store/keychain: require a serviceName and serviceGroup #32
Merged
Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>
wmluke
reviewed
Jun 23, 2025
| // Changing the service name can be done, but would require migrating existing credentials. | ||
| // | ||
| // [Factory] is a function used to instantiate new secrets of type T. | ||
| func New[T store.Secret](serviceGroup, serviceName string, factory Factory[T]) (store.Store, error) { |
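Review bot: In the `New` signature, `serviceGroup` and `serviceName` are adjacent parameters of the same type, so a call site that passes them in the wrong order still compiles, and the comment above notes that changing the service name later requires migrating existing credentials. Consider having the doc comment state the order and expected form of each value, with a short example call. It should also say what makes `New` return an error (for example an empty group or name), since the visible lines do not document the error cases.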
Do we have any secrets stored in the wild that will need to be migrated?
Minor nit: should/do we have functional tests to validate this behavior across platforms?
Member
Author
> Do we have any secrets stored in the wild that will need to be migrated?

Not here, we aren't storing any secrets with the keychain library yet, so nothing to be migrated. But someone implementing this library would need to be made aware of it.

> Minor nit: should/do we have functional tests to validate this behavior across platforms?

Not yet, tests will come once we have a baseline.
joe0BAB
approved these changes
Jun 23, 2025
The macOS keychain scopes items based on the application bundle ID, managed by Xcode. The macOS keychain service also supports setting a Keychain group which shares keychain items between applications. On Linux any application can prompt the user for any credential stored inside the keychain.
For us to support a wide range of use cases we need to require the `serviceName` and `serviceGroup`. This helps make credentials searchable via their attributes field (supported by macOS and Linux).
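The attribute-scoped lookup described above, as an added example that is not code from this pull request or the project: it models a keychain's attribute search in memory and calls no real keychain API. The `scope` type, the `newScope` helper, the attribute keys and the sample values are all hypothetical.

```go
package main

import "fmt"

// item models a keychain entry: a secret plus the attribute map it is searched by.
type item struct {
	attrs  map[string]string
	secret string
}

// scope is a hypothetical pairing of the two required values.
type scope struct{ group, name string }

// newScope rejects empty values so no item is written without both attributes.
func newScope(group, name string) (scope, error) {
	if group == "" || name == "" {
		return scope{}, fmt.Errorf("serviceGroup and serviceName are required")
	}
	return scope{group, name}, nil
}

// attrs tags a credential id with the scope; the attribute keys are made up here.
func (s scope) attrs(id string) map[string]string {
	return map[string]string{"service:group": s.group, "service:name": s.name, "id": id}
}

// search returns the secrets of items that carry every queried attribute.
func search(items []item, query map[string]string) []string {
	var out []string
	for _, it := range items {
		match := true
		for k, want := range query {
			got, ok := it.attrs[k]
			match = match && ok && got == want
		}
		if match {
			out = append(out, it.secret)
		}
	}
	return out
}

func main() {
	a, _ := newScope("com.example", "app-a") // constructed sample values
	b, _ := newScope("com.example", "app-b")
	items := []item{{a.attrs("token"), "secret-a"}, {b.attrs("token"), "secret-b"}}
	fmt.Println(search(items, map[string]string{"id": "token"})) // ambiguous: both apps' items
	fmt.Println(search(items, a.attrs("token")))                 // scoped: only app-a's item
}
```

A lookup by credential id alone matches every application's item with that id, while a lookup that includes the group and name attributes returns only the caller's own item.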