Comments on: Usable Keychain Scripting

By: Usable Keychain Scripting For Lion | Bookmarks

Usable Keychain Scripting For Lion | Bookmarks — Thu, 18 Aug 2011 14:37:14 +0000

[...] Snow Leopard in order to keep using it.On the other hand, I wrote an alternative years ago, called Usable Keychain Scripting. Its main advantage over Apple’s implementation is that it is (or at least, was) enormously [...]

By: Red Sweater Blog – Safari Keychain Woes

Red Sweater Blog – Safari Keychain Woes — Fri, 29 Jul 2011 20:57:30 +0000

[...] it’s NULL! What is going on, here? I decided to dust off my Usable Keychain Scripting tool, which makes it easy to use AppleScript to search and inspect the keychain. Is the inability [...]

By: Red Sweater Blog – Usable Keychain Scripting For Lion

Red Sweater Blog – Usable Keychain Scripting For Lion — Fri, 29 Jul 2011 19:15:46 +0000

[...] the other hand, I wrote an alternative years ago, called Usable Keychain Scripting. Its main advantage over Apple’s implementation is that it is (or at least, was) enormously [...]

By: Kem Tekinay

Kem Tekinay — Sat, 07 May 2011 22:22:00 +0000

I just found this. Outstanding! It also solves the problem of applets saved as bundles constantly asking for permission to access the keychain. Thanks for this.

By: Keychain scripting letting the Twitters down « A Dog’s Breakfast, part II

Fri, 23 Mar 2007 10:19:53 +0000

[...] Red Sweater Blog says : [...]

By: Daniel Jalkut

Daniel Jalkut — Thu, 17 Aug 2006 13:53:32 +0000

ssp: I see what you mean now. And yes, it’s a problem. It’s similar to the problem with command-line tools and network access. For instance, once you use “telnet” or “ssh” or “curl” to connect to a particular site and grant network permissions via Little Snitch or whatever, the tool is suddenly blessed for whoever might call it.

By: ssp

ssp — Thu, 17 Aug 2006 11:37:30 +0000

I’m not sure this was clear in my previous comment, but the main problem I am seeing is the concept of a proxy application for accessing the keychain. Usually the keychain will ask you about an application wanting to access your passwords. And even if you go for the ‘allow permanently’ option you will have to confirm access to those keys again after upgrading the application in question for example.

Once you have a proxy application in between, though, this whole security feature stops to work. Not only will you not be notified that the application getting the password in the end has changed, there could even be a completely different application asking for your passwords without you having a chance to notice that.

I am not saying that this is a practical problem today – most certainly it isn’t. But it’s mainly “security by obscurity” you are getting there. As useful as such a tool for accessing the keychain can be for private use, as dangerous it could be once it sees usage in public. I guess it all boils down to the question whether you are prepared to grant access to your passwords to an application which will just pass them on to anyone who bothers to ask.

It could be interesting to discuss what Apple could do to improve their keychain API in that respect. While I think the traditional ‘ask for each application’ approach is a good balance of security and not annoying the user too much, the very fact that OS X is a Unixy system that lets you tie applications together through little helper applications and scripting languages makes this approach a bit weak in some cases.

By: Mike Henley

Mike Henley — Wed, 16 Aug 2006 13:30:54 +0000

I got a slight improvement in speed by using the style of the last example with the built-in keychain access. If you know that something is a generic key, you can ask for “the first generic key where…”

By: Alex

Alex — Tue, 15 Aug 2006 04:57:30 +0000

I don’t know if this may be of use to anyone else, but an alternative to slow keychain scripting is doing it via the shell. Allan Odgaard wrote up a nice post about it a while back: http://macromates.com/blog/archives/2006/04/17/keychain-access-from-shell/

By: Kunal

Kunal — Sun, 13 Aug 2006 06:36:01 +0000

Talking about keychain security I was wondering, could you gain access to anyone's keychain contents if you could just lay your hands on the file?