
Get-KeyChainConfiguration - is not set - how do I 'reset' it back to 'default'?

Open TheBigBear opened this issue 5 years ago • 7 comments

If I run Get-KeyChainConfiguration I get an exception, expect this should not happen?

 Get-KeyChainConfiguration
Exception: /usr/local/share/powershell/Modules/SecretManagement.KeyChain/0.1.2/SecretManagement.KeyChain.psm1:53
Line |
  53 |          throw "Could not parse KeyChain configuration info"
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Could not parse KeyChain configuration info

How do I now reset the KeyChain configuration back to its defaults, presumably with the help of the right parameters passed to Set-KeyChainConfiguration? (Removing, uninstalling and re-installing didn't do the trick.)

PS: and FYI my PS Modules are at the following versions: SecretManagement.KeyChain is at version 0.1.2, Microsoft.PowerShell.SecretManagement is at version 0.9.0, Microsoft.PowerShell.SecretStore is at version 0.9.0.

TheBigBear avatar Feb 13 '21 12:02 TheBigBear

I have seen an error similar to this one when I responded to a password entry dialog box by pressing the cancel button several times. You obviously had the KeyChain module imported, but have you tried

  • Get-SecretVault output should show a vault with ModuleName of SecretManagement.KeyChain. If not, do Register-SecretVault -Name keychain -ModuleName SecretManagement.KeyChain
  • Unlock-KeyChain this should prompt you for your keychain password. If it does not, run Get-Command security and confirm it can be found. The security cli tool is used by the cmdlets and must be accessible within your pwsh session.

The Get|Set KeyChainConfiguration functions only control the PasswordTimeout. The Register-SecretVault does the creation of a separate KeyChain that is used via pwsh. Your existing key chains (login, iCloud) are not used by the SecretManagement.KeyChain cmdlets.

BTW - There is a menu option in KeyChain Access (Apple GUI tool for keychains) that will let you add SecretManagement.KeyChain-db to the Keychains viewable by this tool. File | Add Keychain...

DonPwrShellHunt avatar Feb 14 '21 18:02 DonPwrShellHunt

@DonPwrShellHunt thanks. But even after running Register-SecretVault -Name keychain -ModuleName SecretManagement.KeyChain there is still no SecretManagement.Keychain or Keychain configuration.

Is there a step by step and failsafe way to remove all parts of this module and then re-install it in such a way that I will end up with the module installed and the Keychain vault registered?

 Uninstall-Module SecretManagement.KeyChain -Verbose -AllVersions -Force
 Get-SecretVault
Name         ModuleName                       IsDefaultVault
----         ----------                       --------------
DefaultVault Microsoft.PowerShell.SecretStore True
Install-Module SecretManagement.KeyChain -Verbose -Force
 Get-SecretVault
Name         ModuleName                       IsDefaultVault
----         ----------                       --------------
DefaultVault Microsoft.PowerShell.SecretStore True
Register-SecretVault -Verbose -Name KeyChain -ModuleName SecretManagement.KeyChain
 Get-SecretVault
Name         ModuleName                       IsDefaultVault
----         ----------                       --------------
DefaultVault Microsoft.PowerShell.SecretStore True
KeyChain     SecretManagement.KeyChain        False
Get-KeyChainConfiguration
Exception: /Users/user/.local/share/powershell/Modules/SecretManagement.KeyChain/0.1.2/SecretManagement.KeyChain.psm1:53
Line |
  53 |          throw "Could not parse KeyChain configuration info"
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Could not parse KeyChain configuration info

Set-Secret -Vault KeyChain -name test1 -Secret test1
Get-Secret -Vault KeyChain -name test1

Get-Secret: Unable to get secret test1 from vault KeyChain
Get-Secret: The secret test1 was not found.

Get-SecretInfo -Vault KeyChain        
 

It looks to me that this module does not ever create the keychain db file ?

Unlock-KeyChain
password to unlock SecretManagement.KeyChain: 
security: SecKeychainUnlock SecretManagement.KeyChain: The specified keychain could not be found.

But a test seems to work ok?

Test-SecretVault  -Verbose
VERBOSE: Invoking command Test-SecretVault on module Microsoft.PowerShell.SecretStore.Extension
VERBOSE: Vault DefaultVault succeeded validation test
VERBOSE: Invoking command Test-SecretVault on module SecretManagement.KeyChain.Extension
VERBOSE: Vault KeyChain succeeded validation test
True

TheBigBear avatar Feb 22 '21 10:02 TheBigBear

@TheBigBear - There is an incorrect conditional test in Test-SecretVault for creating the keychain db file. Thanks for posting this issue. Since I wrote that conditional test, I'll submit a fix.

If you want to experiment until this fix is published, run> security create-keychain -P SecretManagement.KeyChain

A dialog asking for a new password for this keychain will pop up. You need to enter the new password twice.

DonPwrShellHunt avatar Feb 23 '21 12:02 DonPwrShellHunt

My original question still stands. How can I reset this to the default? As-is both the Register-SecretVault and the Unregister-SecretVault cmdlets fail because of various reasons.

How can I manually go in and what do I have to edit or what cmd line cmds or pwsh cmdlets do I have to run, so the KeyChain vault disappears 100% from the Mac OS level as well as on the pwsh modules registration and the SecretsManagement Vault definition levels?

TheBigBear avatar Sep 03 '23 07:09 TheBigBear

BTW - There is a menu option in KeyChain Access (Apple GUI tool for keychains) that will let you add SecretManagement.KeyChain-db to the Keychains viewable by this tool. File | Add Keychain...

Thanks for that info.

TheBigBear avatar Sep 03 '23 07:09 TheBigBear

The Microsoft.PowerShell.SecretManagement module handles the Register-SecretVault and Unregister-SecretVault commands and stores the vault details in the file under your MacOS home directory (~/.secretmanagement/secretvaultregistry/vaultinfo). The KeyChain extension does not get involved in the Register|Unregister flow and SecretManagement.KeyChain-db is not created in Register-SecretVault.

As described in the README.md "Configuration of SecretManagement.KeyChain", the cmdlet Get-KeyChainConfiguration will trigger creation of this keychain resource. It does this by calling the extension cmdlet Test-SecretVault which detects if the keychain is present, and creates it if not present (~/Library/Keychains/SecretManagement.KeyChain-db).

BTW - the assignment to $null is to prevent any unwanted data from being put into the pipeline as a result of this call. See Microsoft Docs

If you cannot Register or Unregister a Vault, there are some basic PowerShell / Microsoft.PowerShell.SecretManagement installation issues.

Take a look at the content of your vaultinfo file and make sure the ModulePath property of each of your vaults is accurate. You could also do the following if Microsoft.PowerShell.SecretManagement is working>

$(Get-SecretVault).ModulePath|Get-ChildItem
        Directory: /Users/donhunt/.local/share/powershell/Modules/SecretManagement.KeyChain
         LastWriteTime     Length Name
         -------------     ------ ----
   7/4/2022 9:59:55 AM            ▶ 0.1.3

Using the latest versions of powershell itself & the SecretManagement modules is suggested. Also, keep in mind that if a vault is not your Default, you must specify the Vault name in secret management cmdlets.

pwsh -version
PowerShell 7.3.6

get-module *secret* -ListAvailable | Format-Table Version,Name
Version Name
------- ----
1.1.2   Microsoft.PowerShell.SecretManagement
0.1.3   SecretManagement.KeyChain

DonPwrShellHunt avatar Sep 05 '23 15:09 DonPwrShellHunt
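
An added diagnostic sketch, not part of the thread or the module's own code: it reports the state of each layer the comment above names (the security CLI, the SecretManagement vault registry file, the ModulePath of registered KeyChain vaults, and the keychain file). The function name Get-KeyChainVaultState and its parameters are hypothetical; the default paths are the ones quoted in the thread.

```powershell
# Added example: read-only check of the layers described in this thread.
# Function and parameter names are hypothetical; default paths come from the comments above.
function Get-KeyChainVaultState {
    [CmdletBinding()]
    param(
        [string]$RegistryFile = (Join-Path $HOME '.secretmanagement/secretvaultregistry/vaultinfo'),
        [string]$KeychainFile = (Join-Path $HOME 'Library/Keychains/SecretManagement.KeyChain-db'),
        [string]$ModuleName   = 'SecretManagement.KeyChain'
    )

    # Layer 1: the macOS 'security' CLI must be resolvable from this pwsh session.
    $cli = Get-Command security -CommandType Application -ErrorAction SilentlyContinue

    # Layer 2: the vault registry file written by Microsoft.PowerShell.SecretManagement.
    $registryPresent = Test-Path -LiteralPath $RegistryFile -PathType Leaf

    # Layer 3: vaults registered against the KeyChain module, and whether the
    # ModulePath recorded for each one still exists on disk.
    $vaults = @()
    if (Get-Command Get-SecretVault -ErrorAction SilentlyContinue) {
        $vaults = @(Get-SecretVault -ErrorAction SilentlyContinue |
            Where-Object ModuleName -eq $ModuleName |
            ForEach-Object {
                [pscustomobject]@{
                    Name             = $_.Name
                    ModulePath       = $_.ModulePath
                    ModulePathExists = [bool]($_.ModulePath -and (Test-Path -LiteralPath $_.ModulePath))
                }
            })
    }

    # Layer 4: the dedicated keychain file, which registration alone does not create.
    $keychainPresent = Test-Path -LiteralPath $KeychainFile -PathType Leaf

    # A registered vault with no keychain file is the state reported earlier in
    # the thread ("The specified keychain could not be found").
    $orphaned = ($vaults.Count -gt 0) -and -not $keychainPresent

    [pscustomobject]@{
        SecurityCliPath      = if ($cli) { $cli.Source } else { $null }
        RegistryFilePresent  = $registryPresent
        KeyChainVaults       = $vaults
        KeychainFilePresent  = $keychainPresent
        VaultWithoutKeychain = $orphaned
    }
}

Get-KeyChainVaultState | Format-List
```

The function only reads state; it does not register, unregister, create or delete anything.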

@DonPwrShellHunt thank you so much for your detailed explanations. Very helpful, much appreciated.

TheBigBear avatar Sep 06 '23 07:09 TheBigBear