Fail to load system keyring on Mac OS version 8.1 #7076

Closed
martinrm77 opened this issue Dec 21, 2023 · 73 comments

@martinrm77

Please note that security bugs or issues should be reported to security@pgadmin.org.

Describe the bug

After upgrading to version 8.1 it will not load my system keyring. It keeps asking for password, and asking for password, again and again. If I type wrong password it says failed password, if I type correct password it asks again.

To Reproduce
Install pgAdmin 4 v8.0 on Mac OS.
Create server connections.
Upgrade to v8.1
Try to start pgAdmin 4 and enter login password to open system keyring

Steps to reproduce the behavior:

  1. Start pgAdmin 4
  2. Enter requested login password in the prompt
  3. Go to 2 for a password loop.

Expected behavior

Should just open up pgadmin 4 without a prompt for password as I am already logged in and the system keyring is available.

Error message

No error message, just a repeating password prompt.

Screenshots

Desktop (please complete the following information):

  • OS: Mac OS Sonoma
  • Version: 14.2.1 (23C71)
  • Mode: Desktop
  • Browser (if running in server mode): N/A
  • Package type: DMG

Additional context

@nikhil-mohite
Contributor

Hi @martinrm77 ,

I am unable to reproduce the issue with the upgrade and normal installation, can you please provide the steps or a short video recording?

@barbalex

barbalex commented Jan 1, 2024

I have the exact same issue. I simply downloaded and installed the pgadmin4-8.1-arm64.dmg. From that moment on it is unusable.

I had to:

  • reinstall v8.0
  • re-enter password twice

...then it worked again.

@ROSeaboyer

As someone else with the same issue, I upgraded to 8.1 and saw the issue immediately. At this point, I downgraded back to 8.0, got the pop-up a single time with 8.0, and then access to my Keychain remained (including across closing/reopening pgadmin). This is using both the arm64 and x86-64 builds.

@ShedPlant

I also saw this on Mac OS Sonoma 14.2.1 and rolled back to pgadmin4 8.0 😞

@JordanXtern

JordanXtern commented Jan 3, 2024

I have the same issue, 8.1 (via brew), asks for my keychain password in a loop, no matter how many times I enter it.
Downgrading to 8.0 (via dmg) fixes the issue.

@mheironimus-rgare

I saw the same issue on macOS Sonoma 14.2.1 with pgAdmin 4 v8.1. Downgrading to v8.0 resolved the issue for me as well.

@andrew-parsons-janus

andrew-parsons-janus commented Jan 5, 2024

Same issue. I installed 8.1 via the ARM .dmg. FWIW, it looks like I may have installed 8.0 via Homebrew, but forgot.

EDIT: resolved by downgrading to pgAdmin 4 8.0 via .dmg

@hwalker

hwalker commented Jan 8, 2024

Same issue here. To reproduce, try installing 8.0 (ARM), then add some servers with saved passwords, then upgrade to 8.1 (ARM). Keep getting a popup that says:

Python wants to use your confidential information stored in "pgAdmin4" in your keychain. To allow this, enter the "login" keychain password.

Have to roll back to 8.0 in order to use the application.

@JuanMiranda

Same issue here.
SONOMA 14.2.1 - x86 build.

@thestelz

@nikhil-mohite I'm having the same issue and I have a screen recording of it below:

pgAdmin4_keychainIssue.mov

MacOS Ventura 13.5.1 (M2)
pgAdmin4: 8.2

Downloaded pgadmin4-8.2-arm64.dmg

My steps to replicate:

  1. Have 7.8 installed
  2. Upgrade to 8.1
  3. Have the issue described above, then see that 8.2 was just released
  4. Update to 8.2 (the above screen recording was using 8.2)

@nikhil-mohite
Contributor

This is an issue while accessing the keychain in macOS. A similar issue is already logged in Python's keyring (https://github.com/jaraco/keyring) library that pgAdmin is using. issue

@adityatoshniwal
Contributor

Hi @thestelz,
How many servers do you have? And how many of them have saved passwords?

@thestelz

@adityatoshniwal I have 10 servers all with saved passwords. I took a look at the keyring issue above and read that it isn't a loop, but asks each time for each saved password. After I read that I reinstalled 8.2 and entered my password 10 times and clicked allow all each time. After I did that everything appears to be working as expected now.

@mazar

mazar commented Jan 11, 2024

> This is an issue while accessing the keychain in macOS. A similar issue is already logged in Python's keyring (https://github.com/jaraco/keyring) library that pgAdmin is using. issue

If it's an issue with keychain in macOS, how come downgrading to v8.0 fixes it?

@hwalker

hwalker commented Jan 11, 2024

I tested this on new version 8.2 (ARM) that just came out on Jan 9, 2024. (Upgraded from 8.0 to 8.2)

Now, if you hit "Deny" on the keychain popup, it then asks you for your master password. When you enter this, another popup immediately asks you for your Pgadmin master password. When you enter this, it seems to work.

When you reboot the application, the keychain popup comes back, and you have to hit deny again and enter your master password again.

At least you don't have to roll it back now, but it's still not working correctly...

@nikhil-mohite
Contributor

> I tested this on new version 8.2 (ARM) that just came out on Jan 9, 2024. (Upgraded from 8.0 to 8.2)
>
> Now, if you hit "Deny" on the keychain popup, it then asks you for your master password. When you enter this, another popup immediately asks you for your Pgadmin master password. When you enter this, it seems to work.
>
> When you reboot the application, the keychain popup comes back, and you have to hit deny again and enter your master password again.
>
> At least you don't have to roll it back now, but it's still not working correctly...

If pgAdmin is unable to use the KeyChain on macOS (When you click on the Deny button on the permissions dialog it will be unable to use KeyChain) it will ask for the master password and will use that to store the server passwords if the user selects Save Password checkbox when connecting to the server, and it will not use KeyChain to store the passwords.

@nikhil-mohite
Contributor

nikhil-mohite commented Jan 12, 2024

> > This is an issue while accessing the keychain in macOS. A similar issue is already logged in Python's keyring (https://github.com/jaraco/keyring) library that pgAdmin is using. issue
>
> If it's an issue with keychain in macOS, how come downgrading to v8.0 fixes it?

The issue is when the Python binary updates (or a new virtual environment is created), you will receive a popup asking for a login/keychain password. It will ask for permission per record it will try to access from KeyChain. If you have 3 records it will ask 3 times to allow you to access the keychain, once per record.

You can check the access in KeyChain by opening the KeyChain application, selecting any entry from KeyChain for pgAdmin, right-clicking and selecting Get Info for more details; in the Access Control tab you can see all the entries that are allowed access to the specific record in KeyChain. So if you have already allowed KeyChain for pgAdmin 4 v8.0, that entry is already present in the Access Control, so it will not ask to allow KeyChain access again, and due to that it is working fine if you downgrade pgAdmin to version 8.0.

@miskr-instructure

miskr-instructure commented Jan 22, 2024

There is a more severe problem with this - apps must not expect the Mac user to know their "login" keychain password. The MacOS API allows apps to add entries into the keychain without ever prompting the user for their keychain password, but it will prompt the user when the secret is read by a non-allowlisted app or by the human user themselves via the Keychain UI.

My Macbook is managed by corporate IT and my Sign-On password is apparently not my keychain password. I lost access to all secrets saved by pgadmin, probably permanently because downgrading hasn't recovered the saved passwords (I get past the popup but have to re-enter all the passwords).

I think the correct solution would be one of these:

  1. let users choose whether to use key store at all
    • if they say no, use master password solution like before (7.x versions?)
    • if they say yes, make a prompt for them where they have to prove they know their login keychain password before proceeding (if they don't have access to it due to IT policies, then don't let them choose this option, or they lock themselves out like me)
  2. Only store the master password in keychain, encrypt individual passwords the same way they were encrypted before keychain got integrated. This way if the MacOS keychain craps the bed, the user will only need to enter their master password manually for pgAdmin to work as normal - no dozens of annoying prompts and lockout/downgrade needed.

Other chromium-based apps (VS Code, Google Chrome) seem to be doing something similar to option 2 by the way - they only create one item in the keychain called "[...] Safe Storage" (though they aren't using it via a python script but directly).

@thekeviv

I'm having this same issue with version 8.2 today and downgraded back to 8.0.

@tauhidul35

It will ask to enter the correct password for each saved server. You must enter the correct password as many times as your saved password. I had 15 saved servers before updating the software. I had to enter the password 30 times, and now it is working fine.

@yogeshmahajan-1903
Contributor

This is behaviour enforced by Mac itself. For every saved server, once it will ask for password.

@yogeshmahajan-1903 closed this as not planned Feb 2, 2024
@miskr-instructure

@yogeshmahajan-1903 can pgAdmin project provide the option to disable the usage of MacOS Keychain at least? This is a UX issue and will happen every time pgAdmin upgrades the python binary in future releases. It's not even just having to enter the password dozens of times, but also losing your data if you don't have admin access to the keychain (can easily happen if you don't have high privileges on your MacOS).

@mheironimus-rgare

@yogeshmahajan-1903 - Are you sure this issue cannot be addressed? It is not an issue for 8.0. It only started happening in 8.1. That implies something changed in 8.1 that caused it to start happening.

@nuno

nuno commented Feb 2, 2024

Same here

@anilsahoo20
Contributor

Issue tested and verified on snapshot build: https://www.postgresql.org/ftp/pgadmin/pgadmin4/snapshots/2024-09-10/
Package: arm64, pip wheel with webserver authentication
Environment: macOS Ventura 13.5.1

@anilsahoo20 moved this from In Testing to ✅ Done in Current Sprint (184) Sep 11, 2024
@miskr-instructure

Could you share some summary of what you guys implemented as a fix? Storing a master password in keychain instead of storing individual server passwords?

@yogeshmahajan-1903
Contributor

> Could you share some summary of what you guys implemented as a fix? Storing a master password in keychain instead of storing individual server passwords?

We have followed way described here - #7076 (comment)

@OneideLuizSchneider

same here v8.12...

@yogeshmahajan-1903
Contributor

@OneideLuizSchneider
Can you please elaborate more about the issue you are facing? Please share pgadmin logs.

@OneideLuizSchneider

As I said, the same issue everyone is having here, I just downgraded to 8.0 and now it is working again..

Basically the same as this comment: #7076 (comment)

@yogeshmahajan-1903
Contributor

@OneideLuizSchneider
Can you please share a screen recording for the issue with version 8.12? We have now changed the way to store password with keyring, hence does not expect that pgadmin is asking system password to access keyring twice the number of servers with saved password. It should ask twice only.

@cyberelfo

Same issue here!

  • MacBook Pro M1 (2021)
  • MacOS 15.0.1
  • PGAdmin 8.13
pgAdmin Runtime Environment
--------------------------------------------------------
Python Path: "/Applications/pgAdmin 4.app/Contents/Frameworks/Python.framework/Versions/Current/bin/python3"
Runtime Config File: "/Users/franklinamorim/Library/Application Support/pgAdmin 4/config.json"
Webapp Path: "/Applications/pgAdmin 4.app/Contents/Resources/web/pgAdmin4.py"
pgAdmin Command: "/Applications/pgAdmin 4.app/Contents/Frameworks/Python.framework/Versions/Current/bin/python3 -s /Applications/pgAdmin 4.app/Contents/Resources/web/pgAdmin4.py"
Environment: 
  - MallocNanoZone: 0
  - USER: franklinamorim
  - COMMAND_MODE: unix2003
  - __CFBundleIdentifier: org.pgadmin.pgadmin4
  - PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
  - LOGNAME: franklinamorim
  - SYSTEM_VERSION_COMPAT: 0
  - SSH_AUTH_SOCK: /private/tmp/com.apple.launchd.Jx5GXLUZRO/Listeners
  - HOME: /Users/franklinamorim
  - SHELL: /bin/zsh
  - TMPDIR: /var/folders/14/6q4lx7ys2mv1ng7wcv549r_80000gq/T/
  - __CF_USER_TEXT_ENCODING: 0x1F7:0x0:0x0
  - XPC_SERVICE_NAME: application.org.pgadmin.pgadmin4.101750953.101766501
  - XPC_FLAGS: 0x0
  - ORIGINAL_XDG_CURRENT_DESKTOP: undefined
  - ELECTRON_ENABLE_SECURITY_WARNINGS: false
  - PGADMIN_INT_PORT: 63338
  - PGADMIN_INT_KEY: 0855e55b-9373-4352-a62a-0eb6bee35e04
  - PGADMIN_SERVER_MODE: OFF
--------------------------------------------------------

Total spawn time to start the pgAdmin4 server: 0.002 Sec
2024-11-14 11:33:37,111: WARNING	werkzeug:	Werkzeug appears to be used in a production deployment. Consider switching to a production web server instead.

 * Serving Flask app 'pgadmin'
 * Debug mode: off

------------------------------------------
Total time taken to ping pgAdmin4 server: 2.028 Sec
------------------------------------------
Total launch time of pgAdmin4: 2.148 Sec
------------------------------------------
Application Server URL: http://127.0.0.1:63338/?key=0855e55b-9373-4352-a62a-0eb6bee35e04
2024-11-14 11:33:47,437: ERROR	pgadmin:	Failed to get/set encryption key using OS password manager because of exception. Error: Can't get password from keychain: (-128, 'Keychain Access Denied')
Traceback (most recent call last):
  File "/Applications/pgAdmin 4.app/Contents/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/keyring/backends/macOS/__init__.py", line 61, in get_password
    return api.find_generic_password(self.keychain, service, username)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/pgAdmin 4.app/Contents/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/keyring/backends/macOS/api.py", line 156, in find_generic_password
    Error.raise_for_status(status)
  File "/Applications/pgAdmin 4.app/Contents/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/keyring/backends/macOS/api.py", line 119, in raise_for_status
    raise KeychainDenied(status, "Keychain Access Denied")
keyring.backends.macOS.api.KeychainDenied: (-128, 'Keychain Access Denied')

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/Applications/pgAdmin 4.app/Contents/Resources/web/pgadmin/browser/__init__.py", line 724, in set_master_password
    migrated_save_passwords, error = migrate_saved_passwords(
                                     ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/pgAdmin 4.app/Contents/Resources/web/pgadmin/browser/server_groups/servers/utils.py", line 371, in migrate_saved_passwords
    servers_with_pwd_in_pgadmin_db = get_servers_with_saved_passwords()
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/pgAdmin 4.app/Contents/Resources/web/pgadmin/browser/server_groups/servers/utils.py", line 325, in get_servers_with_saved_passwords
    spassword = keyring.get_password(
                ^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/pgAdmin 4.app/Contents/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/keyring/core.py", line 63, in get_password
    return get_keyring().get_password(service_name, username)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/pgAdmin 4.app/Contents/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/keyring/backends/macOS/__init__.py", line 21, in wrapper
    return func(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/pgAdmin 4.app/Contents/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/keyring/backends/macOS/__init__.py", line 65, in get_password
    raise KeyringLocked(f"Can't get password from keychain: {e}") from e
keyring.errors.KeyringLocked: Can't get password from keychain: (-128, 'Keychain Access Denied')

@yogeshmahajan-1903
Contributor

@cyberelfo
pgadmin uses keychain to store encryption key which is used for password encryption before saving them. Kindly click 'Always Allow' in the pop-up 'Python wants to use.....' when you open the pgadmin.
Something like below -
Screenshot 2024-11-14 at 5 23 47 PM

@OneideLuizSchneider

@yogeshmahajan-1903
Yep, that is the message, and I did click on Always Allow .. it didn't work...
And downgrading it to 8.0 works.

@cyberelfo

cyberelfo commented Nov 15, 2024

> @cyberelfo pgadmin uses keychain to store encryption key which is used for password encryption before saving them. Kindly click 'Always Allow' in the pop-up 'Python wants to use.....' when you open the pgadmin.

As @OneideLuizSchneider mentioned, even after clicking Always Allow the popup keeps showing up.

Also downgraded to 8.0.

@yogeshmahajan-1903
Contributor

> > @cyberelfo pgadmin uses keychain to store encryption key which is used for password encryption before saving them. Kindly click 'Always Allow' in the pop-up 'Python wants to use.....' when you open the pgadmin.
>
> As @OneideLuizSchneider mentioned, even after clicking Always Allow the popup keeps showing up.

How many times was the pop-up shown? Can you please share the logs? If you have upgraded from a version before 8.11 to 8.13, it will show the pop-up 2 * number of servers with saved password. (E.g. if you have 2 servers with saved password, then it will ask you 4 times. Once this is done in 8.12/8.13, it should show you the pop-up 2 times.) Kindly try by clicking Always Allow for all such pop-ups. Kindly let me know the number of times the pop-up was shown.

> Also downgraded to 8.0.

@PK-AIM

PK-AIM commented Nov 15, 2024

I am confused by the following:

> If you have upgraded from a version before 8.11 to 8.13, it will show the pop-up 2 * number of servers with saved password. (E.g. if you have 2 servers with saved password, then it will ask you 4 times. Once this is done in 8.12/8.13, it should show you the pop-up 2 times.)

But if it is just storing the encryption password, then why is it asking more than once for access to the keychain?

@yogeshmahajan-1903
Contributor

> I am confused by the following:
>
> > If you have upgraded from a version before 8.11 to 8.13, it will show the pop-up 2 * number of servers with saved password. (E.g. if you have 2 servers with saved password, then it will ask you 4 times. Once this is done in 8.12/8.13, it should show you the pop-up 2 times.)
>
> But if it is just storing the encryption password, then why is it asking more than once for access to the keychain?

Before 8.13 all passwords used to get saved in keychain. From 8.13 pgadmin now stores only the encryption key in keychain. But to migrate existing saved passwords with keychain, it will ask 2 * number of servers with saved password. Also it's Mac behaviour which asks you 2 times for the password to retrieve a single entry from keychain.
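
An illustration added here (not part of the thread, and not pgAdmin or macOS code): a toy model of the per-item access lists described in the Jan 12 comment, used to count password dialogs for the per-server layout and for the single-encryption-key layout described just above. The binary names, item names and the "creator is trusted without a prompt" rule are assumptions of the model; the two-dialogs-per-entry figure is the one stated in this thread.

```python
"""Toy model of per-item keychain access lists (constructed, not the macOS API)."""

DIALOGS_PER_ITEM = 2  # per the thread: two password dialogs per keychain entry
OLD, NEW, NEWER = "python-8.0", "python-8.13", "python-next"  # hypothetical binaries


class ToyKeychain:
    def __init__(self):
        self.items = {}   # item name -> (secret, set of trusted binaries)
        self.dialogs = 0  # password dialogs shown to the user so far

    def add(self, app, name, secret):
        # Assumption: creating an item never prompts and trusts the creator.
        self.items[name] = (secret, {app})

    def read(self, app, name):
        secret, trusted = self.items[name]
        if app not in trusted:
            # Unknown binary: prompt, then "Always Allow" extends this item's
            # access list only. Other items still do not know the binary.
            self.dialogs += DIALOGS_PER_ITEM
            trusted.add(app)
        return secret


def per_server_keychain(n):
    """Layout before the fix: one keychain item per saved server password."""
    kc = ToyKeychain()
    for i in range(n):
        kc.add(OLD, f"server-{i}", f"constructed-password-{i}")
    return kc


def dialogs_on_start(n, app):
    """Dialogs shown when `app` reads all n per-server items at startup."""
    kc = per_server_keychain(n)
    for name in list(kc.items):
        kc.read(app, name)
    return kc.dialogs


def single_key_lifecycle(n):
    """Dialogs for: migration, restart on same binary, next binary update."""
    kc = per_server_keychain(n)
    # Migration: the new binary must read every old item once ...
    saved = {name: kc.read(NEW, name) for name in list(kc.items)}
    for name in saved:
        del kc.items[name]
    # ... then only one item, the encryption key, stays in the keychain.
    kc.add(NEW, "encryption-key", "constructed-key")
    migration = kc.dialogs
    kc.read(NEW, "encryption-key")
    restart = kc.dialogs - migration
    kc.read(NEWER, "encryption-key")
    next_update = kc.dialogs - migration - restart
    return migration, restart, next_update


if __name__ == "__main__":
    print("8.0 binary, 10 servers:", dialogs_on_start(10, OLD))
    print("new binary, 10 servers:", dialogs_on_start(10, NEW))
    print("single-key lifecycle, 2 servers:", single_key_lifecycle(2))
```

In this model the old binary sees no dialogs because it is still on every item's access list, which matches the downgrade reports above, while the single-key layout keeps later binary updates to one item's worth of dialogs regardless of the number of servers.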

@PK-AIM

PK-AIM commented Nov 18, 2024

> Before 8.13 all passwords used to get saved in keychain. From 8.13 pgadmin now stores only the encryption key in keychain. But to migrate existing saved passwords with keychain, it will ask 2 * number of servers with saved password. Also it's Mac behaviour which asks you 2 times for the password to retrieve a single entry from keychain.

Thank you for the answer.

@yogeshmahajan-1903
Contributor

> > Before 8.13 all passwords used to get saved in keychain. From 8.13 pgadmin now stores only the encryption key in keychain. But to migrate existing saved passwords with keychain, it will ask 2 * number of servers with saved password. Also it's Mac behaviour which asks you 2 times for the password to retrieve a single entry from keychain.
>
> Thank you for the answer.

Is your issue resolved?

@PK-AIM

PK-AIM commented Nov 19, 2024

> > > Before 8.13 all passwords used to get saved in keychain. From 8.13 pgadmin now stores only the encryption key in keychain. But to migrate existing saved passwords with keychain, it will ask 2 * number of servers with saved password. Also it's Mac behaviour which asks you 2 times for the password to retrieve a single entry from keychain.
>
> > Thank you for the answer.
>
> Is your issue resolved?

Yes.

@iremozdemr

iremozdemr commented Nov 23, 2024

Open Keychain Access and search for pgAdmin 4 under the All Items section. Click on it, then navigate to the Access Control tab, and select Allow all applications to access this item.
