
Keychain locked? #98

Closed
kuhnroyal opened this issue Nov 13, 2024 · 6 comments · Fixed by #99
Labels
question Further information is requested

Comments

@kuhnroyal
Contributor

Your Question

I am running Tartelet on a remote Mac Mini.
When I log in via Remote Desktop everything is fine and Tartelet happily creates and removes the VMs.

But when I close the remote connection, after a short while Tartelet fails to create GitHub runners because the private key is not available anymore. As soon as I connect & log in again, the problem disappears.

So I am wondering if anyone has experienced this or has any ideas.

05:32:37.771 INFO: Start virtual machine named sk-mac-mini-1-runner-2
05:32:41.400 INFO: The private key is not available
05:32:41.403 INFO: Could not connect to the virtual machine over SSH, so the virtual machine will be shut down.
05:32:41.516 INFO: Virtual machine named sk-mac-mini-1-runner-1 stopped with message: Failed establishing SSH connection
05:32:43.895 INFO: Start virtual machine named sk-mac-mini-1-runner-1
05:33:00.217 INFO: The private key is not available
05:33:00.252 INFO: Could not connect to the virtual machine over SSH, so the virtual machine will be shut down.
05:33:00.379 INFO: Virtual machine named sk-mac-mini-1-runner-2 stopped with message: Failed establishing SSH connection
05:33:02.112 INFO: Start virtual machine named sk-mac-mini-1-runner-2
05:33:06.855 INFO: The private key is not available
05:33:06.862 INFO: Could not connect to the virtual machine over SSH, so the virtual machine will be shut down.

Any additional context?

No response

@kuhnroyal kuhnroyal added the question Further information is requested label Nov 13, 2024
@kuhnroyal
Contributor Author

It looks like the keychain is getting locked due to the lock screen. Is there any way to avoid this?
I don't want to remove the lock screen.

@hisaac
Contributor

hisaac commented Nov 13, 2024

Is it the host machine that's going to the lock screen, or the tart VM?

Either way, the only way I know of to work around that is to disable screen lock.

sysadminctl -screenLock off -password <password>

Maybe a good idea to disable the screensaver and system sleep as well.

defaults -currentHost write com.apple.screensaver idleTime 0
sudo systemsetup -setsleep Off

@kuhnroyal
Contributor Author

Yea, I am talking about the host. Tartelet on the host cannot read from the keychain once the host is locked.

@kuhnroyal
Contributor Author

@simonbs While you are here, do you have any advice on this problem? I don't want to leave my Mac Minis unlocked.
Would it make sense to implement a second storage variant that does not rely on the keychain?

@simonbs
Contributor

simonbs commented Nov 14, 2024

> Would it make sense to implement a second storage variant that does not rely on the keychain?

I'm not fond of the idea of storing the secrets outside of the keychain. However, I think I'd be OK with storing them in the keychain, loading them into memory, and referencing the secrets in memory going forward. This way, the Mac should only need to be unlocked the first time the secrets are read from the keychain.

I don't have the time to implement this right now but I'm happy to review and merge PRs.

@kuhnroyal
Contributor Author

I talked with Copilot for a bit and read some documentation; maybe we can set kSecAttrAccessibleAfterFirstUnlock on the keychain items.
https://developer.apple.com/documentation/security/ksecattraccessibleafterfirstunlock

As far as I understand, this can be combined with a LaunchAgent that would have access to the keychain even after reboot & automatic login.
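The two ideas in this thread (simonbs's read-once-then-cache approach and the kSecAttrAccessibleAfterFirstUnlock attribute) combined, as an added illustration that is not Tartelet's code. It assumes hypothetical service/account names, and relies on the fact that on macOS kSecAttrAccessible is honoured only for items stored in the data-protection keychain (kSecUseDataProtectionKeychain), which in turn requires the app to be code signed with an application identifier. With this, the host only needs to have been unlocked once since boot, and it can stay locked afterwards.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; Tartelet's real ones are not on this page.
let service = "example.tartelet.runner"
let account = "github-app-private-key"

enum KeychainError: Error { case status(OSStatus) }

/// Store `data` so it stays readable after the first unlock following boot,
/// even while the login session is locked. Only effective in the
/// data-protection keychain, hence kSecUseDataProtectionKeychain.
func storeAfterFirstUnlock(_ data: Data) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecUseDataProtectionKeychain as String: true,
    ]
    // Remove any existing item so the accessibility attribute is applied on re-add.
    SecItemDelete(query as CFDictionary)
    var attrs = query
    attrs[kSecValueData as String] = data
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Reads the secret from the keychain once and keeps it in memory, so later
/// runner launches never touch the keychain (simonbs's suggestion above).
final class SecretCache {
    private var cached: Data?
    private let lock = NSLock()

    func privateKey() throws -> Data {
        lock.lock(); defer { lock.unlock() }
        if let data = cached { return data }
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecUseDataProtectionKeychain as String: true,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.status(status)   // e.g. errSecInteractionNotAllowed while locked
        }
        cached = data
        return data
    }
}
```

If the first read still fails with errSecInteractionNotAllowed, the item is most likely in the legacy login keychain rather than the data-protection keychain, and the attribute is being ignored.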
