Re: #7076 - Keychain access on Mac - Mailing list pgadmin-hackers

From Dave Page
Subject Re: #7076 - Keychain access on Mac
Date
Msg-id CA+OCxoxB2a3y=QthPBRvdDv+pneK8SG6tK6rHrM=b-RJek=Enw@mail.gmail.com
In response to Re: #7076 - Keychain access on Mac  (Yogesh Mahajan <yogesh.mahajan@enterprisedb.com>)
Responses Re: #7076 - Keychain access on Mac
Re: #7076 - Keychain access on Mac
List pgadmin-hackers


On Thu, 8 Aug 2024 at 13:38, Yogesh Mahajan <yogesh.mahajan@enterprisedb.com> wrote:


Hi,

On Thu, Aug 8, 2024 at 5:58 PM Dave Page <dpage@pgadmin.org> wrote:


On Mon, 5 Aug 2024 at 13:27, Yogesh Mahajan <yogesh.mahajan@enterprisedb.com> wrote:
Hi Hackers,

Issue #7076 has been reported by many Mac users. The issue has popped up when the Python binary version is changed for pgAdmin.

To save server passwords, pgAdmin uses OS-level secret storage (in the case of Mac it is keyring) and adds an entry for each saved password. Whenever the Python binary version is changed, keychain (the Python lib used to access the keychain) asks for a password 2 times for accessing each entry. If you have 10 servers, then it will ask 20 times.

To fix the issue, pgAdmin will follow the same approach as Chrome.
1. An encryption key will be auto-generated and will be stored in the keychain.
2. Whenever a save password request is received, the encryption key will be used to encrypt the password, and the encrypted password will be saved in the pgAdmin database.
3. Similarly, while retrieving the password, the encryption will be pulled from the keychain and will be used to decrypt the password.
This will reduce password asks to 2 times on a Python binary version change.

That sounds almost like returning to the way things used to work with the master password, except we auto-generate it, and store that in the keychain.
 
Yeah.
 
I assume we'd do the same on all platforms, using whatever the equivalent store is on each?
 
Yes, we will be doing the same on all supported platforms.
 

Any idea why it asks for the login password twice per access on macOS? 

This is a known issue for the keyring Python lib. And this one, where the keychain asks for a password for accessing each entry.

OK, thanks. 
--
Dave Page
PostgreSQL: https://www.postgresql.org

PGDay UK 2024, 11th September, London: https://2024.pgday.uk/
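
The three-step scheme proposed in the thread, as an added sketch that is not pgAdmin's code and not part of any message above. `FakeKeychain` is a constructed stand-in for the OS keychain that counts reads, and the `server` table, the `KEY_ITEM` name, the use of Fernet from the `cryptography` package and the in-memory caching of the key are all assumptions.

```python
import sqlite3
from cryptography.fernet import Fernet

class FakeKeychain:
    """Constructed stand-in for the OS keychain; counts reads, since each
    keychain read is what can trigger a prompt after a Python binary change."""
    def __init__(self):
        self.items, self.reads = {}, 0
    def get(self, name):
        self.reads += 1
        return self.items.get(name)
    def set(self, name, value):
        self.items[name] = value

class PasswordStore:
    KEY_ITEM = "example-encryption-key"  # hypothetical keychain entry name

    def __init__(self, keychain, db):
        self.keychain, self.db, self._fernet = keychain, db, None
        db.execute("CREATE TABLE IF NOT EXISTS server (name TEXT PRIMARY KEY, password BLOB)")

    def _cipher(self):
        # Step 1: auto-generate the key once and keep it in the keychain.
        # Caching it for the session (an assumption) means one keychain read in total.
        if self._fernet is None:
            key = self.keychain.get(self.KEY_ITEM)
            if key is None:
                key = Fernet.generate_key().decode()
                self.keychain.set(self.KEY_ITEM, key)
            self._fernet = Fernet(key.encode())
        return self._fernet

    def save(self, server, password):
        # Step 2: only ciphertext reaches the application database.
        token = self._cipher().encrypt(password.encode())
        self.db.execute("INSERT OR REPLACE INTO server VALUES (?, ?)", (server, token))

    def load(self, server):
        # Step 3: decrypt with the keychain-held key; a modified token raises InvalidToken.
        row = self.db.execute("SELECT password FROM server WHERE name = ?", (server,)).fetchone()
        return None if row is None else self._cipher().decrypt(row[0]).decode()

def demo():
    keychain = FakeKeychain()
    store = PasswordStore(keychain, sqlite3.connect(":memory:"))
    for i in range(10):
        store.save(f"server{i}", f"pw{i}")
    loaded = [store.load(f"server{i}") for i in range(10)]
    return keychain.reads, loaded
```

With ten saved servers the keychain holds one item and is read once per session, which is the reduction in prompts the proposal is after. Fernet is authenticated, so a ciphertext edited in the database fails to decrypt instead of yielding a wrong password.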
