security delete-generic-password sometimes succeeds but does not delete #531

Open
Hoverbear opened this issue Jun 26, 2023 · 2 comments
Labels
MacOS Darwin/MacOS

Comments

@Hoverbear
Contributor

In #520 we confirmed that users can experience behavior consistent with what we noticed during testing, where calls like security delete-generic-password -a "Nix Store" -s "Nix Store" -l "disk3 encryption password" -D "Encrypted volume password" could result in output like:

❯ security delete-generic-password -a "Nix Store" -s "Nix Store" -l "disk3 encryption password" -D "Encrypted volume password"
keychain: "/Library/Keychains/System.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="disk3 encryption password"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="Nix Store"
    "cdat"<timedate>=0x32303233303632343039353331355A00  "20230624095315Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="Encrypted volume password"
    "gena"<blob>=<NULL>
    "icmt"<blob>="Added automatically by the Nix installer for use by /Library/LaunchDaemons/org.nixos.darwin-store.plist"
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303233303632343039353331355A00  "20230624095315Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="Nix Store"
    "type"<uint32>=<NULL>
password has been deleted.

However the password does not seem to get immediately deleted. After several tries the user managed to get it to actually delete.

We must either be using it wrong, or need to actually do a poll to wait for it to be actually done.

@Hoverbear Hoverbear added the MacOS Darwin/MacOS label Jun 26, 2023
@Hoverbear Hoverbear added this to the 0.9.3 milestone Jun 26, 2023
@abathur
Contributor

abathur commented Jun 26, 2023

Duplicating comment here from the other thread; I didn't notice you'd opened this when I posted there:

I suspect that the reason the commands are succeeding is that there's more than one credential matching the invocation from previous install attempts. (I guess it might not be deleting the credential, but I'd rule out duplicates before tilting at that possibility? Since the official installer doesn't remove creds and the user notes that they used it at some point, they may have had multiple credentials from that timeframe instead of from running the detsys installer.)

It's possible this output is out of date since it's from an older macOS, but I do get an error status if there's no matching credential:

$ security delete-generic-password -a "one" -s "two" -l "three" -D "four"; echo $?
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
44

Keeping passwords matched up with volumes is part of why the official shell installer is using the volume UUID in the credential and mounting service definition.

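An added example (not code from the installer project) that applies the observation above: it repeats the delete until `security` reports the no-match status 44 seen in the transcript, so every duplicate item from earlier install attempts is removed, and any other failure is reported separately instead of being mistaken for "nothing left". The attribute values are the ones from the issue; the 100-round bound is an assumption.

```shell
#!/bin/sh
# Added example, not code from the nix-installer project. Removes every
# generic-password item that matches the given attributes, one `security`
# call per item, until the keychain reports that nothing matches.
# Observed in the thread: each successful call prints
# "password has been deleted." and removes one item; with no match the tool
# exits 44 ("The specified item could not be found in the keychain").

# delete_all_matching ACCOUNT SERVICE LABEL KIND
# Prints the number of items removed. Returns 0 once status 44 is reached
# (no matching item left) and 1 on any other failure, e.g. an authorization
# or keychain error, so the caller never confuses the two.
delete_all_matching() {
    account=$1; service=$2; label=$3; kind=$4
    deleted=0
    max_rounds=100   # assumed safety bound so the loop cannot run forever
    while [ "$deleted" -lt "$max_rounds" ]; do
        status=0
        security delete-generic-password \
            -a "$account" -s "$service" -l "$label" -D "$kind" \
            >/dev/null 2>&1 || status=$?
        case "$status" in
            0)  deleted=$((deleted + 1)) ;;             # one duplicate gone
            44) printf '%s\n' "$deleted"; return 0 ;;   # no more matches
            *)  printf '%s\n' "$deleted"; return 1 ;;   # a real error
        esac
    done
    printf '%s\n' "$deleted"
    return 1
}

# Run with the four attribute values from the thread, e.g.:
#   sh delete_all.sh "Nix Store" "Nix Store" "disk3 encryption password" \
#       "Encrypted volume password"
if [ "$#" -eq 4 ]; then
    delete_all_matching "$@"
fi
```

The printed count tells you how many stale items existed, which is the evidence abathur suggests gathering before concluding that the delete itself is flaky.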
@Hoverbear Hoverbear modified the milestones: 0.11.0, 0.11.1 Aug 10, 2023
@Hoverbear
Contributor Author

Noting we now include wording in our error messages related to this, so it's mitigated.

@Hoverbear Hoverbear removed this from the 0.11.1 milestone Sep 22, 2023