From e86aa559a4a59f9d077a3d98aa624c591951e3e7 Mon Sep 17 00:00:00 2001 From: Max Goedjen Date: Tue, 19 Aug 2025 23:32:46 -0700 Subject: [PATCH 1/2] Remove unchecked sendable (#617) --- .../Packages/Sources/SecretAgentKit/Sendability.swift | 11 ----------- .../Sources/SecretAgentKit/SocketController.swift | 6 +++--- 2 files changed, 3 insertions(+), 14 deletions(-) delete mode 100644 Sources/Packages/Sources/SecretAgentKit/Sendability.swift diff --git a/Sources/Packages/Sources/SecretAgentKit/Sendability.swift b/Sources/Packages/Sources/SecretAgentKit/Sendability.swift deleted file mode 100644 index 5338464..0000000 --- a/Sources/Packages/Sources/SecretAgentKit/Sendability.swift +++ /dev/null @@ -1,11 +0,0 @@ -import Foundation - -struct UncheckedSendable: @unchecked Sendable { - - let value: T - - init(_ value: T) { - self.value = value - } - -} diff --git a/Sources/Packages/Sources/SecretAgentKit/SocketController.swift b/Sources/Packages/Sources/SecretAgentKit/SocketController.swift index a51951f..acaf542 100644 --- a/Sources/Packages/Sources/SecretAgentKit/SocketController.swift +++ b/Sources/Packages/Sources/SecretAgentKit/SocketController.swift @@ -82,12 +82,12 @@ public final class SocketController { logger.debug("Socket controller has new data available") guard let new = notification.object as? FileHandle else { return } logger.debug("Socket controller received new file handle") - Task { [handler, logger = UncheckedSendable(logger)] in + Task { [handler, logger = logger] in if((await handler?(new, new)) == true) { - logger.value.debug("Socket controller handled data, wait for more data") + logger.debug("Socket controller handled data, wait for more data") await new.waitForDataInBackgroundAndNotifyOnMainActor() } else { - logger.value.debug("Socket controller called with empty data, socked closed") + logger.debug("Socket controller called with empty data, socked closed") } } } From 45bcb03fef5f4be5e99ee1852daf07c6c15a8279 Mon Sep 17 00:00:00 2001 
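Review bot: The rewritten else-branch log line in SocketController.swift still carries the typo "socked": `logger.debug("Socket controller called with empty data, socket closed")` would read correctly and grep alongside the other socket messages, and since the commit already touches that line the fix is free. The capture list `[handler, logger = logger]` is also redundant now that the wrapper is gone; `[handler, logger]` says the same thing. Dropping `UncheckedSendable` means this capture relies on `Logger` satisfying `Sendable` in the SDK the target builds against, which is presumably true for the current deployment target but is exactly what the deleted wrapper was papering over, so it is worth confirming the package still compiles under strict concurrency checking rather than only in the default mode. The enclosing method begins before this hunk.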
From: Max Goedjen Date: Wed, 20 Aug 2025 00:10:23 -0700 Subject: [PATCH 2/2] Enable enhanced security. (#618) --- Sources/Secretive.xcodeproj/project.pbxproj | 13 +++++++++++++ .../xcshareddata/WorkspaceSettings.xcsettings | 8 ++++++++ Sources/Secretive/Secretive.entitlements | 10 ++++++++++ 3 files changed, 31 insertions(+) create mode 100644 Sources/Secretive.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings diff --git a/Sources/Secretive.xcodeproj/project.pbxproj b/Sources/Secretive.xcodeproj/project.pbxproj index 0c85007..add5a1e 100644 --- a/Sources/Secretive.xcodeproj/project.pbxproj +++ b/Sources/Secretive.xcodeproj/project.pbxproj @@ -526,6 +526,8 @@ COPY_PHASE_STRIP = NO; DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = dwarf; + ENABLE_ENHANCED_SECURITY = YES; + ENABLE_POINTER_AUTHENTICATION = YES; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_TESTABILITY = YES; ENABLE_USER_SCRIPT_SANDBOXING = YES; @@ -598,7 +600,9 @@ COPY_PHASE_STRIP = NO; DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_ENHANCED_SECURITY = YES; ENABLE_NS_ASSERTIONS = NO; + ENABLE_POINTER_AUTHENTICATION = YES; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_USER_SCRIPT_SANDBOXING = YES; GCC_C_LANGUAGE_STANDARD = gnu11; @@ -637,8 +641,10 @@ DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\""; DEVELOPMENT_TEAM = Z72PRUAWF6; ENABLE_APP_SANDBOX = YES; + ENABLE_ENHANCED_SECURITY = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES; + ENABLE_POINTER_AUTHENTICATION = YES; ENABLE_PREVIEWS = YES; ENABLE_USER_SELECTED_FILES = readwrite; INFOPLIST_FILE = Secretive/Info.plist; 
@@ -667,8 +673,10 @@ DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\""; DEVELOPMENT_TEAM = Z72PRUAWF6; ENABLE_APP_SANDBOX = YES; + ENABLE_ENHANCED_SECURITY = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES; + ENABLE_POINTER_AUTHENTICATION = YES; ENABLE_PREVIEWS = YES; ENABLE_USER_SELECTED_FILES = readwrite; INFOPLIST_FILE = Secretive/Info.plist; @@ -723,6 +731,8 @@ COPY_PHASE_STRIP = NO; DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = dwarf; + ENABLE_ENHANCED_SECURITY = YES; + ENABLE_POINTER_AUTHENTICATION = YES; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_TESTABILITY = YES; ENABLE_USER_SCRIPT_SANDBOXING = YES; @@ -760,14 +770,17 @@ isa = XCBuildConfiguration; buildSettings = { ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; + CODE_SIGN_ENTITLEMENTS = Secretive/Secretive.entitlements; CODE_SIGN_STYLE = Manual; COMBINE_HIDPI_IMAGES = YES; CURRENT_PROJECT_VERSION = 1; DEAD_CODE_STRIPPING = YES; DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\""; ENABLE_APP_SANDBOX = YES; + ENABLE_ENHANCED_SECURITY = YES; ENABLE_HARDENED_RUNTIME = NO; ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES; + ENABLE_POINTER_AUTHENTICATION = YES; ENABLE_PREVIEWS = YES; ENABLE_USER_SELECTED_FILES = readwrite; INFOPLIST_FILE = Secretive/Info.plist; diff --git a/Sources/Secretive.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings b/Sources/Secretive.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings new file mode 100644 index 0000000..561e394 --- /dev/null +++ b/Sources/Secretive.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings @@ -0,0 +1,8 @@ + + + + + iOSPackagesShouldBuildARM64e + + + diff --git a/Sources/Secretive/Secretive.entitlements b/Sources/Secretive/Secretive.entitlements index c9423c4..ab2c42b 100644 --- a/Sources/Secretive/Secretive.entitlements +++ b/Sources/Secretive/Secretive.entitlements 
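Review bot: In the `@@ -760,14 +770,17 @@` configuration, `ENABLE_ENHANCED_SECURITY = YES` and `ENABLE_POINTER_AUTHENTICATION = YES` are added directly beside the pre-existing `ENABLE_HARDENED_RUNTIME = NO`, so that build now opts into the hardened-process entitlements (via the newly added `CODE_SIGN_ENTITLEMENTS`) while leaving the hardened runtime off; if that is deliberate for a local or unsigned build, a one-line comment such as `/* hardened runtime left off for local debug signing; enhanced security still exercised */` next to it would stop it reading as an oversight, otherwise the two settings look inconsistent. Separately, `ENABLE_POINTER_AUTHENTICATION` only has an effect on an arm64e slice; the new workspace setting `iOSPackagesShouldBuildARM64e` by its name governs package builds, so confirm the macOS app target itself is built arm64e, or the setting is a no-op for the app binary. This is inferred from the setting names visible in the hunk, not from build output.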
@@ -2,6 +2,16 @@ + com.apple.security.hardened-process + + com.apple.security.hardened-process.dyld-ro + + com.apple.security.hardened-process.enhanced-security-version + 1 + com.apple.security.hardened-process.hardened-heap + + com.apple.security.hardened-process.platform-restrictions + 2 com.apple.security.smartcard keychain-access-groups
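Review bot: The two integer entitlements added here, `com.apple.security.hardened-process.enhanced-security-version` = `1` and `com.apple.security.hardened-process.platform-restrictions` = `2`, are bare magic numbers with nothing in the file saying what level each value selects or why `2` was chosen; a plist comment above each, e.g. `<!-- Enhanced Security level chosen in #618; consult Apple's hardened-process docs before changing -->`, would keep the next maintainer from bumping them blindly. This rendering has stripped the XML tags, so the values of `hardened-process`, `hardened-process.dyld-ro` and `hardened-process.hardened-heap` are presumed to be `<true/>` rather than visible. Only `Secretive.entitlements` is touched in this commit; if the agent process has its own entitlements file it is not in the diff, and since that is presumably the process holding the keys it is worth confirming it receives the same hardening. The hunk's closing context is not fully visible here.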