Comment by L-four

Comment by L-four 5 days ago

View on Hacker News

I think the correct solution is to use a keyring. On Linux there's gnome keyring and last time I worked on a IOS app there was something similar.

This does mean entering your keyring password a lot.

https://en.wikipedia.org/wiki/GNOME_Keyring

1718627440 5 days ago

> This does mean entering your keyring password a lot.

Not when you put that keyrings password into the user keyring. I think it is also cached by default.

Reply View 4 replies

masfuerte 5 days ago

Then what stops the malware accessing the keyring?

Reply View | 3 replies
- 1718627440 5 days ago
  
  The security boundary on the OS is the user of the process. If you run the malware under the same user as the key, than yes of course it has access. But in production you don't run software under the same user, and on the developer machine you wouldn't put the production key in the user keychain.
  
  Reply View | 0 replies
- mxey 5 days ago
  
  On disk, it’s encrypted. The running service, at least on macOS, only hands the item out to specific apps, based on their code signing identity.
  
  Reply View | 1 reply
  
  ElectricalUnion 5 days ago
  
  Who signs an "app" when I download it from Homebrew?
  If all Homebrew "apps" are the same key then accepting a keyring notification on one app is a lost cause at it would allows things vulnerable to RCE to read/write everything?
  
  Reply View | 0 replies