jaraco / keyring

MIT License

two keyring password dialogs are triggered #644

Closed bwagner closed 9 months ago

bwagner commented 1 year ago

Describe the bug

If name1 is a substring of name2, two dialogs are triggered to retrieve either of their passwords. The first dialog reads:

python3.11 wants to use your confidential information stored in "myorg" in your keychain.

After entering the keyring password, the second dialog appears:

python3.11 wants to access key "myorg" in your keychain.

To Reproduce

Steps to reproduce the behavior:

  1. Start Keychain Access application.

  2. Create two passwords, where the name of one is a substring of the other name, e.g. "myorg" and "myorg-api".

  3. Retrieve one of the passwords, e.g. python -c 'import keyring;print(keyring.get_password("myorg", "user1"))'

  4. See two dialogs

Expected behavior

The keyring password should only be requested once.

Environment

keyring 24.2.0
...
keyring.backends.fail.Keyring (priority: 0)
keyring.backends.chainer.ChainerBackend (priority: -1)
keyring.backends.macOS.Keyring (priority: 5)
...

Strangely, when creating those entries in keyring using python and after deleting "python3.11" from "Access Control" within the Keychain Access app, the keychain password is requested only once, as expected!

jaraco commented 9 months ago

I suspect the issue is unrelated to the presence of a substring. I use the macOS keyring and it frequently prompts me twice for the keychain password with two different prompts.

To test this assumption, I added just one password to my keychain.

I then ran the command as indicated and was prompted for the password twice. I have a habit of selecting Always Allow because if I select simply Allow, it frequently prompts twice, as it did here. If I choose Always Allow, I'm prompted only once. Regardless, it appears the substring is a red herring. The issue is that macOS prompts twice for a single credential retrieval. Even after retrieving the password, I'm repeatedly prompted twice for the keyring password to retrieve the credential.

jaraco commented 9 months ago

Tracing the code for the macOS backend, the "get" operation only calls the API once (here). There's nothing that Keyring is doing that's triggering the multiple password prompts. It's Apple's own logic that's forcing the password prompt twice. I don't know why it does it.

Most users have the keyring configured with the same password as the user's login, so the keychain is unlocked by default and password prompts are bypassed. I'm unsure why that's not the case for your application. The only reason I notice it is because I keep a separate keychain, "home".

I don't think there's anything keyring can do to overcome Apple's limitations here.

I welcome ideas or suggestions or further lines of inquiry.

jaraco commented 9 months ago

See also #619, which is slightly related.