Bug: No prompt for keychain on macos

[jaredcat]

Consent

• I verified that there is no open/closed issue for the same subject.
• I understand that YTMDesktop have NO affiliation with Google or YouTube

Current Behavior

Open integration settings on macos and lastfm is disabled because of secure storage is not available.
It works with yarn start but doesn't work with production app or yarn make

Expected Behavior

The user should be prompted to allow the app access to secure storage for these features.

Steps To Reproduce

Install app
Open app
Open settings
go to integrations

YTMDesktop

v2.0

OS

MacOs

OS Version

14.4

Arch

aarch64

Installation way

drag and drop

Anything else?

I manually approved the app by opening Keychain Access, but this was a hurdle when making #1286

Might be related to: #1186

[Alipoodle]

Did you have this issue prior to your PR for Last.fm #1286 ? I feel like this issue would have shown up earlier.

[jaredcat]

@Alipoodle I just started using this project a few days ago at v2 so i can't really say, but it was like that when i installed it.
I don't really care too much about lastfm myself, so maybe there just a lack of visibility from the community of mac + lastfm users that use this project.
It could also be effected by other factors like os version. maybe theres new requirements to request this or something.

[gotgenes]

@jaredkotoff Did you manually create that entry in the Keychain Access, or was it already existing?

I didn't see such an entry named that in my login keychain. I tried to create it manually, but I'm not sure what value to enter for the password. So, I put in a random string, and set Access Control to "Allow all applications to access this item". But I'm not seeing the value of that entry get modified by YTMD.

I was expecting when I sign out, then sign back in, that YTMD would write a new value to this entry, but so far, it hasn't. And the Integrations under YTMD Settings still say "This integration cannot be enabled due to safeStorage being unavailable".

[jaredcat]

It was already there for me. Just used the search to find it.
I'll try to see if there's something I did to get it to show up

[Alipoodle]

From @cortesi who has provided some helpful information~

Possibly relevant: I had to use "xattr -c" to get around an error starting the app from the release packages after installation.

[main][info] Created electron store
[4858:0209/142953.477578:ERROR:keychain_password_mac.mm(113)] Keychain lookup for suffixed key failed: Error Domain=NSOSStatusErrorDomain Code=-67030 "(null)" (-67030)
2024-02-09 14:29:53.487 youtube-music-desktop-app[4858:54685] WARNING: Secure coding is automatically enabled for restorable state! However, not on all supported macOS versions of this application. Opt-in to secure coding explicitly by implementing NSApplicationDelegate.applicationSupportsSecureRestorableState:.
[main][info] Application ready

If we look up the error code 67030 we get for keychain access we see this:
https://www.osstatus.com/search/results?platform=all&framework=all&search=67030

And if we then look it up in the header file here:
https://opensource.apple.com/source/libsecurity_codesigning/libsecurity_codesigning-55032/lib/CSCommon.h.auto.html
... the matching comment is "invalid Info.plist (plist or signature have been modified)"

This looks like a code-signing error on plist access to me. So I think the fact that keychain access is denied is probably due to the fact that the application is unsigned. I'm sorry, but I don't have time to sign up for a developer account and test this at the moment, but perhaps it can provide a direction to look in for someone down the track.

[Alipoodle]

After borrowing a MacBook from Work I've been able to play and work a bit on the flow and feeling of the MacOS version of the application.

First of all F*** Apple...

Through the build process they've had a lot of minor little things with Development which have just made the process of developing for it a pain in the butt... Lack of being able to build + test on a "non-mac" device, their model for "broken application" and a few "design choices".

With that out the way. The main problem I have found is that the ARM build of the application is a mess and is to the point of not even worth sharing and using the x64 version with Rosetta is a better experience and fully functional (to my knowledge) with the features it needs and doesn't block the ability for SafeStorage in Electron.

It seems like there's a problem with how the ARM version of the application~ where in the chain of the application it breaks (Electron, Electron Forge compiling it all or some other thing), it's not going to be a task that can be diagnose by Myself or Novus as neither of us are a primary Mac user and lack of being able to compile & test for it off platform.

[gotgenes]

I can sympathize.

I use an M1 MacBook Pro as my main computer and am happy to help. I'm not yet familiar with Electron but I do have experience in application development.

Do you have a recommendation of where to start looking where the build is failing to meet expected behavior?

[jaredcat]

fwiw, I used xattr -c from the start and don't seem to have many issues outside this with my m1 mac. I wouldn't consider it "terribly broken" but understand the frustration with Apple.

It makes sense to only offer x64 if it works with secure storage until someone can figure out if there's away to get it to work with ARM
OR update the README with instructions for manually allowing access like I did (although I'm not sure if I did something special to get it to show up there since @gotgenes said it wasnt there for them)

And just to note: after manually allowing the app access I don't have issues with being logged out or using the integrations like lastfm, so I think everything is working as it should for me.

[gotgenes]

I discovered that running the project from the repository's source code will create the keychain value.

Specifically:

1. From the terminal, clone the YTMD repository.

   git clone https://github.com/ytmdesktop/ytmdesktop.git
   

2. cd into the repository.

   cd ytmdesktop
   

3. Install the project dependencies.

   yarn install
   

4. Run the app from the command line.

   yarn start
   

5. Sign in to your YouTube account in the YTMD application instance that you launched from the command line.

   This results in the entry in keychain, and for me, it allows access from Electron, as shown below.
   

6. Quit that instance launched from the command line.

7. In Keychain Access, manually add to the list of applications allowed access the YTMD Application that I downloaded from MacOS arm64 artifact on the Releases. (Specifically, I have this one in /Applications/YouTube\ Music\ Desktop\ App.app/.)

8. Open finder, and open the downloaded YTMD (in /Applications/).

9. Observe that it has me signed in.

10. Quit and reopen the app and observe I am still signed in.

[LockonF]

@gotgenes I just saw this and can confirm that the solution works when launching electron from the source code app and manually allowing access. Thanks!

[jaredcat]

Ah, that makes sense since I was running from source.
I wonder if running intel build once would also work instead of having to pull down the repo

[gotgenes]

I wonder if running intel build once would also work instead of having to pull down the repo

I wondered the same thing. For reasons I don't yet understand, the answer for me is, "No."

Here's the combinations I tried:

1. Launching the x64 artifact from ~/Downloads/ from Finder, signing in, quitting, adding the arm64 application in /Applications/ to the keychain access, and launching the arm64 artifact in /Applications/.
2. Copying the x64 artifact to /Applications/, launching it, signing in, quitting, and replacing with the arm64 artifact.

Prior to each combination, I deleted the YouTube Music Desktop App Safe Storage entry from the login keychain, and removed prior data for YTMD with

rm -rf ~/Library/Application\ Support/YouTube\ Music\ Desktop\ App ~/Library/Saved\ Application\ State/com.electron.youtube-music-desktop-app.savedState/ ~/Library/Logs/YouTube\ Music\ Desktop\ App/

After launching the x64 artifact, I confirmed there was an entry in the login keychain, and I granted access to the /Applications/YouTube\ Music\ Desktop\ App.app/ artifact.

These didn't work. As soon as I launched the arm64 artifact, I was no longer signed in. Signing in the arm64 artifact, then quitting, resulted in me being signed out the next time I launched the arm64 artifact.

After wiping everything again, I tried running the source code locally, as described above, and my sign in is preserved again.

🤷‍♂️