lifepillar
commented
6 years ago Commit https://github.com/lifepillar/CSVKeychain/commit/f713a2ae240f22ec0939bc7c4d4162570cf2e863 has introduced an AppleScript dialog that prompts for a keychain's password. That is not a system dialog, it is a dialog under control of the script. The typed password is stored in a script variable. This means that the password is written to the script process's memory. Since AppleScript does not have explicit memory management, AFAIK it is not possible to control the persistence of the password in memory.
The change was (reluctantly) made to make the script work in High Sierra (and possibly Sierra as well), where Keychain Access kept prompting for passwords regardless of Access Control settings. It seems to me that Mojave has fixed Keychain Access behaviour, so it might be possible to revert that change. I have to check, though.
nickpapadonis
You mention that the "script always asks for the password to unlock your keychain (you recognise the dialog by the Script Editor icon). Since that dialog is not very secure, it is recommended that you change your keychain's password in Keychain.app before exporting your keychain, and restore the original password afterwards."
Do you have further information on the attack vector here? Is it based on: o Unknown origin of this script? o Applescript security vulnerability? o Memory storage of the password? But then, how would Keychain app handle this?
I'm trying to keep a portable backup of my Keychain data and was hoping this script would solve this. I'm just concerned about security implications and having to change the Keychain login password every time.
Thanks for the pointers.