Secrets disappeared and can't create new ones
I started Secretive today, and:
- My secrets are gone
- I can't create a new one
It seems like both issues are caused by the same issue: Secretive can't access the Security Server.
Secretive/CreateSecretView.swift:54: Fatal error: 'try!' expression unexpectedly raised an error: Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=failed to generate asymmetric keypair}
OS: macOS Monterey 12.1
Hardware: M1 Air
Crash report below, I don't believe I've left any PII in this...
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Process: Secretive [6377]
Path: /Applications/Secretive.app/Contents/MacOS/Secretive
Identifier: com.maxgoedjen.Secretive.Host
Version: 2.2.0 (1.1857237470)
Code Type: ARM-64 (Native)
Parent Process: launchd [1]
User ID: 501
Date/Time: 2022-04-19 10:34:13.4327 +1200
OS Version: macOS 12.1 (21C52)
Report Version: 12
Anonymous UUID: <redacted>
Sleep/Wake UUID: <redacted>
Time Awake Since Boot: 5400 seconds
Time Since Wake: 5340 seconds
System Integrity Protection: enabled
Notes:
thread_get_state(PAGEIN) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(EXCEPTION) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(FLAVOR) returned 0x10000003: (ipc/send) invalid destination port
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x0000000198f74818
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 5 Trace/BPT trap: 5
Terminating Process: exc handler [6377]
Application Specific Information:
Performing @selector(didPressButton:) from sender <redacted>SwiftUIAppKitButton <redacted>
Secretive/CreateSecretView.swift:54: Fatal error: 'try!' expression unexpectedly raised an error: Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=failed to generate asymmetric keypair}
Error Formulating Crash Report:
thread_get_state(PAGEIN) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(EXCEPTION) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(FLAVOR) returned 0x10000003: (ipc/send) invalid destination port
Kernel Triage:
VM - pmap_enter failed with resource shortage
VM - pmap_enter failed with resource shortage
VM - pmap_enter failed with resource shortage
VM - pmap_enter failed with resource shortage
VM - pmap_enter failed with resource shortage
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libswiftCore.dylib 0x198f74818 _assertionFailure(_:_:file:line:flags:) + 308
1 libswiftCore.dylib 0x198f74818 _assertionFailure(_:_:file:line:flags:) + 308
2 libswiftCore.dylib 0x198fdbb1c swift_unexpectedError + 564
3 Secretive 0x1049ed84c CreateSecretView.save() + 320
4 Secretive 0x1049edaf4 partial apply for implicit closure #2 in implicit closure #1 in closure #2 in closure #1 in CreateSecretView.body.getter + 32
5 SwiftUI 0x1b0fbbcd4 implicit closure #2 in implicit closure #1 in AppKitButtonStyle.Content.body(environment:) + 28
6 SwiftUI 0x1b0fc0f38 SwiftUIAppKitButton.didPressButton(_:) + 56
7 SwiftUI 0x1b0fc0f9c @objc SwiftUIAppKitButton.didPressButton(_:) + 56
8 AppKit 0x18ed350c0 -[NSApplication(NSResponder) sendAction:to:from:] + 456
9 AppKit 0x18ed34ec0 -[NSControl sendAction:to:] + 96
10 AppKit 0x18ed34dc8 __26-[NSCell _sendActionFrom:]_block_invoke + 152
11 AppKit 0x18ed34cbc -[NSCell _sendActionFrom:] + 196
12 AppKit 0x18ed34be8 -[NSButtonCell _sendActionFrom:] + 104
13 AppKit 0x18ed31a28 NSControlTrackMouse + 1720
14 AppKit 0x18ed31344 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 160
15 AppKit 0x18ed311b8 -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 740
16 AppKit 0x18ed30420 -[NSControl mouseDown:] + 636
17 AppKit 0x18ed2e874 -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4524
18 AppKit 0x18eca1ce4 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 2444
19 AppKit 0x18eca10ec -[NSWindow(NSEventRouting) sendEvent:] + 348
20 AppKit 0x18eca0050 -[NSApplication(NSEvent) sendEvent:] + 2776
21 AppKit 0x18ef5859c -[NSApplication _handleEvent:] + 76
22 AppKit 0x18eb215cc -[NSApplication run] + 636
23 AppKit 0x18eaf2c78 NSApplicationMain + 1064
24 SwiftUI 0x1b0a01c9c specialized runApp(_:) + 148
25 SwiftUI 0x1b152ba54 runApp<A>(_:) + 260
26 SwiftUI 0x1b0fbb66c static App.main() + 128
27 Secretive 0x1049d5a5c main + 160
28 dyld 0x104dd90f4 start + 520
Thread 1:: Dispatch queue: la_client
0 libsystem_kernel.dylib 0x18bed75d8 __getdirentries64 + 8
1 libsystem_c.dylib 0x18be27728 _readdir_unlocked + 208
2 libsystem_c.dylib 0x18be2781c readdir + 44
3 CoreFoundation 0x18bf71044 _CFIterateDirectory + 148
4 CoreFoundation 0x18bf707ec _CFBundleGetBundleVersionForURL + 416
5 CoreFoundation 0x18c07fd24 _CFBundleCreate + 508
6 Foundation 0x18ce537d8 -[NSBundle _cfBundle] + 76
7 Foundation 0x18ce79610 -[NSBundle localizedStringForKey:value:table:] + 44
8 SharedUtils 0x19e8259e8 +[LAErrorHelper localizedStringForError:] + 1212
9 SharedUtils 0x19e821b90 +[LAErrorHelper errorWithCode:message:moreInfo:] + 136
10 LocalAuthentication 0x19e8097fc -[LAClient _serializedInvalidateWithMessage:] + 108
11 LocalAuthentication 0x19e809770 __34-[LAClient invalidateWithMessage:]_block_invoke + 48
12 libdispatch.dylib 0x18bd50e60 _dispatch_call_block_and_release + 32
13 libdispatch.dylib 0x18bd52bac _dispatch_client_callout + 20
14 libdispatch.dylib 0x18bd5a330 _dispatch_lane_serial_drain + 672
15 libdispatch.dylib 0x18bd5aed8 _dispatch_lane_invoke + 444
16 libdispatch.dylib 0x18bd65708 _dispatch_workloop_worker_thread + 656
17 libsystem_pthread.dylib 0x18bf0d304 _pthread_wqthread + 288
18 libsystem_pthread.dylib 0x18bf0c018 start_wqthread + 8
Thread 2:
0 libsystem_pthread.dylib 0x18bf0c010 start_wqthread + 0
Thread 3:
0 libsystem_pthread.dylib 0x18bf0c010 start_wqthread + 0
Thread 4:
0 libsystem_pthread.dylib 0x18bf0c010 start_wqthread + 0
Thread 5:: com.apple.NSEventThread
0 libsystem_kernel.dylib 0x18bed5954 mach_msg_trap + 8
1 libsystem_kernel.dylib 0x18bed5d00 mach_msg + 76
2 CoreFoundation 0x18bfdced8 __CFRunLoopServiceMachPort + 372
3 CoreFoundation 0x18bfdb390 __CFRunLoopRun + 1212
4 CoreFoundation 0x18bfda734 CFRunLoopRunSpecific + 600
5 AppKit 0x18ec9dc90 _NSEventThread + 196
6 libsystem_pthread.dylib 0x18bf11240 _pthread_start + 148
7 libsystem_pthread.dylib 0x18bf0c024 thread_start + 8
Thread 6:
0 libsystem_pthread.dylib 0x18bf0c010 start_wqthread + 0
No thread state (register information) available
Yikes, that's not good - first time I'm seeing this one. Guessing you've got a bunch of other macOS issues going on right now too? Assuming you've already tried rebooting?
Also: any changes recently in security settings? Adding/removing fingers to Touch ID, changing password etc?
@sminnee 👋 hey just checking in on this one, still happening?
@maxgoedjen the same error happened to me today. Rebooting fixed it but it's not very good when it happens :D
FYI I didn't change anything related to touchid/password. I remember allowing a new app into the accessibility settings but I've done it frequently in the past without this error happening.
Heya I got this working again after some combination of reboots and OS upgrades.
Glad to hear that. When you peeps were seeing that state, was it just empty? Or was it telling you your Mac had no Secure Enclave?
Anyone who sees this in future: would love a screenshot 🙏
> Glad to hear that. When you peeps were seeing that state, was it just empty? Or was it telling you your Mac had no Secure Enclave?
It was an empty list. I opened Secretive and there were no elements in it.
Will post a screenshot if it happens again. Is there anything else I might do to give you more information?
Here it is ;) Using Secretive Version 2.2.0 (1.1857237470)

I only have one secret in secretive and it doesn't appear here
@andrea-sdl thanks for the screenshot, that's very helpful (and very weird). I was expecting the Mac to just report that it didn't have a SEP to be perfectly honest.
I've been running into this issue off and on since installing the Rippling MDM agent and changing my Mac password. Today it came to a head. I think I found the resolution, which is that the "Local items" keychain was locked (presumably with my old password) and I wasn't able to put it in an unlocked state. For some reason, in the lead-up to this, an Adobe CC background process would prompt me for access to that chain and somehow that would unlock it, letting Secretive work.
I think it came to a head today because something in Adobe updated and I was no longer getting those prompts to unlock that keychain and I had no way to get the prompts to show, and therefore I was locked out.
I had to delete the LocalItems keychain and restart. That then seems to have fixed the issue (I'll confirm in a few days if it stays fixed). On the downside, I lost what was in there.
This is a screenshot after fixing. Previously, the "login" chain was unlocked, but the "Local Items" chain was locked which is weird and suggests the "Local Items" chain isn't using the login password to the mac.
@maxgoedjen hi there, thanks for building Secretive. I started running into this issue today. Rebooting seems to help, but let me know if there's any information you'd like me to collect the next time it happens :)
Ok, upon further investigation, it seems that the issue is triggered by trying to use the key with the laptop locked?
Here's some information about the system:
% uname -a
Darwin ... 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:51 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T6030 arm64 arm Darwin
Reproducing steps:
- Confirm that everything is working:
% ssh -l git -T github.com
Hi fsouza! You've successfully authenticated, but GitHub does not provide shell access.
- "Schedule" the ssh command and lock the computer before it starts:
% sleep 30 && ssh -l git -T github.com
- Unlock the computer, confirm that ssh -T failed as expected.
% sleep 30 && ssh -l git -T github.com
sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: agent refused operation
git@github.com: Permission denied (publickey).
Again, this failure is expected as the Secure Enclave is not available while the computer is locked, but now that the computer is unlocked, ssh -T still doesn't work:
% ssh -l git -T github.com
sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: agent refused operation
git@github.com: Permission denied (publickey).
Checking Secretive, no secrets are listed:
If I restart the agent, secrets are still not available. They only come back after I restart the computer. If I try to add a new secret, Secretive crashes just like reported by the OP. Crash report: https://gist.github.com/fsouza/675c9ddc54f8e57393f9890bb269280b
I can reliably reproduce the issue with the steps listed above. I haven't found a way to recover from this state besides rebooting, so I haven't done this more than a couple of times heh
I realize that the Secure Enclave is not available while the computer is locked, but is there anything that can be done to prevent Secretive from getting stuck in the bad state? Or a more effective way to reset it that doesn't require rebooting the machine? Maybe some way to force unlock the Keychain used by Secretive? (via a special user signal maybe? Or some initialization check that would allow it to unlock when I restart the agent)
That is FANTASTIC @fsouza, I'll give that a go in a bit, I've had absolutely no luck reproducing this consistently, really appreciate the detailed steps, thanks!
Just one more thing and then I'll go to bed: logging out and logging in again seems to fix it too, no need to reboot.
Hm, having trouble reproducing it here. I can repro the "locked machine failed the request" bit but on unlock and retry it works fine.
% sleep 30 && ssh -l git -T github.com
sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: agent refused operation
git@github.com: Permission denied (publickey).
% ssh -l git -T github.com
Hi maxgoedjen! You've successfully authenticated, but GitHub does not provide shell access.
I see from your crash report you're on the same OS as me (14.2, at time of writing). I've tried locking while connected to external screen, while in standalone laptop, and closing lid. Any other detail I could be missing?
Yeah I've noticed the issue happens as soon as I lock my computer, regardless of whether or not I run ssh with the laptop locked. This didn't use to happen 😞 (note I've been using Secretive for one week)
I've been using the laptop with the lid closed, connected to an external monitor, keyboard and mouse. The things that changed since I first set up Secretive are:
- my location (and timezone). I assume this is not relevant as other folks in my organization have gone through the same process and don't get into this state. Including it for completeness.
- the monitor it connects to. I don't think this can be an issue, but I'm listing it for completeness.
- the keyboard it connects to (it used to connect with an Apple external keyboard with Touch ID, but not anymore, and therefore I'm no longer using Touch ID)
So I started suspecting touch ID and that seems to be the issue?
- if I lock my laptop and unlock it with touch ID, Secretive works fine
- if I lock my laptop and unlock it with the password while the touchid-enabled keyboard is connected to it, it sometimes works fine (I haven't been able to identify what causes it to work sometimes)
- if I turn off the touchid-enabled keyboard, lock my laptop and unlock it with the password, Secretive does not work (I assume the Enclave remains locked?)
- if I logout and log back in (with the password, as that's required for first login), Secretive works fine
So it seems that with the laptop closed and no touchid-enabled device, the Enclave never unlocks once it's been locked? (probably because touch ID is effectively disabled?). Is this expected? Like, is Touch ID a requirement and I just missed that? 🙈 If that's the case, I apologize for wasting your time 😭
On a side note, as mentioned by @sdemjanenko, the "Local Items" keychain behavior matches the behavior of Secretive (i.e. it's unlocked in cases (1) and (2), but remains locked in (3)).
> - my location (and timezone). I assume this is not relevant as other folks in my organization have gone through the same process and don't get into this state. Including it for completeness.
> - the monitor it connects to. I don't think this can be an issue, but I'm listing it for completeness.
> - the keyboard it connects to (it used to connect with an Apple external keyboard with Touch ID, but not anymore, and therefore I'm no longer using Touch ID)
The keyboard might be relevant there? But probably mostly to the extent of "unlocking it with password, not Touch ID." I'll try that, I think I've been unlocking with TID every time so far.
> So it seems that with the laptop closed and no touchid-enabled device, the Enclave never unlocks once it's been locked? (probably because touch ID is effectively disabled?). Is this expected? Like, is Touch ID a requirement and I just missed that? 🙈 If that's the case, I apologize for wasting your time 😭
That definitely shouldn't be the case. You can definitely use it on non-TID Macs (I personally used it on a Mac mini with non-TID keyboard before the M1 MBPs came out)
I have no idea of what's going on anymore: after the recent upgrade (Sonoma 14.2.1), I can no longer reproduce the issue 🤔
Even though I can no longer reproduce the issue, other folks in the org are running into the same issue (secretive works when unlocked with touch id, but doesn't when unlocked with the password), even though they're also on 14.2.1 😭 Any additional ideas on how we can debug this?
@fsouza I'd be curious if they see anything unusual/mentioning the SEP in Console.app (Secretive-related or otherwise). If there's anyone encountering this that'd be brave enough to fire up Xcode and gather some debug info, I'd definitely be happy to figure out some stuff to try there.
> If there's anyone encountering this that'd be brave enough to fire up Xcode and gather some debug info, I'd definitely be happy to figure out some stuff to try there.
I'll see if I can find some volunteers. Too bad I can no longer repro the issue. While I look for volunteers, any pointers on what debugging information would be useful and how we can gather it? Is the idea to run Secretive from some branch?
Mainly I'd want to be stepping through https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L228 and https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L36 and also keeping an eye on the console to see if there's anything interesting.
Using Kandji MDM here and had this issue after I needed to do a password verification after resume. I did not have to do this after a normal resume where I unlock with Touch ID. After a restart the key was present again.
> Mainly I'd want to be stepping through https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L228 and https://github.com/maxgoedjen/secretive/blob/main/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L36 and also keeping an eye on the console to see if there's anything interesting.
I got lucky and can now reproduce the issue again lol. I'm not sure what changed: my laptop "soft-crashed" (keyboard and mouse stopped responding, screen went dark, but sound was still on), then I manually restarted it and when it came back, I could repro the issue again: if I unlock with the password, secrets are not available; if I use Touch ID, everything is fine.
I stepped through creation and retrieval of secrets. I'll poke around the code a bit with help from AI™, but I'm posting an update here just in case the error is obvious to anyone reading this message.
First, creating a new secret fails with the following error:
Secretive/CreateSecretView.swift:48: Fatal error: 'try!' expression unexpectedly raised an error: Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=failed to generate asymmetric keypair}
That error is thrown here: https://github.com/maxgoedjen/secretive/blob/c7983bbf33d2111d85eac8ae6b5cdbb643ef97bb/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L65-L67
loadSecrets doesn't throw any errors, it returns from this guard: https://github.com/maxgoedjen/secretive/blob/c7983bbf33d2111d85eac8ae6b5cdbb643ef97bb/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift#L239
Because publicUntyped is nil.
Hm... that lines up with the other reports but doesn't give too much more additional information – basically the system just seems to be in a bad state, I'm not sure if there's anything we can do specifically to shake it loose. Anything interesting in Console.app (or Xcode console) about keychain?
I don't know why I didn't think of this before, but security unlock-keychain gets things rolling again, which is I guess yet another indication of what we already suspected here in this thread.
The only things I see in the Xcode console are:
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
This method should not be called on the main thread as it may lead to UI unresponsiveness.
FAULT: <NSRemoteView: 0x152f51df0 com.apple.TextInputUI.xpc.CursorUIViewService TUICursorUIViewService> determined it was necessary to configure <TUINSWindow: 0x132e49d60> to support remote view vibrancy
Console.app shows nothing interesting, either when I lock/unlock the laptop, or open/close Secretive.
Hadn't occurred to me either, but interesting thing to try.
Think the "best" solution here might be specifically watching for the interaction not allowed message and showing a "restart your Mac" error so people don't freak out and think there's data loss. Less than ideal but I'm kinda skeptical we'll be able to do much beyond that.
Do you think it's feasible to have Secretive detect that the Keychain/Secure Enclave is locked and try to unlock it automatically (which would require user authentication)? I haven't looked into the details of how it would work yet, but the idea is that we'd only want to do that if the screen is not locked, and hopefully we'd want to try to do it when the user tries to use the secrets.
So, for example, when I run ssh -T git@github.com, rather than failing, Secretive would detect that the Secure Enclave is locked and try to unlock it (we'd need to differentiate between having no secrets and not having access to the Keychain stuff).
If you think that's an acceptable feature, I can try to flesh it out a bit more to confirm what's feasible and potentially send a PR.
(fun fact: apparently, security lock-keychain on a random keychain that is locked helps too, it looks like any keychain operation fixes the issue, which probably points to some weird state getting out of sync within macOS 😭)
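The error handling discussed in the last few comments, as an added example that is not part of the thread and not Secretive's own code: key generation reports errSecInteractionNotAllowed (-25308, the code in the crash report) as a typed error that the UI can display, instead of crashing on try!. The type and function names, the access-control flags and the message text are assumptions made for illustration.

```swift
import Foundation
import Security

// Hypothetical error type for this example; none of these names come from Secretive.
enum KeyCreationError: Error {
    case interactionNotAllowed      // OSStatus -25308 (errSecInteractionNotAllowed)
    case accessControl(NSError?)
    case other(NSError)

    // Message text is an assumption; the recovery steps are the ones reported in the thread.
    var userMessage: String {
        switch self {
        case .interactionNotAllowed:
            return "macOS is refusing keychain access (errSecInteractionNotAllowed). "
                + "Log out and back in, or restart your Mac, then try again."
        case .accessControl(let error):
            return "Could not build access control: \(error?.localizedDescription ?? "unknown error")"
        case .other(let error):
            return "Key generation failed: \(error.localizedDescription)"
        }
    }
}

// Matches the domain/code pair printed in the crash report:
// Error Domain=NSOSStatusErrorDomain Code=-25308
func isInteractionNotAllowed(_ error: NSError) -> Bool {
    error.domain == NSOSStatusErrorDomain && error.code == Int(errSecInteractionNotAllowed)
}

// Creates a P-256 key in the Secure Enclave and throws a typed error on failure.
func createSecureEnclaveKey(label: String) throws -> SecKey {
    var acError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .userPresence],   // assumed flags for this example
        &acError
    ) else {
        throw KeyCreationError.accessControl(acError.map { $0.takeRetainedValue() as Error as NSError })
    }

    let attributes: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecAttrLabel: label,
        kSecPrivateKeyAttrs: [
            kSecAttrIsPermanent: true,
            kSecAttrAccessControl: access,
        ] as [CFString: Any],
    ]

    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        guard let cfError = error?.takeRetainedValue() else {
            // No CFError was returned; report a generic failure (constructed domain and code).
            throw KeyCreationError.other(NSError(domain: "ExampleKeyCreation", code: -1))
        }
        let nsError = cfError as Error as NSError
        throw isInteractionNotAllowed(nsError)
            ? KeyCreationError.interactionNotAllowed
            : KeyCreationError.other(nsError)
    }
    return key
}

// Call-site shape for a save action: returns nil on success, or text to show the user.
func saveSecret(named name: String) -> String? {
    do {
        _ = try createSecureEnclaveKey(label: name)
        return nil
    } catch let error as KeyCreationError {
        return error.userMessage
    } catch {
        return error.localizedDescription
    }
}
```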