Skip to content

Fix Keychain access prompts after Homebrew upgrades #404

Description

@rianjs

Summary

cr keeps triggering macOS credential-manager prompts after Homebrew upgrades, even after the user chooses Always Allow.

Recent investigation shows:

  • darwin release binaries are being code-signed correctly with a stable designated requirement
  • Homebrew installs each cask version under a versioned Caskroom path
  • Keychain ACLs on codereview/* generic-password items can retain stale trusted-application paths and stale partition_id entries across upgrades
  • config show and other read paths can also prompt unnecessarily because credential presence checks currently read secret data instead of using metadata/ref-only existence checks

Desired outcome

For codereview-cli, complete one end-to-end fix/verification cycle before applying the pattern to sibling CLIs.

The ticket is only complete when we have:

  1. an implementation that addresses unnecessary prompt amplification in cr
  2. focused tests for the changed behavior
  3. a merged release build
  4. a real post-merge install/upgrade verification on the Homebrew-installed CLI
  5. a clear conclusion, based on empirical evidence, about what self-signed signing can and cannot fix for Keychain ACL / partition behavior

Scope

  • implement the codereview-cli side of the fix train first
  • use cli-common changes as needed
  • do not start the other affected CLIs until the installed cr build has been verified after merge/release/upgrade

Acceptance criteria

  • cr config show does not read secret values just to determine credential presence
  • the chosen fix path is covered by tests
  • release artifacts are built and published successfully
  • brew upgrade --cask open-cli-collective/tap/codereview-cli is run against the merged release
  • the installed binary and the corresponding Keychain item state are inspected after upgrade
  • the ticket records whether the post-upgrade behavior is actually fixed, partially mitigated, or still blocked by self-signed partition_id behavior

Notes for implementation

  • prefer evidence over assumptions when dealing with Keychain ACLs
  • if self-signed auto-repair cannot survive upgrade in practice, document the limitation plainly and stop short of claiming a durable fix
  • stale local Keychain garbage from repeated manual Always Allow attempts can be cleaned up as a post-merge local step, but that cleanup is not itself the product fix

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions