Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sc2Xf-003Omt-5u for pgadmin-hackers@arkaria.postgresql.org; Thu, 08 Aug 2024 12:46:55 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sc2Xc-00E48p-QK for pgadmin-hackers@arkaria.postgresql.org; Thu, 08 Aug 2024 12:46:52 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sc2Xc-00E48h-H9 for pgadmin-hackers@lists.postgresql.org; Thu, 08 Aug 2024 12:46:52 +0000 Received: from mail-yw1-x1129.google.com ([2607:f8b0:4864:20::1129]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sc2XZ-003ncj-8o for pgadmin-hackers@postgresql.org; Thu, 08 Aug 2024 12:46:51 +0000 Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-661d7e68e89so7409227b3.0 for ; Thu, 08 Aug 2024 05:46:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1723121207; x=1723726007; darn=postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=QIzyIFCj1W5DwfkQhkRzA6wO4B3dM92lyWcSqoJ6oUw=; b=dJEjZfKyePiv0iTgMERwSSTHiP7lWfDcelnN8VV9ouQE9IYUq6qbDWGE7youd/jsjK W/CogZNIwCB0seBDRV9lY4QdDzP1YmtHYt0qB5fVcdQGh2UiHimOKWPAEZ3fyUoCa2qC noJ1ycYnrlwdr43dn9lKOGsBCSyDY87pFhOabIREccwy90a3ntmUas6G5z+PgSjWi/IK gIpcG3vcu6ak5M9UBnD8FZ1wnJ+nMYix414cl+Q9rLtTPJb4fsslcc0SMOcXnaBYuay4 DWZFVU3EDauBBokZPe1VZ6XgAYnZjr0exQk3SsnTY0PYw8fv8Otnsgk0R10zqrgS3r93 Hr1A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723121207; x=1723726007; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QIzyIFCj1W5DwfkQhkRzA6wO4B3dM92lyWcSqoJ6oUw=; b=quznCuBU/Xda7SBzRlA8Du863+SoQHekLw6uu+S3y59MBWekaawBVJ+2asYaNVDm1V s9+ivqcBePGDMCyQQ9w5PyuzS2cBFwMtDBg4uqKPk5eyJKASMP7HPDLHmqEpBWawGsPq 1BUlUkXEMcqhhJOMKlLehjqOq3HY1pEGTiGKZlYZiQCLaLyrGYTjwMdf5gdLVqm9TnPs jkBDCsOj48J+jx6GLM7snYFPifbrXgSUiHKFsF5uWZBJKjGJXXxvMP/qTysgexMMIc1s fns3nB+eSZ+VTTCydFDW1J7MbMEr/ETBHMz4wLD31NhBQhVoWV3RnjI1SOh9iqTyzNCY totg== X-Gm-Message-State: AOJu0Yz/mJl8KRjdrnWdYSaBksUH8Gq/5BmrA1USMw4eFFauMzipliMI iQRm4jn2a0b1xGUJFB/Kd1FgmAFE8NU/9oS5STfMYND4v43LkL606HyirxrunPePbCWQ5Mtr92V ij5UUaRqMGdOiya3nZmRsFzTsC5UF2xfe7B+c X-Google-Smtp-Source: AGHT+IE4fmr4Hvp1/oEoqqOfuHl1SRVUNbm1E8r2gJEZi0QdgoavT2nuL9NnBsLwe4o4e/JxnWM7wUtPAvwLVaUFzk4= X-Received: by 2002:a05:690c:3581:b0:64b:82d6:75b9 with SMTP id 00721157ae682-69c0e5613bcmr9536317b3.7.1723121206907; Thu, 08 Aug 2024 05:46:46 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Yogesh Mahajan Date: Thu, 8 Aug 2024 18:16:10 +0530 Message-ID: Subject: Re: #7076 - Keychain access on Mac To: Dave Page Cc: pgadmin-hackers Content-Type: multipart/alternative; boundary="000000000000717fd6061f2b6be7" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000717fd6061f2b6be7 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Dave, Should I proceed with this approach? Thanks, Yogesh Mahajan EnterpriseDB On Thu, Aug 8, 2024 at 6:14=E2=80=AFPM Dave Page wrote: > > > On Thu, 8 Aug 2024 at 13:38, Yogesh Mahajan < > yogesh.mahajan@enterprisedb.com> wrote: > >> >> >> Hi, >> >> On Thu, Aug 8, 2024 at 5:58=E2=80=AFPM Dave Page wro= te: >> >>> >>> >>> On Mon, 5 Aug 2024 at 13:27, Yogesh Mahajan < >>> yogesh.mahajan@enterprisedb.com> wrote: >>> >>>> Hi Hackers, >>>> >>>> Issue #7076 has >>>> been reported by many Mac users. Issue has popped up when python binar= y >>>> version is changed for the pgadmin. >>>> >>>> To save server passwords, pgadmin uses os level secret storage (in cas= e >>>> of Mac it is keyring) and adds an entry for each save password. Whenev= er >>>> the python binary version is changed, keychain (python lib used to acc= ess >>>> keychain) asks for a password 2 times for accessing each entry. If you= have >>>> 10 servers, then it will ask for 20 times. >>>> >>>> To fix the issue, pgadmin will follow the same approach as chrome. >>>> 1.An encryption key will be auto-generated and will be stored in the >>>> keychain. >>>> 2.Whenever save password request is received, encryption key will be >>>> used to encrypt password and encrypted password will be saved in the >>>> pgadmin database. >>>> 3.Similarly, while retrieving the password, encryption will be pulled >>>> from the keychain and will be used to decrypt the password. >>>> This will reduce password asks to 2 times on python binary version >>>> change. >>>> >>> >>> That sounds almost like returning to the way things used to work with >>> the master password, except we auto-generate it, and store that in the >>> keychain. >>> >> >> Yeah. >> >> >>> I assume we'd do the same on all platforms, using whatever the >>> equivalent store is on each? >>> >> >> Yes we will be doing the same on all supported platforms. >> >> >>> >>> Any idea why it asks for the login password twice per access on macOS? >>> >> >> This is a known issue for >> keyring python lib. And this >> one where the keychain >> asks for a password for accessing each entry. >> > > OK, thanks. > -- > Dave Page > pgAdmin: https://www.pgadmin.org > PostgreSQL: https://www.postgresql.org > EDB: https://www.enterprisedb.com > > PGDay UK 2024, 11th September, London: https://2024.pgday.uk/ > > --000000000000717fd6061f2b6be7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Dave,

Should I proceed with this approach?

Thanks,
Yogesh Mahajan
EnterpriseDB


On T= hu, Aug 8, 2024 at 6:14=E2=80=AFPM Dave Page <dpage@pgadmin.org> wrote:


On Thu, 8 Aug 2024 at 13:38, Yogesh Mahaja= n <= yogesh.mahajan@enterprisedb.com> wrote:
=

=
Hi,

On Thu, Aug 8, 2024 at 5:58=E2=80=AFPM Dave = Page <dpage@pgadm= in.org> wrote:


On Mon, 5 Aug 2024 at 13:27, Yogesh Mahajan <yogesh.mahajan@enterprisedb= .com> wrote:
Hi Hackers,

Issue=C2=A0#707= 6 has been reported by many Mac users. Issue has popped up when python = binary version is changed for the pgadmin.

To save server passwords, pgadmin uses os l= evel secret storage (in case of Mac it is keyring) and adds an entry for ea= ch save password. Whenever the python binary version is changed, keychain= =C2=A0(python lib used to access keychain) asks for a password=C2=A02 times= for accessing each entry. If you have 10 servers, then it will ask for 20 = times.
<= br>
To f= ix the issue, pgadmin will follow the same approach=C2=A0as chrome.=C2=A0
1.An encr= yption key will be auto-generated and will be stored=C2=A0in the keychain.<= /div>
2.Whenev= er save password request is received, encryption key will be used to encryp= t password=C2=A0and encrypted password will be saved in the pgadmin databas= e.
3.Sim= ilarly, while retrieving the password, encryption=C2=A0will be pulled from = the keychain and will be used to decrypt the password.
This will reduce password=C2= =A0asks to 2 times on python binary version change.

That sounds almost like returning to the way things us= ed to work with the master password, except we auto-generate it, and store = that in the keychain.
=C2=A0
<= span class=3D"gmail_default" style=3D"font-family:verdana,sans-serif;font-s= ize:small">Yeah.
=C2=A0
I assume we'd do the same on all p= latforms, using whatever the equivalent store is on each?
=
=C2=A0
Yes we will be doing the sam= e on all supported platforms.
=C2=A0

Any idea w= hy it asks for the login password twice per access on macOS?=C2=A0

This is a known issue for keyring python lib. A= nd this one where the keychain asks for a password=C2=A0for accessing e= ach entry.

OK, thanks.=C2= =A0
--
--000000000000717fd6061f2b6be7--