Eli Perkins.

Tools I Love: Secretive

I did a git commit and a git push this morning and realized there's a tool that I've used for many years now (or at least 4 years, depending on when I actually put it in my Brewfile).

Secretive is one of the first tools I put on any new Mac. It does one thing and does it well: it creates and stores keys and handles key signing so you don't have to think about those ssh-keygen commands, putting that lil' Secure Enclave in your Mac to work. The beauty of the Secure Enclave is that all of the signing happens within the physical hardware. There's no private key sitting around on your computer for exfiltration (or for you to do stupid things with).

Secretive's UI is so dang simple because it does one thing and does it well

My personal setup is to create two keys in Secretive when I set up a new Mac: one with biometric authentication and one without. I'll use the non-biometric one for GitHub, so I can push and pull without needing to authenticate beyond logging into macOS. I'll use the biometric one for SSH'ing into remote servers, or anywhere else I use SSH where I might want to stop and think about what I'm doing. This gives me the peace of mind that there's some human interaction needed before I go do dangerous or destructive things. I drop the non-biometric key into my GitHub account (did you know you can do this with the gh CLI?), set up my SSH config per Secretive's instructions, and off I go.

How I know I'm about to do something stupid

Secretive sits out of the way. I don't think about how I use it because it's so dang seamless. Secretive is an example of a great app that Uses The Platform™, leaning on the tools Apple provides for building secure apps that don't feel like a slog to use.

After working on GitHub Mobile two-factor, which does all of the security handshakes within the Secure Enclave, I realized that more things should be happening on our devices' Secure Enclaves! Apple's CryptoKit includes the SecureEnclave APIs to do all of the signing directly on the device, quick and easy. Start by securing yourself using Secretive for your git and other SSH-based activities. Next time you reach for some sort of keypair signing or post-quantum encryption (TIL about Module-Lattice-Based Key-Encapsulation), consider how you can leverage the Secure Enclave to keep you and your customers safe.
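To make the two ideas above concrete (the two-key setup with and without biometrics, and the CryptoKit SecureEnclave API), here is an added example that is not code from the post and not Secretive's own source. It assumes a Mac with a Secure Enclave (Apple silicon or T2) and is run as a plain Swift script; the enum, function names and the sample message are mine. The point it shows: the private half of each key never exists in software, the biometric key forces a Touch ID prompt on every signature, and the only thing you can persist is an opaque blob that just this device's enclave can unwrap.

```swift
import CryptoKit
import Foundation
import Security

// Added example (not from the post or from Secretive): the two-key pattern
// described above, built directly on CryptoKit's SecureEnclave API.
// Assumes macOS 10.15+ on a machine with a Secure Enclave.

enum KeyPolicy {
    case unlockedOnly   // usable whenever macOS is unlocked (the "GitHub" key)
    case biometric      // every signature needs Touch ID (the "remote server" key)
}

struct EnclaveKeyError: Error { let message: String }

/// Builds the access-control object the Secure Enclave enforces for a key.
/// `.privateKeyUsage` is required for any enclave key; adding
/// `.biometryCurrentSet` makes every signing operation prompt for biometrics
/// and invalidates the key if the enrolled fingerprints change.
func makeAccessControl(_ policy: KeyPolicy) throws -> SecAccessControl {
    var flags: SecAccessControlCreateFlags = [.privateKeyUsage]
    if case .biometric = policy { flags.insert(.biometryCurrentSet) }
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        flags,
        &cfError) else {
        throw EnclaveKeyError(message: "SecAccessControlCreateWithFlags failed: \(String(describing: cfError))")
    }
    return access
}

/// Generates a P-256 signing key whose private half never leaves the enclave.
func makeEnclaveKey(_ policy: KeyPolicy) throws -> SecureEnclave.P256.Signing.PrivateKey {
    guard SecureEnclave.isAvailable else {
        throw EnclaveKeyError(message: "No Secure Enclave on this machine")
    }
    return try SecureEnclave.P256.Signing.PrivateKey(accessControl: makeAccessControl(policy))
}

/// Signs `message` inside the enclave and checks the result with the public key,
/// which is the only part of the pair software ever sees in the clear.
func signAndVerify(_ key: SecureEnclave.P256.Signing.PrivateKey, _ message: Data) throws -> Bool {
    let signature = try key.signature(for: message)
    return key.publicKey.isValidSignature(signature, for: message)
}

// Constructed sample payload; in practice this is whatever you need signed.
let message = Data("constructed sample payload".utf8)

let gitKey = try makeEnclaveKey(.unlockedOnly)
let serverKey = try makeEnclaveKey(.biometric)

print("git key verifies:", try signAndVerify(gitKey, message))
print("server key verifies (expect a Touch ID prompt):", try signAndVerify(serverKey, message))

// What you can persist is an encrypted blob only this device's enclave can
// unwrap, not raw key material. Store it in the Keychain, never in a dotfile;
// copying it to another Mac yields nothing usable.
let blob = gitKey.dataRepresentation
let restored = try SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: blob)
print("blob bytes:", blob.count, "restored key verifies:", try signAndVerify(restored, message))
print("public key (X9.63):", gitKey.publicKey.x963Representation.base64EncodedString())
```

Save it as a single file and run it with `swift` on the Mac itself; the second signature will block until Touch ID succeeds, which is exactly the "stop and think" gate the biometric key is for. If you need the biometric key usable unattended (CI, cron), don't weaken the flags; create a separate key with the `.unlockedOnly` policy, as the post does for GitHub.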


Written by Eli Perkins, an engineering leader based in Denver. Say hello on Bluesky.