Merge branch 'main' into sshextensions

Sources/Packages/Sources/SSHProtocolKit/OpenSSHPublicKeyWriter.swift

@@ -19,7 +19,7 @@ public struct OpenSSHPublicKeyWriter: Sendable {
             ("nistp" + String(describing: secret.keyType.size)).lengthAndData +
             secret.publicKey.lengthAndData
         case .mldsa:
-            // https://www.ietf.org/archive/id/draft-sfluhrer-ssh-mldsa-04.txt
+            // https://datatracker.ietf.org/doc/html/draft-sfluhrer-ssh-mldsa-05
             openSSHIdentifier(for: secret.keyType).lengthAndData +
             secret.publicKey.lengthAndData
         case .rsa:

Sources/Packages/Sources/SSHProtocolKit/OpenSSHReader.swift

@@ -39,6 +39,18 @@ public final class OpenSSHReader {
         return convertEndianness ? T(value.bigEndian) : T(value)
     }
 
+    public func readNextByteAsBool() throws(OpenSSHReaderError) -> Bool {
+        let size = MemoryLayout<Bool>.size
+        guard remaining.count >= size else { throw .beyondBounds }
+        let lengthRange = 0..<size
+        let lengthChunk = remaining[lengthRange]
+        remaining.removeSubrange(lengthRange)
+        if remaining.isEmpty {
+            done = true
+        }
+        return unsafe lengthChunk.bytes.unsafeLoad(as: Bool.self)
+    }
+
     public func readNextChunkAsString(convertEndianness: Bool = true) throws(OpenSSHReaderError) -> String {
         try String(decoding: readNextChunk(convertEndianness: convertEndianness), as: UTF8.self)
     }
@@ -50,5 +62,6 @@ public final class OpenSSHReader {
 }
 
 public enum OpenSSHReaderError: Error, Codable {
+    case incorrectFormat
     case beyondBounds
 }

Sources/Packages/Sources/SSHProtocolKit/OpenSSHSignatureWriter.swift

@@ -17,7 +17,7 @@ public struct OpenSSHSignatureWriter: Sendable {
             // https://datatracker.ietf.org/doc/html/rfc5656#section-3.1
             ecdsaSignature(signature, keyType: secret.keyType)
         case .mldsa:
-            // https://datatracker.ietf.org/doc/html/draft-sfluhrer-ssh-mldsa-00#name-public-key-algorithms
+            // https://datatracker.ietf.org/doc/html/draft-sfluhrer-ssh-mldsa-05
             mldsaSignature(signature, keyType: secret.keyType)
         case .rsa:
             // https://datatracker.ietf.org/doc/html/rfc4253#section-6.6

Sources/Packages/Sources/SSHProtocolKit/SSHAgentProtocol.swift

@@ -19,7 +19,7 @@ extension SSHAgent {
         case lock
         case unlock
         case addSmartcardKeyConstrained
-        case protocolExtension
+        case protocolExtension(ProtocolExtension)
         case unknown(UInt8)
 
         public var protocolID: UInt8 {
@@ -60,18 +60,82 @@ extension SSHAgent {
 
         public struct SignatureRequestContext: Sendable, Codable {
             public let keyBlob: Data
-            public let dataToSign: Data
+            public let dataToSign: SignaturePayload
 
-            public init(keyBlob: Data, dataToSign: Data) {
+            public init(keyBlob: Data, dataToSign: SignaturePayload) {
                 self.keyBlob = keyBlob
                 self.dataToSign = dataToSign
             }
 
             public static var empty: SignatureRequestContext {
-                SignatureRequestContext(keyBlob: Data(), dataToSign: Data())
+                SignatureRequestContext(keyBlob: Data(), dataToSign: SignaturePayload(raw: Data(), decoded: nil))
+            }
+
+            public struct SignaturePayload: Sendable, Codable {
+
+                public let raw: Data
+                public let decoded: DecodedPayload?
+
+                public init(
+                    raw: Data,
+                    decoded: DecodedPayload?
+                ) {
+                    self.raw = raw
+                    self.decoded = decoded
+                }
+
+                public enum DecodedPayload: Sendable, Codable {
+                    case sshConnection(SSHConnectionPayload)
+                    case sshSig(SSHSigPayload)
+
+                    public struct SSHConnectionPayload: Sendable, Codable {
+
+                        public let username: String
+                        public let hasSignature: Bool
+                        public let publicKeyAlgorithm: String
+                        public let publicKey: Data
+                        public let hostKey: Data
+
+                        public init(
+                            username: String,
+                            hasSignature: Bool,
+                            publicKeyAlgorithm: String,
+                            publicKey: Data,
+                            hostKey: Data
+                        ) {
+                            self.username = username
+                            self.hasSignature = hasSignature
+                            self.publicKeyAlgorithm = publicKeyAlgorithm
+                            self.publicKey = publicKey
+                            self.hostKey = hostKey
+                        }
+
+                    }
+
+                    public struct SSHSigPayload: Sendable, Codable {
+
+                        public let namespace: String
+                        public let hashAlgorithm: String
+                        public let hash: Data
+
+                        public init(
+                            namespace: String,
+                            hashAlgorithm: String,
+                            hash: Data,
+                        ) {
+                            self.namespace = namespace
+                            self.hashAlgorithm = hashAlgorithm
+                            self.hash = hash
+                        }
+
+                    }
+                    
+                }
+
             }
         }
 
+
     }
 
     /// The type of the SSH Agent Response, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
@@ -88,8 +152,8 @@ extension SSHAgent {
             switch self {
             case .agentFailure: "SSH_AGENT_FAILURE"
             case .agentSuccess: "SSH_AGENT_SUCCESS"
-            case .agentIdentitiesAnswer: "SSH_AGENT_IDENTITIES_ANSWER"
+            case .agentIdentitiesAnswer: "SSH2_AGENT_IDENTITIES_ANSWER"
-            case .agentSignResponse: "SSH_AGENT_SIGN_RESPONSE"
+            case .agentSignResponse: "SSH2_AGENT_SIGN_RESPONSE"
             case .agentExtensionFailure: "SSH_AGENT_EXTENSION_FAILURE"
             case .agentExtensionResponse: "SSH_AGENT_EXTENSION_RESPONSE"
             }

Sources/Packages/Sources/SSHProtocolKit/SSHProtocolExtensions.swift

@@ -0,0 +1,76 @@
+import Foundation
+
+// Extensions, as defined in https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.agent
+
+extension SSHAgent {
+
+    public enum ProtocolExtension: CustomDebugStringConvertible, Codable, Sendable {
+        case openSSH(OpenSSHExtension)
+        case unknown(String)
+
+        public var debugDescription: String {
+            switch self {
+            case let .openSSH(protocolExtension):
+                protocolExtension.debugDescription
+            case .unknown(let string):
+                "Unknown (\(string))"
+            }
+        }
+
+        public static var empty: ProtocolExtension {
+            .unknown("empty")
+        }
+
+        private struct ProtocolExtensionParsingError: Error {}
+
+    }
+
+}
+
+extension SSHAgent.ProtocolExtension {
+
+    public enum OpenSSHExtension: CustomDebugStringConvertible, Codable, Sendable {
+        case sessionBind(SessionBindContext)
+        case unknown(String)
+
+        public static var domain: String {
+            "openssh.com"
+        }
+
+        public var name: String {
+            switch self {
+            case .sessionBind:
+                "session-bind"
+            case .unknown(let name):
+                name
+            }
+        }
+
+        public var debugDescription: String {
+            "\(name)@\(OpenSSHExtension.domain)"
+        }
+    }
+
+}
+
+extension SSHAgent.ProtocolExtension.OpenSSHExtension {
+
+    public struct SessionBindContext: Codable, Sendable {
+
+        public let hostKey: Data
+        public let sessionID: Data
+        public let signature: Data
+        public let forwarding: Bool
+
+        public init(hostKey: Data, sessionID: Data, signature: Data, forwarding: Bool) {
+            self.hostKey = hostKey
+            self.sessionID = sessionID
+            self.signature = signature
+            self.forwarding = forwarding
+        }
+
+        public static let empty = SessionBindContext(hostKey: Data(), sessionID: Data(), signature: Data(), forwarding: false)
+
+    }
+
+}

Sources/Packages/Sources/SecretAgentKit/Agent.swift

@@ -14,7 +14,8 @@ public final class Agent: Sendable {
     private let signatureWriter = OpenSSHSignatureWriter()
     private let certificateHandler = OpenSSHCertificateHandler()
     private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "Agent")
-    private let authorizationCoordinator = AuthorizationCoordinator()
+
+    @MainActor private var sessionID: SSHAgent.ProtocolExtension.OpenSSHExtension.SessionBindContext?
 
     /// Initializes an agent with a store list and a witness.
     /// - Parameters:
@@ -34,6 +35,7 @@ public final class Agent: Sendable {
 extension Agent {
 
     public func handle(request: SSHAgent.Request, provenance: SigningRequestProvenance) async -> Data {
+        logger.debug("Agent received request of type \(request.debugDescription)")
         // Depending on the launch context (such as after macOS update), the agent may need to reload secrets before acting
         await reloadSecretsIfNeccessary()
         var response = Data()
@@ -44,9 +46,34 @@ extension Agent {
                 response.append(await identities())
                 logger.debug("Agent returned \(SSHAgent.Response.agentIdentitiesAnswer.debugDescription)")
             case .signRequest(let context):
+                if let boundSession = await sessionID {
+                    switch context.dataToSign.decoded {
+                    case .sshConnection(let payload):
+                        guard payload.hostKey == boundSession.hostKey else {
+                            logger.error("Agent received bind request, but host key does not match signature reqeust host key.")
+                            throw BindingFailure()
+                        }
+                    case .sshSig:
+                        // SSHSIG does not have a host binding payload.
+                        break
+                    default:
+                        break
+                    }
+                }
                 response.append(SSHAgent.Response.agentSignResponse.data)
-                response.append(try await sign(data: context.dataToSign, keyBlob: context.keyBlob, provenance: provenance))
+                response.append(try await sign(data: context.dataToSign.raw, keyBlob: context.keyBlob, provenance: provenance))
                 logger.debug("Agent returned \(SSHAgent.Response.agentSignResponse.debugDescription)")
+            case .protocolExtension(.openSSH(.sessionBind(let bind))):
+                response = try await MainActor.run {
+                    guard sessionID == nil else {
+                        logger.error("Agent received bind request, but already bound.")
+                        throw BindingFailure()
+                    }
+                    logger.debug("Agent bound")
+                    sessionID = bind
+                    return SSHAgent.Response.agentSuccess.data
+                }
+                logger.debug("Agent returned \(SSHAgent.Response.agentSuccess.debugDescription)")
             case .unknown(let value):
                 logger.error("Agent received unknown request of type \(value).")
                 throw UnhandledRequestError()
@@ -103,19 +130,8 @@ extension Agent {
             throw NoMatchingKeyError()
         }
 
-        let decision = try await authorizationCoordinator.waitForAccessIfNeeded(to: secret, provenance: provenance)
-        switch decision {
-        case .proceed:
-            break
-        case .promptForSharedAuth:
-            do {
-                try await store.persistAuthentication(secret: secret, forProvenance: provenance)
-                await authorizationCoordinator.completedPersistence(secret: secret, forProvenance: provenance)
-            } catch {
-                await authorizationCoordinator.didNotCompletePersistence(secret: secret, forProvenance: provenance)
-            }
-        }
         try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
+
         let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance)
         let signedData = signatureWriter.data(secret: secret, signature: rawRepresentation)
 
@@ -157,6 +173,7 @@ extension Agent {
 
     struct NoMatchingKeyError: Error {}
     struct UnhandledRequestError: Error {}
+    struct BindingFailure: Error {}
 
 }
 

Sources/Packages/Sources/SecretAgentKit/AuthorizationCoordinator.swift

@@ -1,105 +0,0 @@
-import Foundation
-import SecretKit
-import os
-import LocalAuthentication
-
-struct PendingRequest: Identifiable, Hashable, CustomStringConvertible {
-    let id: UUID = UUID()
-    let secret: AnySecret
-    let provenance: SigningRequestProvenance
-
-    var description: String {
-        "\(id.uuidString) - \(secret.name) \(provenance.origin.displayName)"
-    }
-
-    func batchable(with request: PendingRequest) -> Bool {
-        secret == request.secret &&
-        provenance.isSameProvenance(as: request.provenance)
-    }
-}
-
-enum Decision {
-    case proceed
-    case promptForSharedAuth
-}
-
-actor RequestHolder {
-
-    var pending: [PendingRequest] = []
-    var authorizing: PendingRequest?
-    var preauthorized: PendingRequest?
-
-    func addPending(_ request: PendingRequest) {
-        pending.append(request)
-    }
-
-    func advanceIfIdle() {
-
-    }
-
-    func shouldBlock(_ request: PendingRequest) -> Bool {
-        guard request != authorizing else { return false }
-        if let preauthorized, preauthorized.batchable(with: request) {
-            print("Batching: \(request)")
-            pending.removeAll(where: { $0 == request })
-            return false
-        }
-        return authorizing == nil && authorizing.
-    }
-
-    func clear() {
-        if let preauthorized, allBatchable(with: preauthorized).isEmpty {
-            self.preauthorized = nil
-        }
-    }
-
-    func allBatchable(with request: PendingRequest) -> [PendingRequest] {
-        pending.filter { $0.batchable(with: request) }
-    }
-
-    func completedPersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) {
-        self.preauthorized = PendingRequest(secret: secret, provenance: provenance)
-    }
-
-    func didNotCompletePersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) {
-        self.preauthorized = nil
-    }
-}
-
-final class AuthorizationCoordinator: Sendable {
-
-    private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "AuthorizationCoordinator")
-    private let holder = RequestHolder()
-
-    public func waitForAccessIfNeeded(to secret: AnySecret, provenance: SigningRequestProvenance) async throws -> Decision {
-        // Block on unknown, since we don't really have any way to check.
-        if secret.authenticationRequirement == .unknown {
-            logger.warning("\(secret.name) has unknown authentication requirement.")
-        }
-        guard secret.authenticationRequirement != .notRequired else {
-            logger.debug("\(secret.name) does not require authentication, continuing.")
-            return .proceed
-        }
-        logger.debug("\(secret.name) requires authentication.")
-        let pending = PendingRequest(secret: secret, provenance: provenance)
-        await holder.addPending(pending)
-        while await holder.shouldBlock(pending) {
-            logger.debug("\(pending) waiting.")
-            try await Task.sleep(for: .milliseconds(100))
-        }
-        if await holder.preauthorized == nil, await holder.allBatchable(with: pending).count > 0 {
-            logger.debug("\(pending) batch suggestion.")
-            return .promptForSharedAuth
-        }
-        logger.debug("\(pending) continuing")
-        return .proceed
-    }
-
-    func completedPersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async {
-        await holder.completedPersistence(secret: secret, forProvenance: provenance)
-    }
-
-    func didNotCompletePersistence(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async {
-        await holder.didNotCompletePersistence(secret: secret, forProvenance: provenance)
-    }
-}

Sources/Packages/Sources/SecretAgentKit/SSHAgentInputParser.swift

@@ -3,6 +3,8 @@ import OSLog
 import SecretKit
 import SSHProtocolKit
 
+import CryptoKit
+
 public protocol SSHAgentInputParserProtocol {
 
     func parse(data: Data) async throws -> SSHAgent.Request
@@ -53,8 +55,8 @@ public struct SSHAgentInputParser: SSHAgentInputParserProtocol {
             return .unlock
         case SSHAgent.Request.addSmartcardKeyConstrained.protocolID:
             return .addSmartcardKeyConstrained
-        case SSHAgent.Request.protocolExtension.protocolID:
+        case SSHAgent.Request.protocolExtension(.empty).protocolID:
-            return .protocolExtension
+            return .protocolExtension(try protocolExtension(from: body))
         default:
             return .unknown(rawRequestInt)
         }
@@ -64,12 +66,152 @@ public struct SSHAgentInputParser: SSHAgentInputParserProtocol {
 
 extension SSHAgentInputParser {
 
+    private enum Constants {
+        static let userAuthMagic: UInt8 = 50 // SSH2_MSG_USERAUTH_REQUEST
+        static let sshSigMagic = Data("SSHSIG".utf8)
+    }
+
     func signatureRequestContext(from data: Data) throws(OpenSSHReaderError) -> SSHAgent.Request.SignatureRequestContext {
         let reader = OpenSSHReader(data: data)
         let rawKeyBlob = try reader.readNextChunk()
         let keyBlob = certificatePublicKeyBlob(from: rawKeyBlob) ?? rawKeyBlob
-        let dataToSign = try reader.readNextChunk()
+        let rawPayload = try reader.readNextChunk()
-        return SSHAgent.Request.SignatureRequestContext(keyBlob: keyBlob, dataToSign: dataToSign)
+        let payload: SSHAgent.Request.SignatureRequestContext.SignaturePayload
+        do {
+            if rawPayload.count > 6 && rawPayload[0..<6] == Constants.sshSigMagic {
+                payload = .init(raw: rawPayload, decoded: .sshSig(try sshSigPayload(from: rawPayload[6...])))
+            } else {
+                payload = .init(raw: rawPayload, decoded: .sshConnection(try sshConnectionPayload(from: rawPayload)))
+            }
+        } catch {
+            payload = .init(raw: rawPayload, decoded: nil)
+        }
+        return SSHAgent.Request.SignatureRequestContext(keyBlob: keyBlob, dataToSign: payload)
+    }
+
+    func sshSigPayload(from data: Data) throws(OpenSSHReaderError) -> SSHAgent.Request.SignatureRequestContext.SignaturePayload.DecodedPayload.SSHSigPayload {
+        // https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig#L79
+        let payloadReader = OpenSSHReader(data: data)
+        let namespace = try payloadReader.readNextChunkAsString()
+        _ = try payloadReader.readNextChunk() // reserved
+        let hashAlgorithm = try payloadReader.readNextChunkAsString()
+        let hash = try payloadReader.readNextChunk()
+        return .init(
+            namespace: namespace,
+            hashAlgorithm: hashAlgorithm,
+            hash: hash
+        )
+    }
+
+    func sshConnectionPayload(from data: Data) throws(OpenSSHReaderError) -> SSHAgent.Request.SignatureRequestContext.SignaturePayload.DecodedPayload.SSHConnectionPayload {
+        let payloadReader = OpenSSHReader(data: data)
+        _ = try payloadReader.readNextChunk()
+        let magic = try payloadReader.readNextBytes(as: UInt8.self, convertEndianness: false)
+        guard magic == Constants.userAuthMagic else { throw .incorrectFormat }
+        let username = try payloadReader.readNextChunkAsString()
+        _ = try payloadReader.readNextChunkAsString() // "ssh-connection"
+        _ = try payloadReader.readNextChunkAsString() // "publickey-hostbound-v00@openssh.com"
+        let hasSignature = try payloadReader.readNextByteAsBool()
+        let algorithm = try payloadReader.readNextChunkAsString()
+        let publicKeyReader = try payloadReader.readNextChunkAsSubReader()
+        _ = try publicKeyReader.readNextChunk()
+        _ = try publicKeyReader.readNextChunk()
+        let publicKey = try publicKeyReader.readNextChunk()
+        let hostKeyReader = try payloadReader.readNextChunkAsSubReader()
+        _ = try hostKeyReader.readNextChunk()
+        let hostKey = try hostKeyReader.readNextChunk()
+        return .init(
+            username: username,
+            hasSignature: hasSignature,
+            publicKeyAlgorithm: algorithm,
+            publicKey: publicKey,
+            hostKey: hostKey,
+        )
+    }
+
+    func protocolExtension(from data: Data) throws(AgentParsingError) -> SSHAgent.ProtocolExtension {
+        do {
+            let reader = OpenSSHReader(data: data)
+            let nameRaw = try reader.readNextChunkAsString()
+            let nameSplit = nameRaw.split(separator: "@")
+            guard nameSplit.count == 2 else {
+                throw AgentParsingError.invalidData
+            }
+            let (name, domain) = (nameSplit[0], nameSplit[1])
+            switch domain {
+            case SSHAgent.ProtocolExtension.OpenSSHExtension.domain:
+                switch name {
+                case SSHAgent.ProtocolExtension.OpenSSHExtension.sessionBind(.empty).name:
+                    let hostkeyBlob = try reader.readNextChunkAsSubReader()
+                    let hostKeyType = try hostkeyBlob.readNextChunkAsString()
+                    let hostKeyData = try hostkeyBlob.readNextChunk()
+                    let sessionID = try reader.readNextChunk()
+                    let signatureBlob = try reader.readNextChunkAsSubReader()
+                    _ = try signatureBlob.readNextChunk() // key type again
+                    let signature = try signatureBlob.readNextChunk()
+                    let forwarding = try reader.readNextByteAsBool()
+                    switch hostKeyType {
+                        // FIXME: FACTOR OUT?
+                    case "ssh-ed25519":
+                        let hostKey = try CryptoKit.Curve25519.Signing.PublicKey(rawRepresentation: hostKeyData)
+                        guard hostKey.isValidSignature(signature, for: sessionID) else {
+                            throw AgentParsingError.incorrectSignature
+                        }
+                    case "ecdsa-sha2-nistp256":
+                        let hostKey = try CryptoKit.P256.Signing.PublicKey(rawRepresentation: hostKeyData)
+                        guard hostKey.isValidSignature(try .init(rawRepresentation: signature), for: sessionID) else {
+                            throw AgentParsingError.incorrectSignature
+                        }
+                    case "ecdsa-sha2-nistp384":
+                        let hostKey = try CryptoKit.P384.Signing.PublicKey(rawRepresentation: hostKeyData)
+                        guard hostKey.isValidSignature(try .init(rawRepresentation: signature), for: sessionID) else {
+                            throw AgentParsingError.incorrectSignature
+                        }
+                    case "ssh-mldsa-65":
+                        if #available(macOS 26.0, *) {
+                            let hostKey = try CryptoKit.MLDSA65.PublicKey(rawRepresentation: hostKeyData)
+                            guard hostKey.isValidSignature(signature, for: sessionID) else {
+                                throw AgentParsingError.incorrectSignature
+                            }
+                        } else {
+                            throw AgentParsingError.unhandledRequest
+                        }
+                    case "ssh-mldsa-87":
+                        if #available(macOS 26.0, *) {
+                            let hostKey = try CryptoKit.MLDSA65.PublicKey(rawRepresentation: hostKeyData)
+                            guard hostKey.isValidSignature(signature, for: sessionID) else {
+                                throw AgentParsingError.incorrectSignature
+                            }
+                        } else {
+                            throw AgentParsingError.unhandledRequest
+                        }
+                    case "ssh-rsa":
+                        // FIXME: HANDLE
+                        throw AgentParsingError.unhandledRequest
+                    default:
+                        throw AgentParsingError.unhandledRequest
+                    }
+                    let context = SSHAgent.ProtocolExtension.OpenSSHExtension.SessionBindContext(
+                        hostKey: hostKeyData,
+                        sessionID: sessionID,
+                        signature: signature,
+                        forwarding: forwarding
+                    )
+                    return .openSSH(.sessionBind(context))
+                default:
+                    return .openSSH(.unknown(String(name)))
+                }
+            default:
+                return .unknown(nameRaw)
+            }
+
+        } catch let error as OpenSSHReaderError {
+            throw .openSSHReader(error)
+        } catch let error as AgentParsingError {
+            throw error
+        } catch {
+            throw .unknownRequest
+        }
     }
 
     func certificatePublicKeyBlob(from hash: Data) -> Data? {
@@ -104,6 +246,7 @@ extension SSHAgentInputParser {
         case unknownRequest
         case unhandledRequest
         case invalidData
+        case incorrectSignature
         case openSSHReader(OpenSSHReaderError)
     }
 

Sources/Packages/Sources/SecretKit/Convenience/PersistentAuthenticationHandler.swift

@@ -1,7 +1,7 @@
 import LocalAuthentication
 
 /// A context describing a persisted authentication.
-package struct PersistentAuthenticationContext<SecretType: Secret>: PersistedAuthenticationContext {
+package final class PersistentAuthenticationContext<SecretType: Secret>: PersistedAuthenticationContext {
 
     /// The Secret to persist authentication for.
     let secret: SecretType
@@ -35,27 +35,16 @@ package struct PersistentAuthenticationContext<SecretType: Secret>: PersistedAut
     }
 }
 
-struct ScopedPersistentAuthenticationContext<SecretType: Secret>: Hashable {
-    let provenance: SigningRequestProvenance
-    let secret: SecretType
-}
-
 package actor PersistentAuthenticationHandler<SecretType: Secret>: Sendable {
 
-    private var unscopedPersistedAuthenticationContexts: [SecretType: PersistentAuthenticationContext<SecretType>] = [:]
+    private var persistedAuthenticationContexts: [SecretType: PersistentAuthenticationContext<SecretType>] = [:]
-    private var scopedPersistedAuthenticationContexts: [ScopedPersistentAuthenticationContext<SecretType>: PersistentAuthenticationContext<SecretType>] = [:]
 
     package init() {
     }
 
-    package func existingPersistedAuthenticationContext(secret: SecretType, provenance: SigningRequestProvenance) -> PersistentAuthenticationContext<SecretType>? {
+    package func existingPersistedAuthenticationContext(secret: SecretType) -> PersistentAuthenticationContext<SecretType>? {
-        if let unscopedPersistence = unscopedPersistedAuthenticationContexts[secret], unscopedPersistence.valid {
+        guard let persisted = persistedAuthenticationContexts[secret], persisted.valid else { return nil }
-            return unscopedPersistence
+        return persisted
-        }
-        if let scopedPersistence = scopedPersistedAuthenticationContexts[.init(provenance: provenance, secret: secret)], scopedPersistence.valid {
-            return scopedPersistence
-        }
-        return nil
     }
 
     package func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws {
@@ -73,22 +62,7 @@ package actor PersistentAuthenticationHandler<SecretType: Secret>: Sendable {
         let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
         guard success else { return }
         let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
-        unscopedPersistedAuthenticationContexts[secret] = context
+        persistedAuthenticationContexts[secret] = context
-    }
-
-    package func persistAuthentication(secret: SecretType, provenance: SigningRequestProvenance) async throws {
-        let newContext = LAContext()
-
-        // FIXME: TEMPORARY
-        let duration: TimeInterval = 10000
-        newContext.touchIDAuthenticationAllowableReuseDuration = duration
-        newContext.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
-
-        newContext.localizedReason = "Batch requests"
-        let success = try await newContext.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: newContext.localizedReason)
-        guard success else { return }
-        let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
-        scopedPersistedAuthenticationContexts[.init(provenance: provenance, secret: secret)] = context
     }
 
 }

Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift

@@ -9,9 +9,8 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
     private let _name: @MainActor @Sendable () -> String
     private let _secrets: @MainActor @Sendable () -> [AnySecret]
     private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance) async throws -> Data
-    private let _existingPersistedAuthenticationContext: @Sendable (AnySecret, SigningRequestProvenance) async -> PersistedAuthenticationContext?
+    private let _existingPersistedAuthenticationContext: @Sendable (AnySecret) async -> PersistedAuthenticationContext?
-    private let _persistAuthenticationForDuration: @Sendable (AnySecret, TimeInterval) async throws -> Void
+    private let _persistAuthentication: @Sendable (AnySecret, TimeInterval) async throws -> Void
-    private let _persistAuthenticationForProvenance: @Sendable (AnySecret, SigningRequestProvenance) async throws -> Void
     private let _reloadSecrets: @Sendable () async -> Void
 
     public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
@@ -21,9 +20,8 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
         _id = { secretStore.id }
         _secrets = { secretStore.secrets.map { AnySecret($0) } }
         _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
-        _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType, provenance: $1) }
+        _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
-        _persistAuthenticationForDuration = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
+        _persistAuthentication = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
-        _persistAuthenticationForProvenance = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forProvenance: $1) }
         _reloadSecrets = { await secretStore.reloadSecrets() }
     }
 
@@ -47,16 +45,12 @@ open class AnySecretStore: SecretStore, @unchecked Sendable {
         try await _sign(data, secret, provenance)
     }
 
-    public func existingPersistedAuthenticationContext(secret: AnySecret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+    public func existingPersistedAuthenticationContext(secret: AnySecret) async -> PersistedAuthenticationContext? {
-        await _existingPersistedAuthenticationContext(secret, provenance)
+        await _existingPersistedAuthenticationContext(secret)
     }
 
     public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) async throws {
-        try await _persistAuthenticationForDuration(secret, duration)
+        try await _persistAuthentication(secret, duration)
-    }
-
-    public func persistAuthentication(secret: AnySecret, forProvenance provenance: SigningRequestProvenance) async throws {
-        try await _persistAuthenticationForProvenance(secret, provenance)
     }
 
     public func reloadSecrets() async {

Sources/Packages/Sources/SecretKit/Types/SecretStore.swift

@@ -26,7 +26,7 @@ public protocol SecretStore<SecretType>: Identifiable, Sendable {
     /// - Parameters:
     ///   - secret: The ``Secret`` to check if there is a persisted authentication for.
     /// - Returns: A persisted authentication context, if a valid one exists.
-    func existingPersistedAuthenticationContext(secret: SecretType, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext?
+    func existingPersistedAuthenticationContext(secret: SecretType) async -> PersistedAuthenticationContext?
 
     /// Persists user authorization for access to a secret.
     /// - Parameters:
@@ -35,8 +35,6 @@ public protocol SecretStore<SecretType>: Identifiable, Sendable {
     ///  - Note: This is used for temporarily unlocking access to a secret which would otherwise require authentication every single use. This is useful for situations where the user anticipates several rapid accesses to a authorization-guarded secret.
     func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) async throws
 
-    func persistAuthentication(secret: SecretType, forProvenance provenance: SigningRequestProvenance) async throws
-
     /// Requests that the store reload secrets from any backing store, if neccessary.
     func reloadSecrets() async
 

Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift

@@ -2,7 +2,7 @@ import Foundation
 import AppKit
 
 /// Describes the chain of applications that requested a signature operation.
-public struct SigningRequestProvenance: Equatable, Sendable, Hashable {
+public struct SigningRequestProvenance: Equatable, Sendable {
 
     /// A list of processes involved in the request.
     /// - Note: A chain will typically consist of many elements even for a simple request. For example, running `git fetch` in Terminal.app would generate a request chain of `ssh` -> `git` -> `zsh` -> `login` -> `Terminal.app`
@@ -25,16 +25,12 @@ extension SigningRequestProvenance {
         chain.allSatisfy { $0.validSignature }
     }
 
-    public func isSameProvenance(as other: SigningRequestProvenance) -> Bool {
-        zip(chain, other.chain).allSatisfy { $0.isSameProcess(as: $1) }
-    }
-
 }
 
 extension SigningRequestProvenance {
 
     /// Describes a process in a `SigningRequestProvenance` chain.
-    public struct Process: Equatable, Sendable, Hashable {
+    public struct Process: Equatable, Sendable {
 
         /// The pid of the process.
         public let pid: Int32
@@ -75,15 +71,6 @@ extension SigningRequestProvenance {
             appName ?? processName
         }
 
-        // Whether the
-        public func isSameProcess(as other: Process) -> Bool {
-            processName == other.processName &&
-            appName == other.appName &&
-            iconURL == other.iconURL &&
-            path == other.path &&
-            validSignature == other.validSignature
-        }
-
     }
 
 }

Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift

@@ -39,7 +39,7 @@ extension SecureEnclave {
         
         public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
             var context: LAContext
-            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) {
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret) {
                 context = unsafe existing.context
             } else {
                 let newContext = LAContext()
@@ -88,18 +88,14 @@ extension SecureEnclave {
 
         }
 
-        public func existingPersistedAuthenticationContext(secret: Secret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+        public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? {
-            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance)
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret)
         }
 
         public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
             try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
         }
 
-        public func persistAuthentication(secret: SecureEnclave.Secret, forProvenance provenance: SigningRequestProvenance) async throws {
-            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, provenance: provenance)
-        }
-
         @MainActor public func reloadSecrets() {
             let before = secrets
             secrets.removeAll()

Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift

@@ -60,7 +60,7 @@ extension SmartCard {
         public func sign(data: Data, with secret: Secret, for provenance: SigningRequestProvenance) async throws -> Data {
             guard let tokenID = await state.tokenID else { fatalError() }
             var context: LAContext
-            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) {
+            if let existing = await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret) {
                 context = unsafe existing.context
             } else {
                 let newContext = LAContext()
@@ -93,18 +93,14 @@ extension SmartCard {
             return signature as Data
         }
         
-        public func existingPersistedAuthenticationContext(secret: Secret, provenance: SigningRequestProvenance) async -> PersistedAuthenticationContext? {
+        public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? {
-            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret, provenance: provenance)
+            await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret)
         }
 
         public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) async throws {
             try await persistentAuthenticationHandler.persistAuthentication(secret: secret, forDuration: duration)
         }
 
-        public func persistAuthentication(secret: Secret, forProvenance provenance: SigningRequestProvenance) async throws {
-            try await persistentAuthenticationHandler.persistAuthentication(secret: secret, provenance: provenance)
-        }
-
         /// Reloads all secrets from the store.
         @MainActor public func reloadSecrets() {
             reloadSecretsInternal()

Sources/Packages/Sources/XPCWrappers/TeamID.swift

@@ -11,7 +11,7 @@ extension ProcessInfo {
         }
 
         guard let value = SecTaskCopyValueForEntitlement(task, "com.apple.developer.team-identifier" as CFString, nil) as? String else {
-//            assertionFailure("SecTaskCopyValueForEntitlement(com.apple.developer.team-identifier) failed")
+            assertionFailure("SecTaskCopyValueForEntitlement(com.apple.developer.team-identifier) failed")
             return fallbackTeamID
         }
 

Sources/SecretAgent/Notifier.swift

@@ -69,7 +69,7 @@ final class Notifier: Sendable {
         notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
         notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
         notificationContent.interruptionLevel = .timeSensitive
-        if await store.existingPersistedAuthenticationContext(secret: secret, provenance: provenance) == nil && secret.authenticationRequirement.required {
+        if await store.existingPersistedAuthenticationContext(secret: secret) == nil && secret.authenticationRequirement.required {
             notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
         }
         if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
@@ -79,25 +79,6 @@ final class Notifier: Sendable {
         try? await notificationCenter.add(request)
     }
 
-    func notify(pendingAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async {
-        await notificationDelegate.state.setPending(secret: secret, store: store)
-        let notificationCenter = UNUserNotificationCenter.current()
-        let notificationContent = UNMutableNotificationContent()
-        notificationContent.title = "pending" //String(localized: .signedNotificationTitle(appName: provenance.origin.displayName))
-        notificationContent.subtitle = "pending" //String(localized: .signedNotificationDescription(secretName: secret.name))
-        notificationContent.userInfo[Constants.persistSecretIDKey] = secret.id.description
-        notificationContent.userInfo[Constants.persistStoreIDKey] = store.id.description
-        notificationContent.interruptionLevel = .timeSensitive
-        notificationContent.categoryIdentifier = Constants.persistAuthenticationCategoryIdentitifier
-        notificationContent.threadIdentifier = "\(secret.id)_\(provenance.hashValue)"
-        if let iconURL = provenance.origin.iconURL, let attachment = try? UNNotificationAttachment(identifier: "icon", url: iconURL, options: nil) {
-            notificationContent.attachments = [attachment]
-        }
-        let request = UNNotificationRequest(identifier: UUID().uuidString, content: notificationContent, trigger: nil)
-        try? await notificationCenter.add(request)
-
-    }
-
     func notify(update: Release, ignore: (@Sendable (Release) async -> Void)?) async {
         await notificationDelegate.state.prepareForNotification(release: update, ignoreAction: ignore)
         let notificationCenter = UNUserNotificationCenter.current()
@@ -122,10 +103,6 @@ extension Notifier: SigningWitness {
     func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
     }
 
-    func witness(pendingAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
-        await notify(pendingAccessTo: secret, from: store, by: provenance)
-    }
-
     func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) async throws {
         await notify(accessTo: secret, from: store, by: provenance)
     }