New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use native keychain bindings if possible #7743
base: trunk
Are you sure you want to change the base?
Conversation
Using patch to make access to Keychain more secure, see cli/cli#7743
36ff598
to
d10a0de
Compare
To address the concern raised by @samcoe in #7123 (comment) that user would have to re-authenticate to switch to the new library, I've added the code that detects token stored by old library and uses it to fetch it properly and overwrite it with plain token with the new library. This should address issue on the macOS. |
Note that user will still have to authorise access to the keychain item for the new binary after switch and on each subsequent upgrade of |
AFAIK the trusting of the binary for each release only has to be done if you don't sign your binaries. If you're releasing signed binaries, it's enough to trust developer once. |
See docs for how aws-vault does it (they're the guys responsible for the lib you're using): https://github.com/99designs/aws-vault/blob/e22aea12b03e8ce036e9af87dda9303806fa2a9e/README.md#development Alternatively, on ARM macs if you distribute via homebrew, kegs are automatically codesigned on installation. |
@reegnz Looks like release binaries are already signed here: cli/.github/workflows/deployment.yml Lines 76 to 93 in e0d2fc8
I'm installing gh via Nix, so that's probably why I'm getting confirmation dialogs from Keychain on each binary update. I'm also fine with it.
|
@YorikSar Apologies for letting this PR languish in review limbo for so long. Just wanted to give you a bit of a status update from our end. We are still interested in moving to the |
I use this patch myself since I’ve published it (I’ve overridden it in my dotfiles), so there is little detriment to myself from having this PR hanging. I’m fine with rebasing it when needed since I will have to rebase it anyway when I want to update my gh, which didn’t happen so far. |
This is something I will bring up with the team to see how we feel about getting this in first. |
Switch from github.com/zalando/go-keyring to github.com/99designs/keyring that uses native bindings on macOS and Windows. On darwin, github.com/zalando/go-keyring encodes secret data in hex or base64, adding a prefix indicating that. If new library returns this prefix, convert the secret to plain data to keep using existing token and not require reauthentication. Originally suggested in cli#7023 (comment) Fixes cli#7123
d10a0de
to
38c90e6
Compare
@samcoe any updates? |
@reegnz No updates on this right now. As we just shipped multi-account this is unblocked now, but with holidays coming up it is unlikely that this work gets prioritized before then. |
Switch from github.com/zalando/go-keyring to github.com/99designs/keyring that uses native bindings on macOS and Windows.
Originally suggested in #7023 (comment)
Fixes #7123
cc @mislav who opened the issue and @reegnz who originally suggested this library.