From: Ted Zlatanov
Newsgroups: gmane.emacs.devel,gmane.emacs.gnus.general
Subject: Re: Modifying Emacs to use the Mac OS X Keychain Services
Date: Sun, 29 Jul 2012 18:05:22 -0400
Message-ID: <87lii2ql3x.fsf@lifelogs.com>
To: emacs-devel@gnu.org
Cc: ding@gnus.org

On Fri, 27 Jul 2012 11:20:17 -0400 Dave Abrahams wrote:

DA> Did anything come of this? I am really tired of typing in my GPG key
DA> every time I start Gnus. I'd be more than happy to have a solution that
DA> just used /usr/bin/security to look up the password; I don't need more
DA> security than that.

DA> I looked a bit at the "secrets" API but could understand it easily
DA> enough to code something up.
DA> I just want Emacs to run
DA> /usr/bin/security --find-internet-password -gs
DA> to get the password for my mail server.

I don't think I knew about this utility :) Thanks!

I haven't heard from Ben Key (CC-ed on this post) in a year so I figured
it's simpler to implement this myself. I've pushed something into the
Gnus repo, which you can test. It doesn't support creation or deletion,
but searching works.

The fundamental problem was that internet (I've spelled it with a
lowercase 'i' to be consistent with Apple) and generic keychains behave
very differently. So I chose to make the user decide which one he
wants; the following are valid entries in `auth-sources':

#+begin_src lisp
(auth-source-backend-parse 'macos-keychain-internet)
(auth-source-backend-parse 'macos-keychain-generic)
(auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
(auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
(auth-source-backend-parse '(:source (:macos-keychain-internet default)))
(auth-source-backend-parse '(:source (:macos-keychain-generic "/path/here.keychain")))
#+end_src

...and here you can see the very first entry in each of your default
internet and generic keychains:

#+begin_src lisp
(let ((auth-sources '(macos-keychain-internet)))
  (auth-source-search :max 1))

(let ((auth-sources '(macos-keychain-generic)))
  (auth-source-search :max 1))
#+end_src

The hardest part was mapping internet and generic keychains into the
common auth-source format for searching and for providing results. For
searching, I chose to map them as explained in the docstring of
`auth-source-macos-keychain-search', using the various /usr/bin/security
parameters.
For results, the logic is simple enough to show here:

#+begin_src lisp
(defun auth-source-macos-keychain-result-append (result generic k v)
  (push v result)
  (setq k (cond
           ((equal k "acct") "user")
           ;; for generic keychains, creator is host, service is port
           ((and generic (equal k "crtr")) "host")
           ((and generic (equal k "svce")) "port")
           ;; for internet keychains, protocol is port, server is host
           ((and (not generic) (equal k "ptcl")) "port")
           ((and (not generic) (equal k "srvr")) "host")
           (t k)))

  (push (intern (format ":%s" k)) result))
#+end_src

At most one result is returned, ever. This is due to the way
/usr/bin/security works. If I dump the whole keychain, the user would
get a thousand popup dialogs.

It should be pretty trivial to use the native keychain calls on Mac OS X
within this framework. Ben, if you're still interested, please let us
know.

I am far from expert on Mac OS X; this worked for me and I hope it works
for you. Patches welcome to improve it.

Ted
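
The result mapping described in the message above, carried through from raw `/usr/bin/security` text to an auth-source style plist. This is an added example, not part of the original post or of auth-source.el: the `demo-` names are hypothetical, the sample output is constructed, and the line-based parsing is an assumption about one reasonable way to read that output.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example; the demo-* names are hypothetical, not auth-source.el code.

(defconst demo-keychain-sample-output
  (concat
   "keychain: \"/Users/demo/Library/Keychains/login.keychain\"\n"
   "class: \"inet\"\n"
   "attributes:\n"
   "    0x00000007 <blob>=\"mail.example.org\"\n"
   "    \"acct\"<blob>=\"demo\"\n"
   "    \"desc\"<blob>=<NULL>\n"
   "    \"ptcl\"<uint32>=\"imap\"\n"
   "    \"srvr\"<blob>=\"mail.example.org\"\n"
   "password: \"not-a-real-secret\"\n")
  "Constructed sample of `security find-internet-password -g' output.")

(defun demo-keychain-map-key (key generic)
  "Map keychain attribute KEY to an auth-source key name.
GENERIC non-nil selects the generic-keychain mapping from the post."
  (cond ((equal key "acct") "user")
        ((and generic (equal key "crtr")) "host")
        ((and generic (equal key "svce")) "port")
        ((and (not generic) (equal key "ptcl")) "port")
        ((and (not generic) (equal key "srvr")) "host")
        (t key)))

(defun demo-keychain-parse (output generic)
  "Parse OUTPUT of /usr/bin/security into an auth-source style plist.
Numeric-tagged and <NULL> attributes are skipped."
  (let (result)
    (with-temp-buffer
      (insert output)
      (goto-char (point-min))
      (while (not (eobp))
        (cond
         ((looking-at "password: \"\\(.*\\)\"$")
          ;; :secret is stored as a function, as auth-source results carry it.
          (let ((secret (match-string 1)))
            (setq result (plist-put result :secret (lambda () secret)))))
         ((looking-at "[ \t]+\"\\([a-z]\\{4\\}\\)\"<[a-z0-9]+>=\"\\(.*\\)\"$")
          (let ((key (demo-keychain-map-key (match-string 1) generic)))
            (setq result (plist-put result (intern (format ":%s" key))
                                    (match-string 2))))))
        (forward-line 1)))
    result))

;; Evaluate to see host, user, port and the secret for the constructed sample.
(let ((entry (demo-keychain-parse demo-keychain-sample-output nil)))
  (list (plist-get entry :host) (plist-get entry :user)
        (plist-get entry :port) (funcall (plist-get entry :secret))))
```

When the tool is run for real with `-g`, it writes the `password:` line to stderr, so a caller has to capture both streams and should keep that buffer out of logs and message history.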