Why no direct Keychain importing/sync'ing?

robzr
Community Member

Given that Apple has made the Keychain format and code open source, why does 1Password not have native functionality to import - or even better - sync with Mac OS X Keychains?

In this forum I've seen Agile Bits team members refer people to an 89-line Ruby script, and of course there is MrC's Convert to 1Password, both of which can convert from Keychain exported format.

Point being, this does not appear to be a technical challenge. Why not include native 1Password sync'ing with OS X Keychains?

Rob

Comments

  • Good question, Rob!

    The main issue is the way the OS X Keychain is designed. Any app that tries to access an item in the keychain will cause OS X to pop up a window asking if you want to allow 1Password to access the item. You would need to manually click Allow. The thing is, the keychain will require you to click Allow on every single item.

    It's actually a really bad experience so we didn't want to include it in the standard 1Password.

    I guess we could fork the Convert OS X Keychain exported entries into logins for 1Password import project you referenced and review the code to ensure it's solid. Would that help?

  • Ah, while reading the comments on the OS X Keychain ruby script I'm reminded of how much trouble this can be. We literally spent years fighting with the OS X Keychain and I really don't want to revisit that. It's extremely old technology and we're hoping Apple replaces it someday soon. We'd love to integrate closer with the system keychain.

  • MrC
    Volunteer Moderator

    That ruby script has a very serious limitation, due to its simplistic parsing:

    3) THIS IS IMPORTANT None of your passwords, usernames or site names contains a comma. It's
    highly unlikely that a site name will contain a comma, fairly unlikely that usernames will,
    but eminently possible that your passwords might. If they do, this script will not work
    as supplied. You can modify it to quote all the values (there's a function for this already
    in the script) before it outputs them, but beware: if any of your passwords contains a "
    character it will break if you do this. If you have both quotes and commas in your passwords,
    well, damn, you're fresh out of luck. The best you can do is to find the passwords with commas
    in and remove them manually from the exported keychain (I'll mention where to do this below)

    That's why I wrote a more robust converter. :-)

  • robzr
    Community Member

    I doubt Apple replaces it anytime too soon since they just doubled down on it with iCloud Keychain. And I have no doubt the ruby script has some limitations and issues, my point was simply that it doesn't look like there are insurmountable technical obstacles, but it is functionality that I'm sure every Mac user wishes 1Password offered. It's a pain to use two password management tools that are largely redundant.

    1Password, being third party and largely at the mercy of Apple clearly has limitations with integration, but I prefer to use it exclusively for any passwords I really care to protect, like online banking, etc. It's great software, I've raved about it to a lot of people, a number of whom have started using it.

    In typical Apple fashion, their solution is simplistic and deeply integrated into the OS, and now cloud connected and works on mobile and desktop seamlessly. So I understand you simply can't integrate as closely as Keychain is simply because Apple doesn't offer the APIs to do so, and probably won't anytime soon.

    But there's got to be some area for compromise, and some at least partial functionality that could be incorporated? Since the Keychain file format is open source, can't you bypass the API and interact with the keychain file directly? That way it may only have to pop up a single access request (assuming the file requires root privileges to read/write the file)?

    Or how about this - when you create a new entry there is another option to "sync with Keychain", and whenever that one password is updated in 1Password it does use the API to update the password in Keychain as well. Since it's only doing one change at time, the OS X pop-up requesting access wouldn't be too onerous. And since it's coming from OS X, nobody would blame Agile Bits for the shortcoming, they'd blame Apple, and maybe that would eventually pressure Apple into offering a better API.

    Rob

  • AGAlumB
    1Password Alumni
    edited April 2015

    @robzr: iCloud was off to a rocky start, but it seems like they've got some good people working on it that have made it much more solid. I would be surprised if the iCloud Keychain API were inextricably linked to the OS X keychain format.

    Since the Keychain file format is open source, can't you bypass the API and interact with the keychain file directly?

    Even Apple's own Keychain Access has to jump through all the hoops (I had to fight with it the other day). If they're not even going to do this themselves I would really be shocked if Apple allowed an app that did this into their Store. Yikes.

    And that gets me thinking...part of the issue I had with Keychain was that it failed to update some items when I changed my administrative password. That was a real headache, even after I figured out what was going on. And this is sort of the situation you would be in if Keychain items were imported into 1Password and then you updated the login credentials. If there isn't a way to 'sync' the changes back, you'd have obsolete data in Keychain; and if you could 'sync' it back, you'd lose all of the extra data that 1Password supports in the process. In the end, you'd still be trying to reconcile the two. I wouldn't wish that experience on anyone.

    But then again all of this may change in the future. I'm not holding my breath, but there's always hope. :)

  • robzr
    Community Member
    edited April 2015

    Yeah, iCloud and iCloud Keychain have definitely not been without their quirks. I've had issues with them sync'ing up across instances; even in the past week or two I updated a password and it still hasn't been sync'd across everything. I had a very similar thing happen with the 1Password database (on iCloud) within the past month; hopefully the recent update (the Apple update addressing iCloud Drive synchronization improvement) will improve its consistency.

    Re: App Store limitations, that does make sense, how about an optional helper app that worked in conjunction with the App Store versions; that seemed pretty commonplace when the App Store was new to get out of the sandbox. If it's entirely an opt-in, optional install - just added functionality for those who seek it out - that could be a reasonable (and officially sanctioned) way of interacting...?

    I guess my main frustration is that there is zero integration now. Even a native import functionality to help people manually migrate would be something. But as time goes on and more and more people get further tied into iCloud keychain, it just seems to me that it's not in Agile's best interest to completely ignore the existence of iCloud keychain / OS X Keychains in general. Something would be better than nothing...

    Rob

  • Megan
    1Password Alumni

    Hi Rob ( @robzr ),

    Thanks so much for sharing your feedback here! Of course, we can't promise anything, but I'll be sure to let our development team know that you'd like to see some sort of integration between 1Password and the iCloud keychain in the future.

  • robzr
    Community Member

    Hi Megan. FWIW I have been playing with the OS X command line tool "security", and it seems very flexible as far as keychain manipulation. I've been able to create and add passwords, and dump an entire decrypted keychain with only a single password prompt from the OS to unlock it. I also noticed there is a framework to authorize applications to access passwords. It seems to me that if this program is offering functionality the API does not, it could be usable to sync to a keychain. Another option would be to create a 1Password keychain and sync to that; then the user would have the ability to optionally add it to their keychain search path.

    I'm a novice and just spent a little time on this but it certainly seems to me that this would be a technically feasible challenge, and I would love it if 1Password had some functionality in this regard!

    regards

    Rob
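To make MrC's point about commas and quotes concrete, here is an added example that is not the 89-line script, MrC's converter or 1Password's own code. It is a small Ruby converter that parses the text that `security dump-keychain -d` prints (the tool Rob mentions above), then writes the Logins CSV two ways: the naive comma-join the old script used, and a version that lets Ruby's CSV library quote fields. The sample dump below is constructed and abbreviated; the exact attribute layout, the `\"` escaping of embedded quotes on the data line, and the column order 1Password expects on import are assumptions, so check them against a real dump before relying on the output.

```ruby
require 'csv'

# Constructed sample in the shape of `security dump-keychain -d login.keychain`
# output, abbreviated to the attributes the converter needs (assumption: real
# dumps carry more attributes and escape embedded quotes in data as \").
SAMPLE_DUMP = <<~'DUMP'
  keychain: "/Users/example/Library/Keychains/login.keychain"
  version: 512
  class: "inet"
  attributes:
      0x00000007 <blob>="example.com (alice)"
      "acct"<blob>="alice"
      "desc"<blob>="Web form password"
      "ptcl"<uint32>="htps"
      "srvr"<blob>="example.com"
  data:
  "p@ss,word\"with both"
  keychain: "/Users/example/Library/Keychains/login.keychain"
  version: 512
  class: "genp"
  attributes:
      0x00000007 <blob>="Mail Account"
      "acct"<blob>="bob@example.com"
      "desc"<blob>=<NULL>
      "svce"<blob>="imap.example.com"
  data:
  "plain-password"
DUMP

Item = Struct.new(:klass, :title, :account, :server, :service, :protocol, :description, :password)

# Strip the surrounding quotes security(1) prints and unescape embedded \" .
def unquote(raw)
  s = raw.strip
  return nil if s == '<NULL>'
  return s unless s.length >= 2 && s.start_with?('"') && s.end_with?('"')
  s[1..-2].gsub('\\"', '"')
end

# Parse dump-keychain text into Item records. A record starts at "keychain:";
# the decrypted secret is the line after "data:".
def parse_dump(text)
  items = []
  lines = text.lines.map(&:chomp)
  i = 0
  while i < lines.length
    case lines[i]
    when /\Akeychain: /
      items << Item.new
    when /\Aclass: "(\w+)"/
      items.last.klass = $1
    when /\A\s+0x00000007 <blob>=(.*)\z/ # the item label
      items.last.title = unquote($1)
    when /\A\s+"(acct|srvr|svce|desc)"<blob>=(.*)\z/
      key, value = $1, unquote($2)
      case key
      when 'acct' then items.last.account = value
      when 'srvr' then items.last.server = value
      when 'svce' then items.last.service = value
      when 'desc' then items.last.description = value
      end
    when /\A\s+"ptcl"<uint32>="(\w+)"/
      items.last.protocol = $1
    when /\Adata:\z/
      i += 1
      items.last.password = unquote(lines[i].to_s)
    end
    i += 1
  end
  items
end

SCHEMES = { 'htps' => 'https', 'http' => 'http' }.freeze

# Columns in the order 1Password's CSV Login import expects (assumption).
def row_for(item)
  website = if item.klass == 'inet' && item.server
              "#{SCHEMES.fetch(item.protocol, 'https')}://#{item.server}"
            else
              item.service.to_s
            end
  [item.title || item.server || item.service, website, item.account, item.password, item.description]
end

# What the simplistic script does: join with commas and hope no field has one.
def naive_csv(items)
  (['title,website,username,password,notes'] + items.map { |it| row_for(it).join(',') }).join("\n") + "\n"
end

# Robust version: CSV quotes any field holding a comma, quote or newline and
# doubles embedded quotes, so every password survives unchanged.
def robust_csv(items)
  CSV.generate do |csv|
    csv << %w[title website username password notes]
    items.each { |it| csv << row_for(it) }
  end
end

# Re-parse the CSV and check that every password came back byte-for-byte.
def round_trip_ok?(csv_text, items)
  rows = CSV.parse(csv_text, headers: true)
  rows.length == items.length &&
    rows.each_with_index.all? { |row, i| row['password'] == items[i].password }
rescue CSV::MalformedCSVError
  false
end

if __FILE__ == $PROGRAM_NAME
  items = parse_dump(SAMPLE_DUMP)
  puts robust_csv(items)
  puts "naive round-trip: #{round_trip_ok?(naive_csv(items), items)}"   # false
  puts "robust round-trip: #{round_trip_ok?(robust_csv(items), items)}" # true
end
```

The first sample password contains both a comma and a double quote, which is exactly the case the old script's notes call "fresh out of luck": the naive join splits it into two columns and leaves an unbalanced quote, so the row cannot even be parsed, while the quoted output round-trips unchanged. Feed a real dump in with `ruby convert.rb < dump.txt` after replacing `SAMPLE_DUMP` with `$stdin.read`, and remember that the dump and the resulting CSV both hold plaintext passwords, so delete them once the import is done.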

  • Megan
    1Password Alumni

    Hi Rob ( @robzr ),

    (Just a note, this discussion has been moved from the Saving and Filling in Browsers category to the 1Password for Mac category, as we're not dealing with a filling issue here)

    I'm not a developer, so I can't comment on the technical aspects of this (any more than has already been stated above.) But I will share your thoughts with our team.

This discussion has been closed.