feat(cli): replace keytar with cross-keychain for token storage#1950
feat(cli): replace keytar with cross-keychain for token storage#1950gnugomez wants to merge 5 commits into
Conversation
2848585 to
06005ae
Compare
06005ae to
05ac08d
Compare
|
note: https://github.com/magarcia/cross-keychain is not being so well-maintained, for the native backends is using https://github.com/Brooooooklyn/keyring-node, that is a project that looks pretty up to date. So cross-keychain provides a wrapper API around this rust bindings. |
|
whether its well maintained is hard to decide from the commit history. Both projects mainly update dependencies since a while, so its clearly in maintenance mode. I would still go with cross-chain as the overall source is pretty much polished. |
keytar is archived and unmaintained, for now the approach was to fallback to plaintext if for whatever reason the system store fails to bind. That was a likely situation given the unmaintained/archived status of such dependency. This patch changes the store library to use a cross-keychain, a library that's in active development and should work better cross-platfom-wise. The old implmentation was already failing to me in macos and falling back to plain text, I'm not sure about other systems, the tool already migrates plaintext secrets to system keychain as soon as it's available. A good test would be to run since this command only interacts with the store and not with the registry, if it replies with unknown namespace it's likely not finding the old token.
05ac08d to
a39a190
Compare
|
I tested it on my linux system (Ubuntu 24.04) and it worked well. Verified with that the PAT I stored for a namespace is in the secret service. The library supports different backends included an encrypted file fallback if all the other methods do not work. So I think we should utilize that and use that instead of our own poor mans file storage. You can detect which backend is used with the That way we could also get rid of the unsecure plan text File storage backend as a fallback. |
|
@netomi yeah, I agree - I'll take a look and apply that change too |
|
hey @netomi I added a change to fallback to the encrypted cross-keychain's backend implementation, as a last resort I'm leaving the plain-text version. also the by default this encrypted store if the user was falling-back to the plain-text because the system one was not working for them, this store will be migrated to the encrypted one if working. |
Assisted-By: anthropic:claude-opus-4-8[1m]
f3a7792 to
51316ac
Compare
keytar is archived and unmaintained, for now the approach was to fallback to plaintext if for whatever reason the system store fails to bind. That was a likely situation given the unmaintained/archived status of such dependency.
This patch changes the store library to use a cross-keychain, a library that's in active development and should work better cross-platfom-wise.
The old implmentation was already failing to me in macos (in dev environment) and falling back to plain text, I'm not sure about other systems, the tool already migrates plaintext secrets to system keychain as soon as it's available.
A good test would be to run since this command only interacts with the store and not with the registry, if it replies with unknown namespace it's likely not finding the old token.
In macOS is working fine: