Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sc2PK-003NtP-MF for pgadmin-hackers@arkaria.postgresql.org; Thu, 08 Aug 2024 12:38:18 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sc2PJ-00E19M-2L for pgadmin-hackers@arkaria.postgresql.org; Thu, 08 Aug 2024 12:38:17 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sc2PI-00E19E-Ou for pgadmin-hackers@lists.postgresql.org; Thu, 08 Aug 2024 12:38:16 +0000 Received: from mail-yw1-x112f.google.com ([2607:f8b0:4864:20::112f]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sc2PC-003nYm-0q for pgadmin-hackers@postgresql.org; Thu, 08 Aug 2024 12:38:16 +0000 Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-66a048806e6so8772027b3.3 for ; Thu, 08 Aug 2024 05:38:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1723120688; x=1723725488; darn=postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SQ+PVxeT6vRTOu+P5+YQftVVf40Tv8y8AGK7+D/Z5Vs=; b=e4xmX75ff6ags9xyfsFs8Pschz+gMAxn99z9/8rcKk/JWeH6TRGXgW+aNoWJ6r8xdW 9yDbzR+yi6CgGmhCRnXRunWa+F152Beu/KOgDc7Y6KwvKcchiKI6ibh0n3CzHU6WEkA8 zt6q+eJTXC7knkhWXe05MglPz7NdzoFljl5NuRZ7yREMErxDVkZPPPvpSjZ2Ht8325fH p4y3jx4WlJCrxKcr1Le6CKW2fbL1thazkZSJxqQXrb9QekbGZ/FDq5uKG3D1rrTVSd0E iJap86sgl6K9+9o+wZuySHuVu57DktanKAGkCY9AjOfjuqeyZ4LihBoTfE0zpjTt8H/g ZJFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723120688; x=1723725488; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SQ+PVxeT6vRTOu+P5+YQftVVf40Tv8y8AGK7+D/Z5Vs=; b=YJUzpyihAnxYQuV5UiwYxBqxF127exQKw21FB0va5wJYnZjL5p4X602bSrL2aXl7Mr 9APvcrT6+itg0RlORCTsG32gzhES4TDEvxJ8ykU0R1bnQiPwkIzEx8nBcn0n8g7Xbt/J cx7BzQJXL/laXFOMLbURlQvuFzSMK6GnW1ArKyswvVAgCZhIJwBjsJGt5owD+lrZIM4N 7TXZ9vtDsbJwDHC59Mc70cwbF2bw199gz8QRsxx2NVYP3Qc3RtVLUnlvpkmncSqeYqHD cNpQyZrsxnBmONstVj7y6BfdVvNY4u0NMkqTbqvhYdik8eU60ruyLOSOdD3gPPe7JfoJ fNsg== X-Gm-Message-State: AOJu0Yze48iOosgyWDz2/UpSrVGZh/69Pig1VWjwtf20Tp2Jsq+JBMs5 wmwiGQRBXJqT1aRgE1DQtC2ak2jtZiQdBxA/6wqSA2hlTYG4SCuLGk2mv62TGfJ0HLE79TcZV9D Lzzfd8bY4pyMLg0Tc/42WecZw1Szk+7VvjHhut/L57TlSPQxP0w== X-Google-Smtp-Source: AGHT+IFHGjtZdzZj55xw/qg/T22dX1Qiv+eCyyHH9nsqhUYRAXgiPEuy9Qy37Qw4uxyswbNdFkbWkmWJdLxwZ2lyZzM= X-Received: by 2002:a05:690c:10c:b0:673:b39a:92f0 with SMTP id 00721157ae682-69bf7d04b54mr18835337b3.11.1723120687726; Thu, 08 Aug 2024 05:38:07 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Yogesh Mahajan Date: Thu, 8 Aug 2024 18:07:30 +0530 Message-ID: Subject: Re: #7076 - Keychain access on Mac To: Dave Page Cc: pgadmin-hackers Content-Type: multipart/alternative; boundary="0000000000007f6c99061f2b4c62" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000007f6c99061f2b4c62 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, On Thu, Aug 8, 2024 at 5:58=E2=80=AFPM Dave Page wrote: > > > On Mon, 5 Aug 2024 at 13:27, Yogesh Mahajan < > yogesh.mahajan@enterprisedb.com> wrote: > >> Hi Hackers, >> >> Issue #7076 has >> been reported by many Mac users. Issue has popped up when python binary >> version is changed for the pgadmin. >> >> To save server passwords, pgadmin uses os level secret storage (in case >> of Mac it is keyring) and adds an entry for each save password. Whenever >> the python binary version is changed, keychain (python lib used to acces= s >> keychain) asks for a password 2 times for accessing each entry. If you h= ave >> 10 servers, then it will ask for 20 times. >> >> To fix the issue, pgadmin will follow the same approach as chrome. >> 1.An encryption key will be auto-generated and will be stored in the >> keychain. >> 2.Whenever save password request is received, encryption key will be use= d >> to encrypt password and encrypted password will be saved in the pgadmin >> database. >> 3.Similarly, while retrieving the password, encryption will be pulled >> from the keychain and will be used to decrypt the password. >> This will reduce password asks to 2 times on python binary version chang= e. >> > > That sounds almost like returning to the way things used to work with the > master password, except we auto-generate it, and store that in the keycha= in. > Yeah. > I assume we'd do the same on all platforms, using whatever the equivalent > store is on each? > Yes we will be doing the same on all supported platforms. > > Any idea why it asks for the login password twice per access on macOS? > This is a known issue for keyring python lib. And this one where the keychain asks for a password for accessing each entry. > -- > Dave Page > pgAdmin: https://www.pgadmin.org > PostgreSQL: https://www.postgresql.org > EDB: https://www.enterprisedb.com > > PGDay UK 2024, 11th September, London: https://2024.pgday.uk/ > Thanks, Yogesh Mahajan EnterpriseDB --0000000000007f6c99061f2b4c62 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

<= div dir=3D"ltr" class=3D"gmail_signature">

Hi,

On Thu, Aug 8, 2024 at 5:58=E2=80=AFPM Dave Page <dpage@pgadmin.org> wrote:


On Mon, 5 Aug 20= 24 at 13:27, Yogesh Mahajan <yogesh.mahajan@enterprisedb.com> wrote:
Hi Hackers,

Issue=C2=A0#7076 has been reported = by many Mac users. Issue has popped up when python binary version is change= d for the pgadmin.

To save server passwords, pgadmin uses os level secret storage (in = case of Mac it is keyring) and adds an entry for each save password. Whenev= er the python binary version is changed, keychain=C2=A0(python lib used to = access keychain) asks for a password=C2=A02 times for accessing each entry.= If you have 10 servers, then it will ask for 20 times.

To fix the issue, pgadmin will= follow the same approach=C2=A0as chrome.=C2=A0
1.An encryption key will be auto-ge= nerated and will be stored=C2=A0in the keychain.
2.Whenever save password request i= s received, encryption key will be used to encrypt password=C2=A0and encryp= ted password will be saved in the pgadmin database.
3.Similarly, while retrieving t= he password, encryption=C2=A0will be pulled from the keychain and will be u= sed to decrypt the password.
This will reduce password=C2=A0asks to 2 times on pyth= on binary version change.

That = sounds almost like returning to the way things used to work with the master= password, except we auto-generate it, and store that in the keychain.
=C2=A0
Yeah.
=C2=A0
I assume we'd do the same on all platforms, using whatever t= he equivalent store is on each?
=C2=A0
Yes we will be doing the same on all supported platfor= ms.
=C2=A0

Any idea why it asks for the login p= assword twice per access on macOS?=C2=A0

This is a known issue for keyring python lib. And this one where the keychain ask= s for a password=C2=A0for accessing each entry.

<= blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l= eft-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);pa= dding-left:1ex">

--
Dave Page
PostgreSQL: https://www.postgresql.org=

PGDay UK 2024,= 11th September, London: https://2024.pgday.uk/

Thanks,
Yogesh Mahajan
EnterpriseDB=C2=A0

=C2=A0
--0000000000007f6c99061f2b4c62--