keychain access

Posted: Tue Aug 15, 2006 6:32 pm
by jae77
i'm a little unsure of how growl's keychain access is supposed to work. every so often i'm prompted to enter my keychain password and immediately after, a growl notification appears.

is this a bug, or just a side effect of my keychain automatically locking after x minutes?

thx!

Posted: Wed Aug 16, 2006 8:05 am
by The_Tick
Are you on 10.3 or 10.4?

Posted: Wed Aug 16, 2006 4:15 pm
by jae77
10.4 macbook

Posted: Wed Aug 16, 2006 11:46 pm
by The_Tick
Do you have network notifications enabled?

Posted: Wed Aug 16, 2006 11:55 pm
by jae77
yes - i am listening for messages sent from remote linux machines.

my keychain auto-locks after 15 minutes, any notification that comes in after that point requires me to enter a password.

notifications that are sent locally do not require me to unlock my keychain (i just tried this).

Posted: Fri Aug 18, 2006 9:20 pm
by jae77
any further updates on this?

thx!

Posted: Fri Aug 18, 2006 11:46 pm
by IngmarStein
I guess you use a password to encrypt your messages coming from the linux system. Growl stores its password in the keychain and uses it to decrypt the incoming messages. If your keychain is automatically locked after 15 minutes, you will need to authenticate again.

Posted: Fri Aug 18, 2006 11:50 pm
by jae77
i do specify a password for the remote growl notifications, but i would think that since i say "always allow" to the keychain for the growlhelper, i would not need to reauthenticate when the keychain locks.

Posted: Sat Aug 19, 2006 12:49 am
by The_Tick
jae77 wrote: i do specify a password for the remote growl notifications, but i would think that since i say "always allow" to the keychain for the growlhelper, i would not need to reauthenticate when the keychain locks.
We have to confirm that the password is correct somehow.

Posted: Sat Aug 19, 2006 1:05 am
by IngmarStein
For security reasons, we only keep the plaintext password in memory for the decryption process and request it from the keychain for each notification that comes over the network. If you always allow GrowlHelperApp to access the keychain, it will prompt for a password for as long as the keychain is unlocked. You'll need a password to unlock the keychain after the expiration period.

Posted: Sat Aug 19, 2006 1:07 am
by jae77
could you expand on what you mean by that?

when i double click the growl entry in the keychain that causes the window to pop up w/ its attributes/access control - when i click the checkbox to show password, i see the password i configured growl w/ to accept network notifications.

Posted: Sat Aug 19, 2006 1:19 am
by jae77
IngmarStein wrote: For security reasons, we only keep the plaintext password in memory for the decryption process and request it from the keychain for each notification that comes over the network. If you always allow GrowlHelperApp to access the keychain, it will prompt for a password for as long as the keychain is unlocked. You'll need a password to unlock the keychain after the expiration period.
so i guess that means if i want to receive network notifications, i'm stuck having to enter my keychain password every time (the keychain is locked)?

Posted: Sat Aug 19, 2006 1:36 am
by The_Tick
jae77 wrote:
IngmarStein wrote: For security reasons, we only keep the plaintext password in memory for the decryption process and request it from the keychain for each notification that comes over the network. If you always allow GrowlHelperApp to access the keychain, it will prompt for a password for as long as the keychain is unlocked. You'll need a password to unlock the keychain after the expiration period.
so i guess that means if i want to receive network notifications, i'm stuck having to enter my keychain password every time (the keychain is locked)?
Yes, if you have a password set.

Posted: Sat Aug 19, 2006 2:11 am
by jae77
*grumble* - well, at the moment Net::Growl won't work unless i give it a password, so i guess i'm stuck w/ this for now.

could caching the password so the keychain doesn't need to be accessed every time be added as an "advanced" feature in a future release?

Posted: Sat Aug 19, 2006 2:21 am
by The_Tick
jae77 wrote: could caching the password so the keychain doesn't need to be accessed every time be added as an "advanced" feature in a future release?
No, that's insecure. Keychain is what Apple provides us, and it's what we're going to use.

Posted: Sat Aug 19, 2006 2:30 am
by IngmarStein
This is what the keychain API documentation says:
Important: You should not cache passwords, because the user can change them using Keychain Access or another program and the data may no longer be valid. In addition, the long-term storage of passwords by applications negates the value of the keychain.
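
The fetch-use-wipe pattern IngmarStein describes above (look the password up in the keychain for every network notification, keep the plaintext only for the check itself, never cache it, as the Keychain API documentation quoted here also requires), written out as an added example against the macOS Security framework. This is not Growl's code: the service and account names are hypothetical, the candidate bytes are constructed, and the comparison stands in for whatever decryption or authentication Growl actually performs, which the thread does not describe.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <string.h>

// Hypothetical item names; Growl's real service/account names are not on the page.
static const char *kService = "Example Network Notifications";
static const char *kAccount = "network";

typedef BOOL (^PasswordUser)(const void *pw, UInt32 len);

// Fetches the stored password for exactly one use. If the keychain is locked,
// the Security framework raises the system unlock prompt inside this call; a
// dismissed prompt comes back as errSecUserCanceled and the notification is dropped.
BOOL withNetworkPassword(PasswordUser use, NSString **reason)
{
    UInt32 len = 0;
    void *pw = NULL;
    OSStatus st = SecKeychainFindGenericPassword(NULL,
                      (UInt32)strlen(kService), kService,
                      (UInt32)strlen(kAccount), kAccount,
                      &len, &pw, NULL);
    switch (st) {
    case errSecSuccess: break;
    case errSecUserCanceled:
        *reason = @"user dismissed the keychain unlock prompt; notification dropped";
        return NO;
    case errSecItemNotFound:
        *reason = @"no network password stored; refusing unauthenticated traffic";
        return NO;
    default:
        *reason = [NSString stringWithFormat:@"keychain error %d", (int)st];
        return NO;
    }
    BOOL ok = use(pw, len);          // plaintext is live only for this call
    memset(pw, 0, len);              // scrub before handing the buffer back
    SecKeychainItemFreeContent(NULL, pw);
    *reason = ok ? @"accepted" : @"rejected: password check failed";
    return ok;
}

int main(void)
{
    @autoreleasepool {
        // Constructed stand-in for the credential carried by one incoming packet.
        const unsigned char *cand = (const unsigned char *)"not-the-real-password";
        NSString *why = nil;
        BOOL ok = withNetworkPassword(^BOOL(const void *pw, UInt32 len) {
            if (len != strlen((const char *)cand)) return NO;
            unsigned char diff = 0;  // constant-time compare over the full length
            for (UInt32 i = 0; i < len; i++) diff |= ((const unsigned char *)pw)[i] ^ cand[i];
            return diff == 0;
        }, &why);
        NSLog(@"%@", why);
        return ok ? 0 : 1;
    }
}
```

Build on macOS with `clang -fobjc-arc -framework Foundation -framework Security`; locking the keychain in Keychain Access before running reproduces the prompt jae77 sees on each notification.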

Posted: Sat Aug 19, 2006 6:22 am
by jae77
i'm confused - why can't growl retrieve that password from the keychain once, and not have to ask for it again?

what security implication exists from this? if someone got a hold of that password, i would guess the worst they could do is spam me w/ messages.

it seems a little purpose-defeating to be able to receive growl messages via the network, but have to authenticate for them to come through.

in my case, i'm using growl to notify me about the results of tests run via a perl script on a remote box.

Posted: Sat Aug 19, 2006 6:25 am
by jae77
IngmarStein wrote: This is what the keychain API documentation says:
Important: You should not cache passwords, because the user can change them using Keychain Access or another program and the data may no longer be valid. In addition, the long-term storage of passwords by applications negates the value of the keychain.
ah - well, there you go.

i guess i'll have to have a look at Net::Growl to make it work w/o a password.

Posted: Tue Sep 05, 2006 9:58 pm
by jae77
having given this some more thought, would it be possible to enhance growl to support passwords on a per app basis?

this would allow my custom apps at work to send notifications at will, but still offer me the password protection for others.

Posted: Tue Sep 05, 2006 10:15 pm
by The_Tick
We're not going to do that.