WireGuardApp: do not delete unverifying profiles ever

The Keychain code is much too fragile, and it's better to err on the
safe side. Instead just log an error when this happens.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Sources/WireGuardApp/Tunnel/TunnelsManager.swift

@@ -56,21 +56,19 @@ class TunnelsManager {
                     tunnelManager.saveToPreferences { _ in }
                 }
                 #if os(iOS)
-                let passwordRef = proto.verifyConfigurationReference() ? proto.passwordReference : nil
+                let verify = true
                 #elseif os(macOS)
-                let passwordRef: Data?
+                let verify = proto.providerConfiguration?["UID"] as? uid_t == getuid()
-                if proto.providerConfiguration?["UID"] as? uid_t == getuid() {
-                    passwordRef = proto.verifyConfigurationReference() ? proto.passwordReference : nil
-                } else {
-                    passwordRef = proto.passwordReference // To handle multiple users in macOS, we skip verifying
-                }
                 #else
                 #error("Unimplemented")
                 #endif
-                if let ref = passwordRef {
+                if verify && !proto.verifyConfigurationReference() {
+                    wg_log(.error, message: "Unable to verify keychain entry of tunnel: \(tunnelManager.localizedDescription ?? "<unknown>")")
+                }
+                if let ref = proto.passwordReference {
                     refs.insert(ref)
                 } else {
-                    wg_log(.info, message: "Removing orphaned tunnel with non-verifying keychain entry: \(tunnelManager.localizedDescription ?? "<unknown>")")
+                    wg_log(.error, message: "Removing orphaned tunnel with missing keychain entry: \(tunnelManager.localizedDescription ?? "<unknown>")")
                     tunnelManager.removeFromPreferences { _ in }
                     tunnelManagers.remove(at: index)
                 }