pw-9.1.0

@sschmid sschmid released this 19 Oct 15:03
· 70 commits to main since this release
e9d071f

Upgrading to pw 9.1.0

In order to increase security, the macos_keychain plugin won't automatically
add the security command to the keychain's access control list anymore.

Typically, when accessing keychain items added by other applications, the user
is prompted to allow or always allow access. However, when keychain entries are
added using the security command itself, the command is automatically granted
access to those items without future prompts. This can be a security risk, because
other applications can use the security command to access these items without
prompting the user.

pw changes this behaviour to reduce security risks by not automatically adding
the security command to the keychain's access control list. This way you have
full control over which applications can access your keychain items and decide
whether to allow or deny access.

If you want to add the security command to the keychain's access control list
by default, you can set the environment variable
PW_MACOS_KEYCHAIN_ACCESS_CONTROL to always-allow:

export PW_MACOS_KEYCHAIN_ACCESS_CONTROL="always-allow"
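
The two modes described above, expressed with the documented options of the macOS security command. This is an added example, not pw's own code: keychain_add and SECURITY_BIN are hypothetical names, and rejecting unknown values is a choice made here.

```shell
# Added example, not taken from pw. keychain_add is a hypothetical helper that
# creates a generic-password item with or without `security` on the item's ACL.
# SECURITY_BIN is a hypothetical override so the call can be stubbed off macOS.

keychain_add() {
  account=$1
  service=$2
  set -- add-generic-password -a "$account" -s "$service"

  case "${PW_MACOS_KEYCHAIN_ACCESS_CONTROL:-}" in
    always-allow)
      # No -T option: the creating application (the security command itself)
      # is trusted by default, so later reads through `security` do not prompt.
      ;;
    "")
      # -T "" creates the item with an empty trusted-application list, so
      # every reader, including `security`, makes macOS ask the user.
      set -- "$@" -T ""
      ;;
    *)
      # Assumption of this example: fail closed on a value it does not know.
      echo "unsupported PW_MACOS_KEYCHAIN_ACCESS_CONTROL value" >&2
      return 2
      ;;
  esac

  # -w as the last option, without a value, makes `security` prompt for the
  # password instead of taking it from the command line.
  "${SECURITY_BIN:-security}" "$@" -w
}
```

With the variable unset, the first read of the item through security shows the keychain prompt, where "Always Allow" adds the command to that item's access control list and "Allow" permits a single access.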

Added

  • Add PW_MACOS_KEYCHAIN_ACCESS_CONTROL to control access control list behavior
  • Add "Security Considerations" section to readme

Changed

  • macos_keychain: Don't add security command to access control list by default
  • macos_keychain: Don't unlock keychain for fzf preview
  • gpg: Don't unlock keychain for fzf preview