zalando / go-keyring

Cross-platform keyring interface for Go


Password exposed in command line on Mac

ammmir opened this issue · comments

On Mac, the use of the security utility to add a generic password to the Keychain insecurely passes the password on the command line, allowing any other process on the system to observe the password. To make it more secure, pass the password on STDIN to security or use the Keychain API directly.

I should add: another benefit of using the Keychain API is that in the event that the Keychain is locked, the user can more easily see which app is requesting to unlock the Keychain, instead of just the security utility.
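The two invocations the issue contrasts, as an added example that is not go-keyring's own code: the reported form puts the secret into the argument list of `security`, which any local process listing can read, while the hardened form runs `security -i` (interactive mode, commands read from standard input) and writes the `add-generic-password` line to its stdin. It assumes the utility lives at `/usr/bin/security`, that its interactive parser accepts shell-style single quoting, and that the `-U` (update existing item) and `-i` flags behave as documented; `ArgvExposes` is the check a reviewer would apply to either form.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
)

// securityPath is where macOS ships the security utility (assumed path).
const securityPath = "/usr/bin/security"

// shellQuote wraps s in single quotes so that the interactive parser of
// `security -i` treats it as one token. Assumption: that parser accepts
// shell-style single quoting, with an embedded ' written as '\''.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// LeakyArgs returns the argv of the invocation the issue reports: the
// secret is a command-line argument, so `ps` on the same host can read it.
func LeakyArgs(service, account, password string) []string {
	return []string{securityPath, "add-generic-password", "-U",
		"-s", service, "-a", account, "-w", password}
}

// StdinInvocation returns argv plus the stdin payload for the hardened
// form: `security -i` reads commands from standard input, so the secret
// never appears in the process argument list.
func StdinInvocation(service, account, password string) (argv []string, stdin string) {
	argv = []string{securityPath, "-i"}
	stdin = fmt.Sprintf("add-generic-password -U -s %s -a %s -w %s\n",
		shellQuote(service), shellQuote(account), shellQuote(password))
	return argv, stdin
}

// ArgvExposes reports whether the secret is visible in argv, i.e. what a
// process-listing observer on the same machine would see.
func ArgvExposes(argv []string, secret string) bool {
	for _, a := range argv {
		if strings.Contains(a, secret) {
			return true
		}
	}
	return false
}

// Store runs the hardened invocation. It can only succeed on macOS where
// the security utility exists; elsewhere it returns the exec error.
func Store(service, account, password string) error {
	argv, stdin := StdinInvocation(service, account, password)
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin = strings.NewReader(stdin)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("security: %w: %s", err, strings.TrimSpace(stderr.String()))
	}
	return nil
}

func main() {
	// Constructed sample values; not real credentials.
	svc, acct, pw := "example-service", "alice", "s3cr3t'pass"
	fmt.Println("argv exposes secret (leaky form):", ArgvExposes(LeakyArgs(svc, acct, pw), pw))
	argv, stdin := StdinInvocation(svc, acct, pw)
	fmt.Println("argv exposes secret (stdin form):", ArgvExposes(argv, pw))
	fmt.Printf("stdin payload sent to security -i: %q\n", stdin)
	if err := Store(svc, acct, pw); err != nil {
		fmt.Println("store failed (expected off macOS):", err)
	}
}
```

The stdin form removes the argument-list exposure but does not change the Keychain prompt the second paragraph mentions: the item is still written by `security`, so a locked Keychain still shows that utility, not the calling app, as the requester. Only the Keychain API (cgo) route addresses that.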


📝 using Keychain API may be worrying developers...
ref: 99designs/keyring#56

@szuecs This seems like it should be a priority issue to address, yet it's been over a year since reported without a maintainer commenting on the issue. Is there some reason the Zalando team considers password leakage to not be a problem, for a library which is supposed to be enabling the secure storing of credentials?

@intel352 There are from my side a few considerations:

  1. attack vector is minor (listing local processes is required, and if you have that access you can likely do something else to get the password)
  2. I haven’t had a Mac for almost 10 years
  3. there are open pull requests by contributors that seem to be stale, with good suggestions that I can’t test nor develop without a Mac: #26 (comment)

If that’s too complicated you can also try a tty based write to the console to not leak the cli params.

I am happy to review pull requests for the project.

@szuecs as you don't have a Mac, what about pulling in another lib that is geared at OS X, such as https://github.com/keybase/go-keychain ?

@intel352 from my side it’s fair enough if you would do. @mikkeloscar or I can test Linux.

Note that go-keychain requires cgo.