
Secretive seems to have deleted all keys #391

Closed
mo-cmyk opened this issue Jul 4, 2022 · 12 comments · Fixed by #427

Comments


mo-cmyk commented Jul 4, 2022

My Secretive App on my M1 MacBook Pro running macOS 12.4 seemed to have deleted all my SSH keys, or access to them. I then wanted to recreate a key to be able to keep using GitHub, and the app quit on me after I tried to create a key; it just crashed. The error became obvious after trying to push some code to GitHub. I tried reinstalling, both with Homebrew and the release on GitHub, but the error persists.

This is the debugging output from running ssh -Tv git@github.com

OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to github.com port 22.
debug1: Connection established.
debug1: identity file /Users/moritz/.ssh/id_rsa type 0
debug1: identity file /Users/moritz/.ssh/id_rsa-cert type -1
debug1: identity file /Users/moritz/.ssh/id_dsa type -1
debug1: identity file /Users/moritz/.ssh/id_dsa-cert type -1
debug1: identity file /Users/moritz/.ssh/id_ecdsa type -1
debug1: identity file /Users/moritz/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/moritz/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/moritz/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/moritz/.ssh/id_ed25519 type -1
debug1: identity file /Users/moritz/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/moritz/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/moritz/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/moritz/.ssh/id_xmss type -1
debug1: identity file /Users/moritz/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version babeld-7f91b4d6
debug1: compat_banner: no match: babeld-7f91b4d6
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /Users/moritz/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen /Users/moritz/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/moritz/.ssh/known_hosts:10
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: ecdsa-sha2-nistp256 ECDSA SHA256:T/PFCesRK/z8anOuhTVtnPUwg3JuBFEZuC5IhM3aIEE agent
debug1: Will attempt key: ecdsa-sha2-nistp256 ECDSA SHA256:j9IoF3g4cSbtoTrj1/CWFnNCobl5HBZczlIaatefOSw agent
debug1: Will attempt key: /Users/moritz/.ssh/id_rsa RSA SHA256:4T7OMLuiNCKh5FtV1HGiqN0UUhMYjfDbBmFpOBy0Lpg
debug1: Will attempt key: /Users/moritz/.ssh/id_dsa
debug1: Will attempt key: /Users/moritz/.ssh/id_ecdsa
debug1: Will attempt key: /Users/moritz/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/moritz/.ssh/id_ed25519
debug1: Will attempt key: /Users/moritz/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/moritz/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:T/PFCesRK/z8anOuhTVtnPUwg3JuBFEZuC5IhM3aIEE agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:j9IoF3g4cSbtoTrj1/CWFnNCobl5HBZczlIaatefOSw agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /Users/moritz/.ssh/id_rsa RSA SHA256:4T7OMLuiNCKh5FtV1HGiqN0UUhMYjfDbBmFpOBy0Lpg
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/moritz/.ssh/id_dsa
debug1: Trying private key: /Users/moritz/.ssh/id_ecdsa
debug1: Trying private key: /Users/moritz/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/moritz/.ssh/id_ed25519
debug1: Trying private key: /Users/moritz/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/moritz/.ssh/id_xmss
debug1: No more authentication methods to try.
git@github.com: Permission denied (public key).
maxgoedjen (Owner) commented

Can you try rebooting? We've had the occasional report of the SEP stopping working for some reason #378


mo-cmyk commented Jul 5, 2022

It seems that not the first but the second reboot solved the issue. Thanks for the help. Any idea what seems to be the reason for this bug?

@mo-cmyk mo-cmyk closed this as completed Jul 5, 2022
maxgoedjen (Owner) commented

Not really unfortunately - I've never had it happen on one of my personal machines - my guess is that macOS just gets into some bad state and forgets how to talk to the SEP (although I'd expect a LOT of other system level bugs in that case). Thanks for confirming that fixed it though 🙏


c10l commented Oct 15, 2022

@maxgoedjen I have this issue relatively frequently (a couple times a month, maybe a bit more). Can we reopen this issue? I'm happy to help with debugging if you can guide me.

maxgoedjen (Owner) commented

@c10l basically I closed this because I don't think I have any fix to the root cause – I suspect there's nothing I can do on an application-level to resolve this state (though I could be wrong there). I've opened #415 to deal with getting into this state better though.

maxgoedjen (Owner) commented

@c10l just OOC since it's happening to you often: do you notice any other issues with your Mac when it gets into this state? I'm curious if it affects other apps, or if it's ONLY Secretive. Are you able to authenticate with Touch ID in other apps, for example?


c10l commented Oct 15, 2022

Thanks. I haven't noticed any other impact. I can definitely use TouchID - I would have noticed that as I use it frequently on my password manager, for unlocking, etc.

I'll keep an eye out for the next time I see the issue. What other things can I check apart from TouchID?

maxgoedjen (Owner) commented

@c10l basically the state (as near as I can tell from other descriptions) of the computer is either "the SEP doesn't respond to Secretive at all" or "the keychain APIs that we use to communicate with the SEP claim that there are no stored keys at all".

Touch ID in things like the settings page (like triggering that little lock on the Security page) would be the easiest case to verify SEP interaction is okay. For general keychain functionality: any apps that you're logged into (eg, Twitter or something), if you quit and reopen those apps, are you still logged in? That'd be a quick test.

I definitely won't rule out the possibility that I'm doing something wrong here, it's certainly possible. I'll reopen this ticket just for tracking and think of some logging changes I can make to get more info next time it happens.

@maxgoedjen maxgoedjen reopened this Oct 15, 2022

c10l commented Oct 15, 2022

I remember at least one instance where this happened and I exported the public key from Secretive so I didn't have to reboot. Secretive asked me for TouchID to use the key and it all worked.

I suspect it's only the part where it tries to read the public keys that has a problem.

maxgoedjen (Owner) commented

That's helpful – it implies that it's a simple keychain issue and not anything really SEP specific, or that signature request wouldn't go through.
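An added Swift diagnostic, not Secretive's own code, that tells apart the two states maxgoedjen describes above (the keychain enumerating no Secure Enclave keys at all, versus keys being listed but the SEP refusing to sign) and builds on the observation that an exported key still signed. It assumes the keys were created as Secure Enclave keys in a keychain access group the probing binary is entitled to read; the names probeSecureEnclave, listSecureEnclaveKeys and SEPProbeResult are the example's own.

```swift
import Foundation
import Security
// Added diagnostic, not code from Secretive. It separates the two failure states
// described in this thread: the keychain returning no Secure Enclave keys at all,
// versus keys being enumerated but the SEP refusing to sign with them.
struct KeychainError: Error { let status: OSStatus }

enum SEPProbeResult {
    case noKeysListed             // "the keychain claims there are no stored keys"
    case signingFailed([String])  // keys listed, but signature requests fail
    case healthy(keyCount: Int)   // keys listed and every key signed successfully
}

// Enumerate Secure Enclave-backed private keys visible to this process.
// Assumption: the keys were created with kSecAttrTokenIDSecureEnclave and live in
// a keychain access group this binary is entitled to read.
func listSecureEnclaveKeys() throws -> [SecKey] {
    let query: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrKeyClass: kSecAttrKeyClassPrivate,
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitAll,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return [] }
    guard status == errSecSuccess else { throw KeychainError(status: status) }
    return (result as? [SecKey]) ?? []
}

// Ask the SEP to sign a constructed message with every enumerated key. A signature
// that goes through shows the SEP is responsive (matching the report above that an
// exported key still signed), so a failure here points at the SEP, not the keychain.
// Keys created with access control will prompt for Touch ID or the password.
func probeSecureEnclave() throws -> SEPProbeResult {
    let keys = try listSecureEnclaveKeys()
    if keys.isEmpty { return .noKeysListed }
    let message = Data("sep-probe".utf8) as CFData   // constructed test input
    var failures: [String] = []
    for key in keys {
        var error: Unmanaged<CFError>?
        if SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, message, &error) == nil {
            let desc = error.map { ($0.takeRetainedValue() as Error).localizedDescription }
            failures.append(desc ?? "unknown error")
        }
    }
    return failures.isEmpty ? .healthy(keyCount: keys.count) : .signingFailed(failures)
}
```

Run from a signed binary with the same keychain entitlements as the agent; a noKeysListed result while Touch ID works elsewhere reproduces the keychain-side state this thread converges on.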


c10l commented Oct 28, 2022

@maxgoedjen This issue just happened to me again now. I went into System Settings and confirmed that TouchID works fine. So it does for 1Password.

Here's an interesting thing though. Public keys exported from Secretive are giving me this error:

debug2: Passphrase not found in the keychain.
Load key "/path/to/pubkey": invalid format

I copy-pasted the pub key from Secretive again just to be sure and got the same error.


cedws commented Nov 16, 2022

Also encountered this. Key has disappeared in the GUI. Tried rebooting but to no avail.

$ echo $SSH_AUTH_SOCK
/Users/connor.edwards/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
$ ssh-add -L
ecdsa-sha2-nistp256 (...) ecdsa-sha2-nistp256
$ ssh git@github.com
sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: agent refused operation
git@github.com: Permission denied (publickey).
