Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incompatible encoding on darwin #115

Open
Makpoc opened this issue Oct 16, 2024 · 4 comments
Open

Incompatible encoding on darwin #115

Makpoc opened this issue Oct 16, 2024 · 4 comments

Comments

@Makpoc
Copy link

Makpoc commented Oct 16, 2024

Hello.

It looks like this change 5205e6f#diff-14c4aa5420de20b1ef5b174be7c1d389e4bdbbf71719ca66bf308caf38c60d1d is backwards incompatible on Darwin. The default prefix when Setting values is now go-keyring-base64: and clients that use older version of the go-keyring library would not have that prefix stripped and end up with a bad value.

Steps to reproduce:

main.go:

package main

import (
	"errors"
	"fmt"

	"github.com/zalando/go-keyring"
)

func main() {
	secret, err := keyring.Get("myservice", "myuser")
	if err != nil {
		if !errors.Is(err, keyring.ErrNotFound) {
			panic(err)
		}
		err = keyring.Set("myservice", "myuser", "very-secret")
		if err != nil {
			panic(err)
		}
	}
	fmt.Println(secret)
}

Build it once with [email protected] -> keyring_old.bin

  • go get github.com/zolando/[email protected]
  • go mod tidy && go mod vendor
  • GOOS=darwin GOARCH=arm64 go build -o keyring_old.bin ./...

Build it with [email protected] -> keyring_new.bin

  • go get github.com/zolando/[email protected]
  • go mod tidy && go mod vendor
  • GOOS=darwin GOARCH=arm64 go build -o keyring_new.bin ./...
  1. Run keyring_new.bin first, then run keyring_old.bin.

Result:

># ./keyring_new.bin
very-secret
># ./keyring_old.bin
go-keyring-base64:dmVyeS1zZWNyZXQ=

  1. Clean the "myservice" credentials

  2. Run keyring_old.bin first, then run keyring_new.bin

># ./keyring_old.bin
very-secret
># ./keyring_new.bin
very-secret
@mikkeloscar
Copy link
Member

I'm not sure how we could solve this. It's forwards compatible but not backwards. If people use an older version for the same secrets I think it's reasonable to expect there can be problems.

@Makpoc
Copy link
Author

Makpoc commented Oct 17, 2024
edited
Loading

I have not had much time to think about the possible solution, but off the top of my head it may be possible to provide a function where we set the preferred encoding algorithm so that we can control the prefix (e.g. newer versions would be able to keep writing new secrets as hex instead of base64).

@mikkeloscar
Copy link
Member

What is the use case for using and old AND a new version for go-keyring for the same secrets? There need to be a good use case before it makes sense to implement and maintain such a thing like a switch between hex and base64.

@Makpoc
Copy link
Author

Makpoc commented Oct 17, 2024

The use case is related to multiple independent applications that rely on the shared secret to communicate. We cannot ensure they are all up-to date if they are shipped to clients.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mikkeloscar @Makpoc