fcheung / keychain
Bindings for the OS X keychain
License: MIT License
This is a feature request (unless I'm missing something and this already does exist).
Essentially my question is, is it possible to add a trusted application when creating a keychain item? This would behave exactly like the -T option when using the security command line tool with add-internet-password. For reference, here are all the options provided by security add-internet-password:
$ security add-internet-password
Usage: add-internet-password [-a account] [-s server] [-w password] [options...] [-A|-T appPath] [keychain]
-a Specify account name (required)
-c Specify item creator (optional four-character code)
-C Specify item type (optional four-character code)
-d Specify security domain string (optional)
-D Specify kind (default is "Internet password")
-j Specify comment string (optional)
-l Specify label (if omitted, server name is used as default label)
-p Specify path string (optional)
-P Specify port number (optional)
-r Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ")
-s Specify server name (required)
-t Specify authentication type (as a four-character SecAuthenticationType, default is "dflt")
-w Specify password to be added
-A Allow any application to access this item without warning (insecure, not recommended!)
-T Specify an application which may access this item (multiple -T options are allowed)
-U Update item if it already exists (if omitted, the item cannot already exist)
By default, the application which creates an item is trusted to access its data without warning.
You can remove this default access by explicitly specifying an empty app pathname: -T ""
If no keychain is specified, the password is added to the default keychain.
@fcheung Thank you for this useful gem!
I'm gonna use it for automation purposes, in a community "cookbook" for Chef (https://chef.io), the popular configuration management tool.
Could you please release a new version of 'ruby-keychain' on rubygems.org? It will allow us to get the latest changes.
Also, adding git tags to this repo will make the release cycle a little bit clearer and will help other contributors to track changes between different versions.
Currently, allowing a Ruby application to have access to a keychain item means that ALL ruby scripts will have access to that keychain item. This seems like a big security hole.
Is there any way around this? Perhaps a way to compile a ruby script to a native binary that would then be recognized as a separate app?
It would be nice if it could access the iCloud keychain.
Ruby 3.1 started emitting errors in ffi finalizers to stderr and the version of corefoundation this gem is pegged to (~>0.2.0) had a bug that resulted in these being noisily emitted repeatedly:
warning: Exception in finalizer #<CF::Base::Releaser:0x0000000104693570 @address=105553129341824>
/Users/justin/.rbenv/versions/3.1.1/lib/ruby/gems/3.1.0/gems/corefoundation-0.2.0/lib/corefoundation/base.rb:55:in `release': :pointer argument is not a valid pointer (ArgumentError)
It was fixed in corefoundation chef/corefoundation#35 in 0.3.13. Would you consider upgrading?
If I enumerate the identities available like:
v = Keychain::Scope.new(Sec::Classes::IDENTITY)
v.all.each do |identity|
  # this_is_the_cert stands for whatever test selects the certificate of interest
  if this_is_the_cert
    identity.private_key.export("", :kSecFormatPEMSequence)
  end
end
The export here generates:
[...]/ruby-keychain-0.1.2/lib/keychain/sec.rb:191:in `check_osstatus': The contents of this item cannot be retrieved. (-25316) (Keychain::Error)
Oddly, if I enumerate keys (Sec::Classes::KEY), then I can export it. In my Keychain Access, I see the certificate (under My Certificates), with an expand arrow that shows my key. That key has a label (I'm not sure where this comes from). In keys, there's an expand arrow that shows my certificate.
I cannot figure out how to get a private key from a given certificate (and vice versa). I could go through all the keys and export them and compare the public keys to the certificate's public key, but every time I export() a key, I have to input my password.
I also wish I could get the public key directly from the Key class, or that the private_key method on the Identity and Certificate classes worked.
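The workaround the post sketches, exporting each key once and matching it to the certificate by its public half, carried out as an added example with Ruby's standard OpenSSL library rather than the ruby-keychain gem (this is not the project's code). The keys and self-signed certificate are constructed inside the block; in practice the candidate PEM strings would be the output of the gem's export calls.

```ruby
require 'openssl'

# Added example, not part of ruby-keychain: pair a certificate with the private
# key that belongs to it, the relationship a keychain "identity" encodes.
# Candidate keys may be OpenSSL::PKey objects or PEM strings (e.g. exported
# once and cached), so every key is exported a single time and matched offline.
def key_for_cert(cert, candidate_keys)
  candidate_keys.each do |candidate|
    key = candidate.is_a?(String) ? OpenSSL::PKey.read(candidate) : candidate
    # check_private_key compares the key's public half with the certificate's
    # SubjectPublicKeyInfo and returns false (no exception) on a mismatch
    return key if cert.check_private_key(key)
  end
  nil
end

# Constructed fixture: two RSA keys and a self-signed certificate for keys[1].
def build_fixture
  keys = Array.new(2) { OpenSSL::PKey::RSA.new(2048) }
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=keychain-example')
  cert.issuer = cert.subject
  cert.public_key = keys[1].public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(keys[1], OpenSSL::Digest.new('SHA256'))
  [cert, keys]
end

if __FILE__ == $PROGRAM_NAME
  cert, keys = build_fixture
  match = key_for_cert(cert, keys.map(&:to_pem))
  puts "matching private key found: #{!match.nil?}"
end
```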