From 412687467bba97208f75b82ecc8a14d9e20ae6fc Mon Sep 17 00:00:00 2001
From: Max Goedjen
Date: Wed, 3 Sep 2025 22:01:44 -0700
Subject: [PATCH] Digest wants 'sha256:' prefix that the upload step doesn't add for some reason (#667)

---
 .github/workflows/nightly.yml | 2 +-
 .../CryptoKitMigrator.swift | 28 +++++++++++--------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 0d156bb..dc61369 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -55,4 +55,4 @@ jobs:
         uses: actions/attest-build-provenance@v2
         with:
           subject-name: "Secretive.zip"
-          subject-digest: ${{ steps.upload.outputs.artifact-digest }}
+          subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
diff --git a/Sources/Packages/Sources/SecureEnclaveSecretKit/CryptoKitMigrator.swift b/Sources/Packages/Sources/SecureEnclaveSecretKit/CryptoKitMigrator.swift
index ddcc042..a4c69d2 100644
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/CryptoKitMigrator.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/CryptoKitMigrator.swift
@@ -30,7 +30,7 @@ extension SecureEnclave {
             SecItemCopyMatching(privateAttributes, &privateUntyped)
             guard let privateTyped = privateUntyped as? [[CFString: Any]] else { return }
             let migratedPublicKeys = Set(store.secrets.map(\.publicKey))
-            var migrated = false
+            var migratedAny = false
             for key in privateTyped {
                 let name = key[kSecAttrLabel] as? String ?? String(localized: .unnamedSecret)
                 let id = key[kSecAttrApplicationLabel] as! Data
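Review bot: The added `sha256:` prefix on the `subject-digest` line hard-codes the digest algorithm, so the attestation silently becomes wrong if the upload step ever emits a different algorithm or an already-prefixed value. A one-line YAML comment above the line would record the dependency: `# upload-artifact's artifact-digest output is bare SHA-256 hex; attest-build-provenance requires the algorithm prefix`. The `upload` step that produces `steps.upload.outputs.artifact-digest` is outside the hunk, so which action version emits it cannot be confirmed here. Consider also pinning `actions/attest-build-provenance` to a full commit SHA rather than the `@v2` tag, since the provenance step is itself part of the trust chain it attests.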
@@ -45,20 +45,24 @@ extension SecureEnclave {
                 // Best guess.
                 let auth: AuthenticationRequirement = String(describing: accessControl)
                     .contains("DeviceOwnerAuthentication") ? .presenceRequired : .unknown
-                let parsed = try CryptoKit.SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: tokenObjectID)
-                let secret = Secret(id: UUID().uuidString, name: name, publicKey: parsed.publicKey.x963Representation, attributes: Attributes(keyType: .init(algorithm: .ecdsa, size: 256), authentication: auth))
-                guard !migratedPublicKeys.contains(parsed.publicKey.x963Representation) else {
-                    logger.log("Skipping \(name), public key already present. Marking as migrated.")
+                do {
+                    let parsed = try CryptoKit.SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: tokenObjectID)
+                    let secret = Secret(id: UUID().uuidString, name: name, publicKey: parsed.publicKey.x963Representation, attributes: Attributes(keyType: .init(algorithm: .ecdsa, size: 256), authentication: auth))
+                    guard !migratedPublicKeys.contains(parsed.publicKey.x963Representation) else {
+                        logger.log("Skipping \(name), public key already present. Marking as migrated.")
+                        try markMigrated(secret: secret, oldID: id)
+                        continue
+                    }
+                    logger.log("Migrating \(name).")
+                    try store.saveKey(tokenObjectID, name: name, attributes: secret.attributes)
+                    logger.log("Migrated \(name).")
                     try markMigrated(secret: secret, oldID: id)
-                    continue
+                    migratedAny = true
+                } catch {
+                    logger.error("Failed to migrate \(name): \(error).")
                 }
-                logger.log("Migrating \(name).")
-                try store.saveKey(tokenObjectID, name: name, attributes: secret.attributes)
-                logger.log("Migrated \(name).")
-                try markMigrated(secret: secret, oldID: id)
-                migrated = true
             }
-            if migrated {
+            if migratedAny {
                 store.reloadSecrets()
             }
         }
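Review bot: In the new `do` block, `migratedAny = true` is set only after `try markMigrated(secret: secret, oldID: id)`, so if `saveKey` succeeds and `markMigrated` then throws, the key has already been written to the store but the catch only logs, `migratedAny` stays false, and `store.reloadSecrets()` is skipped unless a later key happens to succeed. Moving the flag to directly after the store mutation, `try store.saveKey(tokenObjectID, name: name, attributes: secret.attributes)` followed by `migratedAny = true`, keeps the reload tied to the write rather than to the bookkeeping step. The catch also covers the skip path inside the guard, where a `markMigrated` failure for an already-present key is reported as "Failed to migrate", which misreads in the log; a distinct message or a separate do/catch around that branch would make the two cases distinguishable. The enclosing function begins before this hunk and the type of `logger` is not visible, so whether the interpolated `name` and `error` are redacted in the log output cannot be confirmed from here.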