zalando / go-keyring

Cross-platform keyring interface for Go
MIT License
811 stars 82 forks

Comparison with 99designs/keyring #64

Open ghost opened 2 years ago

ghost commented 2 years ago

Hey there! It appears to me that 99designs/keyring supports more backends compared to go-keyring. Other than that, are there any differences between both of them? Looks like 99designs/keyring also supports KWallet as well as custom keyring names, while go-keyring has had open PRs for a while now.

erdaltsksn commented 1 year ago

> Hey there! It appears to me that 99designs/keyring supports more backends compared to go-keyring. Other than that, are there any differences between both of them? Looks like 99designs/keyring also supports KWallet as well as custom keyring names, while go-keyring has had open PRs for a while now.

zalando/go-keyring uses a pure Go implementation, but 99designs uses C bindings, so you have to use the CGO flag properly. I've experienced many problems while using it, so I returned to using this library.

vicecea commented 1 year ago

> 99designs uses C bindings

At least for Linux, this is untrue: try `CGO_ENABLED=0 GOOS=linux go build` in https://github.com/99designs/keyring and it will work. There's no direct code within 99designs/keyring that uses cgo. What OS are you building it for?

What other problems have you experienced aside from failing to enable cgo at build time?

erdaltsksn commented 1 year ago

> > 99designs uses C bindings
>
> At least for Linux, this is untrue: try `CGO_ENABLED=0 GOOS=linux go build` in https://github.com/99designs/keyring and it will work. There's no direct code within 99designs/keyring that uses cgo. What OS are you building it for?
>
> What other problems have you experienced aside from failing to enable cgo at build time?

I haven't had any other problem. I use GoReleaser to build it for Windows, macOS and Linux.

maidul98 commented 11 months ago

We switched to 99designs/keyring but are now switching back to this package.

tekumara commented 8 months ago

On macOS, 99designs/keyring uses CGO (via https://github.com/99designs/go-keychain) to access the keychain while zalando/go-keyring shells out to the security command.

The disadvantages of zalando/go-keyring's approach are:

  1. When prompting for a password, the process using the keychain is obfuscated and reported as security.

  2. If the user grants "Always Allow" access to security, any process including a bash script can read keychain items without a password prompt.

Because 99designs/keyring accesses the keychain directly through CGO instead of shelling out, an "Always Allow" grant only gives access to the specific binary using 99designs/keyring. So 99designs/keyring's approach is more secure, assuming the binary has a smaller attack surface area than security.
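One way to audit for the second point in the comment above, added here as an example that is not part of the thread or of either library: the Go program below lists keychain items whose decrypt ACL entry trusts /usr/bin/security. The sample text is constructed and abbreviated, its layout modelled on `security dump-keychain -a` output (an assumption that may not hold on every macOS version), and `ItemsTrusting` is a hypothetical helper.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed, abbreviated sample modelled on `security dump-keychain -a`
// output. The layout is an assumption; nothing here is from a real keychain.
const sampleDump = `class: "genp"
    "svce"<blob>="example-cli"
    entry 0:
        authorizations (1): encrypt
    entry 1:
        authorizations (2): decrypt export_clear
        applications (1):
            0: /usr/bin/security (OK)
class: "genp"
    "svce"<blob>="example-gui"
    entry 0:
        authorizations (2): decrypt export_clear
        applications (1):
            0: /Applications/Example.app (OK)
`

var svceRe = regexp.MustCompile(`^"svce"<blob>="(.*)"$`)
var appRe = regexp.MustCompile(`^\d+: (.+) \(.*\)$`)

// ItemsTrusting returns the service names of items whose decrypt ACL entry
// lists tool as a trusted application, i.e. readable through it unprompted.
func ItemsTrusting(dump, tool string) (out []string) {
	service, decrypt := "", false
	for _, raw := range strings.Split(dump, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "class:") {
			service, decrypt = "", false // a new keychain item starts
		} else if m := svceRe.FindStringSubmatch(line); m != nil {
			service = m[1]
		} else if strings.HasPrefix(line, "authorizations") {
			decrypt = strings.Contains(line, " decrypt")
		} else if m := appRe.FindStringSubmatch(line); decrypt && m != nil && m[1] == tool {
			out = append(out, service)
		}
	}
	return out
}

func main() {
	fmt.Println(ItemsTrusting(sampleDump, "/usr/bin/security"))
}
```

Items reported for /usr/bin/security are the ones any local process can read by invoking that tool; items that list only the application's own binary are not.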

szuecs commented 8 months ago

@tekumara we agree with your summary.

I think we are happy to get PRs that advance macOS integration. As we (maintainers) are not Mac users, we rely on PR authors in this case. If you can build a PR that does not change the interface and builds only with CGO for macOS, then I think there is nothing that would stop the PR from being merged.