
It appears that the private key isn't saved to the keychain #2


Closed
bsrz opened this issue Mar 30, 2023 · 8 comments
Assignees
Labels
bug Something isn't working

Comments

@bsrz

bsrz commented Mar 30, 2023

Overview

macOS: 13.2.1
tartelet: 0.2.0

The app appears to not be saving the private key as indicated in point 8 and the screenshot:

CleanShot000034.mp4
@simonbs
Contributor

simonbs commented Apr 2, 2023

Thanks for reporting this issue. I'm unsure why this happens. I have tried on several machines and have always succeeded in saving the private key to the keychain.

In order to solve this issue, I think I'll need to understand it better, so I'm thinking of making a build that adds some error logging. I'd appreciate it if you'd reproduce the issue then and let me know the error message you are seeing.

@simonbs simonbs self-assigned this Apr 2, 2023
@simonbs simonbs added the bug Something isn't working label Apr 2, 2023
@bsrz
Author

bsrz commented Apr 8, 2023

@simonbs sorry I ran out of time last week. I'm trying to make this work today and I'm running into the same issue.
I have a brand new MacStadium instance. I installed tart, then installed tartelet.

I followed the instructions, and when it comes to selecting the cert, I get the error above. So I tried doing this on my work laptop, not doing anything through VNC, and it worked.

I'm not sure if I'm missing a setting/configuration in the MacStadium instance that would prevent this from happening... I'm happy to try any build you have that may help figure this out. I'm also happy to give you the creds to my instance if it helps. We can use Slack to DM each other. Let me know!

@simonbs
Contributor

simonbs commented Apr 13, 2023

@bsrz Sorry I haven't followed up earlier. I'm a bit hung up these days.

It's odd that it doesn't work on MacStadium. We're using MacStadium instances as well. I'm aware it wouldn't solve the root problem but have you tried rebooting your machine at MacStadium?

I still have a todo to make a build with more error logging but I haven't had the time yet. I hope to have some time by the end of the month.

@ffittschen

ffittschen commented Apr 14, 2023

Got the same error.

I cloned the project and changed the development team and bundle ID so that I can run it locally. Afterwards I checked a couple of status codes returned by the keychain operations.

SecKeyCreateWithData within RSAPrivateKey succeeds in my case, so I checked the KeychainLive implementation.

After modifying the method to store the return codes before comparing them, resultAdd got an OSStatus of -34018 aka errSecMissingEntitlement.

Screen Shot 2023-04-14 at 11 51 20@2x

Therefore, I updated the accessGroup in the CompositionRoot to match my team and my bundle ID and also added my bundle ID in the Keychain Access Group entitlements. When re-running the app, I could successfully import the private key in the Tartelet Settings.

This is just a hunch, but is there any chance the zipped Tartelet.app attached to the latest GitHub release is having some misconfigured access group, team ID or bundle ID?
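The comment above narrows the failure down to the OSStatus that SecItemAdd returns (-34018, errSecMissingEntitlement) being discarded before anyone can see it. The Swift below is an added example, not Tartelet's own KeychainLive or CompositionRoot code: it shows the SecKeyCreateWithData and SecItemAdd steps described in the thread, keeps the status codes, and turns them into a readable message via SecCopyErrorMessageString so a mismatched access group is reported rather than silently failing. The function names, the application tag and the access group string are assumptions chosen for illustration.

```swift
import Foundation
import Security

// Added example, not project code. Wraps a failed keychain call so the raw
// OSStatus and Apple's message for it both reach the log.
enum KeychainError: Error, CustomStringConvertible {
    case unhandled(status: OSStatus)

    var description: String {
        switch self {
        case .unhandled(let status):
            // For -34018 this yields "A required entitlement isn't present."
            let message = SecCopyErrorMessageString(status, nil) as String? ?? "unknown error"
            return "keychain operation failed with OSStatus \(status): \(message)"
        }
    }
}

/// Builds an RSA private key from PKCS#1 DER bytes, the SecKeyCreateWithData
/// step the thread says succeeds. Throws the CFError on malformed input.
func makeRSAPrivateKey(from der: Data) throws -> SecKey {
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateWithData(der as CFData, attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

/// Stores `privateKey` under `tag`, replacing any existing item with that tag.
/// `accessGroup` is assumed to be "<TEAMID>.<bundle id>" and must appear in the
/// app's keychain-access-groups entitlement; if it does not, SecItemAdd returns
/// errSecMissingEntitlement (-34018) and this function throws instead of
/// collapsing the result to false.
func storePrivateKey(_ privateKey: SecKey, tag: String, accessGroup: String?) throws {
    var query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: Data(tag.utf8),
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
    ]
    if let accessGroup = accessGroup {
        query[kSecAttrAccessGroup as String] = accessGroup
    }

    // Remove a stale item first; "not found" is the expected case on first run.
    let deleteStatus = SecItemDelete(query as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw KeychainError.unhandled(status: deleteStatus)
    }

    query[kSecValueRef as String] = privateKey
    let addStatus = SecItemAdd(query as CFDictionary, nil)
    guard addStatus == errSecSuccess else {
        throw KeychainError.unhandled(status: addStatus)
    }
}

// Usage sketch inside the app (identifiers are placeholders, not Tartelet's):
// do {
//     let key = try makeRSAPrivateKey(from: derBytes)
//     try storePrivateKey(key,
//                         tag: "com.example.app.ssh-private-key",
//                         accessGroup: "TEAMID.com.example.app")
// } catch {
//     NSLog("Failed to save private key: \(error)")
// }
```

Keeping the OSStatus rather than a boolean is what makes the two root causes in this thread distinguishable: an entitlement or access-group mismatch after re-signing reports -34018, while a different status points at the keychain state on the machine itself, which is the direction the later comments take.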

@simonbs
Contributor

simonbs commented Apr 14, 2023

@ffittschen Thanks for looking into this 🙏

Is there any chance the zipped Tartelet.app attached to the latest GitHub release is having some misconfigured access group, team ID or bundle ID?

I won't rule it out yet but if that's the case then it seems odd to me that the zipped Tartelet.app works in some cases and not in others. @bsrz reports that it works on their laptop but not on a machine rented from MacStadium. It's also working fine on a handful of the machines that I have tested on.

I'm guessing that the reason you got the errSecMissingEntitlement error was that you changed the signing settings and therefore need to change the access group as well. That makes me think the root cause is different here.

Is there any chance that you declined Tartelet from accessing the keychain when using the downloaded Tartelet.app file but approved after changing the bundle ID?

@ffittschen

ffittschen commented Apr 14, 2023

Hmm interesting, I didn't try the zipped Tartelet.app on my laptop and directly went to the debugging 😄 Now that I tried that, importing the private key also worked on my laptop.

So I just checked the Console.app while trying to import the private key on the MacStadium machine and it shows some secd error. This error led me to check the Keychain Access app and for some reason while the login keychain was unlocked, the Local Items keychain was locked and I wasn't able to unlock it... I also wasn't able to perform the "Reset Default Keychains..." action from the Keychain Access Settings.

Screen Shot 2023-04-14 at 20 58 08@2x
Screen Shot 2023-04-14 at 21 30 50@2x

As we don't store anything in these two keychains, I simply deleted the ~/Library/Keychains/<UUID> directory and restarted the Mac mini (which will recreate the directory).

Now I was able to import the private key 🥳

@bsrz Maybe in your case the Local Items keychain is also locked?

@bsrz
Author

bsrz commented Apr 16, 2023

@ffittschen wow that fixed it!

  1. deleted ~/Library/Keychains/<UUID>
  2. rebooted the MacStadium instance
  3. open tartelet
  4. go to setting, select cert
  5. just worked 🎉

@simonbs maybe it's just worth adding some kind of error message when this happens. Easy to fix though.

@simonbs
Contributor

simonbs commented May 10, 2023

I have added some logging in #19 that will make it easier for users to debug this. I'd like to one day introduce an error alert, but the logging does at least make things a bit better.

I'll take the liberty to close this issue. Please don't hesitate to reopen the issue if the problem remains.
