Why does SSH authentication fail when adding a host to Noxen?

Most common cause: the bundled key isn't on the remote host's authorized_keys. Run ssh-copy-id from your Mac. Second cause: Noxen v1.0 supports Ed25519 only — RSA / ECDSA / encrypted keys land in v1.1.

What causes a Manifest signature mismatch error?

Either the bundled public key was rotated and your Noxen build is stale (update via Sparkle), or the upstream feed was rebuilt with a stale signing key (we notice and fix server-side). Restart Noxen after the next feed rebuild.

Why isn't my license key activating?

Most likely a copy-paste artefact (smart quotes, leading whitespace) — paste into a plain-text field first, re-copy. Or the key is bound to a different Mac — deactivate from that Mac's Settings → Account first.

Reference · 8 min read

Troubleshooting

Most error states answer to one of the recipes below. If yours isn't here, check Settings → Advanced → Runtime audit for any anomalies, then ask in support.

SSH connection issues

"SSH authentication failed": Most common cause: the bundled key isn't on the remote host's ~/.ssh/authorized_keys. Run ssh-copy-id -i <path-to-key> <user>@<host> from your Mac, then retry. Second cause: RSA / ECDSA keys aren't supported in v1.0 — only Ed25519. Generate one with ssh-keygen -t ed25519 -f ~/.ssh/noxen_id, copy it across, and re-import the host.
"Connection refused": Port mismatch (the SSH daemon isn't listening on the port Noxen is trying — edit the host's port field), firewall blocking (ufw / firewalld / router), or sshd is genuinely down. Disambiguate with nc -vz <host> <port> from Terminal.app.
"Operation timed out": Routing or DNS — the hostname doesn't resolve to a reachable IP. ping <host> first; if that fails you're on a different subnet or VPN-disconnected.
"Host key verification failed": The host's SSH host key has changed since you last connected (legitimate: the box was reinstalled; suspicious: someone's MITM-ing). Edit ~/.ssh/known_hosts on your Mac to remove the old entry, then re-scan to accept the new key.

CVE feed errors

"Manifest signature did not match the bundled public key": The signature on the live manifest doesn't verify against Noxen's bundled public key. Either: (a) the bundled key was rotated and your Noxen build is stale — check for an update via Noxen → Check for Updates…; or (b) the upstream feed was rebuilt with a stale signing key — usually we notice within hours and fix server-side. Wait 30 minutes and retry; if it persists, file a support ticket.
"Snapshot SHA-256 mismatch": The downloaded snapshot's hash doesn't match the manifest's. Either the download was corrupted (Cloudflare edge had a hiccup) or someone's tampering with the snapshot in transit. Restart Noxen — the next download attempt retries from a fresh edge node, which usually clears it.
"Manifest fetch failed: HTTP 503": Cloudflare or our Worker is briefly unreachable. Wait a minute and retry. The manifest endpoint is the canonical source — if you can curl it successfully but Noxen still fails, check macOS network permissions for Noxen.
Feed staleness banner ("CVE feed is stale"): Your last successful feed update was > 36 hours ago. Click Refresh in the banner, or Settings → Updates → Check now. If the check itself is failing, see the previous entries.

License activation

"License key invalid or already used": Most common: a copy-paste artefact — smart quotes from the email client, leading or trailing whitespace, or a partial key. Paste into a plain-text editor (TextEdit → Format → Make Plain Text), inspect, re-copy. Second cause: the key was activated on Mac A and is bound there. Deactivate from Mac A's Settings → Account before activating on Mac B.
"License server unreachable": The Lemon Squeezy validation endpoint is briefly down or your network is blocking it (corporate firewalls sometimes block api.lemonsqueezy.com). The grace mode kicks in: Noxen treats your last successful validation as valid for 14 days while the server's down. Restart later.
Tier shows "Free" but I bought a license: Activation didn't fully complete. Try the deep-link from your Lemon Squeezy email again (noxen://activate?key=…) — it bypasses the manual paste flow. If that fails, paste manually into Settings → Account.

Scheduled scans not running

Agent never fires at 03:00: Most common cause: the Mac was asleep when the trigger fired and isn't configured for Power Nap / Wake-for-network access. macOS won't fire LaunchAgents on a fully-asleep Mac. Enable Wake for Wi-Fi network access in System Settings → Battery / Energy Saver. Second cause: the agent is configured but the AC-power-only flag is set and you're on battery — scheduled scans skip on battery by default.
Agent ran but no findings appeared: The agent writes results to ~/Library/Group Containers/group.com.paulsnyman.noxen/agent/results/ and the main app drains them on next launch. Quit and relaunch Noxen; the merge happens during startup.
Two agents running at once: Shouldn't happen — there's an advisory lockfile at agent/agent.lock that the second invocation respects and exits cleanly. If you suspect a stuck lock, quit Noxen, delete the lockfile, restart.

iCloud / CloudKit sync

iOS companion shows zero hosts: Both Macs and iPhone need to be signed into the same iCloud account, and both need Noxen-iCloud sync enabled. On the Mac: Settings → iCloud → enable. On iPhone: launch the iOS companion → it inherits the same iCloud account. Replication is eventual — first-pull can take 30–120 seconds.
"Unable to initialize without an iCloud account": The Mac isn't signed into iCloud. Either sign in (System Settings → Apple Account) or run Noxen offline — iCloud sync is optional, the app works fully without it.
CloudKit container quota exceeded: You've hit the per-container CloudKit limit (Apple's ceiling, not Noxen's). Most likely cause: many years of scan history. Cull old scans from Settings → Data → Prune scans older than….

Performance issues

SQLite import takes > 1 minute: Normal for the first import after a fresh install (the full ~95 MB feed gets imported into a SQLite snapshot). Subsequent imports are incremental and complete in seconds. If a re-import keeps doing the slow path, the local schema version is stale — Noxen rebuilds the SQLite file fully when the importer's schema version bumps.
App "hangs" during a scan: Almost always a stuck SSH probe — the underlying /usr/bin/ssh handshake is waiting on a host that's not responding. Press Esc or click Cancel; the probe unwinds in < 5 seconds.
Scan-all takes hours on a small fleet: Per-host scans are sequential, not parallel — see Batch scan. Per-host time is dominated by open-port count; a wide-open NAS can take 60+ seconds. For very wide-open hosts, consider narrowing the custom port range in Settings → Scan.

Still stuck?

noxen.app/support for direct help. Or check the changelog — your issue may be a known regression that's already fixed in the next release.