That's because the code signing is invalid. Are you signing the whole app, or only the binary? There could be many reasons; one is the lack of the provisioning profile on your computer (for your key).
It's an SE limitation :(. It also makes me sad; it would be awesome if you could import a key generated by yourself, so if you reinstall you can import it again into the enclave.
It's common for hardware security tokens like this to limit themselves to self-generated private keys. The intent is that the device needs to provide a guarantee that the private key is not otherwise accessible, whereas it would be if the user generated it, perhaps wrote it to disk, provided it to the SE, and perhaps to SEs on other devices.
I was thinking more in terms of: I trust openssl to generate a non-broken key. (Yeah, even with all its faults...) But if SE turns out to generate bad keys, like the recent popular issue, I can't use a better one instead.
This shouldn't be a problem. Backing up a securely stored key is not a great solution. Instead you can generate a backup key that you provision everywhere as well (the public part), but store completely offline.
Basically treat this the same as you would a physical 2fa token.
I'm thinking more about whether this could be used to store cryptocurrency keys, in place of a hardware wallet. It's a different elliptic curve (according to another HN commenter recently) but that's not necessarily a deal killer forever.
Without an export it could maybe be one key in a multisig.
I may be talking shit, but from what I understand of SE, it wouldn't make sense to lose the data if you reinstall macOS.
I tried to look up the info, but the only thing I found was this: "But because its backing storage is physically part of the Secure Enclave, you can never inspect the key’s data."
That means that it gets stored in SE instead of your computer's hard drive.
Also, Apple has instructions to clean the Secure Enclave if you're going to sell your MacBook Pro with Touch ID.
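An added example, not from anyone in this thread, in Swift against Apple's Security framework on a Mac with a Secure Enclave. It does what the comments above describe: asks the enclave to generate a P-256 key (the only key type the Secure Enclave supports, which is also the "different elliptic curve" mentioned earlier, since it is not the curve Bitcoin uses), exports the public half, signs and verifies a message, and then shows that asking for the private key's bytes is refused, which is the "you can never inspect the key's data" guarantee quoted above. The application tag and message text are placeholders chosen for this example. Note that the enclave only serves code-signed binaries, so running this from an unsigned command-line build fails with a missing-entitlement error, which is the kind of failure the first comment is about.

```swift
import Foundation
import Security

// Added example (not from the thread): Secure Enclave key lifecycle on macOS.
enum EnclaveDemo {
    // Hypothetical application tag used to find the key in the keychain later.
    static let tag = "com.example.enclave-demo".data(using: .utf8)!

    // Generate a 256-bit EC key whose private half lives only inside the Secure Enclave.
    static func makeEnclaveKey() throws -> SecKey {
        var error: Unmanaged<CFError>?
        // Private key may only be used while the device is unlocked, and never migrates to another device.
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .privateKeyUsage,
            &error
        ) else { throw error!.takeRetainedValue() as Error }

        let attrs: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, // P-256
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,    // generate inside the SE
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: tag,
                kSecAttrAccessControl as String: access,
            ],
        ]
        guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return key
    }

    // ECDSA over SHA-256 of the message; the signing happens inside the enclave.
    static func sign(_ message: Data, with key: SecKey) throws -> Data {
        var error: Unmanaged<CFError>?
        guard let sig = SecKeyCreateSignature(
            key, .ecdsaSignatureMessageX962SHA256, message as CFData, &error
        ) else { throw error!.takeRetainedValue() as Error }
        return sig as Data
    }

    static func run() throws {
        let priv = try makeEnclaveKey()
        let pub = SecKeyCopyPublicKey(priv)!
        var error: Unmanaged<CFError>?

        // The public half is exportable: an X9.63 uncompressed point, 65 bytes.
        let pubBytes = SecKeyCopyExternalRepresentation(pub, &error)! as Data
        print("public key:", pubBytes.map { String(format: "%02x", $0) }.joined())

        // The private half is not: Secure Enclave keys have no external representation.
        if SecKeyCopyExternalRepresentation(priv, &error) == nil {
            print("private key export refused:", error!.takeRetainedValue())
        }

        // Placeholder message for the example.
        let message = "hello from the example".data(using: .utf8)!
        let sig = try sign(message, with: priv)
        let ok = SecKeyVerifySignature(
            pub, .ecdsaSignatureMessageX962SHA256, message as CFData, sig as CFData, &error
        )
        print("signature verifies:", ok)
    }
}

do { try EnclaveDemo.run() } catch { print("failed:", error) }
```

Because the private key cannot leave the enclave, the way to survive a lost or wiped device is the scheme described in the thread: register a second, independently generated public key everywhere the enclave key is trusted, and keep that second key's private half offline, rather than trying to copy the enclave key out.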