Fail to load system keyring on Mac OS version 8.1 #7076
Comments
|
Hi @martinrm77 , I am unable to reproduce the issue with the upgrade and normal installation, can you please provide the steps or a short video recording? |
|
I have the exact same issue. I simply downloaded and installed the pgadmin4-8.1-arm64.dmg. From that moment on it is unusable. I had to:
...then it worked again. |
|
As someone else with the same issue, I upgraded to 8.1 and saw the issue immediately. At this point, I downgraded back to 8.0, got the pop-up a single time with 8.0, and then access to my Keychain remained (including across closing/reopening pgadmin). This is using both the arm64 and x86-64 builds. |
|
I also saw this opn Mac OS Sonoma 14.2.1 and rolled back to pgadmin4 8.0 😞 |
|
I have the same issue, 8.1 (via brew), asks for my keychain password in an loop, no matter how many times I enter it. |
|
I saw the same issue on macOS Sonoma 14.2.1 with pgAdmin 4 v8.1. Downgrading to v8.0 resolved the issue for me as well. |
|
Same issue. I installed 8.1 via the ARM EDIT: resolved by downgrading to pgAdmin 4 8.0 via |
|
Same issue here. To reproduce, try installing 8.0 (ARM), then add some servers with saved passwords, then upgrade to 8.1 (ARM). Keep getting a popup that says:
Have to roll back to 8.0 in order to use the application. |
|
Same issue here. |
|
@nikhil-mohite I'm having the same issue and I have a screen recording of it below: pgAdmin4_keychainIssue.movMacOS Ventura 13.5.1 (M2) Downloaded pgadmin4-8.2-arm64.dmg My steps to replicate:
|
|
This is an issue while accessing the keychain in macOS, A Similar issue is already logged in Python's |
|
Hi @thestelz, |
|
@adityatoshniwal I have 10 servers all with saved passwords. I took a look at the keyring issue above and read that it isn't a loop, but asks each time for each saved password. After I read that I reinstalled 8.2 and entered my password 10 times and clicked allow all each time. After I did that everything appears to be working as expected now. |
If it's an issue with keychain in macOS, how come downgrading to v8.0 fixes it? |
|
I tested this on new version 8.2 (ARM) that just came out on Jan 9, 2024. (Upgraded from 8.0 to 8.2) Now, if you hit "Deny" on the keychain popup, it then asks you for your master password. When you enter this, another popup immediately asks you for your Pgadmin master password. When you enter this, it seems to work. When you reboot the application, the keychain popup comes back, and you have to hit deny again and enter your master password again. At least you don't have to roll it back now, but it's still not working correctly... |
If pgAdmin is unable to use the KeyChain on macOS (When you click on the |
The issue is when the Python binary updates (or a new virtual environment is created), You will receive a popup asking for a login/keychain password. It will ask for permission per record it will try to access from KeyChain. If you have 3 records it will ask 3 times to allow you to access the keychain each per record. You can check the access in |
|
There is a more severe problem with this - apps must not expect the Mac user to know their "login" keychain password. The MacOS API allows apps to add entries into the keychain without ever prompting the user for their keychain password, but it will prompt the user when the secret is read by a non-allowlisted app or by the human user themselves via the Keychain UI. My Macbook is managed by corporate IT and my Sign-On password is apparently not my keychain password. I lost access to all secrets saved by pgadmin, probably permanently because downgrading hasn't recovered the saved passwords (I get past the popup but have to re-enter all the passwords). I think the correct solution would be one of these:
Other chromium-based apps (VS Code, Google Chrome) seem to be doing something similar to option 2 by the way - they only create one item in the keychain called "[...] Safe Storage" (though they aren't using it via a python script but directly). |
|
I'm having this same issue with version 8.2 today and downgraded back to 8.0. |
|
It will ask to enter the correct password for each saved server. You must enter the correct password as many times as your saved password. I had 15 saved servers before updating the software. I had to enter the password 30 times, and now it is working fine. |
|
This is behaviour enforced by Mac itself. For every saved server, once it will ask for password. |
|
@yogeshmahajan-1903 can pgAdmin project provide the option to disable the usage of MacOS Keychain at least? This is a UX issue and will happen every time pgAdmin upgrades the python binary in future releases. It's not even just having to enter the password dozens of times, but also losing your data if you don't have admin access to the keychain (can easily happen if you don't have high privileges on your MacOS). |
|
@yogeshmahajan-1903 - Are you sure this issue cannot be addressed? It is not an issue for 8.0. It only started happening in 8.1. That implies something changed in 8.1 that caused it to start happening. |
|
Same here |
It can be addressed in the ways I suggested to them earlier, by changing how pgAdmin uses the MacOS keystore. It just seems that the maintainers do not want to make changes to that, based on how this ticket got closed abruptly without any deeper reasoning.
They most likely upgraded the embedded python binary between 8.1 and 8.0. The issue will not happen for users who did a fresh install of 8.1 without upgrading, obviously. If I am right, this will happen in the future whenever the user upgrades their pgAdmin and it contains yet another new python version (which could happen like a few times a year). We all transparently got opted into using MacOS keystore around June 2023 or so (#5123) with no way to opt out. |
@miskr-instructure It is a replacement to master password which most users didn't want to enter. Keeping both master password and keychain makes it extremely complex to maintain. pgAdmin do have a |
You're totally right, however other apps I've seen do it differently in two ways:
Thank you for the consideration! |
|
Pretty annoying issue, I got it working by: killing the app, deleted app, nuked ~/.pgadmin directory, reinstalled, and then it worked. |
|
This is how Chromium does it:
I suggest we change our code to follow a similar approach. It will also remove code complexity as we already have master password implementation. Only change will be that master password will auto generated, and stored in keyring. |
|
That sounds nice. Please do not forget to make it possible to recover from the keystore entry being unavailable/deleted, by allowing users to provide the master key/password directly to the app. This implies it should be possible to set a specific master key/password (that is also stored in keystore), instead of it being a completely random value. |
@miskr-instructure |
The difference is that other chromium-based apps access their keyring from a process spawned from the main executable (ie. the one that is launched by MacOS when we open the "app"), not from a different embedded executable (python) subprocess. This is almost certainly the reason for the keyring popups after the upgrades too (=MacOS considering a different embedded python binary as a completely separate program). So if you are thinking of completely removing master password, the random password/key should be accessed from the pgAdmin chromium process , not from the embedded python subprocess. This seems difficult to pull off though, considering pgAdmin's design, but it is how every other electron/chromium solution does it to my knowledge (and they do not have keystore prompts after upgrades). |
I understand your concern. The difference between Chromium and pgAdmin here is, chromium autofills the password in the password input boxes and doesn't directly use it. pgAdmin however uses the server password to connect. For that, python process has to get the password. UI won't help. It won't be an issue unless there is a change in the Python version of the embedded binary which doesn't happen on every release. |
|
I mean, the pgAdmin backend could prompt the front-end to fetch the master password/key on its behalf one time per application start, similarly to how it did so for master password (I assume, since there the frontend was asking for the user to enter it, then it must have been forwarded to the backend). |
Interesting approach, basically going back to master password but instead of asking the user get it from system keyring from the front end. We'll need to try more on this, whichever works best and compatible across multiple platforms. |
|
Thanks for considering it! One other minor benefit of that approach would be that if you check in key chain app, the listed application in "Access Control" would say "pgAdmin" (executable/app name), not "python". That would be more intuitive. |
|
@miskr-instructure I suspect even that would ask for keyring access once you replace the pgAdmin 4 version just like python version right? |
|
I doubt it would prompt, because then all the electron/chromium apps would run into the issue as well? I have never encountered prompts with Slack/Zoom/Chrome/VSC after updates, even though all of those have a key chain entry and are based on chromium (and their chromium executable does get updated by their occasional auto-updates). The only other difference I can think of between those apps and pgAdmin (other than the embedded executable) would be that those apps self-trigger their updates as opposed to the user reinstalling from a |
|
➕ same issue |
|
same issue |
|
Uninstalling, nuking OS: 14.3.1 |
|
I checked the feasibility of accessing keychain from front end but unfortunately the front end container - NWjs doesn't have any API to access it. We're thinking of porting to Electron which will allow to do this. |
and others
Please note that security bugs or issues should be reported to security@pgadmin.org.
Describe the bug
After upgrading to version 8.1 it will not load my system keyring. It keeps asking for password, and asking for password, again and again. If I type wrong password it says failed password, if I type correct password it asks again.
To Reproduce
Install pgAdmin 4 v8.0 on Mac OS.
Create server connetions.
Upgrade to v8.1
Try to start pgAdmin 4 and enter login password to open system keyring
Steps to reproduce the behavior:
Expected behavior
Should just open up pgadmin 4 without a prompt for password as I am already logged in and the system keyring is available.
Error message
No error message, just a repeating password prompt.
Screenshots
Desktop (please complete the following information):
Additional context
The text was updated successfully, but these errors were encountered: