From 91962acb8379a7cf8abd7bdf5d2370268bedda74 Mon Sep 17 00:00:00 2001 From: Jamil Date: Mon, 17 Nov 2025 08:09:09 -0800 Subject: [PATCH] chore(apple): ignore benign keychain errors (#10899) * macOS 13 and below has a known bug that prevents us from saving the token on the system keychain. To avoid Sentry noise, we ignore this specific error and continue to log other errors that aren't an exact match. * Relatedly, if we try to start the tunnel and a token is not found, it's not necessarily an error. This happens when the user signs out and then tries to activate the VPN from system settings, for example. --------- Signed-off-by: Jamil Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../FirezoneKit/Helpers/IPCClient.swift | 1 - .../PacketTunnelProvider.swift | 29 +++++++++++++++++-- 2 files changed, 26 insertions(+), 4 deletions(-) diff --git a/swift/apple/FirezoneKit/Sources/FirezoneKit/Helpers/IPCClient.swift b/swift/apple/FirezoneKit/Sources/FirezoneKit/Helpers/IPCClient.swift index 3f5d76085..80ac69e45 100644 --- a/swift/apple/FirezoneKit/Sources/FirezoneKit/Helpers/IPCClient.swift +++ b/swift/apple/FirezoneKit/Sources/FirezoneKit/Helpers/IPCClient.swift @@ -73,7 +73,6 @@ enum IPCClient { let _ = try await sendProviderMessage(session: session, message: message) } - // MARK: - Low-level IPC operations @MainActor diff --git a/swift/apple/FirezoneNetworkExtension/PacketTunnelProvider.swift b/swift/apple/FirezoneNetworkExtension/PacketTunnelProvider.swift index b8d625353..f5add1648 100644 --- a/swift/apple/FirezoneNetworkExtension/PacketTunnelProvider.swift +++ b/swift/apple/FirezoneNetworkExtension/PacketTunnelProvider.swift @@ -78,11 +78,11 @@ class PacketTunnelProvider: NEPacketTunnelProvider { // If we don't have a token, we can't continue. guard let token = loadAndSaveToken(from: options) else { - throw PacketTunnelProviderError.tokenNotFoundInKeychain + return completionHandler(PacketTunnelProviderError.tokenNotFoundInKeychain) } // Try to save the token back to the Keychain but continue if we can't - do { try token.save() } catch { Log.error(error) } + handleTokenSave(token) // The firezone id should be initialized by now guard let id = UserDefaults.standard.string(forKey: "firezoneId") @@ -123,7 +123,6 @@ class PacketTunnelProvider: NEPacketTunnelProvider { self.adapter = adapter } catch { - Log.error(error) completionHandler(error) } @@ -318,6 +317,30 @@ class PacketTunnelProvider: NEPacketTunnelProvider { // 3. Generate and save new one defaults.set(UUID().uuidString, forKey: key) } + + #if os(macOS) + private func handleTokenSave(_ token: Token) { + do { + try token.save() + } catch let error as KeychainError { + // macOS 13 and below have a bug that raises an error when a root proc (such as our system extension) tries + // to add an item to the system keychain. We can safely ignore this. + if #unavailable(macOS 14.0), case .appleSecError("SecItemAdd", 100001) = error { + // ignore + } else { + Log.error(error) + } + } catch { + Log.error(error) + } + } + #endif + + #if os(iOS) + private func handleTokenSave(_ token: Token) { + do { try token.save() } catch { Log.error(error) } + } + #endif } // Increase usefulness of TunnelConfiguration now that we're over the IPC barrier