
keychain's People

Contributors

albinekcom, fcheung, jenrzzz, jlm, legal90, logwolvy, patrick-motard, toy


keychain's Issues

Support for adding trusted application to keychain item when creating it

This is a feature request (unless I'm missing something and this already does exist).

Essentially my question is, is it possible to add a trusted application when creating a keychain item? This would behave exactly like the -T option when using the security command line tool with add-internet-password. For reference, here are all the options provided by security add-internet-password:

$ security add-internet-password
Usage: add-internet-password [-a account] [-s server] [-w password] [options...] [-A|-T appPath] [keychain]
    -a  Specify account name (required)
    -c  Specify item creator (optional four-character code)
    -C  Specify item type (optional four-character code)
    -d  Specify security domain string (optional)
    -D  Specify kind (default is "Internet password")
    -j  Specify comment string (optional)
    -l  Specify label (if omitted, server name is used as default label)
    -p  Specify path string (optional)
    -P  Specify port number (optional)
    -r  Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ")
    -s  Specify server name (required)
    -t  Specify authentication type (as a four-character SecAuthenticationType, default is "dflt")
    -w  Specify password to be added
    -A  Allow any application to access this item without warning (insecure, not recommended!)
    -T  Specify an application which may access this item (multiple -T options are allowed)
    -U  Update item if it already exists (if omitted, the item cannot already exist)

By default, the application which creates an item is trusted to access its data without warning.
You can remove this default access by explicitly specifying an empty app pathname: -T ""
If no keychain is specified, the password is added to the default keychain.

Release new gem version and add tags

@fcheung Thank you for this useful gem!
I'm gonna use it for automation purposes, in a community "cookbook" for Chef (https://chef.io), the popular configuration management tool.

Could you please release a new version of 'ruby-keychain' on rubygems.org? It will allow us to get the latest changes.

Also, adding git tags to this repo will make the release cycle a little bit clearer and will help other contributors to track changes between different versions.

Limiting scope to specific scripts

Currently, allowing a Ruby application to have access to a keychain item means that ALL ruby scripts will have access to that keychain item. This seems like a big security hole.

Is there any way around this? Perhaps a way to compile a ruby script to a native binary that would then be recognized as a separate app?
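
Added example, not part of the issue thread or of the ruby-keychain gem: a Ruby helper that builds the `security add-internet-password` argument list with explicit `-T` entries, using only the options in the usage text quoted in the first issue, and flags trusted paths that are script interpreters (the concern raised in the issue above). The helper names and the interpreter list are assumptions made for this illustration.

```ruby
# Added example: hypothetical helpers, not ruby-keychain API.
# Basenames treated as interpreters (assumed list for illustration).
INTERPRETERS = %w[ruby python python3 perl node sh bash zsh osascript].freeze

# Trusted paths that are interpreters: trusting one of these lets every
# script run by that interpreter read the item without a prompt.
def interpreter_paths(trusted_apps)
  trusted_apps.select { |path| INTERPRETERS.include?(File.basename(path)) }
end

# Builds the argv in the order given by the usage text:
# -a/-s/-w, options, -T entries, then the optional keychain.
# -A (allow any application) is deliberately not offered.
def add_internet_password_argv(account:, server:, password:, trusted_apps:,
                               keychain: nil, update: false)
  if account.to_s.empty? || server.to_s.empty?
    raise ArgumentError, "account and server are required"
  end
  relative = trusted_apps.reject { |path| path.start_with?("/") }
  unless relative.empty?
    raise ArgumentError, "trusted app paths must be absolute: #{relative.inspect}"
  end

  # Caveat: a password passed with -w is visible in the process listing.
  argv = ["security", "add-internet-password",
          "-a", account, "-s", server, "-w", password]
  argv << "-U" if update
  if trusted_apps.empty?
    argv.push("-T", "") # empty path removes the creator's default access
  else
    trusted_apps.each { |path| argv.push("-T", path) }
  end
  argv << keychain if keychain
  argv
end

# Runs the command (macOS only). Array form of system: no shell parsing.
def add_internet_password(**opts)
  risky = interpreter_paths(opts[:trusted_apps])
  unless risky.empty?
    warn "trusting #{risky.join(', ')} exposes the item to every script it runs"
  end
  system(*add_internet_password_argv(**opts))
end
```
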

Update corefoundation to latest

Ruby 3.1 started emitting errors in ffi finalizers to stderr and the version of corefoundation this gem is pegged to (~>0.2.0) had a bug that resulted in these being noisily emitted repeatedly:

warning: Exception in finalizer #<CF::Base::Releaser:0x0000000104693570 @address=105553129341824>
/Users/justin/.rbenv/versions/3.1.1/lib/ruby/gems/3.1.0/gems/corefoundation-0.2.0/lib/corefoundation/base.rb:55:in `release': :pointer argument is not a valid pointer (ArgumentError)

It was fixed in corefoundation chef/corefoundation#35 in 0.3.13. Would you consider upgrading?

Cannot Get Private Key of Identity

If I enumerate the identities available like:

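require 'keychain'

# Enumerate every identity (certificate + private key pair) in the keychain
v = Keychain::Scope.new(Sec::Classes::IDENTITY)

v.all.each { |identity|
    # this_is_the_cert is a placeholder for the poster's own selection check
    if this_is_the_cert
        identity.private_key.export("", :kSecFormatPEMSequence)
    end
}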

The export here generates:

[...]/ruby-keychain-0.1.2/lib/keychain/sec.rb:191:in `check_osstatus': The contents of this item cannot be retrieved. (-25316) (Keychain::Error)

Oddly, if I enumerate keys (Sec::Classes::KEY), then I can export it. In my Keychain Access, I see the certificate (under My Certificates), with an expand arrow that shows my key. That key has a label (I'm not sure where this comes from). In keys, there's an expand arrow that shows my certificate.

I cannot figure out how to get a private key from a given certificate (and vice versa). I could go through all the keys and export them and compare the public keys to the certificate's public key, but every time I export() a key, I have to input my password.

I also wish I could get the public key directly from the Key class, or that the private_key method on the Identity and Certificate classes worked.
