-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keyring v3 #7043
Keyring v3 #7043
Conversation
@@ -242,16 +242,17 @@ func handleRequests(ctx context.Context, server *Server, channel ssh.Channel, re | |||
errc := make(chan error, 1) | |||
go func() { | |||
for req := range reqs { | |||
if req.WantReply { | |||
if err := req.Reply(true, nil); err != nil { | |||
r := req |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an unrelated change but was giving a diagnostics lint warning that we were using req
in the function call to forwardStream
. Using the loop iteration variable in function calls like that is a common source of Go bugs.
af63064
to
77d6396
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for taking this work over 🙏
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This isn't *great*, but it does significantly improve local developer ergonomics. Prior to this change, things worked just fine (WRT the keychain parts), but the ergonomics kinda sucked. This is because, by default, only the application that writes the keychain entry is allowed to read from it. So what would happen during development is that you'd compile, go through the oauth device flow then realize you have to fix some bug, fix the bug, then try to run the application again: 💥 macOS password prompt. The changes here in this commit work around the issue by using `security` (the macOS built-in CLI for handling this stuff). That results in the keychain entry always being read/written by a stable binary so debug builds/re-builds don't have issue. The downside here, is that "anyone" that can execute `security` can read the password. For what it's worth, this is exactly what `gh` does. See some references below: - cli/cli#7043 - https://github.com/zalando/go-keyring - cli/cli#7123 - cli/cli#7023 (comment)
Previously, upon completing
gh auth login
, GitHub CLI was storing the GitHub API authentication token in its~/.config/gh/hosts.yml
file:This introduces a change where the token can now be stored in the system keyring (encrypted storage) instead:
We have chosen the zalando/go-keyring library for this because it's pure Go, i.e. does not require cgo to be enabled. Currently we disable cgo in our precompiled binaries to increase portability.
If none of the storage providers were found, or the store operation failed, the token will be written to the config file as before to ensure as little disruption to our users as possible should something go wrong with the new approach.
After this change, after completing
gh auth login --secure-storage
orgh auth refresh --secure-storage
, the config file will look like this:Note the omission of the
oauth_token
key. Instead, the key is saved in encrypted storage. Note that depending on the OS and circumstances, gh communicating with encrypted store might spawn a system dialog to approve access. The recommended setting is to “always allow”.Those who use environment variables (e.g. GH_TOKEN) to authenticate gh will not be affected, as in the case of environment variables, the token is neither read nor stored in the config file.
--secure-storage
flag but the intention is that this will be the default and only option in the near future. The reason for this intermediate step is to decrease the risk to extensions which is outlined below.oauth_token
key will not be found anymore.Supersedes: #7023
Depends on: #7033
Fixes #449