Cannot access credentials if python interpreter changes on macOS #40

Open
jjhelmus opened this issue Dec 13, 2024 · 1 comment

jjhelmus commented Dec 13, 2024

What happened?

When running on macOS, if the python binary changes (for example from an update or change in channels), items already saved into the keychain are not accessible. Attempting to remove them raises a CondaAuthError error.

Example:

❯ conda create --prefix ./new_base python=3.11 conda-auth
...
❯ conda activate ./new_base
❯ eval $(./new_base/condabin/conda shell.zsh hook)
❯ conda auth login https://repo.example.com --token 1234
Successfully stored credentials
❯ conda install python=3.12 --yes
...
❯ conda auth logout https://repo.example.com

CondaAuthError: Unable to remove secret: Can't delete password in keychain: (-25244, 'Unknown Error')

The stored token can only be accessed using keyring if permission to the keychain is granted for the item.

For example

python -c "import keyring; print(keyring.get_password('conda-auth::token::https://repo.example.com', 'token'))"

Will display a dialog asking the user to grant the application access to the item stored in the keychain.

From my testing, items in the macOS keychain have their access control set so that only the binary that created them initially has access. Other binaries must be granted access.

Conda Info

❯ conda info

     active environment : base
    active env location : /Users/jhelmus/bug/new_base
            shell level : 2
       user config file : /Users/jhelmus/.condarc
 populated config files : /Users/jhelmus/.condarc
          conda version : 24.11.1
    conda-build version : not installed
         python version : 3.11.11.final.0
                 solver : libmamba (default)
       virtual packages : __archspec=1=m1
                          __conda=24.11.1=0
                          __osx=14.6.1=0
                          __unix=0=0
       base environment : /Users/jhelmus/bug/new_base  (writable)
      conda av data dir : /Users/jhelmus/bug/new_base/etc/conda
  conda av metadata url : None
           channel URLs : https://repo.anaconda.com/pkgs/main/osx-arm64
                          https://repo.anaconda.com/pkgs/main/noarch
                          https://repo.anaconda.com/pkgs/r/osx-arm64
                          https://repo.anaconda.com/pkgs/r/noarch
          package cache : /Users/jhelmus/bug/new_base/pkgs
                          /Users/jhelmus/.conda/pkgs
       envs directories : /Users/jhelmus/bug/new_base/envs
                          /Users/jhelmus/.conda/envs
               platform : osx-arm64
             user-agent : conda/24.11.1 requests/2.32.3 CPython/3.11.11 Darwin/23.6.0 OSX/14.6.1 solver/libmamba conda-libmamba-solver/24.9.0 libmambapy/1.5.11
                UID:GID : 502:20
             netrc file : None
           offline mode : False

Conda Config

==> /Users/jhelmus/.condarc <==
changeps1: False
ssl_verify: True
channels:
  - defaults
report_errors: False

Conda list

# packages in environment at /Users/jhelmus/bug/new_base:
#
# Name                    Version                   Build  Channel
archspec                  0.2.3              pyhd3eb1b0_0    defaults
boltons                   23.0.0          py311hca03da5_0    defaults
brotli-python             1.0.9           py311h313beb8_8    defaults
bzip2                     1.0.8                h80987f9_6    defaults
c-ares                    1.19.1               h80987f9_0    defaults
ca-certificates           2024.11.26           hca03da5_0    defaults
certifi                   2024.8.30       py311hca03da5_0    defaults
cffi                      1.17.1          py311h3eb5a62_0    defaults
charset-normalizer        3.3.2              pyhd3eb1b0_0    defaults
click                     8.1.7           py311hca03da5_0    defaults
conda                     24.11.1         py311hca03da5_0    defaults
conda-auth                0.2.1           py311hca03da5_0    defaults
conda-libmamba-solver     24.9.0             pyhd3eb1b0_0    defaults
conda-package-handling    2.4.0           py311hca03da5_0    defaults
conda-package-streaming   0.11.0          py311hca03da5_0    defaults
distro                    1.9.0           py311hca03da5_0    defaults
fmt                       9.1.0                h48ca7d4_1    defaults
frozendict                2.4.2           py311hca03da5_0    defaults
icu                       73.1                 h313beb8_0    defaults
idna                      3.7             py311hca03da5_0    defaults
importlib-metadata        8.5.0           py311hca03da5_0    defaults
importlib_metadata        8.5.0                hd3eb1b0_0    defaults
jaraco.classes            3.2.1              pyhd3eb1b0_0    defaults
jsonpatch                 1.33            py311hca03da5_1    defaults
jsonpointer               2.1                pyhd3eb1b0_0    defaults
keyring                   24.3.1          py311hca03da5_0    defaults
krb5                      1.20.1               hf3e1bf2_1    defaults
libarchive                3.7.7                h8f13d7a_0    defaults
libcurl                   8.9.1                h3e2b118_0    defaults
libcxx                    14.0.6               h848a8c0_0    defaults
libedit                   3.1.20230828         h80987f9_0    defaults
libev                     4.33                 h1a28f6b_1    defaults
libffi                    3.4.4                hca03da5_1    defaults
libiconv                  1.16                 h80987f9_3    defaults
libmamba                  1.5.11               haeffa04_1    defaults
libmambapy                1.5.11          py311h15e39b3_1    defaults
libnghttp2                1.57.0               h62f6fdd_0    defaults
libsolv                   0.7.24               h514c7bf_1    defaults
libssh2                   1.11.1               h3e2b118_0    defaults
libxml2                   2.13.5               h0b34f26_0    defaults
lz4-c                     1.9.4                h313beb8_1    defaults
menuinst                  2.2.0           py311hca03da5_0    defaults
more-itertools            10.3.0          py311hca03da5_0    defaults
ncurses                   6.4                  h313beb8_0    defaults
openssl                   3.0.15               h80987f9_0    defaults
packaging                 24.1            py311hca03da5_0    defaults
pcre2                     10.42                hb066dcc_1    defaults
pip                       24.2            py311hca03da5_0    defaults
platformdirs              3.10.0          py311hca03da5_0    defaults
pluggy                    1.5.0           py311hca03da5_0    defaults
pybind11-abi              4                    hd3eb1b0_1    defaults
pycosat                   0.6.6           py311h80987f9_1    defaults
pycparser                 2.21               pyhd3eb1b0_0    defaults
pysocks                   1.7.1           py311hca03da5_0    defaults
python                    3.11.11              hb885b13_0    defaults
readline                  8.2                  h1a28f6b_0    defaults
reproc                    14.2.4               h313beb8_2    defaults
reproc-cpp                14.2.4               h313beb8_2    defaults
requests                  2.32.3          py311hca03da5_1    defaults
ruamel.yaml               0.18.6          py311h80987f9_0    defaults
ruamel.yaml.clib          0.2.8           py311h80987f9_0    defaults
setuptools                75.1.0          py311hca03da5_0    defaults
sqlite                    3.45.3               h80987f9_0    defaults
tk                        8.6.14               h6ba3021_0    defaults
tqdm                      4.66.5          py311hb6e6a13_0    defaults
truststore                0.8.0           py311hca03da5_0    defaults
tzdata                    2024b                h04d1e81_0    defaults
urllib3                   2.2.3           py311hca03da5_0    defaults
wheel                     0.44.0          py311hca03da5_0    defaults
xz                        5.4.6                h80987f9_1    defaults
yaml-cpp                  0.8.0                h313beb8_1    defaults
zipp                      3.21.0          py311hca03da5_0    defaults
zlib                      1.2.13               h18a0788_1    defaults
zstandard                 0.23.0          py311h1a4646a_1    defaults
zstd                      1.5.6                hfb09047_0    defaults

Additional Context

No response

@jjhelmus
Author

Note that this issue also prevents credentials stored in the keychain from being accessed by other conda environments unless the user grants the python binary installed in that environment access.
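
An added example, not part of the original issue or of conda-auth's code: a helper that decodes the OSStatus number keyring reports as 'Unknown Error' and separates access-control failures from a missing item, naming the interpreter that was refused. The OSStatus names are from Apple's SecBase.h; `explain`, `logout` and the injected `delete_fn` are hypothetical names, and the sample message is constructed from the error text above.

```python
import re
import sys

# OSStatus names from Apple's Security framework header SecBase.h.
OSSTATUS = {
    -128: "errSecUserCanceled",
    -25243: "errSecNoAccessForItem",
    -25244: "errSecInvalidOwnerEdit",
    -25293: "errSecAuthFailed",
    -25300: "errSecItemNotFound",
    -25308: "errSecInteractionNotAllowed",
}
# Codes that concern access to an existing item rather than a missing one.
ACCESS_CODES = {-128, -25243, -25244, -25293, -25308}

# Constructed sample: the keyring part of the error text quoted in the issue.
SAMPLE = "Can't delete password in keychain: (-25244, 'Unknown Error')"


def parse_osstatus(message):
    """Return the (code, text) pair embedded in a keyring error, or None."""
    m = re.search(r"\((-?\d+),\s*'([^']*)'\)", message)
    return (int(m.group(1)), m.group(2)) if m else None


def explain(message, interpreter=sys.executable):
    """Classify a Keychain failure and name the binary that was refused."""
    parsed = parse_osstatus(message)
    if parsed is None:
        return {"code": None, "name": None, "access_related": False,
                "hint": "no OSStatus in message"}
    code = parsed[0]
    access = code in ACCESS_CODES
    hint = (f"Keychain refused {interpreter}; grant this binary access to the "
            "item or remove it in Keychain Access, then log in again."
            if access else "not an access-control failure")
    return {"code": code, "name": OSSTATUS.get(code, "unknown"),
            "access_related": access, "hint": hint}


def logout(delete_fn, service, username, interpreter=sys.executable):
    """Run a keyring-style delete and report access failures with context."""
    try:
        delete_fn(service, username)
    except Exception as exc:  # the keyring package raises PasswordDeleteError
        return {"removed": False, **explain(str(exc), interpreter)}
    return {"removed": True}
```

Passing `keyring.delete_password` as `delete_fn` applies the same handling to the real backend.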
