through creation and retrieval of secrets. I'll poke around the code a bit with help from AI™, but I'm posting an update here just in case the error is obvious to anyone reading this message.

First, creating a new secret fails with the following error:

Secretive/CreateSecretView.swift:48: Fatal error: 'try!' expression unexpectedly raised an error: Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed:  / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=failed to generate asymmetric keypair}

That error is thrown here: https://github.com/maxgoedjen/secretive/blob/c7983bbf33d2111d85eac8ae6b5cdbb643ef97bb/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L65-L67

loadSecrets doesn't throw any errors, it returns from this guard: https://github.com/maxgoedjen/secretive/blob/c7983bbf33d2111d85eac8ae6b5cdbb643ef97bb/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L239

Because publicUntyped is nil.

[maxgoedjen]

Hm... that lines up with the other reports but doesn't give too much more additional information – basically the system just seems to be in a bad state, I'm not sure if there's anything we can do specifically to shake it loose. Anything interesting in Console.app (or Xcode console) about keychain?

[fsouza]

I don't know why I didn't think of this before, but security unlock-keychain gets things rolling again, which is I guess yet another indication of what we already suspected here in this thread.

The only things I see in the Xcode console are:

This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
FAULT: <NSRemoteView: 0x152f51df0 com.apple.TextInputUI.xpc.CursorUIViewService TUICursorUIViewService> determined it was necessary to configure <TUINSWindow: 0x132e49d60> to support remote view vibrancy

Console.app shows nothing interesting, either when I lock/unlock the laptop, or open/close Secretive.

[maxgoedjen]

Hadn't occurred to me either, but interesting thing to try.

Think the "best" solution here might be specifically watching for the interaction not allowed message and showing a "restart your Mac" error so people don't freak out and think there's data loss. Less than ideal but I'm kinda skeptical we'll be able to do much beyond that.

[fsouza]

Do you think it's feasible to have Secretive detect that the Keychain/Secure Enclave is locked and try to unlock it automatically (which would require user authentication)? I haven't looked into the details of how it would work yet, but the idea is that we'd only want to do that if the screen is not locked, and hopefully we'd want to try to do it when the user tries to use the secrets.

So, for example, when I run ssh -T git@github.com, rather than failing, Secretive would detect that the Secure Enclave is locked and try to unlock it (we'd need to differentiate between having no secrets and not having access to the Keychain stuff).

If you think that's an acceptable feature, I can try to flush it out a bit more to confirm what's feasible and potentially send a PR.

[fsouza]

(fun fact: apparently, security lock-keychain on a random keychain that is locked helps too, it looks like any keychain operation fixes the issue, which probably points to some weird state getting out of sync within macOS 😭)

[maxgoedjen]

I think I feel differently about different parts of this:

• Detecting the state: definitely in favor. If we can come up with a reliable way to get an identifiable failure, I'm definitely game to show some sort of FAQ link/instructions/etc.
• Trying to shake it loose: I'm game for this in principle, but I'm hesitant to do something as drastic as locking/unlocking the keychain, since that may have a lot of knock-on effects people don't expect. It could be a good thing to suggest to people if we detect the state. If there's some less drastic way to fix the state programmatically I'm fine with that too.

Overall definitely feel free to do some POC work here – I'd be interested to see what's doable.

[fsouza]

A quick update on this, we continue to investigate it and are trying to get more information to escalate. We inspected the logs when unlocking computers to see if we'd find anything useful, and we did. Will keep digging.

On affected laptops, we see:

loginwindow: [com.apple.loginwindow.logging:Standard] -[LWScreenLockAuthentication _authSuccessUsingPassword:forUser:] | Screen saver unlocked by admin, did NOT unlock the user's keychain

On non-affected laptops, we see:

loginwindow: [com.apple.loginwindow.logging:Standard] -[LWScreenLockAuthentication _authSuccessUsingPassword:forUser:] | Unlock succeeded, with password, attempting to unlock the login keychain
...
loginwindow: [com.apple.loginwindow.logging:Standard] -[LWKeychainSupport unlockLoginKeychainFromScreenLock:pwd:] |      SecKeychainLogin returned success
loginwindow: [com.apple.loginwindow.logging:Standard] -[LWKeychainSupport unlockLoginKeychainFromScreenLock:pwd:] |      returning; 1
loginwindow: [com.apple.loginwindow.logging:Standard] -[LWScreenLockAuthentication _authSuccessUsingPassword:forUser:] | Unlock succeeded, with password, attempting to unlock the keybag
...

(and that succeeds)

Sharing in case other folks have ideas, but we'll continue to explore investigate on our side here :)

(note: we check the logs with something like log show --predicate "process == 'loginwindow'" --last 1m after unlocking, and search for _authSuccessUsingPassword:forUser:)