Bug: Non-darwin KeychainUnlocker stub panics instead of returning errors #7

Open
opened 2026-02-08 21:02:23 +01:00 by clawbot · 0 comments

Bug

In internal/secret/keychainunlocker_stub.go (non-darwin build), all methods including NewKeychainUnlocker, GetType(), GetID(), etc. call panic() instead of returning errors:

func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
    panic("keychain unlockers are only supported on macOS")
}

This is a crash bug on Linux/Windows. The code paths in vault/unlockers.go GetCurrentUnlocker() and findUnlockerByID() call NewKeychainUnlocker when they encounter a keychain-type unlocker in metadata:

case "keychain":
    unlocker = secret.NewKeychainUnlocker(v.fs, unlockerDir, metadata)

If a vault is synced from macOS to Linux (which is a valid use case since vaults are just files), and the vault has a keychain unlocker, any operation that lists or resolves unlockers will panic and crash instead of gracefully skipping or returning an error.

Impact

  • Cross-platform vault portability is broken
  • Program crashes instead of showing a helpful error
  • secret unlocker list crashes on Linux if any keychain unlocker exists

Fix

Stub methods should return errors instead of panicking. NewKeychainUnlocker should return a valid struct whose methods return appropriate errors.

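The shape of stub the Fix section asks for, written here as an added illustration and not code from the sneak/secret repository: the non-darwin `NewKeychainUnlocker` returns a usable struct, `GetType`/`GetID` answer from metadata, and only the operations that need the macOS keychain return an error. A small dispatcher in the style of `findUnlockerByID()` and a `secret unlocker list`-style report then show that a keychain entry in a vault synced to Linux is reported as unavailable rather than crashing the process. The `Unlocker` interface, the `Available()` method, the `ErrUnsupportedPlatform` sentinel, the `PassphraseUnlocker` type and the simplified constructor signature (no `afero.Fs` argument) are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrUnsupportedPlatform is what every keychain operation returns on a
// non-darwin build; callers test for it with errors.Is. (Assumed name.)
var ErrUnsupportedPlatform = errors.New("keychain unlockers are only supported on macOS")

// UnlockerMetadata is a simplified stand-in for the project's metadata type (assumption).
type UnlockerMetadata struct {
	ID   string
	Type string
}

// Unlocker is the assumed interface the vault code dispatches on. Available
// reports, without prompting or touching secrets, whether the unlocker works here.
type Unlocker interface {
	GetType() string
	GetID() string
	Available() error
	Unlock() ([]byte, error)
}

// KeychainUnlocker is the non-darwin stub; in the real stub file it would sit
// under `//go:build !darwin`. It keeps the metadata so GetType/GetID work.
type KeychainUnlocker struct {
	directory string
	meta      UnlockerMetadata
}

// NewKeychainUnlocker always returns a valid struct, as the issue requests.
func NewKeychainUnlocker(directory string, meta UnlockerMetadata) *KeychainUnlocker {
	return &KeychainUnlocker{directory: directory, meta: meta}
}

func (k *KeychainUnlocker) GetType() string { return "keychain" }
func (k *KeychainUnlocker) GetID() string   { return k.meta.ID }
func (k *KeychainUnlocker) Available() error {
	return fmt.Errorf("unlocker %s: %w", k.meta.ID, ErrUnsupportedPlatform)
}
func (k *KeychainUnlocker) Unlock() ([]byte, error) { return nil, k.Available() }

// PassphraseUnlocker is a constructed second type so the listing shows a
// supported and an unsupported entry side by side.
type PassphraseUnlocker struct{ id string }

func (p *PassphraseUnlocker) GetType() string         { return "passphrase" }
func (p *PassphraseUnlocker) GetID() string           { return p.id }
func (p *PassphraseUnlocker) Available() error        { return nil }
func (p *PassphraseUnlocker) Unlock() ([]byte, error) { return []byte("demo-key"), nil }

// newUnlocker mirrors the vault's type switch; an unknown type is an error, never a panic.
func newUnlocker(dir string, meta UnlockerMetadata) (Unlocker, error) {
	switch meta.Type {
	case "keychain":
		return NewKeychainUnlocker(dir, meta), nil
	case "passphrase":
		return &PassphraseUnlocker{id: meta.ID}, nil
	default:
		return nil, fmt.Errorf("unlocker %s: unknown type %q", meta.ID, meta.Type)
	}
}

// UnlockerStatus is one row of a `secret unlocker list`-style report.
type UnlockerStatus struct{ ID, Type, Status string }

// ListUnlockers resolves every unlocker in the metadata and never panics:
// unsupported or unknown entries are reported, not fatal.
func ListUnlockers(dir string, metas []UnlockerMetadata) []UnlockerStatus {
	out := make([]UnlockerStatus, 0, len(metas))
	for _, m := range metas {
		u, err := newUnlocker(dir, m)
		if err != nil {
			out = append(out, UnlockerStatus{m.ID, m.Type, "error: " + err.Error()})
			continue
		}
		status := "available"
		if err := u.Available(); err != nil {
			status = "unavailable: " + err.Error()
		}
		out = append(out, UnlockerStatus{u.GetID(), u.GetType(), status})
	}
	return out
}

// FindUnlockerByID returns the matching unlocker together with an error
// wrapping ErrUnsupportedPlatform when it cannot be used on this build.
func FindUnlockerByID(dir string, metas []UnlockerMetadata, id string) (Unlocker, error) {
	for _, m := range metas {
		if m.ID != id {
			continue
		}
		u, err := newUnlocker(dir, m)
		if err != nil {
			return nil, err
		}
		return u, u.Available()
	}
	return nil, fmt.Errorf("unlocker %s: not found", id)
}

func main() {
	// Constructed metadata as it might look after syncing a macOS vault to Linux.
	metas := []UnlockerMetadata{{ID: "pw-1", Type: "passphrase"}, {ID: "kc-1", Type: "keychain"}}
	for _, s := range ListUnlockers("/tmp/vault", metas) {
		fmt.Printf("%-6s %-11s %s\n", s.ID, s.Type, s.Status)
	}
	if _, err := FindUnlockerByID("/tmp/vault", metas, "kc-1"); err != nil {
		fmt.Println("resolve kc-1:", err)
	}
}
```

Because the error wraps the sentinel, a caller such as the list command can keep iterating and print the entry as unavailable, while a caller that actually needs to unlock can surface the message and exit non-zero; neither path touches `panic`.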
Reference: sneak/secret#7