Skip to content

feat(cli): replace keytar with cross-keychain for token storage#1950

Open
gnugomez wants to merge 5 commits into
eclipse-openvsx:mainfrom
gnugomez:gnugomez/main/replace-keytar-with-cross-keychain
Open

feat(cli): replace keytar with cross-keychain for token storage#1950
gnugomez wants to merge 5 commits into
eclipse-openvsx:mainfrom
gnugomez:gnugomez/main/replace-keytar-with-cross-keychain

Conversation

@gnugomez

@gnugomez gnugomez commented Jul 7, 2026

Copy link
Copy Markdown
Member

keytar is archived and unmaintained, for now the approach was to fallback to plaintext if for whatever reason the system store fails to bind. That was a likely situation given the unmaintained/archived status of such dependency.

This patch changes the store library to use a cross-keychain, a library that's in active development and should work better cross-platfom-wise.

The old implmentation was already failing to me in macos (in dev environment) and falling back to plain text, I'm not sure about other systems, the tool already migrates plaintext secrets to system keychain as soon as it's available.

A good test would be to run since this command only interacts with the store and not with the registry, if it replies with unknown namespace it's likely not finding the old token.

In macOS is working fine:

image

@gnugomez gnugomez requested a review from netomi July 7, 2026 15:43
@gnugomez gnugomez force-pushed the gnugomez/main/replace-keytar-with-cross-keychain branch from 2848585 to 06005ae Compare July 7, 2026 15:46
@netomi netomi force-pushed the gnugomez/main/replace-keytar-with-cross-keychain branch from 06005ae to 05ac08d Compare July 8, 2026 06:26
@gnugomez

gnugomez commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

note: https://github.com/magarcia/cross-keychain is not being so well-maintained, for the native backends is using https://github.com/Brooooooklyn/keyring-node, that is a project that looks pretty up to date. So cross-keychain provides a wrapper API around this rust bindings.

@netomi

netomi commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

whether its well maintained is hard to decide from the commit history. Both projects mainly update dependencies since a while, so its clearly in maintenance mode. I would still go with cross-chain as the overall source is pretty much polished.

Comment thread cli/src/store.ts
gnugomez added 2 commits July 9, 2026 10:21
keytar is archived and unmaintained, for now the approach was to fallback to plaintext if for whatever reason the system store fails to bind. That was a likely situation given the unmaintained/archived status of such dependency.

This patch changes the store library to use a cross-keychain, a library that's in active development and should work better cross-platfom-wise.

The old implmentation was already failing to me in macos and falling back to plain text, I'm not sure about other systems, the tool already migrates plaintext secrets to system keychain as soon as it's available.

A good test would be to run  since this command only interacts with the store and not with the registry, if it replies with unknown namespace it's likely not finding the old token.
@gnugomez gnugomez force-pushed the gnugomez/main/replace-keytar-with-cross-keychain branch from 05ac08d to a39a190 Compare July 9, 2026 08:21
@gnugomez gnugomez requested a review from netomi July 9, 2026 08:22
@netomi

netomi commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

I tested it on my linux system (Ubuntu 24.04) and it worked well.

Verified with

secret-tool lookup service ovsx username <namespace>

that the PAT I stored for a namespace is in the secret service.

The library supports different backends included an encrypted file fallback if all the other methods do not work. So I think we should utilize that and use that instead of our own poor mans file storage.

You can detect which backend is used with the diagnose method, and specify the location of the secret file.

That way we could also get rid of the unsecure plan text File storage backend as a fallback.

@gnugomez

Copy link
Copy Markdown
Member Author

@netomi yeah, I agree - I'll take a look and apply that change too

@gnugomez

Copy link
Copy Markdown
Member Author

hey @netomi I added a change to fallback to the encrypted cross-keychain's backend implementation, as a last resort I'm leaving the plain-text version.

also the OVSX_STORE=file will now use the encrypted store.

by default this encrypted store Encrypted file storage (AES-256-GCM) is creating an encryption key in ~/.config/keyring/file.key and storing the secrets at ~/.local/share/keyring/secrets.json the paths are slightly different in windows.

if the user was falling-back to the plain-text because the system one was not working for them, this store will be migrated to the encrypted one if working.

Assisted-By: anthropic:claude-opus-4-8[1m]
@gnugomez gnugomez force-pushed the gnugomez/main/replace-keytar-with-cross-keychain branch from f3a7792 to 51316ac Compare July 13, 2026 08:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants