Re: Modifying Emacs to use the Mac OS X Keychain Services

[Dave Abrahams <dave@boostpro.com>]

on Sun Jul 29 2012, Ted Zlatanov <tzz-AT-lifelogs.com> wrote:

> On Fri, 27 Jul 2012 11:20:17 -0400 Dave Abrahams <dave@boostpro.com> wrote: 
>
> DA> Did anything come of this?  I am really tired of typing in my GPG key
> DA> every time I start Gnus.  I'd be more than happy to have a solution that
> DA> just used /usr/bin/security to look up the password; I don't need more
> DA> security than that.
>
> DA> I looked a bit at the "secrets" API but could understand it easily
> DA> enough to code something up.  I just want Emacs to run
>
> DA>    /usr/bin/security --find-internet-password -gs <hostname> <username>
>
> DA> to get the password for my mail server.
>
> I don't think I knew about this utility :)  Thanks!
>
> I haven't heard from Ben Key (CC-ed on this post) in a year so I figured
> it's simpler to implement this myself.  I've pushed something into the
> Gnus repo, which you can test.  It doesn't support creation or deletion,
> but searching works.
>
> The fundamental problem was that internet (I've spelled it with a
> lowercase 'i' to be consistent with Apple) and generic keychains behave
> very differently.  So I chose to make the user decide which one he
> wants; the following are valid entries in `auth-sources':
>
> #+begin_src lisp
> (auth-source-backend-parse 'macos-keychain-internet)
> (auth-source-backend-parse 'macos-keychain-generic)
> (auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
> (auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
> (auth-source-backend-parse '(:source (:macos-keychain-internet default)))
> (auth-source-backend-parse '(:source (:macos-keychain-generic "/path/here.keychain")))
> #+end_src

And despite that, I am seeing 

auth-source-backend-parse: invalid backend spec: (quote macos-keychain-generic)
auth-source-backend-parse: invalid backend spec: (quote macos-keychain-internet)

>
> ...and here you can see the very first entry in each of your default
> internet and generic keychains:
>
> #+begin_src lisp
> (let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
> (let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
> #+end_src
>
> The hardest part was mapping internet and generic keychains into the
> common auth-source format for searching and for providing results.  For
> searching, I chose to map them as explained in the docstring of
> `auth-source-macos-keychain-search', using the various /usr/bin/security
> parameters.  For results, the logic is simple enough to show here:
>
> #+begin_src lisp
> (defun auth-source-macos-keychain-result-append (result generic k v)
>   (push v result)
>   (setq k (cond
>            ((equal k "acct") "user")
>            ;; for generic keychains, creator is host, service is port
>            ((and generic (equal k "crtr")) "host")
>            ((and generic (equal k "svce")) "port")
>            ;; for internet keychains, protocol is port, server is host
>            ((and (not generic) (equal k "ptcl")) "port")
>            ((and (not generic) (equal k "srvr")) "host")
>            (t k)))
>
>   (push (intern (format ":%s" k)) result))
> #+end_src
>
> At most one result is returned, ever.  This is due to the way
> /usr/bin/security works.  If I dump the whole keychain, the user would
> get a thousand popup dialogs.
>
> It should be pretty trivial to use the native keychain calls on Mac OS X
> within this framework.  Ben, if you're still interested, please let us
> know.
>
> I am far from expert on Mac OS X; this worked for me and I hope it works
> for you.  Patches welcome to improve it.
>
> Ted

-- 
Dave Abrahams
BoostPro Computing                  Software Development        Training
http://www.boostpro.com             Clang/LLVM/EDG Compilers  C++  Boost