241658 – git webkit setup asks for api.github.com keychain access four times

Bug 241658 - git webkit setup asks for api.github.com keychain access four times

Summary: git webkit setup asks for api.github.com keychain access four times

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Tools / Tests (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:	239082
	Show dependency tree / graph

Reported:	2022-06-15 17:39 PDT by Alexey Proskuryakov
Modified:	2023-09-21 12:33 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexey Proskuryakov 2022-06-15 17:39:40 PDT

When I re-run `git webkit setup` to renew a GitHub access token, I'm asked to allow Python access to api.github.com in Keychain four times.

This is very annoying, as I need to type my password every time. There is an "always allow" option, but that's super insecure, as any python script would then have the access.

Comment 1 Radar WebKit Bug Importer 2022-06-22 17:40:13 PDT

<rdar://problem/95736776>

Comment 2 Elliott Williams 2023-09-21 11:04:25 PDT

One way we could work around this is by building a helper program that does the keychain access on behalf of git-webkit. I spent some time hacking on a little Swift program that would facilitate this months ago, but never finished: https://github.com/emw-apple/WebKit/tree/wip-git-webkit-credentials-program/Tools/git-webkit-credentials

Comment 3 Alexey Proskuryakov 2023-09-21 12:33:03 PDT

We'd probably want git-webkit itself to be binary, for better security. It can call out to the existing script as necessary, so we don't need to rewrite it all.

One question is how to actually get it signed.