From 2c38aaed6f3337f3ad7e02876dfca9d21f27a3c1 Mon Sep 17 00:00:00 2001 From: Max Goedjen Date: Sat, 6 Sep 2025 23:28:58 -0700 Subject: [PATCH 1/2] Move internet access policy to xpc (#676) --- .../InternetAccessPolicy.plist | 31 +++++++++++++++++++ .../SecretAgent/InternetAccessPolicy.plist | 17 +--------- Sources/Secretive.xcodeproj/project.pbxproj | 4 +++ Sources/Secretive/InternetAccessPolicy.plist | 17 +--------- 4 files changed, 37 insertions(+), 32 deletions(-) create mode 100644 Sources/ReleasesDownloader/InternetAccessPolicy.plist diff --git a/Sources/ReleasesDownloader/InternetAccessPolicy.plist b/Sources/ReleasesDownloader/InternetAccessPolicy.plist new file mode 100644 index 0000000..37307a7 --- /dev/null +++ b/Sources/ReleasesDownloader/InternetAccessPolicy.plist @@ -0,0 +1,31 @@ + + + + + ApplicationDescription + Secretive is an app for storing and managing SSH keys in the Secure Enclave + DeveloperName + Max Goedjen + Website + https://github.com/maxgoedjen/secretive + Connections + + + IsIncoming + + Host + api.github.com + NetworkProtocol + TCP + Port + 443 + Purpose + Secretive checks GitHub for new versions and security updates. + DenyConsequences + If you deny these connections, you will not be notified about new versions and critical security updates. + + + Services + + + diff --git a/Sources/SecretAgent/InternetAccessPolicy.plist b/Sources/SecretAgent/InternetAccessPolicy.plist index 5ef4c38..32b9e35 100644 --- a/Sources/SecretAgent/InternetAccessPolicy.plist +++ b/Sources/SecretAgent/InternetAccessPolicy.plist @@ -9,22 +9,7 @@ Website https://github.com/maxgoedjen/secretive Connections - - - IsIncoming - - Host - api.github.com - NetworkProtocol - TCP - Port - 443 - Purpose - Secretive checks GitHub for new versions and security updates. - DenyConsequences - If you deny these connections, you will not be notified about new versions and critical security updates. - - + Services 
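Review bot: Emptying `Connections` in the SecretAgent and Secretive policies (the two `@@ -9,22 +9,7 @@` hunks) documents that those processes make no connections, but it does not enforce that, and nothing in this patch shows their sandbox settings changing to match. An Internet Access Policy is a declaration read by firewall tooling; the restriction itself comes from the sandbox. It is worth confirming that the Secretive and SecretAgent targets no longer carry `com.apple.security.network.client` (or `ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES`), so that only ReleasesDownloader can reach `api.github.com`. The new `Sources/ReleasesDownloader/InternetAccessPolicy.plist` also keeps the app-level `ApplicationDescription`; wording that names the helper, e.g. `ReleasesDownloader is the Secretive helper that checks GitHub for new releases`, would tell a user reading a connection prompt which process is asking.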
diff --git a/Sources/Secretive.xcodeproj/project.pbxproj b/Sources/Secretive.xcodeproj/project.pbxproj index c9fce11..6dd2a77 100644 --- a/Sources/Secretive.xcodeproj/project.pbxproj +++ b/Sources/Secretive.xcodeproj/project.pbxproj @@ -51,6 +51,7 @@ 5066A6C82516FE6E004B5A36 /* CopyableView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5066A6C72516FE6E004B5A36 /* CopyableView.swift */; }; 506772C72424784600034DED /* Credits.rtf in Resources */ = {isa = PBXBuildFile; fileRef = 506772C62424784600034DED /* Credits.rtf */; }; 506772C92425BB8500034DED /* NoStoresView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 506772C82425BB8500034DED /* NoStoresView.swift */; }; + 50692BA62E6D5CC90043C7BB /* InternetAccessPolicy.plist in Resources */ = {isa = PBXBuildFile; fileRef = 50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */; }; 5079BA0F250F29BF00EA86F4 /* StoreListView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5079BA0E250F29BF00EA86F4 /* StoreListView.swift */; }; 508A58AA241E06B40069DC07 /* PreviewUpdater.swift in Sources */ = {isa = PBXBuildFile; fileRef = 508A58A9241E06B40069DC07 /* PreviewUpdater.swift */; }; 508A58B3241ED2180069DC07 /* AgentStatusChecker.swift in Sources */ = {isa = PBXBuildFile; fileRef = 508A58B2241ED2180069DC07 /* AgentStatusChecker.swift */; }; 
@@ -201,6 +202,7 @@ 5066A6C72516FE6E004B5A36 /* CopyableView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CopyableView.swift; sourceTree = ""; }; 506772C62424784600034DED /* Credits.rtf */ = {isa = PBXFileReference; lastKnownFileType = text.rtf; path = Credits.rtf; sourceTree = ""; }; 506772C82425BB8500034DED /* NoStoresView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NoStoresView.swift; sourceTree = ""; }; + 50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = InternetAccessPolicy.plist; sourceTree = ""; }; 5079BA0E250F29BF00EA86F4 /* StoreListView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = StoreListView.swift; sourceTree = ""; }; 508A58A9241E06B40069DC07 /* PreviewUpdater.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PreviewUpdater.swift; sourceTree = ""; }; 508A58AB241E121B0069DC07 /* Config.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = Config.xcconfig; sourceTree = ""; }; @@ -290,6 +292,7 @@ isa = PBXGroup; children = ( 501577D52E6BC5F3004A37D0 /* Info.plist */, + 50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */, 501577D62E6BC5F3004A37D0 /* main.swift */, ); path = ReleasesDownloader; @@ -628,6 +631,7 @@ isa = PBXResourcesBuildPhase; buildActionMask = 2147483647; files = ( + 50692BA62E6D5CC90043C7BB /* InternetAccessPolicy.plist in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; diff --git a/Sources/Secretive/InternetAccessPolicy.plist b/Sources/Secretive/InternetAccessPolicy.plist index 37307a7..e1602de 100644 --- a/Sources/Secretive/InternetAccessPolicy.plist +++ b/Sources/Secretive/InternetAccessPolicy.plist 
@@ -9,22 +9,7 @@ Website https://github.com/maxgoedjen/secretive Connections - - - IsIncoming - - Host - api.github.com - NetworkProtocol - TCP - Port - 443 - Purpose - Secretive checks GitHub for new versions and security updates. - DenyConsequences - If you deny these connections, you will not be notified about new versions and critical security updates. - - + Services From 7d21e3983cfbc73a2a42e287c1399b38e9da140a Mon Sep 17 00:00:00 2001 From: Max Goedjen Date: Sun, 7 Sep 2025 23:50:33 -0700 Subject: [PATCH 2/2] Set teams (#677) --- Sources/Secretive.xcodeproj/project.pbxproj | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/Sources/Secretive.xcodeproj/project.pbxproj b/Sources/Secretive.xcodeproj/project.pbxproj index 6dd2a77..32faa95 100644 --- a/Sources/Secretive.xcodeproj/project.pbxproj +++ b/Sources/Secretive.xcodeproj/project.pbxproj @@ -805,6 +805,7 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; + "CODE_SIGN_IDENTITY[sdk=macosx*]" = "-"; CODE_SIGN_STYLE = Automatic; COMBINE_HIDPI_IMAGES = YES; CURRENT_PROJECT_VERSION = 1; @@ -835,10 +836,11 @@ buildSettings = { CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; CODE_SIGN_IDENTITY = "Developer ID Application"; - CODE_SIGN_STYLE = Automatic; + CODE_SIGN_STYLE = Manual; COMBINE_HIDPI_IMAGES = YES; CURRENT_PROJECT_VERSION = 1; - DEVELOPMENT_TEAM = Z72PRUAWF6; + DEVELOPMENT_TEAM = ""; + "DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6; ENABLE_APP_SANDBOX = YES; ENABLE_HARDENED_RUNTIME = YES; GCC_C_LANGUAGE_STANDARD = gnu17; @@ -851,6 +853,7 @@ MARKETING_VERSION = 1.0; PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.AgentRequestParser; PRODUCT_NAME = "$(TARGET_NAME)"; + PROVISIONING_PROFILE_SPECIFIER = ""; REGISTER_APP_GROUPS = YES; SKIP_INSTALL = YES; STRING_CATALOG_GENERATE_SYMBOLS = YES; 
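Review bot: The manual signing settings added in the `@@ -835,10 +836,11 @@` hunk (`CODE_SIGN_STYLE = Manual`, `"DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6`, empty `PROVISIONING_PROFILE_SPECIFIER`) are repeated by hand for ReleasesDownloader in the `@@ -949,11 +952,12 @@` hunk, so the two service targets can drift apart on identity or team without any build error. With manual signing nothing re-checks the result, so a release step that runs `codesign --verify --deep --strict` on the built app and compares the `TeamIdentifier` of each embedded service bundle with the host's would catch a mismatch before it ships. The `@@ -805,6 +805,7 @@` hunk adds the ad-hoc identity `"-"` to a configuration whose name lies outside the hunk; presumably that is Debug, but if it is ever used for a distributed build the service would be ad-hoc signed.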
@@ -949,11 +952,12 @@ buildSettings = { CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; CODE_SIGN_IDENTITY = "Developer ID Application"; - "CODE_SIGN_IDENTITY[sdk=macosx*]" = "-"; - CODE_SIGN_STYLE = Automatic; + "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application"; + CODE_SIGN_STYLE = Manual; COMBINE_HIDPI_IMAGES = YES; CURRENT_PROJECT_VERSION = 1; - DEVELOPMENT_TEAM = Z72PRUAWF6; + DEVELOPMENT_TEAM = ""; + "DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6; ENABLE_APP_SANDBOX = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; @@ -976,6 +980,7 @@ MARKETING_VERSION = 1.0; PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.ReleasesDownloader; PRODUCT_NAME = "$(TARGET_NAME)"; + PROVISIONING_PROFILE_SPECIFIER = ""; REGISTER_APP_GROUPS = YES; SKIP_INSTALL = YES; STRING_CATALOG_GENERATE_SYMBOLS = YES;
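Review bot: After this change `"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application"` in the `@@ -949,11 +952,12 @@` hunk duplicates the unconditional `CODE_SIGN_IDENTITY` line directly above it. The previous `"-"` on that conditional key would have taken precedence for macOS builds, leaving the service that now holds the network access ad-hoc signed in this configuration. Keeping the key leaves that override point in place. Unless it is needed to mask a conditional value inherited from the project level (not visible here), deleting the conditional line leaves a single source for the identity. That would also match the AgentRequestParser configuration at `@@ -835,10 +836,11 @@`, which shows no conditional identity key.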