-
Notifications
You must be signed in to change notification settings - Fork 478
Apple Keychain fails over ssh #3065
Comments
we use a pretty small wrapper around
i'm not sure we want to add any specific checks for this. it seems like it should be up to the user to decide if they want to opt out of keychain usage or use it, but i'm open to being convinced. that said, one thing we could do is catch an error and then ask users if they want to continue without keychain usage. i'd suggest trying to make sure that you can run some |
Thank you! I will look into those tomorrow. |
I have been playing with the When sitting at the host machine (not ssh'd), I cannot access the password for
However, running the If I even just run a keychain dump for those items, they are not present:
Greping for other values on that same dump does produce results. So what am I missing here? I did find this StackExchange, which is similar in that it refers to the same 36 error status happening when over ssh. However, it's quite old, the interface has changed, and I was unable to find a resolution by following the answers. I did try
Interestingly, the expo items are stored in the "Local Items" keychain on a different machine I use. Both machines are able to successfully build at cli using A few questions that I don't have answers to:
|
@mattrabe - i don't really know that much about this personally and don't have much time to investigate the edge case that you're encountering, but hopefully by reading the source you can answer your questions: https://github.com/expo/expo-cli/search?q=keychain keychain service name is here: expo-cli/packages/expo-cli/src/appleApi/authenticate.ts Lines 250 to 258 in d5a20f0
|
I’ll keep digging, but maybe @EvanBacon could shed some light? |
i think these are questions related to keychain and not specific to expo-cli, so i don't think this is necessarily the best place to ask.
i think this is what we can answer for you - it should be under as for keychain type:
|
Yea, I'm finding answers to those questions via the source - thanks for pointing me toward that! While the issue is certainly related to keychain, I'm thinking there is room for improvement here on expo-cli, in that the handling of this case is not great. expo-cli just fails outright in this scenario, where it could at least allow the user to manually enter the password to complete the build. I'll grant that this is probably an edge case. Now that I know what items in keychain I am looking for, I am able to see that I am in fact getting different responses when ssh'd vs not ssh'd. I'll continue tracking that down and intend to open a PR if I can find a good method to work around this. |
i agree we can handle it better! catching the error and letting users proceed w/o keychain seems like the most simple catchall approach |
Update:I see that I am getting different responses from the When I am NOT ssh'd, I CAN retrieve the password:
But when I am ssh'd into the same machine, using the same macOS user account, I get NO OUTPUT for the same command:
(Note that node-keychain appears to use And here are the answers to my questions from a few comments ago:
So that confirms that behavior is different when ssh'd. I'll see if I can put together a good way to catch that, and allow the user to continue on with the build. |
* [expo-cli] improvement: Handle keychain save error closes issue #3065 * [expo-cli] improvement: return full error message on keychain save error
While the CLI not breaking when it can't write to the keychain is useful, for people that would like the keychain to be writable while connected via SSH, you can run Very useful for CIs and such. |
@gCardinal Thanks for the tip! I just tested it and it did work in my scenario. Agreed that this would be great for CIs. Using Still glad to see that this PR was merged, since it doesn't require documentation/remembering things. |
This issue is stale because it has been open for 60 days with no activity. If there is no activity in the next 7 days, the issue will be closed. |
This issue was closed because it has been inactive for 7 days since being marked as stale. Please open a new issue if you believe you are encountering a related problem. |
Description
When I ssh into my Mac Mini (Big Sur) and run
expo build:ios -t archive --release-channel dev
I get an error when it tries to access the keychain:Security returned a non-successful error code: 36
. Running the same command from that Mac directly (not ssh'd) works just fine.Environment
I get identical output for this whether I am ssh'd in or working directly on the host machine.
Host Machine:
2020 Mac Mini running M1 chip
macOS Big Sur v11.1
ssh setup was accomplished by turning on System Preferences -> Sharing -> Remote Login on the host, adding my client machine's key to authorized_keys, and then sshing from client to host using said key (NOT via password).
Expected Behavior
I expected that the keychain would be usable while I am running the build over ssh, or if that is not feasible, do not attempt to access the keychain and therefore do not err out.
Observed Behavior
Over ssh, I get the following error:
Workaround
Still over ssh, if I set
EXPO_NO_KEYCHAIN=1
and then run the same exact command as above, it works. However, this also has the undesirable consequence of removing the Apple ID from the keychain on the host machine.Reproducible Demo
n/a
The text was updated successfully, but these errors were encountered: