Is it a no-no to get/set from an Electron renderer process? #250
Comments
aguynamedben
changed the title
|
Here are some screenshots that demonstrate what's going on in macOS keychain. Keychain Access details, Version A of my app w/ Electron 5, after a keytar set from the renderer Version B of my app w/ Electron 7, during a keytar get from the renderer. Note the new name, Command E Helper (Renderer) Keychain Access details after typing my password clicking Always Allow |
This is fine, and a very common scenario. It's just that keytar doesn't care about where it gets run from - as long as its something resembling a Node runtime. As @MarshallOfSound pointed out in the upstream issue, there were changes to how the app works on macOS with Electron 6 that mean the bundle ID for the renderer process has changed, and the operating system now sees it as different to the previous app that it granted permission to read and write to the keychain. Hence the new warning. I'm not 100% sure of the fix here (I haven't kept up with the latest in the Electron space in the previous few months), but keytar doesn't have any process-specific checks that you can control. I'd recommend checking how your app is packaged, and what hooks you have to maintain compatibility across the Electron upgrade process. Gonna leave this open for a bit because I suspect others may encounter the same problem. |
|
@shiftkey Thank you for the very helpful reply. It's nice to know that I'm not just going insane. :) You're exactly right. I'm packing my app with electron-builder, the For those trying to understand this issue, here are some helpful commands that will help you introspect your packaged Electron app, each process' plist file, and the bundleIdentifier value macOS depends on when deciding if it will show a permissions dialog or not. For Electron 5 and before, using electron-builder: # Dump the .plist file to JSON
plutil -convert json -o /tmp/wat.json /Applications/Command\ E.app/Contents/Frameworks/Command\ E\ Helper.app/Contents/Info.plist
# View the JSON
cat /tmp/wat.json | python -mjson.tool
# (inspect the CFBundleIdentifier value)If you do this with various installed builds of your app using Electron 5 and Electron 6, you'll see CFBundleIdentifier doesn't actually change. It will be something like For Electron 6+, using electron-builder: # Dump the .plist file to JSON
# Note the path is different! (Renderer)
plutil -convert json -o /tmp/wat.json /Applications/Command\ E.app/Contents/Frameworks/Command\ E\ Helper\ \(Renderer\).app/Contents/Info.plist
# View the JSON
cat /tmp/wat.json | python -mjson.tool
# (inspect the CFBundleIdentifier value)THIS process has a CFBundleIdentifier value of If this is affecting your keytar calls from the renderer in Electron 6+, see my PR. You need to:
"helperBundleId": "io.hypertools.Command-E.helperGeneric",
"helperRendererBundleId": "io.hypertools.Command-E.helper",Shameless plug: I'm the founder of Command E, if you like this helpful information and want to work on some fun Electron stuff, hit me up!!! :) |
|
Slightly related question to @shiftkey and maybe @BinaryMuse: so far in VSCode we have been using Basically I am trying to understand if it is save to have |
Correct, most of the work (calling platform specific systems calls etc) happens in async workers. |
|
Great thanks for clarifying 👍 |
Prerequisites
Description
I've worked myself into a slight pickle with my keytar usage due to the fact that I was setting keys in the Electron renderer, and the Electron renderer process name changed formats in Electron 6.
More details here: electron/electron#22317
Summary:
My main question is: Is is a no-no to keytar get/set from renderer process? I don't really see any warnings about this in the README.
Thanks for any feedback or ways out you can offer. I really appreciate keytar and Electron, thank you for the work you do on these excellent projects.
The text was updated successfully, but these errors were encountered: