Merge

* [fix]: eliminate race condition in SocketController

* [refactor]: use sequence- rather than iterator-based iteration

* [fix]: remove now-superfluous await

---------

Co-authored-by: Max Goedjen <max.goedjen@gmail.com>

.github/workflows/codeql.yml

@@ -37,7 +37,7 @@ jobs:
         build-mode: ${{ matrix.build-mode }}
     - if: matrix.build-mode == 'manual'
       name: "Select Xcode"
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
     - if: matrix.build-mode == 'manual'
       name: "Build"
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO

.github/workflows/nightly.yml

@@ -3,7 +3,6 @@ name: Nightly
 on: 
   schedule: 
     - cron: "0 8 * * *"
-  workflow_dispatch:
   
 jobs:
   build:
@@ -12,6 +11,7 @@ jobs:
       id-token: write
       contents: write
       attestations: write
+      actions: read
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v5
@@ -25,7 +25,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
     - name: Update Build Number
       env:
         RUN_ID: ${{ github.run_id }}
@@ -33,23 +33,30 @@ jobs:
             DATE=$(date "+%Y-%m-%d")
             sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0_nightly-$DATE/g" Sources/Config/Config.xcconfig
             sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
     - name: Build
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Create ZIP
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v4
+      with:
+        name: Secretive
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
     - name: Notarize
       env: 
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
         APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
-    - name: Upload App to Artifacts
-      id: upload
-      uses: actions/upload-artifact@v4
-      with:
-        name: Secretive.zip
-        path: Secretive.zip
     - name: Attest
       id: attest
       uses: actions/attest-build-provenance@v2

.github/workflows/oneoff.yml

@@ -0,0 +1,64 @@
+name: One-Off Build
+
+on: 
+  workflow_dispatch:
+  
+jobs:
+  build:
+    runs-on: macos-26
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
+      actions: read
+    timeout-minutes: 10
+    steps:
+    - uses: actions/checkout@v5
+    - name: Setup Signing
+      env: 
+        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
+        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
+        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
+        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      run: ./.github/scripts/signing.sh
+    - name: Set Environment
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
+    - name: Update Build Number
+      env:
+        RUN_ID: ${{ github.run_id }}
+      run: |
+            DATE=$(date "+%Y-%m-%d")
+            sed -i '' -e "s/GITHUB_CI_VERSION/0.0.0_oneoff-$DATE/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
+            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
+    - name: Build
+      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
+    - name: Upload App to Artifacts
+      id: upload
+      uses: actions/upload-artifact@v4
+      with:
+        name: Secretive
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
+    - name: Notarize
+      env: 
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Attest
+      id: attest
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-name: "Secretive.zip"
+        subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}

.github/workflows/release.yml

@@ -22,7 +22,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
     - name: Test
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
       # SPM doesn't seem to pick up on the tests currently?
@@ -32,6 +32,7 @@ jobs:
       id-token: write
       contents: write
       attestations: write
+      actions: read
     runs-on: macos-26
     timeout-minutes: 10
     steps:
@@ -46,7 +47,7 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
       run: ./.github/scripts/signing.sh
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
     - name: Update Build Number
       env:
         TAG_NAME: ${{ github.ref }}
@@ -55,37 +56,43 @@ jobs:
             export CLEAN_TAG=$(echo $TAG_NAME | sed -e 's/refs\/tags\/v//')
             sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Sources/Config/Config.xcconfig
             sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
-            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
+            sed -i '' -e "s/GITHUB_BUILD_URL/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
     - name: Build
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
-    - name: Create ZIP
-      run: |
-            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
-    - name: Notarize
-      env: 
-        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
-        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
-      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
+    - name: Move to Artifact Folder
+      run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
     - name: Upload App to Artifacts
       id: upload
       uses: actions/upload-artifact@v4
       with:
         name: Secretive.zip
-        path: Secretive.zip
+        path: Artifact
+    - name: Download Zipped Artifact
+      id: download
+      env: 
+        ZIP_ID: ${{ steps.upload.outputs.artifact-id }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+            curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \
+            https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip
+    - name: Notarize
+      env: 
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
     - name: Attest
       id: attest
       uses: actions/attest-build-provenance@v2
       with:
-        subject-name: "Secretive.zip"
-        subject-digest: ${{ steps.upload.outputs.artifact-digest }}
+        subject-path: "Secretive.zip"
     - name: Create Release
-      run: |
-            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
-            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
-            gh release create $TAG_NAME -d -F .github/templates/release.md
-            gh release upload Secretive.zip
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         TAG_NAME: ${{ github.ref }}
         RUN_ID: ${{ github.run_id }}
         ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
+      run: |
+            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
+            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
+            gh release create $TAG_NAME -d -F .github/templates/release.md
+            gh release upload $TAG_NAME Secretive.zip

.github/workflows/test.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
     - uses: actions/checkout@v5
     - name: Set Environment
-      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
+      run: sudo xcrun xcode-select -s /Applications/Xcode_26.2.app
     - name: Test Main Packages
       run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
       # SPM doesn't seem to pick up on the tests currently?

README.md

@@ -1,11 +1,11 @@
 # Secretive [![Test](https://github.com/maxgoedjen/secretive/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/maxgoedjen/secretive/actions/workflows/test.yml) ![Release](https://github.com/maxgoedjen/secretive/workflows/Release/badge.svg)
 
 
-Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the [sekey project](https://github.com/sekey/sekey), but rewritten in Swift with no external dependencies and with a handy native management app.
-
+Secretive is an app for protecting and managing SSH keys with the Secure Enclave.
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="/.github/readme/app-dark.png">
-  <img src="/.github/readme/app-light.png" alt="Screenshot of Secretive" width="600">
+  <source media="(prefers-color-scheme: light)" srcset="/.github/readme/app-light.png">
+  <img src="/.github/readme/app-dark.png" alt="Screenshot of Secretive" width="600">
 </picture>
 
 
@@ -13,7 +13,7 @@ Secretive is an app for storing and managing SSH keys in the Secure Enclave. It
 
 ### Safer Storage
 
-The most common setup for SSH keys is just keeping them on disk, guarded by proper permissions. This is fine in most cases, but it's not super hard for malicious users or malware to copy your private key. If you store your keys in the Secure Enclave, it's impossible to export them, by design.
+The most common setup for SSH keys is just keeping them on disk, guarded by proper permissions. This is fine in most cases, but it's not super hard for malicious users or malware to copy your private key. If you protect your keys with the Secure Enclave, it's impossible to export them, by design.
 
 ### Access Control
 
@@ -53,7 +53,7 @@ Builds are produced by GitHub Actions with an auditable build and release genera
 
 ### A Note Around Code Signing and Keychains
 
-While Secretive uses the Secure Enclave for key storage, it still relies on Keychain APIs to access them. Keychain restricts reads of keys to the app (and specifically, the bundle ID) that created them. If you build Secretive from source, make sure you are consistent in which bundle ID you use so that the Keychain is able to locate your keys.
+While Secretive uses the Secure Enclave to protect keys, it still relies on Keychain APIs to store and access them. Keychain restricts reads of keys to the app (and specifically, the bundle ID) that created them. If you build Secretive from source, make sure you are consistent in which bundle ID you use so that the Keychain is able to locate your keys.
 
 ### Backups and Transfers to New Machines
 
@@ -62,3 +62,11 @@ Because secrets in the Secure Enclave are not exportable, they are not able to b
 ## Security
 
 Secretive's security policy is detailed in [SECURITY.md](SECURITY.md). To report security issues, please use [GitHub's private reporting feature.](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)
+
+## Acknowledgements
+
+### sekey
+Secretive was inspired by the [sekey project](https://github.com/sekey/sekey).
+
+### Localization
+Secretive is localized to many languages by a generous team of volunteers. To learn more, see [LOCALIZING.md](LOCALIZING.md). Secretive's localization workflow is generously provided by [Crowdin](https://crowdin.com).

Sources/Config/Config.xcconfig

@@ -1,2 +1,3 @@
 CI_VERSION = GITHUB_CI_VERSION
 CI_BUILD_NUMBER = GITHUB_BUILD_NUMBER
+CI_BUILD_LINK = GITHUB_BUILD_URL

Sources/Packages/Package.swift

@@ -19,15 +19,24 @@ let package = Package(
         .library(
             name: "SmartCardSecretKit",
             targets: ["SmartCardSecretKit"]),
+        .library(
+            name: "CertificateKit",
+            targets: ["CertificateKit"]),
         .library(
             name: "SecretAgentKit",
-            targets: ["SecretAgentKit", "XPCWrappers"]),
+            targets: ["SecretAgentKit"]),
+        .library(
+            name: "Common",
+            targets: ["Common"]),
         .library(
             name: "Brief",
             targets: ["Brief"]),
         .library(
             name: "XPCWrappers",
             targets: ["XPCWrappers"]),
+        .library(
+            name: "SSHProtocolKit",
+            targets: ["SSHProtocolKit"]),
     ],
     dependencies: [
     ],
@@ -55,9 +64,15 @@ let package = Package(
             resources: [localization],
             swiftSettings: swiftSettings,
         ),
+        .target(
+            name: "CertificateKit",
+            dependencies: ["SecretKit", "SSHProtocolKit"],
+            resources: [localization],
+//            swiftSettings: swiftSettings,
+        ),
         .target(
             name: "SecretAgentKit",
-            dependencies: ["SecretKit"],
+            dependencies: ["SecretKit", "SSHProtocolKit", "CertificateKit"],
             resources: [localization],
             swiftSettings: swiftSettings,
         ),
@@ -65,9 +80,25 @@ let package = Package(
             name: "SecretAgentKitTests",
             dependencies: ["SecretAgentKit"],
         ),
+        .target(
+            name: "SSHProtocolKit",
+            dependencies: ["SecretKit"],
+            resources: [localization],
+//            swiftSettings: swiftSettings,
+        ),
+        .testTarget(
+            name: "SSHProtocolKitTests",
+            dependencies: ["SSHProtocolKit"],
+        ),
+        .target(
+            name: "Common",
+            dependencies: [],
+            resources: [localization],
+            swiftSettings: swiftSettings,
+        ),
         .target(
             name: "Brief",
-            dependencies: ["XPCWrappers"],
+            dependencies: ["XPCWrappers", "SSHProtocolKit"],
             resources: [localization],
             swiftSettings: swiftSettings,
         ),

Sources/Packages/Sources/Brief/Release.swift

@@ -1,7 +1,8 @@
 import Foundation
+import SwiftUI
 
 /// A release is a representation of a downloadable update.
-public struct Release: Codable, Sendable {
+public struct Release: Codable, Sendable, Hashable {
 
     /// The user-facing name of the release. Typically "Secretive 1.2.3"
     public let name: String
@@ -15,6 +16,8 @@ public struct Release: Codable, Sendable {
     /// A user-facing description of the contents of the update.
     public let body: String
 
+    public let attributedBody: AttributedString
+
     /// Initializes a Release.
     /// - Parameters:
     ///   - name: The user-facing name of the release.
@@ -26,6 +29,56 @@ public struct Release: Codable, Sendable {
         self.prerelease = prerelease
         self.html_url = html_url
         self.body = body
+        self.attributedBody = AttributedString(_markdown: body)
+    }
+
+    public init(_ release: GitHubRelease) {
+        self.name = release.name
+        self.prerelease = release.prerelease
+        self.html_url = release.html_url
+        self.body = release.body
+        self.attributedBody = AttributedString(_markdown: release.body)
+    }
+
+}
+
+public struct GitHubRelease: Codable, Sendable {
+    let name: String
+    let prerelease: Bool
+    let html_url: URL
+    let body: String
+}
+
+fileprivate extension AttributedString {
+
+    init(_markdown markdown: String) {
+        let split = markdown.split(whereSeparator: \.isNewline)
+        let lines = split
+            .compactMap {
+                try? AttributedString(markdown: String($0), options: .init(allowsExtendedAttributes: true, interpretedSyntax: .full))
+            }
+            .map { (string: AttributedString) in
+                guard case let .header(level) = string.runs.first?.presentationIntent?.components.first?.kind else { return string }
+                return AttributedString("\n") + string
+                    .transformingAttributes(\.font) { font in
+                        font.value = switch level {
+                        case 2: .headline.bold()
+                        case 3: .headline
+                        default: .subheadline
+                        }
+                    }
+                    .transformingAttributes(\.underlineStyle) { underline in
+                        underline.value = switch level {
+                        case 2: .single
+                        default: .none
+                        }
+                    }
+                + AttributedString("\n")
+            }
+        self = lines.reduce(into: AttributedString()) { partialResult, next in
+            partialResult.append(next)
+            partialResult.append(AttributedString("\n"))
+        }
     }
 
 }

Sources/Packages/Sources/Brief/Updater.swift

@@ -75,14 +75,14 @@ extension Updater {
                 .reversed()
                 .filter({ !$0.prerelease })
                 .first(where: { $0.minimumOSVersion <= osVersion }) else { return }
-        guard !userIgnored(release: release) else { return }
-        guard !release.prerelease else { return }
-        let latestVersion = SemVer(release.name)
-        if latestVersion > currentVersion {
+//        guard !userIgnored(release: release) else { return }
+//        guard !release.prerelease else { return }
+//        let latestVersion = SemVer(release.name)
+//        if latestVersion > currentVersion {
             await MainActor.run {
                 state.update = release
             }
-        }
+//        }
     }
 
     /// Checks whether the user has ignored a release.

Sources/Packages/Sources/CertificateKit/Certificate.swift

@@ -0,0 +1,15 @@
+import Foundation
+//import SecretKit
+
+//extension SecureEnclave {
+
+public struct Certificate: Sendable, Codable, Equatable, Hashable, Identifiable {
+
+    public var id: Int { hashValue }
+    public var type: String
+    public let name: String?
+    public let data: Data
+
+}
+
+//}

Sources/Packages/Sources/CertificateKit/CertificateMigrator.swift

@@ -0,0 +1,91 @@
+import Foundation
+import Security
+import CryptoTokenKit
+import CryptoKit
+import os
+import SSHProtocolKit
+
+public struct CertificateKitMigrator {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.migration", category: "CertificateKitMigrator")
+    let directory: URL
+
+    /// Initializes a PublicKeyFileStoreController.
+    public init(homeDirectory: URL) {
+        directory = homeDirectory.appending(component: "PublicKeys")
+    }
+
+    @MainActor public func migrate() throws {
+        let fileCerts = try FileManager.default
+            .contentsOfDirectory(atPath: directory.path())
+            .filter { $0.hasSuffix("-cert.pub") }
+        Task {
+            for path in fileCerts {
+                let url = directory.appending(component: path)
+                let data = try! Data(contentsOf: url)
+//                let parser = try! await XPCCertificateParser()
+                let parser = OpenSSHCertificateParser()
+                let cert = try! await parser.parse(data: data)
+                print(cert)
+//                let secret = storeList.allSecrets.first { secret in
+//                    secret.name == cert.name
+//                }
+//                guard let secret = secret ?? storeList.allSecrets.first else { return }
+//                print(cert.data.formatted(.hex()))
+//                certificateStore.saveCertificate(cert.data, for: secret)
+                print(cert)
+            }
+
+        }
+
+//        let privateAttributes = KeychainDictionary([
+//            kSecClass: kSecClassKey,
+//            kSecAttrKeyType: Constants.oldKeyType,
+//            kSecAttrApplicationTag: SecureEnclave.Store.Constants.keyTag,
+//            kSecAttrKeyClass: kSecAttrKeyClassPrivate,
+//            kSecReturnRef: true,
+//            kSecMatchLimit: kSecMatchLimitAll,
+//            kSecReturnAttributes: true
+//        ])
+//        var privateUntyped: CFTypeRef?
+//        unsafe SecItemCopyMatching(privateAttributes, &privateUntyped)
+//        guard let privateTyped = privateUntyped as? [[CFString: Any]] else { return }
+//        let migratedPublicKeys = Set(store.secrets.map(\.publicKey))
+//        var migratedAny = false
+//        for key in privateTyped {
+//            let name = key[kSecAttrLabel] as? String ?? String(localized: .unnamedSecret)
+//            let id = key[kSecAttrApplicationLabel] as! Data
+//            guard !id.contains(Constants.migrationMagicNumber) else {
+//                logger.log("Skipping \(name), already migrated.")
+//                continue
+//            }
+//            let ref = key[kSecValueRef] as! SecKey
+//            let attributes = SecKeyCopyAttributes(ref) as! [CFString: Any]
+//            let tokenObjectID = unsafe attributes[Constants.tokenObjectID] as! Data
+//            let accessControl = attributes[kSecAttrAccessControl] as! SecAccessControl
+//            // Best guess.
+//            let auth: AuthenticationRequirement = String(describing: accessControl)
+//                .contains("DeviceOwnerAuthentication") ? .presenceRequired : .unknown
+//            do {
+//                let parsed = try CryptoKit.SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: tokenObjectID)
+//                let secret = Secret(id: UUID().uuidString, name: name, publicKey: parsed.publicKey.x963Representation, attributes: Attributes(keyType: .init(algorithm: .ecdsa, size: 256), authentication: auth))
+//                guard !migratedPublicKeys.contains(parsed.publicKey.x963Representation) else {
+//                    logger.log("Skipping \(name), public key already present. Marking as migrated.")
+//                    markMigrated(secret: secret, oldID: id)
+//                    continue
+//                }
+//                logger.log("Migrating \(name).")
+//                try store.saveKey(tokenObjectID, name: name, attributes: secret.attributes)
+//                logger.log("Migrated \(name).")
+//                markMigrated(secret: secret, oldID: id)
+//                migratedAny = true
+//            } catch {
+//                logger.error("Failed to migrate \(name): \(error.localizedDescription).")
+//            }
+//        }
+//        if migratedAny {
+//            store.reloadSecrets()
+//        }
+    }
+
+}

Sources/Packages/Sources/CertificateKit/CertificateStore.swift

@@ -0,0 +1,134 @@
+import Foundation
+import Observation
+import Security
+import os
+import SecretKit
+
+@Observable public final class CertificateStore {
+
+    @MainActor private var certificates: [Certificate] = []
+
+    /// Initializes a Store.
+    @MainActor public init() {
+        loadCertificates()
+        Task {
+//            for await note in DistributedNotificationCenter.default().notifications(named: .certificateStoreUpdated) {
+//                guard Constants.notificationToken != (note.object as? String) else {
+//                    // Don't reload if we're the ones triggering this by reloading.
+//                    continue
+//                }
+//                loadCertificates()
+//            }
+        }
+    }
+
+    @MainActor public func reloadCertificates() {
+        let before = certificates
+        certificates.removeAll()
+        loadCertificates()
+        if certificates != before {
+//            NotificationCenter.default.post(name: .certificateStoreReloaded, object: self)
+//            DistributedNotificationCenter.default().postNotificationName(.certificateStoreUpdated, object: Constants.notificationToken, deliverImmediately: true)
+        }
+    }
+
+    @MainActor public func saveCertificate(_ data: Data, for secret: any Secret) {
+        let certificate = SecCertificateCreateWithData(nil, data as CFData)
+        print(certificate as Any)
+    }
+
+    @MainActor public func certificates(for secret: any Secret) -> [Certificate] {
+        []
+    }
+
+
+}
+
+extension CertificateStore {
+
+    /// Loads all certificates from the store.
+    @MainActor private func loadCertificates() {
+//        let queryAttributes = KeychainDictionary([
+//            kSecClass: Constants.keyClass,
+//            kSecAttrService: Constants.keyTag,
+//            kSecUseDataProtectionKeychain: true,
+//            kSecReturnData: true,
+//            kSecMatchLimit: kSecMatchLimitAll,
+//            kSecReturnAttributes: true
+//            ])
+//        var untyped: CFTypeRef?
+//        unsafe SecItemCopyMatching(queryAttributes, &untyped)
+//        guard let typed = untyped as? [[CFString: Any]] else { return }
+//        let wrapped: [SecureEnclave.Certificates] = typed.compactMap {
+//            do {
+//                let name = $0[kSecAttrLabel] as? String ?? String(localized: "unnamed_certificate")
+//                guard let attributesData = $0[kSecAttrGeneric] as? Data,
+//                let id = $0[kSecAttrAccount] as? String else {
+//                    throw MissingAttributesError()
+//                }
+//                let attributes = try JSONDecoder().decode(Attributes.self, from: attributesData)
+//                let keyData = $0[kSecValueData] as! Data
+//                let publicKey: Data
+//                switch attributes.keyType {
+//                case .ecdsa256:
+//                    let key = try CryptoKit.SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: keyData)
+//                    publicKey = key.publicKey.x963Representation
+//                case .mldsa65:
+//                    guard #available(macOS 26.0, *)  else { throw UnsupportedAlgorithmError() }
+//                    let key = try CryptoKit.SecureEnclave.MLDSA65.PrivateKey(dataRepresentation: keyData)
+//                    publicKey = key.publicKey.rawRepresentation
+//                case .mldsa87:
+//                    guard #available(macOS 26.0, *)  else { throw UnsupportedAlgorithmError() }
+//                    let key = try CryptoKit.SecureEnclave.MLDSA87.PrivateKey(dataRepresentation: keyData)
+//                    publicKey = key.publicKey.rawRepresentation
+//                default:
+//                    throw UnsupportedAlgorithmError()
+//                }
+//                return SecureEnclave.Certificates(id: id, name: name, publicKey: publicKey, attributes: attributes)
+//            } catch {
+//                return nil
+//            }
+//        }
+//        certificates.append(contentsOf: wrapped)
+    }
+
+    /// Saves a public key.
+    /// - Parameters:
+    ///   - key: The data representation key to save.
+    ///   - name: A user-facing name for the key.
+    ///   - attributes: Attributes of the key.
+    /// - Note: Despite the name, the "Data" of the key is _not_ actual key material. This is an opaque data representation that the SEP can manipulate.
+//    @discardableResult
+//    func saveKey(_ key: Data, name: String, attributes: Attributes) throws -> String {
+//        let attributes = try JSONEncoder().encode(attributes)
+//        let id = UUID().uuidString
+//        let keychainAttributes = KeychainDictionary([
+//            kSecClass: Constants.keyClass,
+//            kSecAttrService: Constants.keyTag,
+//            kSecUseDataProtectionKeychain: true,
+//            kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+//            kSecAttrAccount: id,
+//            kSecValueData: key,
+//            kSecAttrLabel: name,
+//            kSecAttrGeneric: attributes
+//        ])
+//        let status = SecItemAdd(keychainAttributes, nil)
+//        if status != errSecSuccess {
+//            throw KeychainError(statusCode: status)
+//        }
+//        return id
+//    }
+    
+}
+
+extension CertificateStore {
+
+    enum Constants {
+        static let keyClass = kSecClassCertificate as String
+        static let keyTag = Data("com.maxgoedjen.certificateive.certificate".utf8)
+        static let notificationToken = UUID().uuidString
+    }
+    
+    struct UnsupportedAlgorithmError: Error {}
+
+}

Sources/Packages/Sources/Common/URLs.swift

@@ -2,19 +2,23 @@ import Foundation
 
 extension URL {
 
-    static var agentHomeURL: URL {
+    public static var agentHomeURL: URL {
         URL(fileURLWithPath: URL.homeDirectory.path().replacingOccurrences(of: Bundle.hostBundleID, with: Bundle.agentBundleID))
     }
 
-    static var socketPath: String {
+    public static var socketPath: String {
+        #if DEBUG
+        URL.agentHomeURL.appendingPathComponent("socket-debug.ssh").path()
+        #else
         URL.agentHomeURL.appendingPathComponent("socket.ssh").path()
+        #endif
     }
 
 }
 
 extension String {
 
-    var normalizedPathAndFolder: (String, String) {
+    public var normalizedPathAndFolder: (String, String) {
         // All foundation-based normalization methods replace this with the container directly.
         let processedPath = replacingOccurrences(of: "~", with: "/Users/\(NSUserName())")
         let url = URL(filePath: processedPath)

Sources/Packages/Sources/SSHProtocolKit/Data+Hex.swift

@@ -0,0 +1,37 @@
+import Foundation
+import CryptoKit
+
+public struct HexDataStyle<SequenceType: Sequence>: Hashable, Codable {
+
+    let separator: String
+
+    public init(separator: String) {
+        self.separator = separator
+    }
+
+}
+
+extension HexDataStyle: FormatStyle where SequenceType.Element == UInt8 {
+
+    public func format(_ value: SequenceType) -> String {
+        value
+            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
+            .joined(separator: separator)
+    }
+
+}
+
+extension FormatStyle where Self == HexDataStyle<Data> {
+
+    public static func hex(separator: String = "") -> HexDataStyle<Data> {
+        HexDataStyle(separator: separator)
+    }
+
+}
+extension FormatStyle where Self == HexDataStyle<Insecure.MD5Digest> {
+
+    public static func hex(separator: String = ":") -> HexDataStyle<Insecure.MD5Digest> {
+        HexDataStyle(separator: separator)
+    }
+
+}

Sources/Packages/Sources/SSHProtocolKit/OpenSSHCertificate.swift

@@ -0,0 +1,102 @@
+import Foundation
+import OSLog
+import CryptoKit
+
+public struct OpenSSHCertificate: Sendable, Codable, Equatable, Hashable, Identifiable, CustomDebugStringConvertible {
+
+    public var id: Int { hashValue }
+    public var type: CertificateType
+    public let name: String?
+    public let data: Data
+
+    public var publicKey: Data
+    public var principals: [String]
+    public var keyID: String
+    public var serial: UInt64
+    public var validityRange: Range<Date>?
+
+    public var debugDescription: String {
+        "OpenSSH Certificate \(name, default: "Unnamed"): \(data.formatted(.hex()))"
+    }
+
+}
+
+extension OpenSSHCertificate {
+
+    public enum CertificateType: String, Sendable, Codable {
+        case ecdsa256 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+        case ecdsa384 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+        case nistp521 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+
+        var keyIdentifier: String {
+            rawValue.replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
+        }
+    }
+
+}
+
+public protocol OpenSSHCertificateParserProtocol {
+    func parse(data: Data) async throws -> OpenSSHCertificate
+}
+
+public struct OpenSSHCertificateParser: OpenSSHCertificateParserProtocol, Sendable {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "OpenSSHCertificateParser")
+
+    public init() {
+    }
+
+    public func parse(data: Data) throws(OpenSSHCertificateError) -> OpenSSHCertificate {
+        let string = String(decoding: data, as: UTF8.self)
+        var elements = string
+            .trimmingCharacters(in: .whitespacesAndNewlines)
+            .components(separatedBy: " ")
+        guard elements.count >= 2 else {
+            throw OpenSSHCertificateError.parsingFailed
+        }
+        let typeString = elements.removeFirst()
+        guard let type = OpenSSHCertificate.CertificateType(rawValue: typeString) else { throw .unsupportedType }
+        let encodedKey = elements.removeFirst()
+        guard let decoded = Data(base64Encoded: encodedKey)  else {
+            throw OpenSSHCertificateError.parsingFailed
+        }
+        let name = elements.first
+        do {
+            let dataParser = OpenSSHReader(data: decoded)
+            _ = try dataParser.readNextChunkAsString() // Redundant key type
+            _ = try dataParser.readNextChunk() // Nonce
+            _ = try dataParser.readNextChunkAsString() // curve
+            let publicKey = try dataParser.readNextChunk()
+            let serialNumber = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
+            let role = try dataParser.readNextBytes(as: UInt32.self, convertEndianness: true)
+            let keyIdentifier = try dataParser.readNextChunkAsString()
+            let principalsReader = try dataParser.readNextChunkAsSubReader()
+            var principals: [String] = []
+            while !principalsReader.done {
+                try principals.append(principalsReader.readNextChunkAsString())
+            }
+            let validAfter = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
+            let validBefore = try dataParser.readNextBytes(as: UInt64.self, convertEndianness: true)
+            let validityRange = Date(timeIntervalSince1970: TimeInterval(validAfter))..<Date(timeIntervalSince1970: TimeInterval(validBefore))
+
+            return OpenSSHCertificate(
+                type: type,
+                name: name,
+                data: data,
+                publicKey: publicKey,
+                principals: principals,
+                keyID: keyIdentifier,
+                serial: serialNumber,
+                validityRange: validityRange
+            )
+        } catch {
+            throw .parsingFailed
+        }
+    }
+
+}
+
+public enum OpenSSHCertificateError: Error, Codable {
+    case unsupportedType
+    case parsingFailed
+}

Sources/Packages/Sources/SSHProtocolKit/OpenSSHPublicKeyWriter.swift

@@ -1,5 +1,6 @@
 import Foundation
 import CryptoKit
+import SecretKit
 
 /// Generates OpenSSH representations of the public key sof secrets.
 public struct OpenSSHPublicKeyWriter: Sendable {
@@ -49,9 +50,7 @@ public struct OpenSSHPublicKeyWriter: Sendable {
     /// Generates an OpenSSH MD5 fingerprint string.
     /// - Returns: OpenSSH MD5 fingerprint string.
     public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
-        Insecure.MD5.hash(data: data(secret: secret))
-            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
-            .joined(separator: ":")
+        Insecure.MD5.hash(data: data(secret: secret)).formatted(.hex(separator: ":"))
     }
 
     public func comment<SecretType: Secret>(secret: SecretType) -> String {

Sources/Packages/Sources/SSHProtocolKit/OpenSSHReader.swift

@@ -4,6 +4,7 @@ import Foundation
 final class OpenSSHReader {
 
     var remaining: Data
+    var done = false
 
     /// Initialize the reader with an OpenSSH data payload.
     /// - Parameter data: The data to read.
@@ -14,22 +15,28 @@ final class OpenSSHReader {
     /// Reads the next chunk of data from the playload.
     /// - Returns: The next chunk of data.
     func readNextChunk(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> Data {
-        let littleEndianLength = try readNextBytes(as: UInt32.self)
-        let length = convertEndianness ? Int(littleEndianLength.bigEndian) : Int(littleEndianLength)
+        let length = try readNextBytes(as: UInt32.self, convertEndianness: convertEndianness)
         guard remaining.count >= length else { throw .beyondBounds }
-        let dataRange = 0..<length
+        let dataRange = 0..<Int(length)
         let ret = Data(remaining[dataRange])
         remaining.removeSubrange(dataRange)
+        if remaining.isEmpty {
+            done = true
+        }
         return ret
     }
 
-    func readNextBytes<T>(as: T.Type) throws(OpenSSHReaderError) -> T {
+    func readNextBytes<T: FixedWidthInteger>(as: T.Type, convertEndianness: Bool = true) throws(OpenSSHReaderError) -> T {
         let size = MemoryLayout<T>.size
         guard remaining.count >= size else { throw .beyondBounds }
         let lengthRange = 0..<size
         let lengthChunk = remaining[lengthRange]
         remaining.removeSubrange(lengthRange)
-        return unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
+        if remaining.isEmpty {
+            done = true
+        }
+        let value = unsafe lengthChunk.bytes.unsafeLoad(as: T.self)
+        return convertEndianness ? T(value.bigEndian) : T(value)
     }
 
     func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {

Sources/Packages/Sources/SSHProtocolKit/OpenSSHSignatureWriter.swift

@@ -1,5 +1,6 @@
 import Foundation
 import CryptoKit
+import SecretKit
 
 /// Generates OpenSSH representations of Secrets.
 public struct OpenSSHSignatureWriter: Sendable {

Sources/Packages/Sources/SSHProtocolKit/PublicKeyStandinFileController.swift

@@ -1,5 +1,6 @@
 import Foundation
 import OSLog
+import SecretKit
 
 /// Controller responsible for writing public keys to disk, so that they're easily accessible by scripts.
 public final class PublicKeyFileStoreController: Sendable {
@@ -19,9 +20,10 @@ public final class PublicKeyFileStoreController: Sendable {
     public func generatePublicKeys(for secrets: [AnySecret], clear: Bool = false) throws {
         logger.log("Writing public keys to disk")
         if clear {
-            let validPaths = Set(secrets.map { publicKeyPath(for: $0) }).union(Set(secrets.map { sshCertificatePath(for: $0) }))
+            let validPaths = Set(secrets.map { publicKeyPath(for: $0) })
+                .union(Set(secrets.map { sshCertificatePath(for: $0) }))
             let contentsOfDirectory = (try? FileManager.default.contentsOfDirectory(atPath: directory.path())) ?? []
-            let fullPathContents = contentsOfDirectory.map { "\(directory)/\($0)" }
+            let fullPathContents = contentsOfDirectory.map { directory.appending(path: $0).path() }
 
             let untracked = Set(fullPathContents)
                 .subtracting(validPaths)

Sources/Packages/Sources/SSHProtocolKit/SSHAgentInputParser.swift

@@ -74,21 +74,16 @@ extension SSHAgentInputParser {
     func certificatePublicKeyBlob(from hash: Data) -> Data? {
         let reader = OpenSSHReader(data: hash)
         do {
-            let certType = String(decoding: try reader.readNextChunk(), as: UTF8.self)
-            switch certType {
-            case "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-                "ecdsa-sha2-nistp384-cert-v01@openssh.com",
-                "ecdsa-sha2-nistp521-cert-v01@openssh.com":
-                _ = try reader.readNextChunk() // nonce
-                let curveIdentifier = try reader.readNextChunk()
-                let publicKey = try reader.readNextChunk()
-                let openSSHIdentifier = certType.replacingOccurrences(of: "-cert-v01@openssh.com", with: "")
-                return openSSHIdentifier.lengthAndData +
-                curveIdentifier.lengthAndData +
+            let certType = try reader.readNextChunkAsString()
+            guard let certType = OpenSSHCertificate.CertificateType(rawValue: certType) else { return nil }
+            _ = try reader.readNextChunk() // nonce
+            let curveIdentifier = try reader.readNextChunk()
+            let publicKey = try reader.readNextChunk()
+            let openSSHIdentifier = certType.keyIdentifier
+            return openSSHIdentifier.lengthAndData +
+            curveIdentifier.lengthAndData +
                 publicKey.lengthAndData
-            default:
-                return nil
-            }
+            
         } catch {
             return nil
         }

Sources/Packages/Sources/SecretAgentKit/Agent.swift

@@ -3,6 +3,7 @@ import CryptoKit
 import OSLog
 import SecretKit
 import AppKit
+import SSHProtocolKit
 
 /// The `Agent` is an implementation of an SSH agent. It manages coordination and access between a socket, traces requests, notifies witnesses and passes requests to stores.
 public final class Agent: Sendable {
@@ -11,7 +12,7 @@ public final class Agent: Sendable {
     private let witness: SigningWitness?
     private let publicKeyWriter = OpenSSHPublicKeyWriter()
     private let signatureWriter = OpenSSHSignatureWriter()
-    private let certificateHandler = OpenSSHCertificateHandler()
+//    private let certificateHandler = OpenSSHCertificateHandler()
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
 
     /// Initializes an agent with a store list and a witness.
@@ -23,7 +24,7 @@ public final class Agent: Sendable {
         self.storeList = storeList
         self.witness = witness
         Task { @MainActor in
-            await certificateHandler.reloadCertificates(for: storeList.allSecrets)
+//            await certificateHandler.reloadCertificates(for: storeList.allSecrets)
         }
     }
     
@@ -47,6 +48,7 @@ extension Agent {
                 logger.debug("Agent returned \(SSHAgent.Response.agentSignResponse.debugDescription)")
             case .unknown(let value):
                 logger.error("Agent received unknown request of type \(value).")
+                throw UnhandledRequestError()
             default:
                 logger.debug("Agent received valid request of type \(request.debugDescription), but not currently supported.")
                 throw UnhandledRequestError()
@@ -66,7 +68,7 @@ extension Agent {
     /// - Returns: An OpenSSH formatted Data payload listing the identities available for signing operations.
     func identities() async -> Data {
         let secrets = await storeList.allSecrets
-        await certificateHandler.reloadCertificates(for: secrets)
+//        await certificateHandler.reloadCertificates(for: secrets)
         var count = 0
         var keyData = Data()
 
@@ -75,12 +77,12 @@ extension Agent {
             keyData.append(keyBlob.lengthAndData)
             keyData.append(publicKeyWriter.comment(secret: secret).lengthAndData)
             count += 1
-
-            if let (certificateData, name) = try? await certificateHandler.keyBlobAndName(for: secret) {
-                keyData.append(certificateData.lengthAndData)
-                keyData.append(name.lengthAndData)
-                count += 1
-            }
+            
+//            if let (certificateData, name) = try? await certificateHandler.keyBlobAndName(for: secret) {
+//                keyData.append(certificateData.lengthAndData)
+//                keyData.append(name.lengthAndData)
+//                count += 1
+//            }
         }
         logger.log("Agent enumerated \(count) identities")
         var countBigEndian = UInt32(count).bigEndian
@@ -95,7 +97,7 @@ extension Agent {
     /// - Returns: An OpenSSH formatted Data payload containing the signed data response.
     func sign(data: Data, keyBlob: Data, provenance: SigningRequestProvenance) async throws -> Data {
         guard let (secret, store) = await secret(matching: keyBlob) else {
-            let keyBlobHex = keyBlob.compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }.joined()
+            let keyBlobHex = keyBlob.formatted(.hex())
             logger.debug("Agent did not have a key matching \(keyBlobHex)")
             throw NoMatchingKeyError()
         }

Sources/Packages/Sources/SecretAgentKit/OpenSSHCertificateHandler.swift

@@ -1,6 +1,7 @@
 import Foundation
 import OSLog
 import SecretKit
+import SSHProtocolKit
 
 /// Manages storage and lookup for OpenSSH certificates.
 public actor OpenSSHCertificateHandler: Sendable {
@@ -21,9 +22,6 @@ public actor OpenSSHCertificateHandler: Sendable {
             logger.log("No certificates, short circuiting")
             return
         }
-        keyBlobsAndNames = secrets.reduce(into: [:]) { partialResult, next in
-            partialResult[next] = try? loadKeyblobAndName(for: next)
-        }
     }
 
     /// Attempts to find an OpenSSH Certificate  that corresponds to a ``Secret``
@@ -32,57 +30,6 @@ public actor OpenSSHCertificateHandler: Sendable {
     public func keyBlobAndName<SecretType: Secret>(for secret: SecretType) throws -> (Data, Data)? {
         keyBlobsAndNames[AnySecret(secret)]
     }
-    
-    /// Attempts to find an OpenSSH Certificate  that corresponds to a ``Secret``
-    /// - Parameter secret: The secret to search for a certificate with
-    /// - Returns: A (``Data``, ``Data``) tuple containing the certificate and certificate name, respectively.
-    private func loadKeyblobAndName<SecretType: Secret>(for secret: SecretType) throws -> (Data, Data)? {
-        let certificatePath = publicKeyFileStoreController.sshCertificatePath(for: secret)
-        guard FileManager.default.fileExists(atPath: certificatePath) else {
-            return nil
-        }
-
-        logger.debug("Found certificate for \(secret.name)")
-        let certContent = try String(contentsOfFile:certificatePath, encoding: .utf8)
-        let certElements = certContent.trimmingCharacters(in: .whitespacesAndNewlines).components(separatedBy: " ")
-
-        guard certElements.count >= 2 else {
-            logger.warning("Certificate found for \(secret.name) but failed to load")
-            throw OpenSSHCertificateError.parsingFailed
-        }
-        guard let certDecoded = Data(base64Encoded: certElements[1] as String)  else {
-            logger.warning("Certificate found for \(secret.name) but failed to decode base64 key")
-            throw OpenSSHCertificateError.parsingFailed
-        }
-
-        if certElements.count >= 3 {
-            let certName = Data(certElements[2].utf8)
-            return (certDecoded, certName)
-        }
-        let certName = Data(secret.name.utf8)
-        logger.info("Certificate for \(secret.name) does not have a name tag, using secret name instead")
-        return (certDecoded, certName)
-    }
 
 }
 
-extension OpenSSHCertificateHandler {
-
-    enum OpenSSHCertificateError: LocalizedError {
-        case unsupportedType
-        case parsingFailed
-        case doesNotExist
-
-        public var errorDescription: String? {
-            switch self {
-            case .unsupportedType:
-                return "The key type was unsupported"
-            case .parsingFailed:
-                return "Failed to properly parse the SSH certificate"
-            case .doesNotExist:
-                return "Certificate does not exist"
-            }
-        }
-    }
-
-}

Sources/Packages/Sources/SecretAgentKit/SigningRequestTracer.swift

@@ -36,7 +36,7 @@ extension SigningRequestTracer {
     /// - Parameter pid: The process ID to look up.
     /// - Returns: A ``SecretKit.SigningRequestProvenance.Process`` describing the process.
     func process(from pid: Int32) -> SigningRequestProvenance.Process {
-        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
+        var pidAndNameInfo = unsafe self.pidAndNameInfo(from: pid)
         let ppid = unsafe pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
         let procName = unsafe withUnsafeMutablePointer(to: &pidAndNameInfo.kp_proc.p_comm.0) { pointer in
             unsafe String(cString: pointer)

Sources/Packages/Sources/SecretAgentKit/SocketController.swift

@@ -36,16 +36,21 @@ public struct SocketController {
         logger.debug("Socket controller path is clear")
         port = SocketPort(path: path)
         fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
-        Task { [fileHandle, sessionsContinuation, logger] in
-            for await notification in NotificationCenter.default.notifications(named: .NSFileHandleConnectionAccepted) {
+        Task { @MainActor [fileHandle, sessionsContinuation, logger] in
+            // Create the sequence before triggering the notification to
+            // ensure it will not be missed.
+            let connectionAcceptedNotifications = NotificationCenter.default.notifications(named: .NSFileHandleConnectionAccepted)
+
+            fileHandle.acceptConnectionInBackgroundAndNotify()
+
+            for await notification in connectionAcceptedNotifications {
                 logger.debug("Socket controller accepted connection")
                 guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { continue }
                 let session = Session(fileHandle: new)
                 sessionsContinuation.yield(session)
-                await fileHandle.acceptConnectionInBackgroundAndNotifyOnMainActor()
+                fileHandle.acceptConnectionInBackgroundAndNotify()
             }
         }
-        fileHandle.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.Mode.common])
         logger.debug("Socket listening at \(path)")
     }
 
@@ -77,8 +82,14 @@ extension SocketController {
             self.fileHandle = fileHandle
             provenance = SigningRequestTracer().provenance(from: fileHandle)
             (messages, messagesContinuation) = AsyncStream.makeStream()
-            Task { [messagesContinuation, logger] in
-                for await _ in NotificationCenter.default.notifications(named: .NSFileHandleDataAvailable, object: fileHandle) {
+            Task { @MainActor [messagesContinuation, logger] in
+                // Create the sequence before triggering the notification to
+                // ensure it will not be missed.
+                let dataAvailableNotifications = NotificationCenter.default.notifications(named: .NSFileHandleDataAvailable, object: fileHandle)
+
+                fileHandle.waitForDataInBackgroundAndNotify()
+
+                for await _ in dataAvailableNotifications {
                     let data = fileHandle.availableData
                     guard !data.isEmpty else {
                         logger.debug("Socket controller received empty data, ending continuation.")
@@ -90,16 +101,13 @@ extension SocketController {
                     logger.debug("Socket controller yielded data.")
                 }
             }
-            Task {
-                await fileHandle.waitForDataInBackgroundAndNotifyOnMainActor()
-            }
         }
         
         /// Writes new data to the socket.
         /// - Parameter data: The data to write.
-        public func write(_ data: Data) async throws {
-            try fileHandle.write(contentsOf: data)
-            await fileHandle.waitForDataInBackgroundAndNotifyOnMainActor()
+        @MainActor public func write(_ data: Data) throws {
+          try fileHandle.write(contentsOf: data)
+          fileHandle.waitForDataInBackgroundAndNotify()
         }
         
         /// Closes the socket and cleans up resources.
@@ -113,22 +121,6 @@ extension SocketController {
 
 }
 
-private extension FileHandle {
-
-    /// Ensures waitForDataInBackgroundAndNotify will be called on the main actor.
-    @MainActor func waitForDataInBackgroundAndNotifyOnMainActor() {
-        waitForDataInBackgroundAndNotify()
-    }
-
-
-    /// Ensures acceptConnectionInBackgroundAndNotify will be called on the main actor.
-    /// - Parameter modes: the runloop modes to use.
-    @MainActor func acceptConnectionInBackgroundAndNotifyOnMainActor(forModes modes: [RunLoop.Mode]? = [RunLoop.Mode.common]) {
-        acceptConnectionInBackgroundAndNotify(forModes: modes)
-    }
-
-}
-
 private extension SocketPort {
 
     convenience init(path: String) {

Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift

@@ -64,7 +64,7 @@ public final class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiab
     private let _create: @Sendable (String, Attributes) async throws -> AnySecret
     private let _delete: @Sendable (AnySecret) async throws -> Void
     private let _update: @Sendable (AnySecret, String, Attributes) async throws -> Void
-    private let _supportedKeyTypes: @Sendable () -> [KeyType]
+    private let _supportedKeyTypes: @Sendable () -> KeyAvailability
 
     public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStoreModifiable {
         _create = { AnySecret(try await secretStore.create(name: $0, attributes: $1)) }
@@ -87,7 +87,7 @@ public final class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiab
         try await _update(secret, name, attributes)
     }
 
-    public var supportedKeyTypes: [KeyType] {
+    public var supportedKeyTypes: KeyAvailability {
         _supportedKeyTypes()
     }
 

Sources/Packages/Sources/SecretKit/Types/SecretStore.swift

@@ -62,10 +62,37 @@ public protocol SecretStoreModifiable<SecretType>: SecretStore {
     ///   - attributes: The new attributes for the secret.
     func update(secret: SecretType, name: String, attributes: Attributes) async throws
 
-    var supportedKeyTypes: [KeyType] { get }
+    var supportedKeyTypes: KeyAvailability { get }
 
 }
 
+public struct KeyAvailability: Sendable {
+
+    public let available: [KeyType]
+    public let unavailable: [UnavailableKeyType]
+
+    public init(available: [KeyType], unavailable: [UnavailableKeyType]) {
+        self.available = available
+        self.unavailable = unavailable
+    }
+
+    public struct UnavailableKeyType: Sendable {
+        public let keyType: KeyType
+        public let reason: Reason
+
+        public init(keyType: KeyType, reason: Reason) {
+            self.keyType = keyType
+            self.reason = reason
+        }
+
+        public enum Reason: Sendable {
+            case macOSUpdateRequired
+        }
+    }
+
+}
+
+
 extension NSNotification.Name {
 
     // Distributed notification that keys were modified out of process (ie, that the management tool added/removed secrets)

Sources/Packages/Sources/SecureEnclaveSecretKit/CryptoKitMigrator.swift

@@ -50,16 +50,16 @@ extension SecureEnclave {
                     let secret = Secret(id: UUID().uuidString, name: name, publicKey: parsed.publicKey.x963Representation, attributes: Attributes(keyType: .init(algorithm: .ecdsa, size: 256), authentication: auth))
                     guard !migratedPublicKeys.contains(parsed.publicKey.x963Representation) else {
                         logger.log("Skipping \(name), public key already present. Marking as migrated.")
-                        try markMigrated(secret: secret, oldID: id)
+                        markMigrated(secret: secret, oldID: id)
                         continue
                     }
                     logger.log("Migrating \(name).")
                     try store.saveKey(tokenObjectID, name: name, attributes: secret.attributes)
                     logger.log("Migrated \(name).")
-                    try markMigrated(secret: secret, oldID: id)
+                    markMigrated(secret: secret, oldID: id)
                     migratedAny = true
                 } catch {
-                    logger.error("Failed to migrate \(name): \(error).")
+                    logger.error("Failed to migrate \(name): \(error.localizedDescription).")
                 }
             }
             if migratedAny {
@@ -69,10 +69,10 @@ extension SecureEnclave {
 
 
 
-        public func markMigrated(secret: Secret, oldID: Data) throws {
+        public func markMigrated(secret: Secret, oldID: Data) {
             let updateQuery = KeychainDictionary([
                 kSecClass: kSecClassKey,
-                kSecAttrApplicationLabel: secret.id
+                kSecAttrApplicationLabel: oldID
             ])
 
             let newID = oldID + Constants.migrationMagicNumber
@@ -82,7 +82,7 @@ extension SecureEnclave {
 
             let status = SecItemUpdate(updateQuery, updatedAttributes)
             if status != errSecSuccess {
-                throw KeychainError(statusCode: status)
+                logger.warning("Failed to mark \(secret.name) as migrated: \(status).")
             }
         }
 

Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift

@@ -186,17 +186,22 @@ extension SecureEnclave {
             await reloadSecrets()
         }
         
-        public var supportedKeyTypes: [KeyType] {
-            if #available(macOS 26, *) {
-                [
-                    .ecdsa256,
-                    .mldsa65,
-                    .mldsa87,
-                ]
+        public let supportedKeyTypes: KeyAvailability = {
+            let macOS26Keys: [KeyType] = [.mldsa65, .mldsa87]
+            let isAtLeastMacOS26 = if #available(macOS 26, *) {
+                true
             } else {
-                [.ecdsa256]
+                false
             }
-        }
+            return KeyAvailability(
+                available: [
+                    .ecdsa256,
+                ] + (isAtLeastMacOS26 ? macOS26Keys : []),
+                unavailable: (isAtLeastMacOS26 ? [] : macOS26Keys).map {
+                    KeyAvailability.UnavailableKeyType(keyType: $0, reason: .macOSUpdateRequired)
+                }
+            )
+        }()
     }
 
 }

Sources/Packages/Sources/XPCWrappers/XPCServiceDelegate.swift

@@ -34,7 +34,9 @@ public final class XPCServiceDelegate: NSObject, NSXPCListenerDelegate {
                     if let error = error as? Codable & Error {
                         reply(nil, NSError(error))
                     } else {
-                        reply(nil, error)
+                        // Sending cast directly tries to serialize it and crashes XPCEncoder.
+                        let cast = error as NSError
+                        reply(nil, NSError(domain: cast.domain, code: cast.code, userInfo: [NSLocalizedDescriptionKey: error.localizedDescription]))
                     }
                 }
             }

Sources/SecretAgent/AppDelegate.swift

@@ -6,6 +6,9 @@ import SmartCardSecretKit
 import SecretAgentKit
 import Brief
 import Observation
+import SSHProtocolKit
+import CertificateKit
+import Common
 
 @main
 class AppDelegate: NSObject, NSApplicationDelegate {
@@ -15,6 +18,8 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         let cryptoKit = SecureEnclave.Store()
         let migrator = SecureEnclave.CryptoKitMigrator()
         try? migrator.migrate(to: cryptoKit)
+        let certsMigrator = CertificateKitMigrator(homeDirectory: URL.homeDirectory)
+        try? certsMigrator.migrate()
         list.add(store: cryptoKit)
         list.add(store: SmartCard.Store())
         return list
@@ -26,7 +31,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         Agent(storeList: storeList, witness: notifier)
     }()
     private lazy var socketController: SocketController = {
-        let path = (NSHomeDirectory() as NSString).appendingPathComponent("socket.ssh") as String
+        let path = URL.socketPath as String
         return SocketController(path: path)
     }()
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AppDelegate")
@@ -41,7 +46,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
                         for await message in session.messages {
                             let request = try await inputParser.parse(data: message)
                             let agentResponse = await agent.handle(request: request, provenance: session.provenance)
-                            try await session.write(agentResponse)
+                            try session.write(agentResponse)
                         }
                     } catch {
                         try session.close()

Sources/SecretAgent/SecretAgent.entitlements

@@ -2,6 +2,16 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>com.apple.security.hardened-process</key>
+	<true/>
+	<key>com.apple.security.hardened-process.dyld-ro</key>
+	<true/>
+	<key>com.apple.security.hardened-process.enhanced-security-version</key>
+	<integer>1</integer>
+	<key>com.apple.security.hardened-process.hardened-heap</key>
+	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions</key>
+	<integer>2</integer>
 	<key>com.apple.security.smartcard</key>
 	<true/>
 	<key>keychain-access-groups</key>

Sources/SecretAgent/XPCInputParser.swift

@@ -1,19 +1,25 @@
 import Foundation
-import SecretAgentKit
+import OSLog
+import SSHProtocolKit
 import Brief
 import XPCWrappers
 
 /// Delegates all agent input parsing to an XPC service which wraps OpenSSH
 public final class XPCAgentInputParser: SSHAgentInputParserProtocol {
 
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "XPCAgentInputParser")
     private let session: XPCTypedSession<SSHAgent.Request, SSHAgentInputParser.AgentParsingError>
 
     public init() async throws {
+        logger.debug("Creating XPCAgentInputParser")
         session = try await XPCTypedSession(serviceName: "com.maxgoedjen.Secretive.SecretAgentInputParser", warmup: true)
+        logger.debug("XPCAgentInputParser is warmed up.")
     }
 
     public func parse(data: Data) async throws -> SSHAgent.Request {
-        try await session.send(data)
+        logger.debug("Parsing input")
+        defer { logger.debug("Parsed input") }
+        return try await session.send(data)
     }
 
     deinit {

Sources/SecretAgentInputParser/SecretAgentInputParser.entitlements

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.hardened-process</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
+	<true/>
+	<key>com.apple.security.hardened-process.dyld-ro</key>
+	<true/>
+	<key>com.apple.security.hardened-process.enhanced-security-version</key>
+	<integer>1</integer>
+	<key>com.apple.security.hardened-process.hardened-heap</key>
+	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions</key>
+	<integer>2</integer>
+</dict>
+</plist>

Sources/SecretAgentInputParser/SecretAgentInputParser.swift

@@ -1,7 +1,7 @@
 import Foundation
 import OSLog
 import XPCWrappers
-import SecretAgentKit
+import SSHProtocolKit
 
 final class SecretAgentInputParser: NSObject, XPCProtocol {
 

Sources/Secretive.xcodeproj/project.pbxproj

@@ -9,7 +9,6 @@
 /* Begin PBXBuildFile section */
 		2C4A9D2F2636FFD3008CC8E2 /* EditSecretView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 2C4A9D2E2636FFD3008CC8E2 /* EditSecretView.swift */; };
 		50020BB024064869003D4025 /* AppDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50020BAF24064869003D4025 /* AppDelegate.swift */; };
-		50033AC327813F1700253856 /* BundleIDs.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50033AC227813F1700253856 /* BundleIDs.swift */; };
 		5003EF3B278005E800DF2006 /* SecretKit in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3A278005E800DF2006 /* SecretKit */; };
 		5003EF3D278005F300DF2006 /* Brief in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3C278005F300DF2006 /* Brief */; };
 		5003EF3F278005F300DF2006 /* SecretAgentKit in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF3E278005F300DF2006 /* SecretAgentKit */; };
@@ -19,7 +18,6 @@
 		5003EF632780081B00DF2006 /* SecureEnclaveSecretKit in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF622780081B00DF2006 /* SecureEnclaveSecretKit */; };
 		5003EF652780081B00DF2006 /* SmartCardSecretKit in Frameworks */ = {isa = PBXBuildFile; productRef = 5003EF642780081B00DF2006 /* SmartCardSecretKit */; };
 		5008C23E2E525D8900507AC2 /* Localizable.xcstrings in Resources */ = {isa = PBXBuildFile; fileRef = 5008C23D2E525D8200507AC2 /* Localizable.xcstrings */; };
-		5008C2402E52792400507AC2 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 50617D8623FCE48E0099B055 /* Assets.xcassets */; };
 		5008C2412E52D18700507AC2 /* Localizable.xcstrings in Resources */ = {isa = PBXBuildFile; fileRef = 5008C23D2E525D8200507AC2 /* Localizable.xcstrings */; };
 		501421622781262300BBAA70 /* Brief in Frameworks */ = {isa = PBXBuildFile; productRef = 501421612781262300BBAA70 /* Brief */; };
 		501421652781268000BBAA70 /* SecretAgent.app in CopyFiles */ = {isa = PBXBuildFile; fileRef = 50A3B78A24026B7500D209EA /* SecretAgent.app */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
@@ -27,22 +25,20 @@
 		50153E22250DECA300525160 /* SecretListItemView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50153E21250DECA300525160 /* SecretListItemView.swift */; };
 		501578132E6C0479004A37D0 /* XPCInputParser.swift in Sources */ = {isa = PBXBuildFile; fileRef = 501578122E6C0479004A37D0 /* XPCInputParser.swift */; };
 		5018F54F24064786002EB505 /* Notifier.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5018F54E24064786002EB505 /* Notifier.swift */; };
-		504788EC2E680DC800B4556F /* URLs.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504788EB2E680DC400B4556F /* URLs.swift */; };
 		504788F22E681F3A00B4556F /* Instructions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504788F12E681F3A00B4556F /* Instructions.swift */; };
 		504788F42E681F6900B4556F /* ToolConfigurationView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504788F32E681F6900B4556F /* ToolConfigurationView.swift */; };
 		504788F62E68206F00B4556F /* GettingStartedView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504788F52E68206F00B4556F /* GettingStartedView.swift */; };
 		504789232E697DD300B4556F /* BoxBackgroundStyle.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504789222E697DD300B4556F /* BoxBackgroundStyle.swift */; };
 		50571E0324393C2600F76F6C /* JustUpdatedChecker.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50571E0224393C2600F76F6C /* JustUpdatedChecker.swift */; };
-		50571E0524393D1500F76F6C /* LaunchAgentController.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50571E0424393D1500F76F6C /* LaunchAgentController.swift */; };
+		505993512E7E59FB0092CFFA /* XPCCertificateParser.swift in Sources */ = {isa = PBXBuildFile; fileRef = 505993502E7E59F70092CFFA /* XPCCertificateParser.swift */; };
+		505993532E7E70C90092CFFA /* CertificateKit in Frameworks */ = {isa = PBXBuildFile; productRef = 505993522E7E70C90092CFFA /* CertificateKit */; };
 		50617D8323FCE48E0099B055 /* App.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50617D8223FCE48E0099B055 /* App.swift */; };
 		50617D8523FCE48E0099B055 /* ContentView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50617D8423FCE48E0099B055 /* ContentView.swift */; };
-		50617D8723FCE48E0099B055 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 50617D8623FCE48E0099B055 /* Assets.xcassets */; };
 		50617D8A23FCE48E0099B055 /* Preview Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 50617D8923FCE48E0099B055 /* Preview Assets.xcassets */; };
 		50617DD223FCEFA90099B055 /* PreviewStore.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50617DD123FCEFA90099B055 /* PreviewStore.swift */; };
 		5065E313295517C500E16645 /* ToolbarButtonStyle.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5065E312295517C500E16645 /* ToolbarButtonStyle.swift */; };
 		5066A6C22516F303004B5A36 /* SetupView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5066A6C12516F303004B5A36 /* SetupView.swift */; };
 		5066A6C82516FE6E004B5A36 /* CopyableView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5066A6C72516FE6E004B5A36 /* CopyableView.swift */; };
-		506772C72424784600034DED /* Credits.rtf in Resources */ = {isa = PBXBuildFile; fileRef = 506772C62424784600034DED /* Credits.rtf */; };
 		506772C92425BB8500034DED /* NoStoresView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 506772C82425BB8500034DED /* NoStoresView.swift */; };
 		50692D1D2E6FDB880043C7BB /* SecretiveUpdater.xpc in Embed XPC Services */ = {isa = PBXBuildFile; fileRef = 50692D122E6FDB880043C7BB /* SecretiveUpdater.xpc */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
 		50692D282E6FDB8D0043C7BB /* main.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50692D242E6FDB8D0043C7BB /* main.swift */; };
@@ -52,7 +48,6 @@
 		50692E5B2E6FF9D20043C7BB /* SecretAgentInputParser.xpc in Embed XPC Services */ = {isa = PBXBuildFile; fileRef = 50692E502E6FF9D20043C7BB /* SecretAgentInputParser.xpc */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
 		50692E682E6FF9E20043C7BB /* main.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50692E632E6FF9E20043C7BB /* main.swift */; };
 		50692E692E6FF9E20043C7BB /* SecretAgentInputParser.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50692E642E6FF9E20043C7BB /* SecretAgentInputParser.swift */; };
-		50692E6C2E6FFA510043C7BB /* SecretAgentKit in Frameworks */ = {isa = PBXBuildFile; productRef = 50692E6B2E6FFA510043C7BB /* SecretAgentKit */; };
 		50692E6D2E6FFA5F0043C7BB /* SecretiveUpdater.xpc in Embed XPC Services */ = {isa = PBXBuildFile; fileRef = 50692D122E6FDB880043C7BB /* SecretiveUpdater.xpc */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
 		50692E702E6FFA6E0043C7BB /* SecretAgentInputParser.xpc in Embed XPC Services */ = {isa = PBXBuildFile; fileRef = 50692E502E6FF9D20043C7BB /* SecretAgentInputParser.xpc */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
 		5079BA0F250F29BF00EA86F4 /* StoreListView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5079BA0E250F29BF00EA86F4 /* StoreListView.swift */; };
@@ -73,6 +68,19 @@
 		50BDCB762E6450950072D2E7 /* ConfigurationItemView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50BDCB752E6450950072D2E7 /* ConfigurationItemView.swift */; };
 		50C385A52407A76D00AF2719 /* SecretDetailView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50C385A42407A76D00AF2719 /* SecretDetailView.swift */; };
 		50CF4ABC2E601B0F005588DC /* ActionButtonStyle.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50CF4ABB2E601B0F005588DC /* ActionButtonStyle.swift */; };
+		50E0145C2EDB9CDF00B121F1 /* Common in Frameworks */ = {isa = PBXBuildFile; productRef = 50E0145B2EDB9CDF00B121F1 /* Common */; };
+		50E0145E2EDB9CE400B121F1 /* Common in Frameworks */ = {isa = PBXBuildFile; productRef = 50E0145D2EDB9CE400B121F1 /* Common */; };
+		50E4C4532E73C78C00C73783 /* WindowBackgroundStyle.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50E4C4522E73C78900C73783 /* WindowBackgroundStyle.swift */; };
+		50E4C4C32E7765DF00C73783 /* AboutView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50E4C4C22E7765DF00C73783 /* AboutView.swift */; };
+		50E4C4C82E777E4200C73783 /* AppIcon.icon in Resources */ = {isa = PBXBuildFile; fileRef = 50E4C4C72E777E4200C73783 /* AppIcon.icon */; };
+		50E4C4C92E777E4200C73783 /* AppIcon.icon in Resources */ = {isa = PBXBuildFile; fileRef = 50E4C4C72E777E4200C73783 /* AppIcon.icon */; };
+		50E4C4D92E77C4B300C73783 /* SecretiveCertificateParser.xpc in Embed XPC Services */ = {isa = PBXBuildFile; fileRef = 50E4C4CE2E77C4B300C73783 /* SecretiveCertificateParser.xpc */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
+		50E4C4E82E77C53000C73783 /* main.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50E4C4E32E77C53000C73783 /* main.swift */; };
+		50E4C4E92E77C53000C73783 /* SecretiveCertificateParser.swift in Sources */ = {isa = PBXBuildFile; fileRef = 50E4C4E52E77C53000C73783 /* SecretiveCertificateParser.swift */; };
+		50E4C4ED2E77C55E00C73783 /* XPCWrappers in Frameworks */ = {isa = PBXBuildFile; productRef = 50E4C4EC2E77C55E00C73783 /* XPCWrappers */; };
+		50E4C4EF2E77C8FC00C73783 /* SSHProtocolKit in Frameworks */ = {isa = PBXBuildFile; productRef = 50E4C4EE2E77C8FC00C73783 /* SSHProtocolKit */; };
+		50E4C4F12E77C90300C73783 /* SSHProtocolKit in Frameworks */ = {isa = PBXBuildFile; productRef = 50E4C4F02E77C90300C73783 /* SSHProtocolKit */; };
+		50E4C4F32E77CAC600C73783 /* XPCWrappers in Frameworks */ = {isa = PBXBuildFile; productRef = 50E4C4F22E77CAC600C73783 /* XPCWrappers */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -118,6 +126,13 @@
 			remoteGlobalIDString = 50692E4F2E6FF9D20043C7BB;
 			remoteInfo = SecretAgentInputParser;
 		};
+		50E4C4D72E77C4B300C73783 /* PBXContainerItemProxy */ = {
+			isa = PBXContainerItemProxy;
+			containerPortal = 50617D7723FCE48D0099B055 /* Project object */;
+			proxyType = 1;
+			remoteGlobalIDString = 50E4C4CD2E77C4B300C73783;
+			remoteInfo = SecretiveCertificateParser;
+		};
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXCopyFilesBuildPhase section */
@@ -128,6 +143,7 @@
 			dstSubfolderSpec = 16;
 			files = (
 				50692D1D2E6FDB880043C7BB /* SecretiveUpdater.xpc in Embed XPC Services */,
+				50E4C4D92E77C4B300C73783 /* SecretiveCertificateParser.xpc in Embed XPC Services */,
 				50692E5B2E6FF9D20043C7BB /* SecretAgentInputParser.xpc in Embed XPC Services */,
 			);
 			name = "Embed XPC Services";
@@ -180,24 +196,22 @@
 /* Begin PBXFileReference section */
 		2C4A9D2E2636FFD3008CC8E2 /* EditSecretView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EditSecretView.swift; sourceTree = "<group>"; };
 		50020BAF24064869003D4025 /* AppDelegate.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppDelegate.swift; sourceTree = "<group>"; };
-		50033AC227813F1700253856 /* BundleIDs.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BundleIDs.swift; sourceTree = "<group>"; };
 		5003EF39278005C800DF2006 /* Packages */ = {isa = PBXFileReference; lastKnownFileType = wrapper; path = Packages; sourceTree = "<group>"; };
 		5008C23D2E525D8200507AC2 /* Localizable.xcstrings */ = {isa = PBXFileReference; lastKnownFileType = text.json.xcstrings; name = Localizable.xcstrings; path = Packages/Resources/Localizable.xcstrings; sourceTree = SOURCE_ROOT; };
 		50153E1F250AFCB200525160 /* UpdateView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UpdateView.swift; sourceTree = "<group>"; };
 		50153E21250DECA300525160 /* SecretListItemView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SecretListItemView.swift; sourceTree = "<group>"; };
 		501578122E6C0479004A37D0 /* XPCInputParser.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = XPCInputParser.swift; sourceTree = "<group>"; };
 		5018F54E24064786002EB505 /* Notifier.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Notifier.swift; sourceTree = "<group>"; };
-		504788EB2E680DC400B4556F /* URLs.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = URLs.swift; sourceTree = "<group>"; };
 		504788F12E681F3A00B4556F /* Instructions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Instructions.swift; sourceTree = "<group>"; };
 		504788F32E681F6900B4556F /* ToolConfigurationView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ToolConfigurationView.swift; sourceTree = "<group>"; };
 		504788F52E68206F00B4556F /* GettingStartedView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GettingStartedView.swift; sourceTree = "<group>"; };
 		504789222E697DD300B4556F /* BoxBackgroundStyle.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BoxBackgroundStyle.swift; sourceTree = "<group>"; };
 		50571E0224393C2600F76F6C /* JustUpdatedChecker.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = JustUpdatedChecker.swift; sourceTree = "<group>"; };
-		50571E0424393D1500F76F6C /* LaunchAgentController.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LaunchAgentController.swift; sourceTree = "<group>"; };
+		5059933F2E7A3B5B0092CFFA /* en */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = en; path = en.lproj/Main.storyboard; sourceTree = "<group>"; };
+		505993502E7E59F70092CFFA /* XPCCertificateParser.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = XPCCertificateParser.swift; sourceTree = "<group>"; };
 		50617D7F23FCE48E0099B055 /* Secretive.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Secretive.app; sourceTree = BUILT_PRODUCTS_DIR; };
 		50617D8223FCE48E0099B055 /* App.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = App.swift; sourceTree = "<group>"; };
 		50617D8423FCE48E0099B055 /* ContentView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ContentView.swift; sourceTree = "<group>"; };
-		50617D8623FCE48E0099B055 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = "<group>"; };
 		50617D8923FCE48E0099B055 /* Preview Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = "Preview Assets.xcassets"; sourceTree = "<group>"; };
 		50617D8E23FCE48E0099B055 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		50617D8F23FCE48E0099B055 /* Secretive.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = Secretive.entitlements; sourceTree = "<group>"; };
@@ -205,7 +219,6 @@
 		5065E312295517C500E16645 /* ToolbarButtonStyle.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ToolbarButtonStyle.swift; sourceTree = "<group>"; };
 		5066A6C12516F303004B5A36 /* SetupView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SetupView.swift; sourceTree = "<group>"; };
 		5066A6C72516FE6E004B5A36 /* CopyableView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CopyableView.swift; sourceTree = "<group>"; };
-		506772C62424784600034DED /* Credits.rtf */ = {isa = PBXFileReference; lastKnownFileType = text.rtf; path = Credits.rtf; sourceTree = "<group>"; };
 		506772C82425BB8500034DED /* NoStoresView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NoStoresView.swift; sourceTree = "<group>"; };
 		50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = InternetAccessPolicy.plist; sourceTree = "<group>"; };
 		50692D122E6FDB880043C7BB /* SecretiveUpdater.xpc */ = {isa = PBXFileReference; explicitFileType = "wrapper.xpc-service"; includeInIndex = 0; path = SecretiveUpdater.xpc; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -228,7 +241,6 @@
 		5099A02323FD2AAA0062B6F2 /* CreateSecretView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CreateSecretView.swift; sourceTree = "<group>"; };
 		50A3B78A24026B7500D209EA /* SecretAgent.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = SecretAgent.app; sourceTree = BUILT_PRODUCTS_DIR; };
 		50A3B79324026B7600D209EA /* Preview Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = "Preview Assets.xcassets"; sourceTree = "<group>"; };
-		50A3B79624026B7600D209EA /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = "<group>"; };
 		50A3B79824026B7600D209EA /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		50A3B79924026B7600D209EA /* SecretAgent.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretAgent.entitlements; sourceTree = "<group>"; };
 		50AE96FF2E5C1A420018C710 /* IntegrationsView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = IntegrationsView.swift; sourceTree = "<group>"; };
@@ -239,6 +251,16 @@
 		50BDCB752E6450950072D2E7 /* ConfigurationItemView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ConfigurationItemView.swift; sourceTree = "<group>"; };
 		50C385A42407A76D00AF2719 /* SecretDetailView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SecretDetailView.swift; sourceTree = "<group>"; };
 		50CF4ABB2E601B0F005588DC /* ActionButtonStyle.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ActionButtonStyle.swift; sourceTree = "<group>"; };
+		50E4C4522E73C78900C73783 /* WindowBackgroundStyle.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = WindowBackgroundStyle.swift; sourceTree = "<group>"; };
+		50E4C4C22E7765DF00C73783 /* AboutView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AboutView.swift; sourceTree = "<group>"; };
+		50E4C4C72E777E4200C73783 /* AppIcon.icon */ = {isa = PBXFileReference; lastKnownFileType = folder.iconcomposer.icon; path = AppIcon.icon; sourceTree = "<group>"; };
+		50E4C4CE2E77C4B300C73783 /* SecretiveCertificateParser.xpc */ = {isa = PBXFileReference; explicitFileType = "wrapper.xpc-service"; includeInIndex = 0; path = SecretiveCertificateParser.xpc; sourceTree = BUILT_PRODUCTS_DIR; };
+		50E4C4E02E77C4EE00C73783 /* SecretAgentInputParser.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretAgentInputParser.entitlements; sourceTree = "<group>"; };
+		50E4C4E12E77C4FA00C73783 /* SecretiveUpdater.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretiveUpdater.entitlements; sourceTree = "<group>"; };
+		50E4C4E22E77C53000C73783 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
+		50E4C4E32E77C53000C73783 /* main.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = main.swift; sourceTree = "<group>"; };
+		50E4C4E42E77C53000C73783 /* SecretiveCertificateParser.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SecretiveCertificateParser.entitlements; sourceTree = "<group>"; };
+		50E4C4E52E77C53000C73783 /* SecretiveCertificateParser.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SecretiveCertificateParser.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -246,8 +268,10 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				50E0145C2EDB9CDF00B121F1 /* Common in Frameworks */,
 				5003EF3B278005E800DF2006 /* SecretKit in Frameworks */,
 				501421622781262300BBAA70 /* Brief in Frameworks */,
+				505993532E7E70C90092CFFA /* CertificateKit in Frameworks */,
 				5003EF5F2780081600DF2006 /* SecureEnclaveSecretKit in Frameworks */,
 				5003EF612780081600DF2006 /* SmartCardSecretKit in Frameworks */,
 			);
@@ -266,7 +290,8 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				50692E6C2E6FFA510043C7BB /* SecretAgentKit in Frameworks */,
+				50E4C4F32E77CAC600C73783 /* XPCWrappers in Frameworks */,
+				50E4C4F12E77C90300C73783 /* SSHProtocolKit in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -279,29 +304,32 @@
 				5003EF652780081B00DF2006 /* SmartCardSecretKit in Frameworks */,
 				5003EF3F278005F300DF2006 /* SecretAgentKit in Frameworks */,
 				5003EF41278005FA00DF2006 /* SecretKit in Frameworks */,
+				50E0145E2EDB9CE400B121F1 /* Common in Frameworks */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+		50E4C4CB2E77C4B300C73783 /* Frameworks */ = {
+			isa = PBXFrameworksBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+				50E4C4EF2E77C8FC00C73783 /* SSHProtocolKit in Frameworks */,
+				50E4C4ED2E77C55E00C73783 /* XPCWrappers in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
 /* End PBXFrameworksBuildPhase section */
 
 /* Begin PBXGroup section */
-		50033AC427813F1C00253856 /* Helpers */ = {
-			isa = PBXGroup;
-			children = (
-				50033AC227813F1700253856 /* BundleIDs.swift */,
-			);
-			path = Helpers;
-			sourceTree = "<group>";
-		};
-		504788ED2E681EB200B4556F /* Styles */ = {
+		504788ED2E681EB200B4556F /* Modifiers */ = {
 			isa = PBXGroup;
 			children = (
+				50E4C4522E73C78900C73783 /* WindowBackgroundStyle.swift */,
 				50CF4ABB2E601B0F005588DC /* ActionButtonStyle.swift */,
 				50BDCB732E6436C60072D2E7 /* ErrorStyle.swift */,
 				504789222E697DD300B4556F /* BoxBackgroundStyle.swift */,
 				5065E312295517C500E16645 /* ToolbarButtonStyle.swift */,
 			);
-			path = Styles;
+			path = Modifiers;
 			sourceTree = "<group>";
 		};
 		504788EE2E681EC300B4556F /* Secrets */ = {
@@ -335,6 +363,7 @@
 		504788F02E681F0100B4556F /* Views */ = {
 			isa = PBXGroup;
 			children = (
+				50E4C4C22E7765DF00C73783 /* AboutView.swift */,
 				50BDCB712E63BAF20072D2E7 /* AgentStatusView.swift */,
 				50617D8423FCE48E0099B055 /* ContentView.swift */,
 				5066A6C72516FE6E004B5A36 /* CopyableView.swift */,
@@ -352,6 +381,7 @@
 				508A58AF241E144C0069DC07 /* Config */,
 				50692D272E6FDB8D0043C7BB /* SecretiveUpdater */,
 				50692E662E6FF9E20043C7BB /* SecretAgentInputParser */,
+				50E4C4E72E77C53000C73783 /* SecretiveCertificateParser */,
 				50617D8023FCE48E0099B055 /* Products */,
 				5099A08B240243730062B6F2 /* Frameworks */,
 			);
@@ -364,6 +394,7 @@
 				50A3B78A24026B7500D209EA /* SecretAgent.app */,
 				50692D122E6FDB880043C7BB /* SecretiveUpdater.xpc */,
 				50692E502E6FF9D20043C7BB /* SecretAgentInputParser.xpc */,
+				50E4C4CE2E77C4B300C73783 /* SecretiveCertificateParser.xpc */,
 			);
 			name = Products;
 			sourceTree = "<group>";
@@ -374,12 +405,10 @@
 				50617D8223FCE48E0099B055 /* App.swift */,
 				508A58B0241ED1C40069DC07 /* Views */,
 				508A58B1241ED1EA0069DC07 /* Controllers */,
-				50033AC427813F1C00253856 /* Helpers */,
-				50617D8623FCE48E0099B055 /* Assets.xcassets */,
 				50617D8E23FCE48E0099B055 /* Info.plist */,
 				508BF28D25B4F005009EFB7E /* InternetAccessPolicy.plist */,
+				50E4C4C72E777E4200C73783 /* AppIcon.icon */,
 				50617D8F23FCE48E0099B055 /* Secretive.entitlements */,
-				506772C62424784600034DED /* Credits.rtf */,
 				5008C23D2E525D8200507AC2 /* Localizable.xcstrings */,
 				50617D8823FCE48E0099B055 /* Preview Content */,
 			);
@@ -400,6 +429,7 @@
 		50692D272E6FDB8D0043C7BB /* SecretiveUpdater */ = {
 			isa = PBXGroup;
 			children = (
+				50E4C4E12E77C4FA00C73783 /* SecretiveUpdater.entitlements */,
 				50692D232E6FDB8D0043C7BB /* Info.plist */,
 				50692BA52E6D5CC90043C7BB /* InternetAccessPolicy.plist */,
 				50692D242E6FDB8D0043C7BB /* main.swift */,
@@ -411,6 +441,7 @@
 		50692E662E6FF9E20043C7BB /* SecretAgentInputParser */ = {
 			isa = PBXGroup;
 			children = (
+				50E4C4E02E77C4EE00C73783 /* SecretAgentInputParser.entitlements */,
 				50692E622E6FF9E20043C7BB /* Info.plist */,
 				50692E632E6FF9E20043C7BB /* main.swift */,
 				50692E642E6FF9E20043C7BB /* SecretAgentInputParser.swift */,
@@ -432,7 +463,7 @@
 			children = (
 				504788EF2E681ED700B4556F /* Configuration */,
 				504788EE2E681EC300B4556F /* Secrets */,
-				504788ED2E681EB200B4556F /* Styles */,
+				504788ED2E681EB200B4556F /* Modifiers */,
 				504788F02E681F0100B4556F /* Views */,
 			);
 			path = Views;
@@ -441,11 +472,10 @@
 		508A58B1241ED1EA0069DC07 /* Controllers */ = {
 			isa = PBXGroup;
 			children = (
-				504788EB2E680DC400B4556F /* URLs.swift */,
 				508A58B2241ED2180069DC07 /* AgentStatusChecker.swift */,
 				5091D2BB25183B830049FD9B /* ApplicationDirectoryController.swift */,
 				50571E0224393C2600F76F6C /* JustUpdatedChecker.swift */,
-				50571E0424393D1500F76F6C /* LaunchAgentController.swift */,
+				505993502E7E59F70092CFFA /* XPCCertificateParser.swift */,
 			);
 			path = Controllers;
 			sourceTree = "<group>";
@@ -480,6 +510,17 @@
 			path = "Preview Content";
 			sourceTree = "<group>";
 		};
+		50E4C4E72E77C53000C73783 /* SecretiveCertificateParser */ = {
+			isa = PBXGroup;
+			children = (
+				50E4C4E42E77C53000C73783 /* SecretiveCertificateParser.entitlements */,
+				50E4C4E22E77C53000C73783 /* Info.plist */,
+				50E4C4E32E77C53000C73783 /* main.swift */,
+				50E4C4E52E77C53000C73783 /* SecretiveCertificateParser.swift */,
+			);
+			path = SecretiveCertificateParser;
+			sourceTree = "<group>";
+		};
 /* End PBXGroup section */
 
 /* Begin PBXNativeTarget section */
@@ -500,6 +541,7 @@
 				50142167278126B500BBAA70 /* PBXTargetDependency */,
 				50692D1C2E6FDB880043C7BB /* PBXTargetDependency */,
 				50692E5A2E6FF9D20043C7BB /* PBXTargetDependency */,
+				50E4C4D82E77C4B300C73783 /* PBXTargetDependency */,
 			);
 			name = Secretive;
 			packageProductDependencies = (
@@ -507,6 +549,8 @@
 				5003EF5E2780081600DF2006 /* SecureEnclaveSecretKit */,
 				5003EF602780081600DF2006 /* SmartCardSecretKit */,
 				501421612781262300BBAA70 /* Brief */,
+				505993522E7E70C90092CFFA /* CertificateKit */,
+				50E0145B2EDB9CDF00B121F1 /* Common */,
 			);
 			productName = Secretive;
 			productReference = 50617D7F23FCE48E0099B055 /* Secretive.app */;
@@ -547,7 +591,8 @@
 			);
 			name = SecretAgentInputParser;
 			packageProductDependencies = (
-				50692E6B2E6FFA510043C7BB /* SecretAgentKit */,
+				50E4C4F02E77C90300C73783 /* SSHProtocolKit */,
+				50E4C4F22E77CAC600C73783 /* XPCWrappers */,
 			);
 			productName = SecretAgentInputParser;
 			productReference = 50692E502E6FF9D20043C7BB /* SecretAgentInputParser.xpc */;
@@ -577,11 +622,33 @@
 				5003EF40278005FA00DF2006 /* SecretKit */,
 				5003EF622780081B00DF2006 /* SecureEnclaveSecretKit */,
 				5003EF642780081B00DF2006 /* SmartCardSecretKit */,
+				50E0145D2EDB9CE400B121F1 /* Common */,
 			);
 			productName = SecretAgent;
 			productReference = 50A3B78A24026B7500D209EA /* SecretAgent.app */;
 			productType = "com.apple.product-type.application";
 		};
+		50E4C4CD2E77C4B300C73783 /* SecretiveCertificateParser */ = {
+			isa = PBXNativeTarget;
+			buildConfigurationList = 50E4C4DB2E77C4B300C73783 /* Build configuration list for PBXNativeTarget "SecretiveCertificateParser" */;
+			buildPhases = (
+				50E4C4CA2E77C4B300C73783 /* Sources */,
+				50E4C4CB2E77C4B300C73783 /* Frameworks */,
+				50E4C4CC2E77C4B300C73783 /* Resources */,
+			);
+			buildRules = (
+			);
+			dependencies = (
+			);
+			name = SecretiveCertificateParser;
+			packageProductDependencies = (
+				50E4C4EC2E77C55E00C73783 /* XPCWrappers */,
+				50E4C4EE2E77C8FC00C73783 /* SSHProtocolKit */,
+			);
+			productName = SecretiveCertificateParser;
+			productReference = 50E4C4CE2E77C4B300C73783 /* SecretiveCertificateParser.xpc */;
+			productType = "com.apple.product-type.xpc-service";
+		};
 /* End PBXNativeTarget section */
 
 /* Begin PBXProject section */
@@ -605,6 +672,9 @@
 					50A3B78924026B7500D209EA = {
 						CreatedOnToolsVersion = 11.4;
 					};
+					50E4C4CD2E77C4B300C73783 = {
+						CreatedOnToolsVersion = 26.0;
+					};
 				};
 			};
 			buildConfigurationList = 50617D7A23FCE48D0099B055 /* Build configuration list for PBXProject "Secretive" */;
@@ -613,7 +683,6 @@
 			hasScannedForEncodings = 0;
 			knownRegions = (
 				en,
-				Base,
 				it,
 				fr,
 				de,
@@ -633,6 +702,7 @@
 				50A3B78924026B7500D209EA /* SecretAgent */,
 				50692D112E6FDB880043C7BB /* SecretiveUpdater */,
 				50692E4F2E6FF9D20043C7BB /* SecretAgentInputParser */,
+				50E4C4CD2E77C4B300C73783 /* SecretiveCertificateParser */,
 			);
 		};
 /* End PBXProject section */
@@ -643,9 +713,8 @@
 			buildActionMask = 2147483647;
 			files = (
 				50617D8A23FCE48E0099B055 /* Preview Assets.xcassets in Resources */,
+				50E4C4C82E777E4200C73783 /* AppIcon.icon in Resources */,
 				5008C23E2E525D8900507AC2 /* Localizable.xcstrings in Resources */,
-				50617D8723FCE48E0099B055 /* Assets.xcassets in Resources */,
-				506772C72424784600034DED /* Credits.rtf in Resources */,
 				508BF28E25B4F005009EFB7E /* InternetAccessPolicy.plist in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -671,8 +740,15 @@
 				50A3B79724026B7600D209EA /* Main.storyboard in Resources */,
 				5008C2412E52D18700507AC2 /* Localizable.xcstrings in Resources */,
 				50A3B79424026B7600D209EA /* Preview Assets.xcassets in Resources */,
+				50E4C4C92E777E4200C73783 /* AppIcon.icon in Resources */,
 				508BF2AA25B4F1CB009EFB7E /* InternetAccessPolicy.plist in Resources */,
-				5008C2402E52792400507AC2 /* Assets.xcassets in Resources */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+		50E4C4CC2E77C4B300C73783 /* Resources */ = {
+			isa = PBXResourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -685,26 +761,26 @@
 			files = (
 				504788F22E681F3A00B4556F /* Instructions.swift in Sources */,
 				50BDCB742E6436CA0072D2E7 /* ErrorStyle.swift in Sources */,
+				50E4C4C32E7765DF00C73783 /* AboutView.swift in Sources */,
 				2C4A9D2F2636FFD3008CC8E2 /* EditSecretView.swift in Sources */,
+				50E4C4532E73C78C00C73783 /* WindowBackgroundStyle.swift in Sources */,
 				5091D2BC25183B830049FD9B /* ApplicationDirectoryController.swift in Sources */,
-				504788EC2E680DC800B4556F /* URLs.swift in Sources */,
 				504789232E697DD300B4556F /* BoxBackgroundStyle.swift in Sources */,
 				5066A6C22516F303004B5A36 /* SetupView.swift in Sources */,
 				5065E313295517C500E16645 /* ToolbarButtonStyle.swift in Sources */,
 				50617D8523FCE48E0099B055 /* ContentView.swift in Sources */,
 				504788F62E68206F00B4556F /* GettingStartedView.swift in Sources */,
 				50CF4ABC2E601B0F005588DC /* ActionButtonStyle.swift in Sources */,
+				505993512E7E59FB0092CFFA /* XPCCertificateParser.swift in Sources */,
 				50571E0324393C2600F76F6C /* JustUpdatedChecker.swift in Sources */,
 				5079BA0F250F29BF00EA86F4 /* StoreListView.swift in Sources */,
 				50617DD223FCEFA90099B055 /* PreviewStore.swift in Sources */,
-				50033AC327813F1700253856 /* BundleIDs.swift in Sources */,
 				50BDCB722E63BAF20072D2E7 /* AgentStatusView.swift in Sources */,
 				508A58B3241ED2180069DC07 /* AgentStatusChecker.swift in Sources */,
 				50C385A52407A76D00AF2719 /* SecretDetailView.swift in Sources */,
 				5099A02423FD2AAA0062B6F2 /* CreateSecretView.swift in Sources */,
 				50AE97002E5C1A420018C710 /* IntegrationsView.swift in Sources */,
 				50153E20250AFCB200525160 /* UpdateView.swift in Sources */,
-				50571E0524393D1500F76F6C /* LaunchAgentController.swift in Sources */,
 				5066A6C82516FE6E004B5A36 /* CopyableView.swift in Sources */,
 				50B8550D24138C4F009958AC /* DeleteSecretView.swift in Sources */,
 				50BB046B2418AAAE00D6E079 /* EmptyStoreView.swift in Sources */,
@@ -746,6 +822,15 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+		50E4C4CA2E77C4B300C73783 /* Sources */ = {
+			isa = PBXSourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+				50E4C4E82E77C53000C73783 /* main.swift in Sources */,
+				50E4C4E92E77C53000C73783 /* SecretiveCertificateParser.swift in Sources */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 /* End PBXSourcesBuildPhase section */
 
 /* Begin PBXTargetDependency section */
@@ -778,13 +863,18 @@
 			target = 50692E4F2E6FF9D20043C7BB /* SecretAgentInputParser */;
 			targetProxy = 50692E712E6FFA6E0043C7BB /* PBXContainerItemProxy */;
 		};
+		50E4C4D82E77C4B300C73783 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = 50E4C4CD2E77C4B300C73783 /* SecretiveCertificateParser */;
+			targetProxy = 50E4C4D72E77C4B300C73783 /* PBXContainerItemProxy */;
+		};
 /* End PBXTargetDependency section */
 
 /* Begin PBXVariantGroup section */
 		50A3B79524026B7600D209EA /* Main.storyboard */ = {
 			isa = PBXVariantGroup;
 			children = (
-				50A3B79624026B7600D209EA /* Base */,
+				5059933F2E7A3B5B0092CFFA /* en */,
 			);
 			name = Main.storyboard;
 			sourceTree = "<group>";
@@ -1021,6 +1111,7 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
+				CODE_SIGN_ENTITLEMENTS = SecretiveUpdater/SecretiveUpdater.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
@@ -1028,9 +1119,11 @@
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
 				ENABLE_RESOURCE_ACCESS_CALENDARS = NO;
@@ -1045,7 +1138,7 @@
 				INFOPLIST_KEY_CFBundleDisplayName = SecretiveUpdater;
 				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Max Goedjen. All rights reserved.";
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 26.0;
+				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1060,49 +1153,11 @@
 			};
 			name = Debug;
 		};
-		50692D212E6FDB880043C7BB /* Test */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
-				CODE_SIGN_STYLE = Automatic;
-				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 1;
-				ENABLE_APP_SANDBOX = YES;
-				ENABLE_HARDENED_RUNTIME = YES;
-				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
-				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
-				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
-				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
-				ENABLE_RESOURCE_ACCESS_CALENDARS = NO;
-				ENABLE_RESOURCE_ACCESS_CAMERA = NO;
-				ENABLE_RESOURCE_ACCESS_CONTACTS = NO;
-				ENABLE_RESOURCE_ACCESS_LOCATION = NO;
-				ENABLE_RESOURCE_ACCESS_PRINTING = NO;
-				ENABLE_RESOURCE_ACCESS_USB = NO;
-				GCC_C_LANGUAGE_STANDARD = gnu17;
-				GENERATE_INFOPLIST_FILE = YES;
-				INFOPLIST_FILE = SecretiveUpdater/Info.plist;
-				INFOPLIST_KEY_CFBundleDisplayName = SecretiveUpdater;
-				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Max Goedjen. All rights reserved.";
-				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 26.0;
-				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
-				PRODUCT_NAME = "$(TARGET_NAME)";
-				REGISTER_APP_GROUPS = YES;
-				SKIP_INSTALL = YES;
-				STRING_CATALOG_GENERATE_SYMBOLS = YES;
-				SWIFT_APPROACHABLE_CONCURRENCY = YES;
-				SWIFT_EMIT_LOC_STRINGS = YES;
-				SWIFT_UPCOMING_FEATURE_MEMBER_IMPORT_VISIBILITY = YES;
-				SWIFT_VERSION = 5.0;
-			};
-			name = Test;
-		};
 		50692D222E6FDB880043C7BB /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
+				CODE_SIGN_ENTITLEMENTS = SecretiveUpdater/SecretiveUpdater.entitlements;
 				CODE_SIGN_IDENTITY = "Developer ID Application";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
@@ -1110,9 +1165,11 @@
 				DEVELOPMENT_TEAM = "";
 				"DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
 				ENABLE_RESOURCE_ACCESS_CALENDARS = NO;
@@ -1127,7 +1184,7 @@
 				INFOPLIST_KEY_CFBundleDisplayName = SecretiveUpdater;
 				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Max Goedjen. All rights reserved.";
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 26.0;
+				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveUpdater;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1146,20 +1203,23 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
+				CODE_SIGN_ENTITLEMENTS = SecretAgentInputParser/SecretAgentInputParser.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
 				GENERATE_INFOPLIST_FILE = YES;
 				INFOPLIST_FILE = SecretAgentInputParser/Info.plist;
 				INFOPLIST_KEY_CFBundleDisplayName = SecretAgentInputParser;
 				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Max Goedjen. All rights reserved.";
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 26.0;
+				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1174,39 +1234,11 @@
 			};
 			name = Debug;
 		};
-		50692E5F2E6FF9D20043C7BB /* Test */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
-				CODE_SIGN_STYLE = Automatic;
-				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 1;
-				ENABLE_APP_SANDBOX = YES;
-				ENABLE_HARDENED_RUNTIME = YES;
-				GCC_C_LANGUAGE_STANDARD = gnu17;
-				GENERATE_INFOPLIST_FILE = YES;
-				INFOPLIST_FILE = SecretAgentInputParser/Info.plist;
-				INFOPLIST_KEY_CFBundleDisplayName = SecretAgentInputParser;
-				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Max Goedjen. All rights reserved.";
-				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 26.0;
-				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
-				PRODUCT_NAME = "$(TARGET_NAME)";
-				REGISTER_APP_GROUPS = YES;
-				SKIP_INSTALL = YES;
-				STRING_CATALOG_GENERATE_SYMBOLS = YES;
-				SWIFT_APPROACHABLE_CONCURRENCY = YES;
-				SWIFT_EMIT_LOC_STRINGS = YES;
-				SWIFT_UPCOMING_FEATURE_MEMBER_IMPORT_VISIBILITY = YES;
-				SWIFT_VERSION = 5.0;
-			};
-			name = Test;
-		};
 		50692E602E6FF9D20043C7BB /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
+				CODE_SIGN_ENTITLEMENTS = SecretAgentInputParser/SecretAgentInputParser.entitlements;
 				CODE_SIGN_IDENTITY = "Developer ID Application";
 				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
@@ -1214,14 +1246,16 @@
 				DEVELOPMENT_TEAM = "";
 				"DEVELOPMENT_TEAM[sdk=macosx*]" = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
 				GENERATE_INFOPLIST_FILE = YES;
 				INFOPLIST_FILE = SecretAgentInputParser/Info.plist;
 				INFOPLIST_KEY_CFBundleDisplayName = SecretAgentInputParser;
 				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Max Goedjen. All rights reserved.";
 				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 26.0;
+				MACOSX_DEPLOYMENT_TARGET = 14.0;
 				MARKETING_VERSION = 1.0;
 				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgentInputParser;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1236,152 +1270,6 @@
 			};
 			name = Release;
 		};
-		508A5914241EF1A00069DC07 /* Test */ = {
-			isa = XCBuildConfiguration;
-			baseConfigurationReference = 508A58AB241E121B0069DC07 /* Config.xcconfig */;
-			buildSettings = {
-				ALWAYS_SEARCH_USER_PATHS = NO;
-				ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES;
-				CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED = YES;
-				CLANG_ANALYZER_NONNULL = YES;
-				CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++14";
-				CLANG_CXX_LIBRARY = "libc++";
-				CLANG_ENABLE_MODULES = YES;
-				CLANG_ENABLE_OBJC_ARC = YES;
-				CLANG_ENABLE_OBJC_WEAK = YES;
-				CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
-				CLANG_WARN_BOOL_CONVERSION = YES;
-				CLANG_WARN_COMMA = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
-				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
-				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INFINITE_RECURSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
-				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
-				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
-				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
-				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
-				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
-				CLANG_WARN_STRICT_PROTOTYPES = YES;
-				CLANG_WARN_SUSPICIOUS_MOVE = YES;
-				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
-				CLANG_WARN_UNREACHABLE_CODE = YES;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				COPY_PHASE_STRIP = NO;
-				DEAD_CODE_STRIPPING = YES;
-				DEBUG_INFORMATION_FORMAT = dwarf;
-				ENABLE_ENHANCED_SECURITY = YES;
-				ENABLE_POINTER_AUTHENTICATION = YES;
-				ENABLE_STRICT_OBJC_MSGSEND = YES;
-				ENABLE_TESTABILITY = YES;
-				ENABLE_USER_SCRIPT_SANDBOXING = YES;
-				GCC_C_LANGUAGE_STANDARD = gnu11;
-				GCC_DYNAMIC_NO_PIC = NO;
-				GCC_NO_COMMON_BLOCKS = YES;
-				GCC_OPTIMIZATION_LEVEL = 0;
-				GCC_PREPROCESSOR_DEFINITIONS = (
-					"DEBUG=1",
-					"$(inherited)",
-				);
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
-				GCC_WARN_UNDECLARED_SELECTOR = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				MACOSX_DEPLOYMENT_TARGET = 15.0;
-				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
-				MTL_FAST_MATH = YES;
-				ONLY_ACTIVE_ARCH = YES;
-				OTHER_SWIFT_FLAGS = "";
-				SDKROOT = macosx;
-				STRING_CATALOG_GENERATE_SYMBOLS = YES;
-				STRIP_INSTALLED_PRODUCT = NO;
-				STRIP_SWIFT_SYMBOLS = NO;
-				SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG;
-				SWIFT_EMIT_LOC_STRINGS = YES;
-				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
-				SWIFT_STRICT_MEMORY_SAFETY = YES;
-				SWIFT_TREAT_WARNINGS_AS_ERRORS = YES;
-				SWIFT_VERSION = 6.0;
-			};
-			name = Test;
-		};
-		508A5915241EF1A00069DC07 /* Test */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
-				CODE_SIGN_ENTITLEMENTS = Secretive/Secretive.entitlements;
-				CODE_SIGN_STYLE = Manual;
-				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 1;
-				DEAD_CODE_STRIPPING = YES;
-				DEVELOPMENT_ASSET_PATHS = "\"Secretive/Preview Content\"";
-				ENABLE_APP_SANDBOX = YES;
-				ENABLE_ENHANCED_SECURITY = YES;
-				ENABLE_HARDENED_RUNTIME = NO;
-				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
-				ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO;
-				ENABLE_POINTER_AUTHENTICATION = YES;
-				ENABLE_PREVIEWS = YES;
-				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
-				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
-				ENABLE_RESOURCE_ACCESS_CALENDARS = NO;
-				ENABLE_RESOURCE_ACCESS_CAMERA = NO;
-				ENABLE_RESOURCE_ACCESS_CONTACTS = NO;
-				ENABLE_RESOURCE_ACCESS_LOCATION = NO;
-				ENABLE_RESOURCE_ACCESS_PRINTING = NO;
-				ENABLE_RESOURCE_ACCESS_USB = NO;
-				INFOPLIST_FILE = Secretive/Info.plist;
-				LD_RUNPATH_SEARCH_PATHS = (
-					"$(inherited)",
-					"@executable_path/../Frameworks",
-				);
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
-				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.Host;
-				PRODUCT_NAME = "$(TARGET_NAME)";
-			};
-			name = Test;
-		};
-		508A5917241EF1A00069DC07 /* Test */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
-				CODE_SIGN_STYLE = Manual;
-				COMBINE_HIDPI_IMAGES = YES;
-				DEAD_CODE_STRIPPING = YES;
-				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
-				ENABLE_APP_SANDBOX = YES;
-				ENABLE_HARDENED_RUNTIME = YES;
-				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
-				ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO;
-				ENABLE_PREVIEWS = YES;
-				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
-				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
-				ENABLE_RESOURCE_ACCESS_CALENDARS = NO;
-				ENABLE_RESOURCE_ACCESS_CAMERA = NO;
-				ENABLE_RESOURCE_ACCESS_CONTACTS = NO;
-				ENABLE_RESOURCE_ACCESS_LOCATION = NO;
-				ENABLE_RESOURCE_ACCESS_PRINTING = NO;
-				ENABLE_RESOURCE_ACCESS_USB = NO;
-				INFOPLIST_FILE = SecretAgent/Info.plist;
-				LD_RUNPATH_SEARCH_PATHS = (
-					"$(inherited)",
-					"@executable_path/../Frameworks",
-				);
-				MACOSX_DEPLOYMENT_TARGET = 14.0;
-				MARKETING_VERSION = 1;
-				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretAgent;
-				PRODUCT_NAME = "$(TARGET_NAME)";
-			};
-			name = Test;
-		};
 		50A3B79B24026B7600D209EA /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
@@ -1393,9 +1281,11 @@
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
 				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
@@ -1429,9 +1319,11 @@
 				DEVELOPMENT_ASSET_PATHS = "\"SecretAgent/Preview Content\"";
 				DEVELOPMENT_TEAM = Z72PRUAWF6;
 				ENABLE_APP_SANDBOX = YES;
+				ENABLE_ENHANCED_SECURITY = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO;
+				ENABLE_POINTER_AUTHENTICATION = YES;
 				ENABLE_PREVIEWS = YES;
 				ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO;
 				ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO;
@@ -1454,6 +1346,76 @@
 			};
 			name = Release;
 		};
+		50E4C4DC2E77C4B300C73783 /* Debug */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
+				CODE_SIGN_ENTITLEMENTS = SecretiveCertificateParser/SecretiveCertificateParser.entitlements;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				CODE_SIGN_STYLE = Automatic;
+				COMBINE_HIDPI_IMAGES = YES;
+				CURRENT_PROJECT_VERSION = 1;
+				DEVELOPMENT_TEAM = Z72PRUAWF6;
+				ENABLE_APP_SANDBOX = YES;
+				ENABLE_ENHANCED_SECURITY = YES;
+				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
+				GCC_C_LANGUAGE_STANDARD = gnu17;
+				GENERATE_INFOPLIST_FILE = YES;
+				INFOPLIST_FILE = SecretiveCertificateParser/Info.plist;
+				INFOPLIST_KEY_CFBundleDisplayName = SecretiveCertificateParser;
+				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Max Goedjen. All rights reserved.";
+				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
+				MACOSX_DEPLOYMENT_TARGET = 26.0;
+				MARKETING_VERSION = 1.0;
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveCertificateParser;
+				PRODUCT_NAME = "$(TARGET_NAME)";
+				REGISTER_APP_GROUPS = YES;
+				SKIP_INSTALL = YES;
+				STRING_CATALOG_GENERATE_SYMBOLS = YES;
+				SWIFT_ACTIVE_COMPILATION_CONDITIONS = "DEBUG $(inherited)";
+				SWIFT_APPROACHABLE_CONCURRENCY = YES;
+				SWIFT_EMIT_LOC_STRINGS = YES;
+				SWIFT_UPCOMING_FEATURE_MEMBER_IMPORT_VISIBILITY = YES;
+				SWIFT_VERSION = 5.0;
+			};
+			name = Debug;
+		};
+		50E4C4DE2E77C4B300C73783 /* Release */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
+				CODE_SIGN_ENTITLEMENTS = SecretiveCertificateParser/SecretiveCertificateParser.entitlements;
+				CODE_SIGN_IDENTITY = "Developer ID Application";
+				CODE_SIGN_STYLE = Manual;
+				COMBINE_HIDPI_IMAGES = YES;
+				CURRENT_PROJECT_VERSION = 1;
+				DEVELOPMENT_TEAM = "";
+				ENABLE_APP_SANDBOX = YES;
+				ENABLE_ENHANCED_SECURITY = YES;
+				ENABLE_HARDENED_RUNTIME = YES;
+				ENABLE_POINTER_AUTHENTICATION = YES;
+				GCC_C_LANGUAGE_STANDARD = gnu17;
+				GENERATE_INFOPLIST_FILE = YES;
+				INFOPLIST_FILE = SecretiveCertificateParser/Info.plist;
+				INFOPLIST_KEY_CFBundleDisplayName = SecretiveCertificateParser;
+				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Max Goedjen. All rights reserved.";
+				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
+				MACOSX_DEPLOYMENT_TARGET = 26.0;
+				MARKETING_VERSION = 1.0;
+				PRODUCT_BUNDLE_IDENTIFIER = com.maxgoedjen.Secretive.SecretiveCertificateParser;
+				PRODUCT_NAME = "$(TARGET_NAME)";
+				PROVISIONING_PROFILE_SPECIFIER = "";
+				REGISTER_APP_GROUPS = YES;
+				SKIP_INSTALL = YES;
+				STRING_CATALOG_GENERATE_SYMBOLS = YES;
+				SWIFT_APPROACHABLE_CONCURRENCY = YES;
+				SWIFT_EMIT_LOC_STRINGS = YES;
+				SWIFT_UPCOMING_FEATURE_MEMBER_IMPORT_VISIBILITY = YES;
+				SWIFT_VERSION = 5.0;
+			};
+			name = Release;
+		};
 /* End XCBuildConfiguration section */
 
 /* Begin XCConfigurationList section */
@@ -1461,7 +1423,6 @@
 			isa = XCConfigurationList;
 			buildConfigurations = (
 				50617D9B23FCE48E0099B055 /* Debug */,
-				508A5914241EF1A00069DC07 /* Test */,
 				50617D9C23FCE48E0099B055 /* Release */,
 			);
 			defaultConfigurationIsVisible = 0;
@@ -1471,7 +1432,6 @@
 			isa = XCConfigurationList;
 			buildConfigurations = (
 				50617D9E23FCE48E0099B055 /* Debug */,
-				508A5915241EF1A00069DC07 /* Test */,
 				50617D9F23FCE48E0099B055 /* Release */,
 			);
 			defaultConfigurationIsVisible = 0;
@@ -1481,7 +1441,6 @@
 			isa = XCConfigurationList;
 			buildConfigurations = (
 				50692D202E6FDB880043C7BB /* Debug */,
-				50692D212E6FDB880043C7BB /* Test */,
 				50692D222E6FDB880043C7BB /* Release */,
 			);
 			defaultConfigurationIsVisible = 0;
@@ -1491,7 +1450,6 @@
 			isa = XCConfigurationList;
 			buildConfigurations = (
 				50692E5E2E6FF9D20043C7BB /* Debug */,
-				50692E5F2E6FF9D20043C7BB /* Test */,
 				50692E602E6FF9D20043C7BB /* Release */,
 			);
 			defaultConfigurationIsVisible = 0;
@@ -1501,12 +1459,20 @@
 			isa = XCConfigurationList;
 			buildConfigurations = (
 				50A3B79B24026B7600D209EA /* Debug */,
-				508A5917241EF1A00069DC07 /* Test */,
 				50A3B79C24026B7600D209EA /* Release */,
 			);
 			defaultConfigurationIsVisible = 0;
 			defaultConfigurationName = Release;
 		};
+		50E4C4DB2E77C4B300C73783 /* Build configuration list for PBXNativeTarget "SecretiveCertificateParser" */ = {
+			isa = XCConfigurationList;
+			buildConfigurations = (
+				50E4C4DC2E77C4B300C73783 /* Debug */,
+				50E4C4DE2E77C4B300C73783 /* Release */,
+			);
+			defaultConfigurationIsVisible = 0;
+			defaultConfigurationName = Release;
+		};
 /* End XCConfigurationList section */
 
 /* Begin XCSwiftPackageProductDependency section */
@@ -1546,6 +1512,10 @@
 			isa = XCSwiftPackageProductDependency;
 			productName = Brief;
 		};
+		505993522E7E70C90092CFFA /* CertificateKit */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = CertificateKit;
+		};
 		50692D2C2E6FDC000043C7BB /* XPCWrappers */ = {
 			isa = XCSwiftPackageProductDependency;
 			productName = XPCWrappers;
@@ -1554,9 +1524,29 @@
 			isa = XCSwiftPackageProductDependency;
 			productName = Brief;
 		};
-		50692E6B2E6FFA510043C7BB /* SecretAgentKit */ = {
+		50E0145B2EDB9CDF00B121F1 /* Common */ = {
 			isa = XCSwiftPackageProductDependency;
-			productName = SecretAgentKit;
+			productName = Common;
+		};
+		50E0145D2EDB9CE400B121F1 /* Common */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = Common;
+		};
+		50E4C4EC2E77C55E00C73783 /* XPCWrappers */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = XPCWrappers;
+		};
+		50E4C4EE2E77C8FC00C73783 /* SSHProtocolKit */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = SSHProtocolKit;
+		};
+		50E4C4F02E77C90300C73783 /* SSHProtocolKit */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = SSHProtocolKit;
+		};
+		50E4C4F22E77CAC600C73783 /* XPCWrappers */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = XPCWrappers;
 		};
 /* End XCSwiftPackageProductDependency section */
 	};

Sources/Secretive.xcodeproj/xcshareddata/xcschemes/Secretive.xcscheme

@@ -23,7 +23,7 @@
       </BuildActionEntries>
    </BuildAction>
    <TestAction
-      buildConfiguration = "Test"
+      buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       shouldUseLaunchSchemeArgsEnv = "YES">

Sources/Secretive/App.swift

@@ -3,6 +3,90 @@ import SecretKit
 import SecureEnclaveSecretKit
 import SmartCardSecretKit
 import Brief
+import CertificateKit
+
+@main
+struct Secretive: App {
+    
+    @Environment(\.agentLaunchController) var agentLaunchController
+    @Environment(\.justUpdatedChecker) var justUpdatedChecker
+
+    @SceneBuilder var body: some Scene {
+        WindowGroup {
+            ContentView()
+                .environment(EnvironmentValues._secretStoreList)
+                .environment(EnvironmentValues._certificateStore)
+                .onReceive(NotificationCenter.default.publisher(for: NSApplication.didBecomeActiveNotification)) { _ in
+                    Task {
+                        @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
+                        @AppStorage("explicitlyDisabled") var explicitlyDisabled = false
+                        guard hasRunSetup && !explicitlyDisabled else { return }
+                        agentLaunchController.check()
+                        guard !agentLaunchController.developmentBuild else { return }
+                        if justUpdatedChecker.justUpdatedBuild || !agentLaunchController.running {
+                            // Relaunch the agent, since it'll be running from earlier update still
+                            try await agentLaunchController.forceLaunch()
+                        }
+                    }
+                }
+        }
+        .commands {
+            AppCommands()
+        }
+        WindowGroup(id: String(describing: IntegrationsView.self)) {
+            IntegrationsView()
+        }
+        .windowResizability(.contentMinSize)
+        WindowGroup(id: String(describing: AboutView.self)) {
+            AboutView()
+        }
+        .windowStyle(.hiddenTitleBar)
+        .windowResizability(.contentSize)
+    }
+
+}
+
+extension Secretive {
+
+    struct AppCommands: Commands {
+
+        @Environment(\.openWindow) var openWindow
+        @Environment(\.openURL) var openURL
+        @FocusedValue(\.showCreateSecret) var showCreateSecret
+
+        var body: some Commands {
+            CommandGroup(replacing: .appInfo) {
+                Button(.aboutMenuBarTitle, systemImage: "info.circle") {
+                    openWindow(id: String(describing: AboutView.self))
+                }
+            }
+            CommandGroup(before: CommandGroupPlacement.appSettings) {
+                Button(.integrationsMenuBarTitle, systemImage: "app.connected.to.app.below.fill") {
+                    openWindow(id: String(describing: IntegrationsView.self))
+                }
+            }
+            CommandGroup(after: CommandGroupPlacement.newItem) {
+                Button(.appMenuNewSecretButton, systemImage: "plus") {
+                    showCreateSecret?()
+                }
+                .keyboardShortcut(KeyboardShortcut(KeyEquivalent("N"), modifiers: [.command, .shift]))
+                .disabled(showCreateSecret?.isEnabled == false)
+            }
+            CommandGroup(replacing: .help) {
+                Button(.appMenuHelpButton) {
+                    openURL(Constants.helpURL)
+                }
+            }
+            SidebarCommands()
+        }
+    }
+
+}
+
+private enum Constants {
+    static let helpURL = URL(string: "https://github.com/maxgoedjen/secretive/blob/main/FAQ.md")!
+}
+
 
 extension EnvironmentValues {
 
@@ -10,15 +94,18 @@ extension EnvironmentValues {
     @MainActor fileprivate static let _secretStoreList: SecretStoreList = {
         let list = SecretStoreList()
         let cryptoKit = SecureEnclave.Store()
-        let migrator = SecureEnclave.CryptoKitMigrator()
-        try? migrator.migrate(to: cryptoKit)
+        let cryptoKitMigrator = SecureEnclave.CryptoKitMigrator()
+        try? cryptoKitMigrator.migrate(to: cryptoKit)
         list.add(store: cryptoKit)
         list.add(store: SmartCard.Store())
         return list
     }()
 
-    private static let _agentStatusChecker = AgentStatusChecker()
-    @Entry var agentStatusChecker: any AgentStatusCheckerProtocol = _agentStatusChecker
+    @MainActor fileprivate static let _certificateStore: CertificateStore = CertificateStore()
+    
+    private static let _agentLaunchController = AgentLaunchController()
+    @Entry var agentLaunchController: any AgentLaunchControllerProtocol = _agentLaunchController
+
     private static let _updater: any UpdaterProtocol = {
         @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
         return Updater(checkOnLaunch: hasRunSetup)
@@ -31,90 +118,28 @@ extension EnvironmentValues {
     @MainActor var secretStoreList: SecretStoreList {
         EnvironmentValues._secretStoreList
     }
+
+    @MainActor var certificateStore: CertificateStore {
+        EnvironmentValues._certificateStore
+    }
 }
 
-@main
-struct Secretive: App {
-    
-    @Environment(\.agentStatusChecker) var agentStatusChecker
-    @Environment(\.justUpdatedChecker) var justUpdatedChecker
-    @AppStorage("defaultsHasRunSetup") var hasRunSetup = false
-    @State private var showingSetup = false
-    @State private var showingIntegrations = false
-    @State private var showingCreation = false
+extension FocusedValues {
+    @Entry var showCreateSecret: OpenSheet?
+}
 
-    @SceneBuilder var body: some Scene {
-        WindowGroup {
-            ContentView(showingCreation: $showingCreation, runningSetup: $showingSetup, hasRunSetup: $hasRunSetup)
-                .environment(EnvironmentValues._secretStoreList)
-                .onAppear {
-                    if !hasRunSetup {
-                        showingSetup = true
-                    }
-                }
-                .onReceive(NotificationCenter.default.publisher(for: NSApplication.didBecomeActiveNotification)) { _ in
-                    guard hasRunSetup else { return }
-                    agentStatusChecker.check()
-                    if agentStatusChecker.running && justUpdatedChecker.justUpdatedBuild {
-                        // Relaunch the agent, since it'll be running from earlier update still
-                        reinstallAgent()
-                    } else if !agentStatusChecker.running && !agentStatusChecker.developmentBuild {
-                        forceLaunchAgent()
-                    }
-                }
-                .sheet(isPresented: $showingIntegrations) {
-                    IntegrationsView()
-                }
-        }
-        .commands {
-            CommandGroup(before: CommandGroupPlacement.appSettings) {
-                Button(.integrationsMenuBarTitle, systemImage: "app.connected.to.app.below.fill") {
-                    showingIntegrations = true
-                }
-            }
-            CommandGroup(after: CommandGroupPlacement.newItem) {
-                Button(.appMenuNewSecretButton) {
-                    showingCreation = true
-                }
-                .keyboardShortcut(KeyboardShortcut(KeyEquivalent("N"), modifiers: [.command, .shift]))
-            }
-            CommandGroup(replacing: .help) {
-                Button(.appMenuHelpButton) {
-                    NSWorkspace.shared.open(Constants.helpURL)
-                }
-            }
-            SidebarCommands()
-        }
+final class OpenSheet {
+
+    let closure: () -> Void
+    let isEnabled: Bool
+
+    init(isEnabled: Bool = true, closure: @escaping () -> Void) {
+        self.isEnabled = isEnabled
+        self.closure = closure
+    }
+
+    func callAsFunction() {
+        closure()
     }
 
 }
-
-extension Secretive {
-
-    private func reinstallAgent() {
-        Task {
-            _ = await LaunchAgentController().install()
-            try? await Task.sleep(for: .seconds(1))
-            agentStatusChecker.check()
-            if !agentStatusChecker.running {
-                forceLaunchAgent()
-            }
-        }
-    }
-
-    private func forceLaunchAgent() {
-        // We've run setup, we didn't just update, launchd is just not doing it's thing.
-        // Force a launch directly.
-        Task {
-            _ = await LaunchAgentController().forceLaunch()
-            agentStatusChecker.check()
-        }
-    }
-
-}
-
-
-private enum Constants {
-    static let helpURL = URL(string: "https://github.com/maxgoedjen/secretive/blob/main/FAQ.md")!
-}
-

Sources/Secretive/Assets.xcassets/AppIcon.appiconset/Contents.json

@@ -1,68 +0,0 @@
-{
-  "images" : [
-    {
-      "filename" : "Icon-macOS-ClearDark-16x16@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "16x16"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-16x16@2x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "16x16"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-32x32@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "32x32"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-32x32@2x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "32x32"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-128x128@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "128x128"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-128x128@2x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "128x128"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-256x256@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "256x256"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-256x256@2x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "256x256"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-512x512@1x.png",
-      "idiom" : "mac",
-      "scale" : "1x",
-      "size" : "512x512"
-    },
-    {
-      "filename" : "Icon-macOS-ClearDark-1024x1024@1x.png",
-      "idiom" : "mac",
-      "scale" : "2x",
-      "size" : "512x512"
-    }
-  ],
-  "info" : {
-    "author" : "xcode",
-    "version" : 1
-  }
-}

Sources/Secretive/Assets.xcassets/Contents.json

@@ -1,6 +0,0 @@
-{
-  "info" : {
-    "author" : "xcode",
-    "version" : 1
-  }
-}

Sources/Secretive/Controllers/AgentStatusChecker.swift

@@ -2,18 +2,26 @@ import Foundation
 import AppKit
 import SecretKit
 import Observation
+import OSLog
+import ServiceManagement
+import Common
 
-@MainActor protocol AgentStatusCheckerProtocol: Observable, Sendable {
+@MainActor protocol AgentLaunchControllerProtocol: Observable, Sendable {
     var running: Bool { get }
     var developmentBuild: Bool { get }
     var process: NSRunningApplication? { get }
     func check()
+    func install() async throws
+    func uninstall() async throws
+    func forceLaunch() async throws
 }
 
-@Observable @MainActor final class AgentStatusChecker: AgentStatusCheckerProtocol {
+@Observable @MainActor final class AgentLaunchController: AgentLaunchControllerProtocol {
 
     var running: Bool = false
     var process: NSRunningApplication? = nil
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "LaunchAgentController")
+    private let service = SMAppService.loginItem(identifier: Bundle.agentBundleID)
 
     nonisolated init() {
         Task { @MainActor in
@@ -33,7 +41,7 @@ import Observation
 
     // The process corresponding to this instance of Secretive
     var instanceSecretAgentProcess: NSRunningApplication? {
-        // FIXME: CHECK VERSION
+        // TODO: CHECK VERSION
         let agents = allSecretAgentProcesses
         for agent in agents {
             guard let url = agent.bundleURL else { continue }
@@ -49,6 +57,47 @@ import Observation
         Bundle.main.bundleURL.isXcodeURL
     }
 
+    func install() async throws {
+        logger.debug("Installing agent")
+        try? await service.unregister()
+        // This is definitely a bit of a "seems to work better" thing but:
+        // Seems to more reliably hit if these are on separate runloops, otherwise it seems like it sometimes doesn't kill old
+        // and start new?
+        try await Task.sleep(for: .seconds(1))
+        try service.register()
+        try await Task.sleep(for: .seconds(1))
+        check()
+    }
+
+    func uninstall() async throws {
+        logger.debug("Uninstalling agent")
+        try await Task.sleep(for: .seconds(1))
+        try await service.unregister()
+        try await Task.sleep(for: .seconds(1))
+        check()
+    }
+
+    func forceLaunch() async throws {
+        logger.debug("Agent is not running, attempting to force launch by reinstalling")
+        try await install()
+        if running {
+            logger.debug("Agent successfully force launched by reinstalling")
+            return
+        }
+        logger.debug("Agent is not running, attempting to force launch by launching directly")
+        let url = Bundle.main.bundleURL.appendingPathComponent("Contents/Library/LoginItems/SecretAgent.app")
+        let config = NSWorkspace.OpenConfiguration()
+        config.activates = false
+        do {
+            try await NSWorkspace.shared.openApplication(at: url, configuration: config)
+            logger.debug("Agent force launched")
+            try await Task.sleep(for: .seconds(1))
+        } catch {
+            logger.error("Error force launching \(error.localizedDescription)")
+        }
+        check()
+    }
+
 }
 
 extension URL {

Sources/Secretive/Controllers/LaunchAgentController.swift

@@ -1,65 +0,0 @@
-import Foundation
-import ServiceManagement
-import AppKit
-import OSLog
-import SecretKit
-
-struct LaunchAgentController {
-    
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "LaunchAgentController")
-
-    func install() async -> Bool {
-        logger.debug("Installing agent")
-        _ = setEnabled(false)
-        // This is definitely a bit of a "seems to work better" thing but:
-        // Seems to more reliably hit if these are on separate runloops, otherwise it seems like it sometimes doesn't kill old
-        // and start new?
-        try? await Task.sleep(for: .seconds(1))
-        let result = await MainActor.run {
-            setEnabled(true)
-        }
-        try? await Task.sleep(for: .seconds(1))
-        return result
-    }
-
-    func uninstall() async -> Bool {
-        logger.debug("Uninstalling agent")
-        try? await Task.sleep(for: .seconds(1))
-        let result = await MainActor.run {
-            setEnabled(false)
-        }
-        try? await Task.sleep(for: .seconds(1))
-        return result
-    }
-
-    func forceLaunch() async -> Bool {
-        logger.debug("Agent is not running, attempting to force launch")
-        let url = Bundle.main.bundleURL.appendingPathComponent("Contents/Library/LoginItems/SecretAgent.app")
-        let config = NSWorkspace.OpenConfiguration()
-        config.activates = false
-        do {
-            try await NSWorkspace.shared.openApplication(at: url, configuration: config)
-            logger.debug("Agent force launched")
-            try? await Task.sleep(for: .seconds(1))
-            return true
-        } catch {
-            logger.error("Error force launching \(error.localizedDescription)")
-            return false
-        }
-    }
-
-    private func setEnabled(_ enabled: Bool) -> Bool {
-        let service = SMAppService.loginItem(identifier: Bundle.agentBundleID)
-        do {
-            if enabled {
-                try service.register()
-            } else {
-                try service.unregister()
-            }
-            return true
-        } catch {
-            return false
-        }
-    }
-
-}

Sources/Secretive/Controllers/XPCCertificateParser.swift

@@ -0,0 +1,29 @@
+import Foundation
+import OSLog
+import SSHProtocolKit
+import Brief
+import XPCWrappers
+
+/// Delegates all agent input parsing to an XPC service which wraps OpenSSH
+public final class XPCCertificateParser: OpenSSHCertificateParserProtocol {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive", category: "XPCCertificateParser")
+    private let session: XPCTypedSession<OpenSSHCertificate, OpenSSHCertificateError>
+
+    public init() async throws {
+        logger.debug("Creating XPCCertificateParser")
+        session = try await XPCTypedSession(serviceName: "com.maxgoedjen.Secretive.SecretiveCertificateParser", warmup: true)
+        logger.debug("XPCCertificateParser is warmed up.")
+    }
+
+    public func parse(data: Data) async throws -> OpenSSHCertificate {
+        logger.debug("Parsing input")
+        defer { logger.debug("Parsed input") }
+        return try await session.send(data)
+    }
+
+    deinit {
+        session.complete()
+    }
+
+}

Sources/Secretive/Credits.rtf

@@ -1,36 +0,0 @@
-{\rtf1\ansi\ansicpg1252\cocoartf2580
-\cocoatextscaling0\cocoaplatform0{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
-{\colortbl;\red255\green255\blue255;}
-{\*\expandedcolortbl;;}
-\margl1440\margr1440\vieww9000\viewh8400\viewkind0
-\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6119\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
-{\field{\*\fldinst{HYPERLINK "https://github.com/maxgoedjen/secretive"}}{\fldrslt 
-\f0\fs24 \cf0 GitHub Repository}}
-\f0\fs24 \
-\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
-\cf0 \
-{\field{\*\fldinst{HYPERLINK "GITHUB_BUILD_URL"}}{\fldrslt Build Log}}\
-\
-Special Thanks To:\
-\
-{\field{\*\fldinst{HYPERLINK "https://github.com/maxgoedjen/secretive/graphs/contributors"}}{\fldrslt Contributors}}:\
-{\field{\*\fldinst{HYPERLINK "https://github.com/0xflotus"}}{\fldrslt 0xflotus}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/aaron-trout"}}{\fldrslt Aaron Trout}}\
-\pard\pardeftab720\partightenfactor0
-{\field{\*\fldinst{HYPERLINK "https://github.com/EppO"}}{\fldrslt \cf0 Florent Monbillard}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/vladimyr"}}{\fldrslt Dario Vladovi\uc0\u263 }}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/lavalleeale"}}{\fldrslt Alex Lavallee}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/joshheyse"}}{\fldrslt Josh}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/diesal11"}}{\fldrslt Dylan Lundy}}\
-\
-\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
-\cf0 Testers:\
-{\field{\*\fldinst{HYPERLINK "https://github.com/bdash"}}{\fldrslt Mark Rowe}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/danielctull"}}{\fldrslt Daniel Tull}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/davedelong"}}{\fldrslt Dave DeLong}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/esttorhe"}}{\fldrslt Esteban Torres}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/joeblau"}}{\fldrslt Joe Blau}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/marksands"}}{\fldrslt Mark Sands}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/mergesort"}}{\fldrslt Joe Fabisevich}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/phillco"}}{\fldrslt Phil Cohen}}\
-{\field{\*\fldinst{HYPERLINK "https://github.com/zackdotcomputer"}}{\fldrslt Zack Sheppard}}}

Sources/Secretive/Info.plist

@@ -20,6 +20,8 @@
 	<string>$(CI_VERSION)</string>
 	<key>CFBundleVersion</key>
 	<string>$(CI_BUILD_NUMBER)</string>
+	<key>GitHubBuildLog</key>
+	<string>https://$(CI_BUILD_LINK)</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
 	<key>NSHumanReadableCopyright</key>

Sources/Secretive/Preview Content/PreviewAgentStatusChecker.swift

@@ -1,7 +1,7 @@
 import Foundation
 import AppKit
 
-class PreviewAgentStatusChecker: AgentStatusCheckerProtocol {
+class PreviewAgentLaunchController: AgentLaunchControllerProtocol {
 
     let running: Bool
     let process: NSRunningApplication?
@@ -15,4 +15,13 @@ class PreviewAgentStatusChecker: AgentStatusCheckerProtocol {
     func check() {
     }
 
+    func install() async throws {
+    }
+
+    func uninstall() async throws {
+    }
+
+    func forceLaunch() async throws {
+    }
+
 }

Sources/Secretive/Preview Content/PreviewStore.swift

@@ -60,16 +60,17 @@ extension Preview {
         let id = UUID()
         var name: String { "Modifiable Preview Store" }
         let secrets: [Secret]
-        var supportedKeyTypes: [KeyType] {
-            if #available(macOS 26, *) {
-                [
+        var supportedKeyTypes: KeyAvailability {
+            return KeyAvailability(
+                available: [
                     .ecdsa256,
                     .mldsa65,
-                    .mldsa87,
+                    .mldsa87
+                ],
+                unavailable: [
+                    .init(keyType: .ecdsa384, reason: .macOSUpdateRequired)
                 ]
-            } else {
-                [.ecdsa256]
-            }
+            )
         }
         
         init(secrets: [Secret]) {

Sources/Secretive/Views/Configuration/ConfigurationItemView.swift

@@ -32,7 +32,7 @@ struct ConfigurationItemView<Content: View>: View {
                 Spacer()
                 switch action {
                 case .copy(let string):
-                    Button(.copyableClickToCopyButton, systemImage: "document.on.document") {
+                    Button(.copyableClickToCopyButton, systemImage: "doc.on.doc") {
                         NSPasteboard.general.declareTypes([.string], owner: nil)
                         NSPasteboard.general.setString(string, forType: .string)
                     }

Sources/Secretive/Views/Configuration/IntegrationsView.swift

@@ -21,47 +21,19 @@ struct IntegrationsView: View {
                 }
             }
         } detail: {
-                IntegrationsDetailView(selectedInstruction: $selectedInstruction)
-                .fauxToolbar {
-                    Button(.setupDoneButton) {
-                        dismiss()
-                    }
-                    .normalButton()
-                }
+            IntegrationsDetailView(selectedInstruction: $selectedInstruction)
         }
+        .toolbar {
+            Button(.setupDoneButton) {
+                dismiss()
+            }
+        }
+        .hiddenToolbar()
+        .windowBackgroundStyle(.thinMaterial)
         .onAppear {
             selectedInstruction = instructions.gettingStarted
         }
-        .frame(minHeight: 500)
-    }
-
-}
-
-extension View {
-
-    func fauxToolbar<Content: View>(content: () -> Content) -> some View {
-        modifier(FauxToolbarModifier(toolbarContent: content()))
-    }
-
-}
-
-struct FauxToolbarModifier<ToolbarContent: View>: ViewModifier {
-
-    var toolbarContent: ToolbarContent
-
-    func body(content: Content) -> some View {
-        VStack(alignment: .leading, spacing: 0) {
-            content
-            Divider()
-            HStack {
-                Spacer()
-                toolbarContent
-                .padding(.top, 8)
-                .padding(.trailing, 16)
-                .padding(.bottom, 16)
-            }
-        }
-
+        .frame(minWidth: 400, minHeight: 400)
     }
 
 }

Sources/Secretive/Views/Configuration/SetupView.swift

@@ -3,6 +3,7 @@ import SwiftUI
 struct SetupView: View {
 
     @Environment(\.dismiss) private var dismiss
+    @Environment(\.agentLaunchController) private var agentLaunchController
     @Binding var setupComplete: Bool
 
     @State var showingIntegrations = false
@@ -31,7 +32,7 @@ struct SetupView: View {
                     ) {
                         installed = true
                         Task {
-                            await LaunchAgentController().install()
+                            try? await agentLaunchController.install()
                         }
                     }
                 }
@@ -85,7 +86,10 @@ struct SetupView: View {
             integrations = true
         }, content: {
             IntegrationsView()
+                .frame(minWidth: 500, minHeight: 400)
         })
+        .frame(idealWidth: 600)
+        .fixedSize(horizontal: false, vertical: true)
     }
 }
 
@@ -172,10 +176,13 @@ struct StepView<Content: View>: View {
                 .frame(width: 20)
             VStack(alignment: .leading, spacing: 4) {
                 Text(title)
+                    .fixedSize(horizontal: false, vertical: true)
                     .bold()
                 Text(description)
+                    .fixedSize(horizontal: false, vertical: true)
                 if let detail {
                     Text(detail)
+                        .fixedSize(horizontal: false, vertical: true)
                         .font(.callout)
                         .italic()
                 }

Sources/Secretive/Views/Configuration/ToolConfigurationView.swift

@@ -1,5 +1,6 @@
 import SwiftUI
 import SecretKit
+import SSHProtocolKit
 
 struct ToolConfigurationView: View {
 
@@ -10,6 +11,7 @@ struct ToolConfigurationView: View {
 
     @State var creating = false
     @State var selectedSecret: AnySecret?
+    @State var email = ""
 
     init(selectedInstruction: ConfigurationFileInstructions) {
         self.selectedInstruction = selectedInstruction
@@ -32,6 +34,7 @@ struct ToolConfigurationView: View {
                                         selectedSecret = created
                                     }
                                 }
+                                .fixedSize()
                             }
                         }
                     }
@@ -47,6 +50,12 @@ struct ToolConfigurationView: View {
                                     .tag(secret)
                             }
                         }
+                        TextField(text: $email, prompt: Text(.integrationsConfigureUsingEmailPlaceholder)) {
+                            Text(.integrationsConfigureUsingEmailTitle)
+                            Text(.integrationsConfigureUsingEmailSubtitle)
+                                .font(.subheadline)
+                                .foregroundStyle(.secondary)
+                        }
                     } header: {
                         Text(.integrationsConfigureUsingSecretHeader)
                     }
@@ -59,7 +68,7 @@ struct ToolConfigurationView: View {
                 Section {
                     ConfigurationItemView(title: .integrationsPathTitle, value: stepGroup.path, action: .revealInFinder(stepGroup.path))
                     ForEach(stepGroup.steps, id: \.self.key) { step in
-                        ConfigurationItemView(title: .integrationsAddThisTitle, action: .copy(String(localized: step))) {
+                        ConfigurationItemView(title: .integrationsAddThisTitle, action: .copy(placeholdersReplaced(text: String(localized: step)))) {
                             HStack {
                                 Text(placeholdersReplaced(text: String(localized: step)))
                                     .padding(8)
@@ -101,9 +110,11 @@ struct ToolConfigurationView: View {
     func placeholdersReplaced(text: String) -> String {
         guard let selectedSecret else { return text }
         let writer = OpenSSHPublicKeyWriter()
+        let gitAllowedSignersString = [email.isEmpty ? String(localized: .integrationsConfigureUsingEmailPlaceholder) : email, writer.openSSHString(secret: selectedSecret)]
+            .joined(separator: " ")
         let fileController = PublicKeyFileStoreController(homeDirectory: URL.agentHomeURL)
         return text
-            .replacingOccurrences(of: Instructions.Constants.publicKeyPlaceholder, with: writer.openSSHString(secret: selectedSecret))
+            .replacingOccurrences(of: Instructions.Constants.publicKeyPlaceholder, with: gitAllowedSignersString)
             .replacingOccurrences(of: Instructions.Constants.publicKeyPathPlaceholder, with: fileController.publicKeyPath(for: selectedSecret))
     }
 

Sources/Secretive/Views/Modifiers/ActionButtonStyle.swift

@@ -24,7 +24,7 @@ extension View {
 
 }
 
-struct MenuButtonModifier: ViewModifier {
+struct ToolbarCircleButtonModifier: ViewModifier {
 
     func body(content: Content) -> some View {
         if #available(macOS 26.0, *) {
@@ -40,8 +40,8 @@ struct MenuButtonModifier: ViewModifier {
 
 extension View {
 
-    func menuButton() -> some View {
-        modifier(MenuButtonModifier())
+    func toolbarCircleButton() -> some View {
+        modifier(ToolbarCircleButtonModifier())
     }
 
 }

Sources/Secretive/Views/Modifiers/ToolbarButtonStyle.swift

@@ -1,6 +1,6 @@
 import SwiftUI
 
-struct ToolbarButtonStyle: ButtonStyle {
+struct ToolbarStatusButtonStyle: ButtonStyle {
 
     private let lightColor: Color
     private let darkColor: Color
@@ -39,6 +39,7 @@ struct ToolbarButtonStyle: ButtonStyle {
         } else {
             configuration
                 .label
+                .padding(EdgeInsets(top: 6, leading: 8, bottom: 6, trailing: 8))
                 .background(colorScheme == .light ? lightColor : darkColor)
                 .foregroundColor(.white)
                 .clipShape(RoundedRectangle(cornerRadius: 5))
@@ -55,3 +56,27 @@ struct ToolbarButtonStyle: ButtonStyle {
         }
     }
 }
+
+struct ToolbarButtonStyle: PrimitiveButtonStyle {
+
+    var tint: Color = .white.opacity(0.1)
+
+    func makeBody(configuration: Configuration) -> some View {
+        if #available(macOS 26.0, *) {
+            configuration
+                .label
+                .padding(.vertical, 10)
+                .padding(.horizontal, 12)
+                .glassEffect(.regular.interactive().tint(tint))
+                .onTapGesture {
+                    configuration.trigger()
+                }
+        } else {
+            BorderedButtonStyle().makeBody(configuration: configuration)
+                .padding(EdgeInsets(top: 6, leading: 8, bottom: 6, trailing: 8))
+                .foregroundColor(.white)
+                .clipShape(RoundedRectangle(cornerRadius: 5))
+        }
+    }
+}
+

Sources/Secretive/Views/Modifiers/WindowBackgroundStyle.swift

@@ -0,0 +1,47 @@
+import SwiftUI
+
+struct WindowBackgroundStyleModifier: ViewModifier {
+
+    let shapeStyle: any ShapeStyle
+
+    func body(content: Content) -> some View {
+        if #available(macOS 15.0, *) {
+            content
+                .containerBackground(
+                    shapeStyle, for: .window
+                )
+        } else {
+            content
+        }
+    }
+
+}
+
+extension View {
+
+    func windowBackgroundStyle(_ style: some ShapeStyle) -> some View {
+        modifier(WindowBackgroundStyleModifier(shapeStyle: style))
+    }
+
+}
+
+struct HiddenToolbarModifier: ViewModifier {
+
+    func body(content: Content) -> some View {
+        if #available(macOS 15.0, *) {
+            content
+                .toolbarBackgroundVisibility(.hidden, for: .automatic)
+        } else {
+            content
+        }
+    }
+
+}
+
+extension View {
+
+    func hiddenToolbar() -> some View {
+        modifier(HiddenToolbarModifier())
+    }
+
+}

Sources/Secretive/Views/Secrets/CreateSecretView.swift

@@ -75,10 +75,23 @@ struct CreateSecretView<StoreType: SecretStoreModifiable>: View {
                     Section {
                         VStack {
                             Picker(.createSecretKeyTypeLabel, selection: $keyType) {
-                                ForEach(store.supportedKeyTypes, id: \.self) { option in
+                                ForEach(store.supportedKeyTypes.available, id: \.self) { option in
                                     Text(String(describing: option))
                                         .tag(option)
-                                        .font(.caption)
+                                }
+                                Divider()
+                                ForEach(store.supportedKeyTypes.unavailable, id: \.keyType) { option in
+                                    VStack {
+                                        Button {
+                                        } label: {
+                                            Text(String(describing: option.keyType))
+                                            switch option.reason {
+                                            case .macOSUpdateRequired:
+                                                Text(.createSecretKeyTypeMacOSUpdateRequiredLabel)
+                                            }
+                                        }
+                                    }
+                                    .selectionDisabled()
                                 }
                             }
                             if keyType?.algorithm == .mldsa {
@@ -119,7 +132,7 @@ struct CreateSecretView<StoreType: SecretStoreModifiable>: View {
             .padding()
         }
         .onAppear {
-            keyType = store.supportedKeyTypes.first
+            keyType = store.supportedKeyTypes.available.first
         }
         .formStyle(.grouped)
     }

Sources/Secretive/Views/Secrets/SecretDetailView.swift

@@ -1,5 +1,6 @@
 import SwiftUI
 import SecretKit
+import SSHProtocolKit
 
 struct SecretDetailView<SecretType: Secret>: View {
     

Sources/Secretive/Views/Secrets/SecretListItemView.swift

@@ -24,6 +24,18 @@ struct SecretListItemView: View {
                 Text(secret.name)
             }
         }
+        .sheet(isPresented: $isRenaming, onDismiss: {
+            renamedSecret(secret)
+        }, content: {
+            if let modifiable = store as? AnySecretStoreModifiable {
+                EditSecretView(store: modifiable, secret: secret)
+            }
+        })
+        .showingDeleteConfirmation(isPresented: $isDeleting, secret, store as? AnySecretStoreModifiable) { deleted in
+            if deleted {
+                deletedSecret(secret)
+            }
+        }
         .contextMenu {
             if store is AnySecretStoreModifiable {
                 Button(action: { isRenaming = true }) {
@@ -36,17 +48,5 @@ struct SecretListItemView: View {
                 }
             }
         }
-        .showingDeleteConfirmation(isPresented: $isDeleting, secret, store as? AnySecretStoreModifiable) { deleted in
-            if deleted {
-                deletedSecret(secret)
-            }
-        }
-        .sheet(isPresented: $isRenaming, onDismiss: {
-            renamedSecret(secret)
-        }, content: {
-            if let modifiable = store as? AnySecretStoreModifiable {
-                EditSecretView(store: modifiable, secret: secret)
-            }
-        })
     }
 }

Sources/Secretive/Views/Views/AboutView.swift

@@ -0,0 +1,69 @@
+import SwiftUI
+
+struct AboutView: View {
+    var body: some View {
+        if #available(macOS 15.0, *) {
+            AboutViewContent()
+                .containerBackground(
+                    .thinMaterial, for: .window
+                )
+        } else {
+            AboutViewContent()
+        }
+    }
+}
+
+struct AboutViewContent: View {
+
+    @Environment(\.openURL) var openURL
+    var body: some View {
+        VStack(spacing: 10) {
+            HStack {
+                Image(nsImage: NSApplication.shared.applicationIconImage)
+                VStack(alignment: .leading) {
+                    Text(verbatim: "Secretive")
+                        .font(.system(.largeTitle, weight: .bold))
+                    Text("**\(Bundle.main.versionNumber)** (\(Bundle.main.buildNumber))")
+                        .fixedSize(horizontal: true, vertical: false)
+                    HStack {
+                        Button(.aboutViewOnGithubButton) {
+                            openURL(URL(string: "https://github.com/maxgoedjen/secretive")!)
+                        }
+                            .normalButton()
+                        Button(.aboutBuildLogButton) {
+                            openURL(Bundle.main.buildLog)
+                        }
+                        .normalButton()
+                    }
+                }
+            }
+            Text(.aboutThanks(contributorsLink: "https://github.com/maxgoedjen/secretive/graphs/contributors", sponsorsLink: "https://github.com/sponsors/maxgoedjen"))
+                .font(.headline)
+            Text(.aboutOpenSourceNotice)
+                .font(.subheadline)
+        }
+        .padding(EdgeInsets(top: 10, leading: 30, bottom: 30, trailing: 30))
+    }
+
+}
+
+private extension Bundle {
+
+    var buildLog: URL {
+        URL(string: infoDictionary!["GitHubBuildLog"] as! String)!
+    }
+
+    var versionNumber: String {
+        infoDictionary?["CFBundleShortVersionString"] as? String ?? "0.0.0"
+    }
+
+    var buildNumber: String {
+        infoDictionary?["CFBundleVersion"] as? String ?? "0.0"
+    }
+
+}
+
+#Preview {
+    AboutView()
+        .frame(width: 500, height: 250)
+}

Sources/Secretive/Views/Views/AgentStatusView.swift

@@ -2,10 +2,10 @@ import SwiftUI
 
 struct AgentStatusView: View {
 
-    @Environment(\.agentStatusChecker) private var agentStatusChecker: any AgentStatusCheckerProtocol
+    @Environment(\.agentLaunchController) private var agentLaunchController: any AgentLaunchControllerProtocol
 
     var body: some View {
-        if agentStatusChecker.running {
+        if agentLaunchController.running {
             AgentRunningView()
         } else {
             AgentNotRunningView()
@@ -14,12 +14,13 @@ struct AgentStatusView: View {
 }
 struct AgentRunningView: View {
 
-    @Environment(\.agentStatusChecker) private var agentStatusChecker: any AgentStatusCheckerProtocol
+    @Environment(\.agentLaunchController) private var agentLaunchController: any AgentLaunchControllerProtocol
+    @AppStorage("explicitlyDisabled") var explicitlyDisabled = false
 
     var body: some View {
         Form {
             Section {
-                if let process = agentStatusChecker.process {
+                if let process = agentLaunchController.process {
                     ConfigurationItemView(
                         title: .agentDetailsLocationTitle,
                         value: process.bundleURL!.path(),
@@ -53,19 +54,14 @@ struct AgentRunningView: View {
                         Menu(.agentDetailsRestartAgentButton) {
                             Button(.agentDetailsDisableAgentButton) {
                                 Task {
-                                    _ = await LaunchAgentController()
+                                    explicitlyDisabled = true
+                                    try? await agentLaunchController
                                         .uninstall()
-                                    agentStatusChecker.check()
                                 }
                             }
                         } primaryAction: {
                             Task {
-                                let controller = LaunchAgentController()
-                                let installed = await controller.install()
-                                if !installed {
-                                    _ = await controller.forceLaunch()
-                                }
-                                agentStatusChecker.check()
+                                try? await agentLaunchController.forceLaunch()
                             }
                         }
                     }
@@ -82,9 +78,10 @@ struct AgentRunningView: View {
 
 struct AgentNotRunningView: View {
 
-    @Environment(\.agentStatusChecker) private var agentStatusChecker: any AgentStatusCheckerProtocol
+    @Environment(\.agentLaunchController) private var agentLaunchController
     @State var triedRestart = false
     @State var loading = false
+    @AppStorage("explicitlyDisabled") var explicitlyDisabled = false
 
     var body: some View {
         Form {
@@ -100,18 +97,14 @@ struct AgentNotRunningView: View {
                         if !triedRestart {
                             Spacer()
                             Button {
+                                explicitlyDisabled = false
                                 guard !loading else { return }
                                 loading = true
                                 Task {
-                                    let controller = LaunchAgentController()
-                                    let installed = await controller.install()
-                                    if !installed {
-                                        _ = await controller.forceLaunch()
-                                    }
-                                    agentStatusChecker.check()
+                                    try await agentLaunchController.forceLaunch()
                                     loading = false
 
-                                    if !agentStatusChecker.running {
+                                    if !agentLaunchController.running {
                                         triedRestart = true
                                     }
                                 }
@@ -145,9 +138,9 @@ struct AgentNotRunningView: View {
 
 //#Preview {
 //    AgentStatusView()
-//        .environment(\.agentStatusChecker, PreviewAgentStatusChecker(running: false))
+//        .environment(\.agentLaunchController, PreviewAgentLaunchController(running: false))
 //}
 //#Preview {
 //    AgentStatusView()
-//        .environment(\.agentStatusChecker, PreviewAgentStatusChecker(running: true, process: .current))
+//        .environment(\.agentLaunchController, PreviewAgentLaunchController(running: true, process: .current))
 //}

Sources/Secretive/Views/Views/ContentView.swift

@@ -3,22 +3,26 @@ import SecretKit
 import SecureEnclaveSecretKit
 import SmartCardSecretKit
 import Brief
+import SSHProtocolKit
 
 struct ContentView: View {
 
-    @Binding var showingCreation: Bool
-    @Binding var runningSetup: Bool
-    @Binding var hasRunSetup: Bool
-    @State var showingAgentInfo = false
     @State var activeSecret: AnySecret?
-    @Environment(\.colorScheme) var colorScheme
-
-    @Environment(\.secretStoreList) private var storeList
-    @Environment(\.updater) private var updater: any UpdaterProtocol
-    @Environment(\.agentStatusChecker) private var agentStatusChecker: any AgentStatusCheckerProtocol
 
     @State private var selectedUpdate: Release?
+
+    @Environment(\.colorScheme) private var colorScheme
+    @Environment(\.openWindow) private var openWindow
+    @Environment(\.secretStoreList) private var storeList
+    @Environment(\.certificateStore) private var certificateStore
+    @Environment(\.updater) private var updater
+    @Environment(\.agentLaunchController) private var agentLaunchController
+
+    @AppStorage("defaultsHasRunSetup") private var hasRunSetup = false
+    @State private var showingCreation = false
     @State private var showingAppPathNotice = false
+    @State private var runningSetup = false
+    @State private var showingAgentInfo = false
 
     var body: some View {
         VStack {
@@ -35,6 +39,39 @@ struct ContentView: View {
             toolbarItem(appPathNoticeView, id: "appPath")
             toolbarItem(newItemView, id: "new")
         }
+        .onAppear {
+            if !hasRunSetup {
+                runningSetup = true
+            }
+        }
+        .dropDestination(for: URL.self) { items, location in
+                guard let url = items.first, url.pathExtension == "pub" else { return false }
+            Task {
+                let data = try! Data(contentsOf: url)
+                let parser = try! await XPCCertificateParser()
+                let cert = try! await parser.parse(data: data)
+                let secret = storeList.allSecrets.first { secret in
+                    secret.name == cert.name
+                }
+                guard let secret = secret ?? storeList.allSecrets.first else { return }
+                print(cert.data.formatted(.hex()))
+                certificateStore.saveCertificate(cert.data, for: secret)
+                print(cert)
+            }
+            return true
+        } isTargeted: { _ in }
+        .focusedSceneValue(\.showCreateSecret,  .init(isEnabled: !runningSetup) {
+            showingCreation = true
+        })
+        .sheet(isPresented: $showingCreation) {
+            if let modifiable = storeList.modifiableStore {
+                CreateSecretView(store: modifiable) { created in
+                    if let created {
+                        activeSecret = created
+                    }
+                }
+            }
+        }
         .sheet(isPresented: $runningSetup) {
             SetupView(setupComplete: $hasRunSetup)
         }
@@ -85,24 +122,9 @@ extension ContentView {
                     .font(.headline)
                     .foregroundColor(.white)
             })
-            .buttonStyle(ToolbarButtonStyle(color: color))
+            .buttonStyle(ToolbarStatusButtonStyle(color: color))
             .sheet(item: $selectedUpdate) { update in
-                VStack {
-                    if updater.currentVersion.isTestBuild {
-                        VStack {
-                            if let description = updater.currentVersion.previewDescription {
-                                Text(description)
-                            }
-                            Link(destination: URL(string: "https://github.com/maxgoedjen/secretive/actions/workflows/nightly.yml")!) {
-                                Button(.updaterDownloadLatestNightlyButton) {}
-                                    .frame(maxWidth: .infinity)
-                                    .primaryButton()
-                            }
-                        }
-                        .padding()
-                    }
-                    UpdateDetailView(update: update)
-                }
+                UpdateDetailView(update: update)
             }
         }
     }
@@ -113,16 +135,7 @@ extension ContentView {
             Button(.appMenuNewSecretButton, systemImage: "plus") {
                 showingCreation = true
             }
-            .menuButton()
-            .sheet(isPresented: $showingCreation) {
-                if let modifiable = storeList.modifiableStore {
-                    CreateSecretView(store: modifiable) { created in
-                        if let created {
-                            activeSecret = created
-                        }
-                    }
-                }
-            }
+            .toolbarCircleButton()
         }
     }
 
@@ -132,7 +145,7 @@ extension ContentView {
             showingAgentInfo = true
         }, label: {
             HStack {
-                if agentStatusChecker.running {
+                if agentLaunchController.running {
                     Text(.agentRunningNoticeTitle)
                         .font(.headline)
                         .foregroundColor(colorScheme == .light ? Color(white: 0.3) : .white)
@@ -149,9 +162,9 @@ extension ContentView {
             }
         })
         .buttonStyle(
-            ToolbarButtonStyle(
-                lightColor: agentStatusChecker.running ? .black.opacity(0.05) : .red.opacity(0.75),
-                darkColor: agentStatusChecker.running ? .white.opacity(0.05) : .red.opacity(0.5),
+            ToolbarStatusButtonStyle(
+                lightColor: agentLaunchController.running ? .black.opacity(0.05) : .red.opacity(0.75),
+                darkColor: agentLaunchController.running ? .white.opacity(0.05) : .red.opacity(0.5),
             )
         )
         .popover(isPresented: $showingAgentInfo, attachmentAnchor: attachmentAnchor, arrowEdge: .bottom) {
@@ -171,18 +184,18 @@ extension ContentView {
                 .font(.headline)
                 .foregroundColor(.white)
             })
-            .buttonStyle(ToolbarButtonStyle(color: .orange))
-            .popover(isPresented: $showingAppPathNotice, attachmentAnchor: attachmentAnchor, arrowEdge: .bottom) {
-                VStack {
-                    Image(systemName: "exclamationmark.triangle")
-                        .resizable()
-                        .aspectRatio(contentMode: .fit)
-                        .frame(width: 64)
-                    Text(.appNotInApplicationsNoticeDetailDescription)
-                        .frame(maxWidth: 300)
+            .buttonStyle(ToolbarStatusButtonStyle(color: .orange))
+            .confirmationDialog(.appNotInApplicationsNoticeTitle, isPresented: $showingAppPathNotice) {
+                Button(.appNotInApplicationsNoticeCancelButton, role:  .cancel) {
                 }
-                .padding()
+                Button(.appNotInApplicationsNoticeQuitButton) {
+                    NSWorkspace.shared.selectFile(Bundle.main.bundlePath, inFileViewerRootedAtPath: Bundle.main.bundlePath)
+                    NSApplication.shared.terminate(nil)
+                }
+            } message: {
+                Text(.appNotInApplicationsNoticeDetailDescription)
             }
+            .dialogIcon(Image(systemName: "folder.fill.badge.questionmark"))
         }
     }
 

Sources/Secretive/Views/Views/CopyableView.swift

@@ -11,7 +11,7 @@ struct CopyableView: View {
     @State private var interactionState: InteractionState = .normal
     
     var content: some View {
-        VStack(alignment: .leading) {
+        VStack(alignment: .leading, spacing: 15) {
             HStack {
                 image
                     .renderingMode(.template)
@@ -28,20 +28,19 @@ struct CopyableView: View {
                         }
                         copyButton
                     }
-                        .foregroundColor(secondaryTextColor)
-                        .transition(.opacity)
+                    .foregroundColor(secondaryTextColor)
+                    .transition(.opacity)
                 }
-
             }
-            .padding(EdgeInsets(top: 20, leading: 20, bottom: 10, trailing: 20))
             Divider()
+                .ignoresSafeArea()
             Text(text)
                 .fixedSize(horizontal: false, vertical: true)
                 .foregroundColor(primaryTextColor)
-                .padding(EdgeInsets(top: 10, leading: 20, bottom: 20, trailing: 20))
                 .multilineTextAlignment(.leading)
                 .font(.system(.body, design: .monospaced))
         }
+        .safeAreaPadding(20)
         ._background(interactionState: interactionState)
         .frame(minWidth: 150, maxWidth: .infinity)
     }
@@ -53,12 +52,12 @@ struct CopyableView: View {
                 interactionState = hovering ? .hovering : .normal
             }
         }
-        .onDrag({
-            NSItemProvider(item: NSData(data: text.data(using: .utf8)!), typeIdentifier: UTType.utf8PlainText.identifier)
-        }, preview: {
-            content
+        .draggable(text) {
+                content
+                .lineLimit(3)
+                .frame(maxWidth: 300)
                 ._background(interactionState: .dragging)
-        })
+        }
         .onTapGesture {
             copy()
             withAnimation {
@@ -79,7 +78,7 @@ struct CopyableView: View {
     var copyButton: some View {
         switch interactionState {
         case .hovering:
-            Button(.copyableClickToCopyButton, systemImage: "document.on.document") {
+            Button(.copyableClickToCopyButton, systemImage: "doc.on.doc") {
                 withAnimation {
                     // Button will eat the click, so we set interaction state manually.
                     interactionState = .clicking
@@ -159,7 +158,8 @@ fileprivate struct BackgroundViewModifier: ViewModifier {
                 // Very thin opacity lets user hover anywhere over the view, glassEffect doesn't allow.
                     .background(.white.opacity(0.01), in: RoundedRectangle(cornerRadius: 15))
                     .glassEffect(.regular.tint(backgroundColor(interactionState: interactionState)), in: RoundedRectangle(cornerRadius: 15))
-                
+                    .mask(RoundedRectangle(cornerRadius: 15))
+                    .shadow(color: .black.opacity(0.1), radius: 5)
             } else {
                 content
                     .background(backgroundColor(interactionState: interactionState))
@@ -170,13 +170,25 @@ fileprivate struct BackgroundViewModifier: ViewModifier {
     
     func backgroundColor(interactionState: InteractionState) -> Color {
         guard appearsActive else { return Color.clear }
-        switch interactionState {
-        case .normal:
-            return colorScheme == .dark ? Color(white: 0.2) : Color(white: 0.885)
-        case .hovering, .dragging:
-            return colorScheme == .dark ? Color(white: 0.275) : Color(white: 0.82)
-        case .clicking:
-            return .accentColor
+        if #available(macOS 26.0, *) {
+            let base = colorScheme == .dark ? Color(white: 0.2) : Color(white: 1)
+            switch interactionState {
+            case .normal:
+                return base
+            case .hovering:
+                return base.mix(with: .accentColor, by: colorScheme == .dark ? 0.2 : 0.1)
+            case .clicking, .dragging:
+                return base.mix(with: .accentColor, by: 0.8)
+            }
+        } else {
+            switch interactionState {
+            case .normal:
+                return colorScheme == .dark ? Color(white: 0.2) : Color(white: 0.885)
+            case .hovering:
+                return colorScheme == .dark ? Color(white: 0.275) : Color(white: 0.82)
+            case .clicking, .dragging:
+                return .accentColor
+            }
         }
     }
 
@@ -184,7 +196,10 @@ fileprivate struct BackgroundViewModifier: ViewModifier {
 }
 
 #Preview {
-    CopyableView(title: .secretDetailSha256FingerprintLabel, image: Image(systemName: "figure.wave"), text: "Hello world.")
+    VStack {
+        CopyableView(title: .secretDetailSha256FingerprintLabel, image: Image(systemName: "figure.wave"), text: "Hello world.")
+        CopyableView(title: .secretDetailSha256FingerprintLabel, image: Image(systemName: "figure.wave"), text: "Hello world.")
+    }
         .padding()
 }
 

Sources/Secretive/Views/Views/UpdateView.swift

@@ -3,61 +3,50 @@ import Brief
 
 struct UpdateDetailView: View {
 
-    @Environment(\.updater) var updater: any UpdaterProtocol
+    @Environment(\.updater) var updater
+    @Environment(\.openURL) var openURL
 
     let update: Release
 
     var body: some View {
-        VStack {
-            Text(.updateVersionName(updateName: update.name)).font(.title)
-            GroupBox(label: Text(.updateReleaseNotesTitle)) {
-                ScrollView {
-                    attributedBody
-                }
-            }
-            HStack {
-                if !update.critical {
-                    Button(.updateIgnoreButton) {
-                        Task {
-                            await updater.ignore(release: update)
+            VStack(spacing: 0) {
+                HStack {
+                    if !update.critical {
+                        Button(.updateIgnoreButton) {
+                            Task {
+                                await updater.ignore(release: update)
+                            }
                         }
+                        .buttonStyle(ToolbarButtonStyle())
                     }
                     Spacer()
+                    if updater.currentVersion.isTestBuild {
+                        Button(.updaterDownloadLatestNightlyButton) {
+                            openURL(URL(string: "https://github.com/maxgoedjen/secretive/actions/workflows/nightly.yml")!)
+                        }
+                        .buttonStyle(ToolbarButtonStyle(tint: .accentColor))
+                    }
+                    Button(.updateUpdateButton) {
+                        openURL(update.html_url)
+                    }
+                    .buttonStyle(ToolbarButtonStyle(tint: .accentColor))
+                    .keyboardShortcut(.defaultAction)
                 }
-                Button(.updateUpdateButton) {
-                    NSWorkspace.shared.open(update.html_url)
+                .padding()
+                Divider()
+                Form {
+                    Section {
+                        Text(update.attributedBody)
+                    } header: {
+                        Text(.updateVersionName(updateName: update.name))                    .headerProminence(.increased)
+                    }
                 }
-                .keyboardShortcut(.defaultAction)
-            }
-            
+                .formStyle(.grouped)
         }
-        .padding()
-        .frame(maxWidth: 500)
-    }
-
-    var attributedBody: Text {
-        var text = Text(verbatim: "")
-        for line in update.body.split(whereSeparator: \.isNewline) {
-            let attributed: Text
-            let split = line.split(separator: " ")
-            let unprefixed = split.dropFirst().joined(separator: " ")
-            if let prefix = split.first {
-                switch prefix {
-                case "#":
-                    attributed = Text(unprefixed).font(.title) + Text(verbatim: "\n")
-                case "##":
-                    attributed = Text(unprefixed).font(.title2) + Text(verbatim: "\n")
-                case "###":
-                    attributed = Text(unprefixed).font(.title3) + Text(verbatim: "\n")
-                default:
-                    attributed = Text(line) + Text(verbatim: "\n\n")
-                }
-            } else {
-                attributed = Text(line) + Text(verbatim: "\n\n")
-            }
-            text = text + attributed
-        }
-        return text
     }
 
 }
+
+#Preview {
+    UpdateDetailView(update: .init(name: "3.0.0", prerelease: false, html_url: URL(string: "https://example.com")!, body: "Hello"))
+}

Sources/SecretiveCertificateParser/Info.plist

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>XPCService</key>
+	<dict>
+		<key>ServiceType</key>
+		<string>Application</string>
+	</dict>
+</dict>
+</plist>

Sources/SecretiveCertificateParser/SecretiveCertificateParser.entitlements

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.hardened-process</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
+	<true/>
+	<key>com.apple.security.hardened-process.dyld-ro</key>
+	<true/>
+	<key>com.apple.security.hardened-process.enhanced-security-version</key>
+	<integer>1</integer>
+	<key>com.apple.security.hardened-process.hardened-heap</key>
+	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions</key>
+	<integer>2</integer>
+</dict>
+</plist>

Sources/SecretiveCertificateParser/SecretiveCertificateParser.swift

@@ -0,0 +1,17 @@
+import Foundation
+import OSLog
+import XPCWrappers
+import SSHProtocolKit
+
+final class SecretiveCertificateParser: NSObject, XPCProtocol {
+
+    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.SecretiveCertificateParser", category: "SecretiveCertificateParser")
+
+    func process(_ data: Data) async throws -> OpenSSHCertificate {
+        let parser = OpenSSHCertificateParser()
+        let result = try parser.parse(data: data)
+        logger.log("Parser parsed certificate \(result.debugDescription)")
+        return result
+    }
+
+}

Sources/SecretiveCertificateParser/main.swift

@@ -0,0 +1,7 @@
+import Foundation
+import XPCWrappers
+
+let delegate = XPCServiceDelegate(exportedObject: SecretiveCertificateParser())
+let listener = NSXPCListener.service()
+listener.delegate = delegate
+listener.resume()

Sources/SecretiveUpdater/SecretiveUpdater.entitlements

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.hardened-process</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.enable-pure-data</key>
+	<true/>
+	<key>com.apple.security.hardened-process.checked-allocations.no-tagged-receive</key>
+	<true/>
+	<key>com.apple.security.hardened-process.dyld-ro</key>
+	<true/>
+	<key>com.apple.security.hardened-process.enhanced-security-version</key>
+	<integer>1</integer>
+	<key>com.apple.security.hardened-process.hardened-heap</key>
+	<true/>
+	<key>com.apple.security.hardened-process.platform-restrictions</key>
+	<integer>2</integer>
+</dict>
+</plist>

Sources/SecretiveUpdater/SecretiveUpdater.swift

@@ -11,7 +11,9 @@ final class SecretiveUpdater: NSObject, XPCProtocol {
 
     func process(_: Data) async throws -> [Release] {
         let (data, _) = try await URLSession.shared.data(from: Constants.updateURL)
-        return try JSONDecoder().decode([Release].self, from: data)
+        return try JSONDecoder()
+            .decode([GitHubRelease].self, from: data)
+            .map(Release.init)
     }
 
 }