When using screen on OSX keyring fails. keyring.backends._OS_X_API.Error: (-25308, "Can't fetch password from system") #302

Closed
mjfwest opened this issue Jan 22, 2018 · 8 comments


@mjfwest mjfwest commented Jan 22, 2018

When using screen, keyring fails to get passwords with:
keyring.backends._OS_X_API.Error: (-25308, "Can't fetch password from system")
The corresponding system log is:

default	20:28:11.858440 +0100	python	UNIX error exception: 17
default	20:28:11.864036 +0100	python	UNIX error exception: 17
default	20:28:11.868986 +0100	python	UNIX error exception: 17
default	20:28:11.908907 +0100	securityd	0x7fc7a3738d30(0x7fc7a35191f0) unlocking for makeUnlocked()
default	20:28:11.909190 +0100	securityd	new SecurityAgentConnection(0x700004a942f8)
default	20:28:11.909281 +0100	securityd	new SecurityAgentXPCQuery(0x700004a942f8)
default	20:28:11.909671 +0100	securityd	MacOS error: -67050
default	20:28:11.911641 +0100	securityd	code requirement check failed (-67050), client is not Apple-signed
default	20:28:11.911697 +0100	securityd	activate(0x700004a942f8)
default	20:28:11.911892 +0100	securityd	CSSM Exception: 224 CSSM_ERRCODE_NO_USER_INTERACTION
default	20:28:11.913477 +0100	securityd	SecurityAgentXPCQuery(0x700004a942f8) dying
default	20:28:11.913526 +0100	securityd	SecurityAgentConnection(0x700004a942f8) dying
default	20:28:11.920532 +0100	python	CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
default	20:28:11.922648 +0100	python	CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
default	20:28:11.924116 +0100	python	caught CssmError: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
default	20:28:11.924931 +0100	python	error while checking integrity, denying access: CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION

The same code works when not attached to a screen with the system log:

default	20:32:11.084766 +0100	python	UNIX error exception: 17
default	20:32:11.090567 +0100	python	UNIX error exception: 17
default	20:32:11.094564 +0100	python	UNIX error exception: 17
default	20:32:11.146957 +0100	securityd	0x7fc7a3542dd0(0x7fc7a3710b90) is unlocked; decoding for makeUnlocked()
default	20:32:11.159870 +0100	securityd	MacOS error: -67050
default	20:32:11.161918 +0100	securityd	code requirement check failed (-67050), client is not Apple-signed
default	20:32:11.162328 +0100	securityd	MacOS error: -67050
default	20:32:11.164488 +0100	securityd	MacOS error: -67050
default	20:32:11.167144 +0100	securityd	MacOS error: -67050
default	20:32:11.169253 +0100	securityd	MacOS error: -67050
default	20:32:11.171544 +0100	securityd	MacOS error: -67050
default	20:32:11.173874 +0100	securityd	MacOS error: -67050
default	20:32:11.189010 +0100	securityd	keychain reference in server mode

Owner

@jaraco jaraco commented Jan 22, 2018

Thanks for the report. I’m not sure what we can do if the screen context simulates a state in which keyring access is disallowed.

Does the macOS built-in command-line client work in that context?

Author

@mjfwest mjfwest commented Jan 22, 2018

No, it fails both directly in OSX Terminal (when running screen) and also through ssh (when running screen), if that is what you mean.
I will check if it does the same in tmux and dvtm+dtach.
If nothing else we can leave this here to save future generations an afternoon of debugging the wrong thing. It would be even better to give a clear warning message if possible.

Owner

@jaraco jaraco commented Jan 22, 2018

I mean security find-generic-password -a $USER -s $SYSTEM -w.

Author

@mjfwest mjfwest commented Jan 22, 2018

Sorry, I misunderstood. Using screen and trying security find-generic-password -a $USER -s $SYSTEM -w, I get no output and the following console log.

default	23:41:20.352257 +0100	security	UNIX error exception: 17
default	23:41:20.358770 +0100	security	UNIX error exception: 17
default	23:41:20.363548 +0100	security	UNIX error exception: 17
default	23:41:20.369749 +0100	security	UNIX error exception: 17
default	23:41:20.373990 +0100	security	UNIX error exception: 17
default	23:41:20.379673 +0100	security	UNIX error exception: 17
default	23:41:20.424863 +0100	securityd	0x7fc7a35227e0(0x7fc7a35191f0) unlocking for makeUnlocked()
default	23:41:20.425168 +0100	securityd	new SecurityAgentConnection(0x700004a112f8)
default	23:41:20.425258 +0100	securityd	new SecurityAgentXPCQuery(0x700004a112f8)
default	23:41:20.431923 +0100	trustd	cert[2]: AnchorTrusted =(leaf)[force]> 0
default	23:41:20.433831 +0100	securityd	activate(0x700004a112f8)
default	23:41:20.433969 +0100	securityd	CSSM Exception: 224 CSSM_ERRCODE_NO_USER_INTERACTION
default	23:41:20.436094 +0100	securityd	SecurityAgentXPCQuery(0x700004a112f8) dying
default	23:41:20.436144 +0100	securityd	SecurityAgentConnection(0x700004a112f8) dying
default	23:41:20.444021 +0100	security	CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
default	23:41:20.447087 +0100	security	CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
default	23:41:20.449442 +0100	security	caught CssmError: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
default	23:41:20.450336 +0100	security	error while checking integrity, denying access: CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION

If I ask for a key I know is not there, it tells me that OK:

security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.

Owner

@jaraco jaraco commented Jan 23, 2018

It sounds to me like even the macOS security command can’t access the keychain under screen... which means it’s probably by design. You may wish to work with the developers of screen. If they can allow security to access the credentials, then we should be able to get keyring to do the same.

Contributor

@micahculpepper micahculpepper commented Nov 29, 2018

I am unable to reproduce using:

  • Python 3.7.1
  • keyring 16.1.1
  • MacOS 10.13.6
  • Screen version 4.00.03 (FAU) 23-Oct-06

bash-4.4$ python3 -m venv test
bash-4.4$ cd test
bash-4.4$ source bin/activate
(test) bash-4.4$ pip install keyring
Collecting keyring
  Cache entry deserialization failed, entry ignored
  Downloading https://files.pythonhosted.org/packages/c6/75/75d9d3f45ff56e4d39a954d5694463887b24ef639c1befb5da027c5a0f0e/keyring-16.1.1-py2.py3-none-any.whl
Collecting entrypoints (from keyring)
  Using cached https://files.pythonhosted.org/packages/cc/8b/4eefa9b47f1910b3d2081da67726b066e379b04ca897acfe9f92bac56147/entrypoints-0.2.3-py2.py3-none-any.whl
Installing collected packages: entrypoints, keyring
Successfully installed entrypoints-0.2.3 keyring-16.1.1
You are using pip version 10.0.1, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(test) bash-4.4$ keyring set test_service test_account
Password for 'test_account' in 'test_service':
(test) bash-4.4$ screen bash

--- screen session ---

(test) bash-4.4$ which keyring
/Users/me/test/bin/keyring
(test) bash-4.4$ keyring get test_service test_account
test
(test) bash-4.4$

As an aside, a lot of my users do see the error message you mentioned from time to time. They're not using screen. Once they see the error message, it comes up on all subsequent keyring calls, whether attempting to read from the system keychain or write to it. Rebooting fixes it.

Contributor

@micahculpepper micahculpepper commented Nov 29, 2018

One thing that stands out to me from your error logs is this line:

securityd	code requirement check failed (-67050), client is not Apple-signed

This reminds me of this old chestnut: #219 (comment) where the solution involved running codesign on your interpreter. I'm not 100% sure that's the solution here, but may be worth a shot.

Owner

@jaraco jaraco commented Nov 30, 2018

@micahculpepper Thanks for attempting to replicate the issue. It does indeed sound like there's nothing that keyring can do to assist. But if someone does indeed discover more detail, don't hesitate to post here and we can re-open if appropriate.
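
The following is an added example, not part of the original thread and not keyring's own code: it compares the failing and working securityd traces quoted above to show which log markers actually differ between them. The function names (`parse`, `diagnose`, `distinguishing`) are hypothetical, and the sample lines are excerpted from the logs in this issue.

```python
# Added example: classify the securityd traces quoted in this thread.
# Lines are excerpted from the logs above; fields are tab-separated
# (level, timestamp, process, message).
FAILING = """\
default\t20:28:11.908907 +0100\tsecurityd\t0x7fc7a3738d30(0x7fc7a35191f0) unlocking for makeUnlocked()
default\t20:28:11.911641 +0100\tsecurityd\tcode requirement check failed (-67050), client is not Apple-signed
default\t20:28:11.911892 +0100\tsecurityd\tCSSM Exception: 224 CSSM_ERRCODE_NO_USER_INTERACTION
default\t20:28:11.924931 +0100\tpython\terror while checking integrity, denying access: CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
"""
WORKING = """\
default\t20:32:11.146957 +0100\tsecurityd\t0x7fc7a3542dd0(0x7fc7a3710b90) is unlocked; decoding for makeUnlocked()
default\t20:32:11.161918 +0100\tsecurityd\tcode requirement check failed (-67050), client is not Apple-signed
default\t20:32:11.189010 +0100\tsecurityd\tkeychain reference in server mode
"""


def parse(trace):
    """Yield (process, message) for each well-formed log line."""
    for line in trace.splitlines():
        parts = line.split("\t", 3)
        if len(parts) == 4:
            yield parts[2], parts[3]


def diagnose(trace):
    """Return (verdict, findings) for one trace."""
    events = list(parse(trace))
    sd = [msg for proc, msg in events if proc == "securityd"]
    findings = {
        # securityd had to unlock the keychain itself (needs a prompt)
        "unlock_attempted": any("unlocking for makeUnlocked()" in m for m in sd),
        # keychain was already unlocked, no prompt needed
        "already_unlocked": any("is unlocked; decoding" in m for m in sd),
        # the unlock prompt could not be shown to a user
        "prompt_refused": any("NO_USER_INTERACTION" in m for _, m in events),
        # calling binary is not Apple-signed (error -67050)
        "unsigned_client": any("-67050" in m for m in sd),
    }
    if findings["prompt_refused"]:
        return "no-user-interaction", findings
    return ("ok" if findings["already_unlocked"] else "unknown"), findings


def distinguishing(trace_a, trace_b):
    """Names of findings whose value differs between two traces."""
    a, b = diagnose(trace_a)[1], diagnose(trace_b)[1]
    return {name for name in a if a[name] != b[name]}
```

In these two traces the -67050 "not Apple-signed" line appears in both the failing and the working run; the markers that differ are the unlock attempt and the NO_USER_INTERACTION exception.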
