Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sc2Fc-003Mj9-Ey for pgadmin-hackers@arkaria.postgresql.org; Thu, 08 Aug 2024 12:28:16 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sc2Fb-00E08d-0f for pgadmin-hackers@arkaria.postgresql.org; Thu, 08 Aug 2024 12:28:15 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sc2Fa-00E08V-LI for pgadmin-hackers@lists.postgresql.org; Thu, 08 Aug 2024 12:28:14 +0000 Received: from mail-lf1-x135.google.com ([2a00:1450:4864:20::135]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sc2FX-003hsq-QN for pgadmin-hackers@postgresql.org; Thu, 08 Aug 2024 12:28:13 +0000 Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-52efa16aad9so1151754e87.0 for ; Thu, 08 Aug 2024 05:28:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pgadmin.org; s=google; t=1723120090; x=1723724890; darn=postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=461/gdEjeenLN1ih5Dw1uYtclrJXNpvQfcanF8MT29A=; b=klhiI6tMBVmyB4knb6AYQHlE2IGQrEWZp2mqHLx8Fa7lGotwTkEsF/VG0jydxvjLOJ fEBz1rXkXKLFUZiGfJtzHRHoWacmHTLrqc4yjk4VOLDLOW8+RHdvRrE2ug52ct49e+P8 +yg8OP4CsQ3cpRKYqpVIz7gKUmM/PBZnhJAnR8IchvPDOCMFM56PkjOkeYtuXIQ69ObR TqSNxXcchPOEeCZLiR2j9+/ppPny2gjTogwAtVGVy111JGRJO5tWo2a3IcAot5Xgqmy+ 651Z07xxDCtyf5HrTKsV1VxhhSue1IJhjev8xCVASiPVfqYxWHwWcnwYJRla7iEI7Ubx YJlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723120090; x=1723724890; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=461/gdEjeenLN1ih5Dw1uYtclrJXNpvQfcanF8MT29A=; b=eP3VFYLM50vFeWEQQBIMkAw6BqORXER1HRc7KtL5iDfGrasLQP4r40GoQMFr9cUUl8 Tx4jR0/GvC5GMyA0L6dyJmeQdw906VA08Z1NibqdPYmss1isB8i+3u+SAtz0DGF6w7cz 0JaTfy9S+/djWTRl3fgGR/SNSyRXJ027KZWu6xnkNdsvfxo9+WcN2g3TrKF64LMURzAU 8dYZYgDNFis2Ku84b2rgtYug+F/g0fhUFrHeQXm9lvKy6P/v8ANbuxDZF2KmzvuEYKyu 37VlmGUq/8Ta5sYTRwlklez4ixyzSkm5mNK5ap5EwCid2Lad64g/c04pJbD7mEJy5enU fNzA== X-Gm-Message-State: AOJu0YwMuuRwFx7lpEXz8zDfOeSi/nHquNuZJ4m5n6ILs+2nW0DQl7bx BstLIu/7Xbu5Yl6DSaIgFWOH0WW5EE22/xGBXZpGc35PeePaUPY+cHgHWBqvvm9Mjm7iGLJkilH U6rta8x+InK8XrzEu6CaJlIa/Yyg+hCOQ2Ud4 X-Google-Smtp-Source: AGHT+IFlvzdbsqTi2ZJk8oYNa85ux3pAR1OTUicI4dIgp6nGaPRbxeo1bwwSMrIJBKCNnKU+rgdk5NeBcCy+2VqF2PE= X-Received: by 2002:a05:6512:b96:b0:52c:f2e0:db23 with SMTP id 2adb3069b0e04-530e58900b9mr1323372e87.40.1723120089574; Thu, 08 Aug 2024 05:28:09 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Dave Page Date: Thu, 8 Aug 2024 13:27:58 +0100 Message-ID: Subject: Re: #7076 - Keychain access on Mac To: Yogesh Mahajan Cc: pgadmin-hackers Content-Type: multipart/alternative; boundary="000000000000d849c8061f2b28e4" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000d849c8061f2b28e4 Content-Type: text/plain; charset="UTF-8" On Mon, 5 Aug 2024 at 13:27, Yogesh Mahajan wrote: > Hi Hackers, > > Issue #7076 has > been reported by many Mac users. Issue has popped up when python binary > version is changed for the pgadmin. > > To save server passwords, pgadmin uses os level secret storage (in case of > Mac it is keyring) and adds an entry for each save password. Whenever the > python binary version is changed, keychain (python lib used to access > keychain) asks for a password 2 times for accessing each entry. If you have > 10 servers, then it will ask for 20 times. > > To fix the issue, pgadmin will follow the same approach as chrome. > 1.An encryption key will be auto-generated and will be stored in the > keychain. > 2.Whenever save password request is received, encryption key will be used > to encrypt password and encrypted password will be saved in the pgadmin > database. > 3.Similarly, while retrieving the password, encryption will be pulled from > the keychain and will be used to decrypt the password. > This will reduce password asks to 2 times on python binary version change. > That sounds almost like returning to the way things used to work with the master password, except we auto-generate it, and store that in the keychain. I assume we'd do the same on all platforms, using whatever the equivalent store is on each? Any idea why it asks for the login password twice per access on macOS? -- Dave Page pgAdmin: https://www.pgadmin.org PostgreSQL: https://www.postgresql.org EDB: https://www.enterprisedb.com PGDay UK 2024, 11th September, London: https://2024.pgday.uk/ --000000000000d849c8061f2b28e4 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
On Mon, 5 Aug 2024 at 13:27, Yogesh M= ahajan <yogesh.mahaja= n@enterprisedb.com> wrote:
Hi Hackers,=

Issue=C2= =A0#7076 has been reported by many Mac users. Issue has popped = up when python binary version is changed for the pgadmin.

To save server passwords, = pgadmin uses os level secret storage (in case of Mac it is keyring) and add= s an entry for each save password. Whenever the python binary version is ch= anged, keychain=C2=A0(python lib used to access keychain) asks for a passwo= rd=C2=A02 times for accessing each entry. If you have 10 servers, then it w= ill ask for 20 times.

To fix the issue, pgadmin will follow the same approach=C2=A0as = chrome.=C2=A0
1.An encryption key will be auto-generated and will be stored=C2=A0in= the keychain.
2.Whenever save password request is received, encryption key will be= used to encrypt password=C2=A0and encrypted password will be saved in the = pgadmin database.
3.Similarly, while retrieving the password, encryption=C2=A0will = be pulled from the keychain and will be used to decrypt the password.
=
This will red= uce password=C2=A0asks to 2 times on python binary version change.

That sounds almost like returning to th= e way things used to work with the master password, except we auto-generate= it, and store that in the keychain. I assume we'd do the same on all p= latforms, using whatever the equivalent store is on each?

Any idea why it asks for the login password twice per access on mac= OS?=C2=A0

= --
D= ave Page
PostgreSQL: https://www.postgresql.org

PGDay UK 2024, 11th Septem= ber, London: https://2= 024.pgday.uk/

--000000000000d849c8061f2b28e4--