Fix deprecated TrustedApplicationAccess on macOS Catalina #59

Closed

n11c commented Jan 17, 2020

Updated keybase/go-keychain dependency to remove deprecation warnings about TrustedApplicationAccess on macOS Catalina

resolves #56

kjmph commented Jan 23, 2020

I can confirm I can build again with this patch. Unfortunately, I don't know the implications of the changes though.

mtibben (Member) commented Feb 10, 2020

Trying this out with aws-vault, I no longer get a password prompt when aws-vault accesses the keychain

mtibben (Member) commented Feb 10, 2020

Before: [image]

After: [image]

n11c (Author) commented Feb 10, 2020

I believe the fact that aws-vault appears in the "always allow access" section is due to clicking on the "always allow" button when entering the password.
At least I get the same behaviour by clicking on that button with the current aws-vault release.
That would indeed cause the password prompt not to be shown anymore.

I rebuilt aws-vault with this PR and I get the following behaviour:

  • On first run I get a pass prompt to retrieve the password from the keychain
  • If I only click "allow", it prompts me twice, don't know why
  • If I click "always allow" it only prompts me once and aws-vault gets added to the list mentioned above as expected
  • The keyring entry created to store the token automatically has aws-vault in the always allowed apps list, so that subsequent calls to aws-vault retrieve the token without prompting for the password (I didn't wait until it expired, but I guess it should then try to access the aws password and prompt for the keyring password if necessary)

Now, I'm far from being an OSX expert so this should be taken with a grain of salt.
I don't really know if these tests are enough to confirm that this PR does not create a security hole.
Hopefully someone more qualified can answer that.

mtibben (Member) commented Feb 11, 2020

The point is to ensure that the user is prompted to "Allow" or "Always Allow". This PR changes the behaviour so that aws-vault is in the trusted list of apps by default, which means the user is not prompted, and that is not the desired behaviour.

genevieve commented

Hi @mtibben! We would really like to use a version of keyring that has the updated go-keychain dependency. Would you accept a PR that only updates the dependency?

mtibben (Member) commented Apr 23, 2020

Hey @genevieve, absolutely yes if we can demonstrate that it behaves the same way. I have not been able to confirm this yet so have committed db030e0 temporarily.

mtibben (Member) commented Nov 20, 2020

See the comment at #66 (comment) on how to address this issue.

mtibben closed this Nov 20, 2020

Successfully merging this pull request may close these issues.

Using the deprecated function of go-keyring