electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

Temporary keychains created by electron-builder #3685

Closed paulbennet closed 5 years ago

paulbennet commented 5 years ago

[Screenshot: 2019-02-12 23 45 45]

Just noticed these temporary keychains being created on my machine. Though the keychain files are not physically available in the specified locations, they still show up in the "Keychain Access" utility.

  1. Does electron-builder create these temporary keychains?

    • If so, how to avoid these or clean up once the build process is done?
  2. Should I be worried about these?

Note: Been using electron-builder for a while (1+ yrs). So, not sure from which version these happened. I tried safe booting the Mac (which was suggested to clean up temporary cache files), but still didn't work.

mikerogne commented 5 years ago

I noticed that every time I build/publish a new release, a new entry like this is created in my ~/Library/Preferences/com.apple.security.plist file:

<dict>
  <key>DbName</key>
  <string>/private/var/folders/_g/c03jtl312n1bv8jmklvb8wjc0000gn/T/t-77iass/2.keychain</string>
  <key>GUID</key>
  <string>{...}</string>
  <key>SubserviceType</key>
  <integer>6</integer>
</dict>

And the more entries in this file, the longer code signing takes each time. It got to the point where it would take 5+ minutes just for codesign to run... and when I removed all of the duplicates in that file, codesign would only take a few seconds to run.

Discovered this "fix" via: https://stackoverflow.com/questions/40257968/slow-app-compilation-with-new-sierra-update/40605435#40605435

Curious why electron-builder is having this effect?

rosso-ptg commented 2 years ago

I was able to reproduce a situation where temporary keychains will not be properly cleaned up from ~/Library/Preferences/com.apple.security.plist resulting in what is described in the comments above.

  1. Log in with the user that executes the build
  2. Change the user password using the passwd command line utility - this will NOT change the keychain password
  3. Log out
  4. Log in (from the UI)

It seems that when logging in, macOS tries to unlock the login keychain using the login password. This obviously fails, since user and keychain passwords have now diverged. The login utility will silently nuke your old login keychain and create a new one. The file ~/Library/Preferences/com.apple.security.plist will be recreated and now be owned by root, not by the user.

I have not checked how electron-builder deletes temporary keychains from ~/Library/Preferences/com.apple.security.plist, but it now fails to do it properly - I assume due to the wrong file ownership.

This looks like a bug in macOS to me.
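A read-only check for the two conditions described in the comments above (search-list entries whose DbName file no longer exists, and a plist not owned by the build user), as an added example that is not code from electron-builder or from any commenter. It walks the plist for any dict carrying a DbName key, so it assumes nothing about the surrounding layout; the `SearchList` wrapper key and the sample paths and GUIDs are constructed.

```python
import os
import plistlib
import tempfile

def keychain_entries(node):
    """Yield every dict that carries a DbName key, at any nesting depth."""
    if isinstance(node, dict):
        if "DbName" in node:
            yield node
        for value in node.values():
            yield from keychain_entries(value)
    elif isinstance(node, list):
        for item in node:
            yield from keychain_entries(item)

def audit(plist_path, exists=os.path.exists, uid=None):
    """Return (stale_db_names, owned_by_uid) for a keychain search-list plist."""
    uid = os.getuid() if uid is None else uid
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)  # handles both XML and binary plists
    stale = [e["DbName"] for e in keychain_entries(data) if not exists(e["DbName"])]
    return stale, os.stat(plist_path).st_uid == uid

# Constructed sample: the wrapper key is a placeholder, not the real file layout.
SAMPLE = {"SearchList": [
    {"DbName": "/nonexistent/t-example/1.keychain", "GUID": "{constructed}", "SubserviceType": 6},
    {"DbName": os.devnull, "GUID": "{constructed}", "SubserviceType": 6},
]}

def demo():
    """Run the audit against the constructed sample written to a temp file."""
    with tempfile.NamedTemporaryFile(suffix=".plist", delete=False) as fh:
        plistlib.dump(SAMPLE, fh)
    try:
        return audit(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    path = os.path.expanduser("~/Library/Preferences/com.apple.security.plist")
    stale, owned = audit(path) if os.path.exists(path) else demo()
    print("stale keychain entries:", len(stale))
    for name in stale:
        print("  ", name)
    print("plist owned by current user:", owned)
```

A growing stale count after each build matches the slowdown reported above, and `False` for ownership matches the root-owned file described in the last comment.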