-
Type: Task
-
Resolution: Fixed
-
Priority: Critical - P2
-
Affects Version/s: 1.19.0
-
Component/s: Connectivity, Favorites, Security
-
3
-
Needed
-
-
Iteration Bison, Iteration Manatee
The multiple keychain password prompt has been a long-running unexplained behavior we haven't been able to get to the bottom of. A roll-up of bug reports:
My hunch after re-reading these tickets is this happens after an auto-update or a manual upgrade. What's most likely is that we simply need to call keytar methods from the main process via ipc rather than from the renderer as we do today. See this example on stackoverflow.
One other important note: I recommend you only call node-keytar from the main process. If you set a password from the main process and then attempt to get it from a renderer process, it’ll prompt a permissions dialog for the user (this is macOS only, Windows doesn’t seem to mind either way). Additionally, I think it’s cleaner and clearer to the user if the access control list has your app name and it’s icon, instead of MyApp Helper and the generic app icon which is what you get when a renderer sets it.
More notes from previous tickets rolled up below.
—
SecKeychainFindGenericPassword, which is the method keytar uses to read a stored connection password. In the discussion:
This function automatically calls the function SecKeychainUnlock to display the Unlock Keychain dialog box if the keychain is currently locked.
A few ideas on what might need to happen:
- Maybe something in the keytar bindings is too specific?
Maybe when we run app-migrations today, macOS needs to re-validate or something? - Maybe a bulk-read call to fetch all passwords with FindPassword would guarantee this unlock dialog is shown once and only once in all cases (a single, implicit SecKeychainUnlock call), but there are some potential security implications to consider.
- is related to
-
COMPASS-3469 Compass Not Pulling Passwords from Keychain
- Closed
-
COMPASS-3091 Investigate Password Storage Regression on 1.15.0
- Closed
-
COMPASS-3147 Clicking allow, deny, or always allow does not cause keychain access prompt to close
- Closed
-
COMPASS-3710 Connections/Favorites are not persisted in VDI and other Windows environments
- Closed
-
COMPASS-1767 Keychain approval appears many times after initial install
- Closed
-
COMPASS-3215 Repeated request for keychain password
- Closed