Merge pull request #387 from thaJeztah/bump_go1.25

update to go1.25.1

.github/workflows/build.yml

@@ -15,7 +15,7 @@ on:
 
 env:
   DESTDIR: ./bin
-  GO_VERSION: 1.21.10
+  GO_VERSION: 1.25.1
 
 jobs:
   validate:
@@ -29,7 +29,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -44,18 +44,19 @@ jobs:
       fail-fast: false
       matrix:
         os:
+          - ubuntu-24.04
           - ubuntu-22.04
-          - ubuntu-20.04
+          - macOS-15-intel
+          - macOS-15
           - macOS-14
-          - macOS-13
           - windows-2022
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ env.GO_VERSION }}
       -
@@ -72,7 +73,7 @@ jobs:
       -
         name: GPG conf
         if: ${{ !startsWith(matrix.os, 'windows-') }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         id: gpg
         with:
           script: |
@@ -107,23 +108,20 @@ jobs:
         shell: bash
       -
         name: Upload coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
-          file: ${{ env.DESTDIR }}/coverage.txt
+          files: ${{ env.DESTDIR }}/coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
 
   test-sandboxed:
     runs-on: ubuntu-22.04
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       -
         name: Test
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
         with:
           targets: test
           set: |
@@ -131,9 +129,9 @@ jobs:
             *.cache-to=type=gha,scope=test,mode=max
       -
         name: Upload coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
-          file: ${{ env.DESTDIR }}//coverage.txt
+          files: ${{ env.DESTDIR }}//coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
 
   build:
@@ -141,7 +139,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       -
@@ -175,7 +173,7 @@ jobs:
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87  # v2.0.5
+        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836  # v2.3.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -187,7 +185,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       -

.golangci.yml

@@ -1,31 +1,23 @@
+version: "2"
 run:
-  timeout: 10m
   modules-download-mode: vendor
 
 linters:
+  default: none
   enable:
-    - gofmt
     - govet
-    - depguard
-    - goimports
     - ineffassign
     - misspell
-    - unused
     - revive
     - staticcheck
-    - typecheck
-  disable-all: true
-
-linters-settings:
-  depguard:
+    - unused
+  settings:
+    revive:
       rules:
-      main:
-        deny:
-          - pkg: "io/ioutil"
-            desc: The io/ioutil package has been deprecated. See https://go.dev/doc/go1.16#ioutil
+        - name: package-comments  # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#package-comments
+          disabled: true
 
-issues:
-  exclude-rules:
-    - linters:
-        - revive
-      text: "stutters"
+formatters:
+  enable:
+    - gofmt
+    - goimports

Dockerfile

@@ -1,9 +1,11 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.10
-ARG XX_VERSION=1.4.0
-ARG OSXCROSS_VERSION=11.3-r7-debian
-ARG GOLANGCI_LINT_VERSION=v1.55.2
+ARG GO_VERSION=1.25.1
+ARG DEBIAN_VERSION=bookworm
+
+ARG XX_VERSION=1.7.0
+ARG OSXCROSS_VERSION=11.3-r8-debian
+ARG GOLANGCI_LINT_VERSION=v2.5
 ARG DEBIAN_FRONTEND=noninteractive
 
 ARG PACKAGE=github.com/docker/docker-credential-helpers
@@ -14,7 +16,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 # osxcross contains the MacOSX cross toolchain for xx
 FROM crazymax/osxcross:${OSXCROSS_VERSION} AS osxcross
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bullseye AS gobase
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${DEBIAN_VERSION} AS gobase
 COPY --from=xx / /
 ARG DEBIAN_FRONTEND
 RUN apt-get update && apt-get install -y --no-install-recommends clang dpkg-dev file git lld llvm make pkg-config rsync
@@ -55,7 +57,7 @@ EOT
 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION} AS golangci-lint
 FROM gobase AS lint
 ARG DEBIAN_FRONTEND
-RUN apt-get install -y binutils gcc libc6-dev libgcc-10-dev libsecret-1-dev pkg-config
+RUN apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
     --mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
@@ -64,7 +66,7 @@ RUN --mount=type=bind,target=. \
 FROM gobase AS base
 ARG TARGETPLATFORM
 ARG DEBIAN_FRONTEND
-RUN xx-apt-get install -y binutils gcc libc6-dev libgcc-10-dev libsecret-1-dev pkg-config
+RUN xx-apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config
 
 FROM base AS test
 ARG DEBIAN_FRONTEND
@@ -97,21 +99,7 @@ FROM gobase AS version
 RUN --mount=target=. \
     echo -n "$(./hack/git-meta version)" | tee /tmp/.version ; echo -n "$(./hack/git-meta revision)" | tee /tmp/.revision
 
-FROM base AS build-linux
-ARG PACKAGE
-RUN --mount=type=bind,target=. \
-    --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
-    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
-  set -ex
-  xx-go --wrap
-  make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
-  xx-verify /out/docker-credential-pass
-  xx-verify /out/docker-credential-secretservice
-EOT
-
-FROM base AS build-darwin
+FROM base AS build
 ARG PACKAGE
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
@@ -122,28 +110,26 @@ RUN --mount=type=bind,target=. \
   set -ex
   export MACOSX_VERSION_MIN=$(make print-MACOSX_DEPLOYMENT_TARGET)
   xx-go --wrap
+  case "$(xx-info os)" in
+    linux)
+      make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+      xx-verify /out/docker-credential-pass
+      xx-verify /out/docker-credential-secretservice
+      ;;
+    darwin)
       go install std
       make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
       xx-verify /out/docker-credential-osxkeychain
       xx-verify /out/docker-credential-pass
-EOT
-
-FROM base AS build-windows
-ARG PACKAGE
-RUN --mount=type=bind,target=. \
-    --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
-    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
-  set -ex
-  xx-go --wrap
+      ;;
+    windows)
       make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
       mv /out/docker-credential-wincred /out/docker-credential-wincred.exe
       xx-verify /out/docker-credential-wincred.exe
+      ;;
+  esac
 EOT
 
-FROM build-$TARGETOS AS build
-
 FROM scratch AS binaries
 COPY --from=build /out /
 

Makefile

@@ -12,7 +12,22 @@ COVERAGEDIR ?= ./bin/coverage
 # 10.11 is the minimum supported version for osxkeychain
 export MACOSX_DEPLOYMENT_TARGET = 10.11
 ifeq "$(shell go env GOOS)" "darwin"
-	export CGO_CFLAGS = -mmacosx-version-min=$(MACOSX_DEPLOYMENT_TARGET)
+	export CGO_CFLAGS = -Wno-atomic-alignment -mmacosx-version-min=$(MACOSX_DEPLOYMENT_TARGET)
+else
+	# prevent warnings; see https://github.com/docker/docker-credential-helpers/pull/340#issuecomment-2437593837
+	# gcc_libinit.c:44:8: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0  bytes) [-Werror,-Watomic-alignment]
+	export CGO_CFLAGS = -Wno-atomic-alignment
+endif
+
+ifeq "$(shell go env GOOS)/$(shell go env GOARCH)/$(shell go env GOARM)" "linux/arm/6"
+	# Neither the CGo compiler, nor the C toolchain automatically link to
+	# libatomic when the architecture doesn't support atomic intrinsics, as is
+	# the case for arm/v6.
+	#
+	# Here's the error we get when this is not done (see https://github.com/docker/docker-credential-helpers/pull/340#issuecomment-2437593837):
+	#
+	# gcc_libinit.c:44:8: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0  bytes) [-Werror,-Watomic-alignment]
+	export CGO_LDFLAGS=-latomic
 endif
 
 .PHONY: all

README.md

@@ -34,20 +34,20 @@ $ docker buildx bake
 
 Or if the toolchain is already installed on your machine:
 
-1 - Download the source.
+1. Download the source.
 
 ```shell
 $ git clone https://github.com/docker/docker-credential-helpers.git
 $ cd docker-credential-helpers
 ```
 
-2 - Use `make` to build the program you want. That will leave an executable in the `bin` directory inside the repository.
+2.  Use `make` to build the program you want. That will leave an executable in the `bin` directory inside the repository.
 
 ```shell
 $ make osxkeychain
 ```
 
-3 - Put that binary in your `$PATH`, so Docker can find it.
+3.  Put that binary in your `$PATH`, so Docker can find it.
 
 ```shell
 $ cp bin/build/docker-credential-osxkeychain /usr/local/bin/

client/command.go

@@ -15,27 +15,30 @@ type Program interface {
 // ProgramFunc is a type of function that initializes programs based on arguments.
 type ProgramFunc func(args ...string) Program
 
-// NewShellProgramFunc creates programs that are executed in a Shell.
-func NewShellProgramFunc(name string) ProgramFunc {
-	return NewShellProgramFuncWithEnv(name, nil)
-}
-
-// NewShellProgramFuncWithEnv creates programs that are executed in a Shell with environment variables
-func NewShellProgramFuncWithEnv(name string, env *map[string]string) ProgramFunc {
+// NewShellProgramFunc creates a [ProgramFunc] to run command in a [Shell].
+func NewShellProgramFunc(command string) ProgramFunc {
 	return func(args ...string) Program {
-		return &Shell{cmd: createProgramCmdRedirectErr(name, args, env)}
+		return createProgramCmdRedirectErr(command, args, nil)
 	}
 }
 
-func createProgramCmdRedirectErr(commandName string, args []string, env *map[string]string) *exec.Cmd {
-	programCmd := exec.Command(commandName, args...)
+// NewShellProgramFuncWithEnv creates a [ProgramFunc] tu run command
+// in a [Shell] with the given environment variables.
+func NewShellProgramFuncWithEnv(command string, env *map[string]string) ProgramFunc {
+	return func(args ...string) Program {
+		return createProgramCmdRedirectErr(command, args, env)
+	}
+}
+
+func createProgramCmdRedirectErr(command string, args []string, env *map[string]string) *Shell {
+	ec := exec.Command(command, args...)
 	if env != nil {
 		for k, v := range *env {
-			programCmd.Env = append(programCmd.Environ(), k+"="+v)
+			ec.Env = append(ec.Environ(), k+"="+v)
 		}
 	}
-	programCmd.Stderr = os.Stderr
-	return programCmd
+	ec.Stderr = os.Stderr
+	return &Shell{cmd: ec}
 }
 
 // Shell invokes shell commands to talk with a remote credentials-helper.

deb/Dockerfile

@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.10
+ARG GO_VERSION=1.25.1
 ARG DISTRO=ubuntu
-ARG SUITE=focal
+ARG SUITE=jammy
 
-FROM golang:${GO_VERSION}-bullseye AS golang
+FROM golang:${GO_VERSION}-bookworm AS golang
 
 FROM ${DISTRO}:${SUITE}
 

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-  default = "1.21.10"
+  default = null
 }
 
 # Defines the output folder

go.mod

@@ -1,7 +1,15 @@
 module github.com/docker/docker-credential-helpers
 
-go 1.19
+go 1.21
 
-require github.com/danieljoos/wincred v1.2.1
+retract (
+	v0.9.1 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+	v0.9.0 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+)
 
-require golang.org/x/sys v0.15.0 // indirect
+require (
+	github.com/danieljoos/wincred v1.2.3
+	github.com/keybase/go-keychain v0.0.1
+)
+
+require golang.org/x/sys v0.20.0 // indirect

go.sum

@@ -1,9 +1,16 @@
-github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=
-github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps=
+github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ=
+github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
+github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

osxkeychain/osxkeychain.c

@@ -1,227 +0,0 @@
-#include "osxkeychain.h"
-#include <CoreFoundation/CoreFoundation.h>
-#include <Foundation/NSValue.h>
-#include <stdio.h>
-#include <string.h>
-
-char *get_error(OSStatus status) {
-  char *buf = malloc(128);
-  CFStringRef str = SecCopyErrorMessageString(status, NULL);
-  int success = CFStringGetCString(str, buf, 128, kCFStringEncodingUTF8);
-  if (!success) {
-    strncpy(buf, "Unknown error", 128);
-  }
-  return buf;
-}
-
-char *keychain_add(struct Server *server, char *label, char *username, char *secret) {
-  SecKeychainItemRef item;
-
-  OSStatus status = SecKeychainAddInternetPassword(
-    NULL,
-    strlen(server->host), server->host,
-    0, NULL,
-    strlen(username), username,
-    strlen(server->path), server->path,
-    server->port,
-    server->proto,
-    kSecAuthenticationTypeDefault,
-    strlen(secret), secret,
-    &item
-  );
-
-  if (status) {
-    return get_error(status);
-  }
-
-  SecKeychainAttribute attribute;
-  SecKeychainAttributeList attrs;
-  attribute.tag = kSecLabelItemAttr;
-  attribute.data = label;
-  attribute.length = strlen(label);
-  attrs.count = 1;
-  attrs.attr = &attribute;
-
-  status = SecKeychainItemModifyContent(item, &attrs, 0, NULL);
-
-  if (status) {
-    return get_error(status);
-  }
-
-  return NULL;
-}
-
-char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *secret_l, char **secret) {
-  char *tmp;
-  SecKeychainItemRef item;
-
-  OSStatus status = SecKeychainFindInternetPassword(
-    NULL,
-    strlen(server->host), server->host,
-    0, NULL,
-    0, NULL,
-    strlen(server->path), server->path,
-    server->port,
-    server->proto,
-    kSecAuthenticationTypeDefault,
-    secret_l, (void **)&tmp,
-    &item);
-
-  if (status) {
-    return get_error(status);
-  }
-
-  *secret = strdup(tmp);
-  SecKeychainItemFreeContent(NULL, tmp);
-
-  SecKeychainAttributeList list;
-  SecKeychainAttribute attr;
-
-  list.count = 1;
-  list.attr = &attr;
-  attr.tag = kSecAccountItemAttr;
-
-  status = SecKeychainItemCopyContent(item, NULL, &list, NULL, NULL);
-  if (status) {
-    return get_error(status);
-  }
-
-  *username = strdup(attr.data);
-  *username_l = attr.length;
-  SecKeychainItemFreeContent(&list, NULL);
-
-  return NULL;
-}
-
-char *keychain_delete(struct Server *server) {
-  SecKeychainItemRef item;
-
-  OSStatus status = SecKeychainFindInternetPassword(
-    NULL,
-    strlen(server->host), server->host,
-    0, NULL,
-    0, NULL,
-    strlen(server->path), server->path,
-    server->port,
-    server->proto,
-    kSecAuthenticationTypeDefault,
-    0, NULL,
-    &item);
-
-  if (status) {
-    return get_error(status);
-  }
-
-  status = SecKeychainItemDelete(item);
-  if (status) {
-    return get_error(status);
-  }
-  return NULL;
-}
-
-char * CFStringToCharArr(CFStringRef aString) {
-  if (aString == NULL) {
-    return NULL;
-  }
-  CFIndex length = CFStringGetLength(aString);
-  CFIndex maxSize =
-  CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1;
-  char *buffer = (char *)malloc(maxSize);
-  if (CFStringGetCString(aString, buffer, maxSize,
-                         kCFStringEncodingUTF8)) {
-    return buffer;
-  }
-  return NULL;
-}
-
-char *keychain_list(char *credsLabel, char *** paths, char *** accts, unsigned int *list_l) {
-    CFStringRef credsLabelCF = CFStringCreateWithCString(NULL, credsLabel, kCFStringEncodingUTF8);
-    CFMutableDictionaryRef query = CFDictionaryCreateMutable (NULL, 1, NULL, NULL);
-    CFDictionaryAddValue(query, kSecClass, kSecClassInternetPassword);
-    CFDictionaryAddValue(query, kSecReturnAttributes, kCFBooleanTrue);
-    CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitAll);
-    CFDictionaryAddValue(query, kSecAttrLabel, credsLabelCF);
-    //Use this query dictionary
-    CFTypeRef result= NULL;
-    OSStatus status = SecItemCopyMatching(
-                                          query,
-                                          &result);
-
-    CFRelease(credsLabelCF);
-
-    //Ran a search and store the results in result
-    if (status) {
-        return get_error(status);
-    }
-    CFIndex numKeys = CFArrayGetCount(result);
-    *paths = (char **) malloc((int)sizeof(char *)*numKeys);
-    *accts = (char **) malloc((int)sizeof(char *)*numKeys);
-    //result is of type CFArray
-    for(CFIndex i=0; i<numKeys; i++) {
-        CFDictionaryRef currKey = CFArrayGetValueAtIndex(result,i);
-
-        CFStringRef protocolTmp = CFDictionaryGetValue(currKey, CFSTR("ptcl"));
-        if (protocolTmp != NULL) {
-            CFStringRef protocolStr = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), protocolTmp);
-            if (CFStringCompare(protocolStr, CFSTR("htps"), 0) == kCFCompareEqualTo) {
-                protocolTmp = CFSTR("https://");
-            }
-            else {
-                protocolTmp = CFSTR("http://");
-            }
-            CFRelease(protocolStr);
-        }
-        else {
-            char * path = "0";
-            char * acct = "0";
-            (*paths)[i] = (char *) malloc(sizeof(char)*(strlen(path)));
-            memcpy((*paths)[i], path, sizeof(char)*(strlen(path)));
-            (*accts)[i] = (char *) malloc(sizeof(char)*(strlen(acct)));
-            memcpy((*accts)[i], acct, sizeof(char)*(strlen(acct)));
-            continue;
-        }
-        
-        CFMutableStringRef str = CFStringCreateMutableCopy(NULL, 0, protocolTmp);
-        CFStringRef serverTmp = CFDictionaryGetValue(currKey, CFSTR("srvr"));
-        if (serverTmp != NULL) {
-            CFStringAppend(str, serverTmp);
-        }
-        
-        CFStringRef pathTmp = CFDictionaryGetValue(currKey, CFSTR("path"));
-        if (pathTmp != NULL) {
-            CFStringAppend(str, pathTmp);
-        }
-        
-        const NSNumber * portTmp = CFDictionaryGetValue(currKey, CFSTR("port"));
-        if (portTmp != NULL && portTmp.integerValue != 0) {
-            CFStringRef portStr = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), portTmp);
-            CFStringAppend(str, CFSTR(":"));
-            CFStringAppend(str, portStr);
-            CFRelease(portStr);
-        }
-        
-        CFStringRef acctTmp = CFDictionaryGetValue(currKey, CFSTR("acct"));
-        if (acctTmp == NULL) {
-            acctTmp = CFSTR("account not defined");
-        }
-
-        char * path = CFStringToCharArr(str);
-        char * acct = CFStringToCharArr(acctTmp);
-
-        //We now have all we need, username and servername. Now export this to .go
-        (*paths)[i] = (char *) malloc(sizeof(char)*(strlen(path)+1));
-        memcpy((*paths)[i], path, sizeof(char)*(strlen(path)+1));
-        (*accts)[i] = (char *) malloc(sizeof(char)*(strlen(acct)+1));
-        memcpy((*accts)[i], acct, sizeof(char)*(strlen(acct)+1));
-
-        CFRelease(str);
-    }
-    *list_l = (int)numKeys;
-    return NULL;
-}
-
-void freeListData(char *** data, unsigned int length) {
-     for(int i=0; i<length; i++) {
-        free((*data)[i]);
-     }
-}

osxkeychain/osxkeychain.go

@@ -3,30 +3,33 @@
 package osxkeychain
 
 /*
-#cgo CFLAGS: -x objective-c
-#cgo LDFLAGS: -framework Security -framework Foundation
+#cgo LDFLAGS: -framework Security -framework CoreFoundation
 
-#include "osxkeychain.h"
-#include <stdlib.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
 */
 import "C"
 
 import (
 	"errors"
+	"net"
+	"net/url"
 	"strconv"
-	"unsafe"
 
 	"github.com/docker/docker-credential-helpers/credentials"
 	"github.com/docker/docker-credential-helpers/registryurl"
+	"github.com/keybase/go-keychain"
 )
 
+// https://opensource.apple.com/source/Security/Security-55471/sec/Security/SecBase.h.auto.html
+const (
 	// errCredentialsNotFound is the specific error message returned by OS X
 	// when the credentials are not in the keychain.
-const errCredentialsNotFound = "The specified item could not be found in the keychain."
-
-// errCredentialsNotFound is the specific error message returned by OS X
+	errCredentialsNotFound = "The specified item could not be found in the keychain. (-25300)"
+	// errInteractionNotAllowed is the specific error message returned by OS X
 	// when environment does not allow showing dialog to unlock keychain.
-const errInteractionNotAllowed = "User interaction is not allowed."
+	errInteractionNotAllowed = "User interaction is not allowed. (-25308)"
+)
 
 // ErrInteractionNotAllowed is returned if keychain password prompt can not be shown.
 var ErrInteractionNotAllowed = errors.New(`keychain cannot be accessed because the current session does not allow user interaction. The keychain may be locked; unlock it by running "security -v unlock-keychain ~/Library/Keychains/login.keychain-db" and try again`)
@@ -38,152 +41,142 @@ type Osxkeychain struct{}
 func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 	_ = h.Delete(creds.ServerURL) // ignore errors as existing credential may not exist.
 
-	s, err := splitServer(creds.ServerURL)
-	if err != nil {
+	item := keychain.NewItem()
+	item.SetSecClass(keychain.SecClassInternetPassword)
+	item.SetLabel(credentials.CredsLabel)
+	item.SetAccount(creds.Username)
+	item.SetData([]byte(creds.Secret))
+	// Prior to v0.9, the credential helper was searching for credentials with
+	// the "dflt" authentication type (see [1]). Since v0.9.0, Get doesn't use
+	// that attribute anymore, and v0.9.0 - v0.9.2 were not setting it here
+	// either.
+	//
+	// In order to keep compatibility with older versions, we need to store
+	// credentials with this attribute set. This way, credentials stored with
+	// newer versions can be retrieved by older versions.
+	//
+	// [1]: https://github.com/docker/docker-credential-helpers/blob/v0.8.2/osxkeychain/osxkeychain.c#L66
+	item.SetAuthenticationType("dflt")
+	if err := splitServer(creds.ServerURL, item); err != nil {
 		return err
 	}
-	defer freeServer(s)
 
-	label := C.CString(credentials.CredsLabel)
-	defer C.free(unsafe.Pointer(label))
-	username := C.CString(creds.Username)
-	defer C.free(unsafe.Pointer(username))
-	secret := C.CString(creds.Secret)
-	defer C.free(unsafe.Pointer(secret))
-
-	errMsg := C.keychain_add(s, label, username, secret)
-	if errMsg != nil {
-		defer C.free(unsafe.Pointer(errMsg))
-		return errors.New(C.GoString(errMsg))
-	}
-
-	return nil
+	return keychain.AddItem(item)
 }
 
 // Delete removes credentials from the keychain.
 func (h Osxkeychain) Delete(serverURL string) error {
-	s, err := splitServer(serverURL)
-	if err != nil {
+	item := keychain.NewItem()
+	item.SetSecClass(keychain.SecClassInternetPassword)
+	if err := splitServer(serverURL, item); err != nil {
 		return err
 	}
-	defer freeServer(s)
-
-	if errMsg := C.keychain_delete(s); errMsg != nil {
-		defer C.free(unsafe.Pointer(errMsg))
-		switch goMsg := C.GoString(errMsg); goMsg {
+	if err := keychain.DeleteItem(item); err != nil {
+		switch err.Error() {
 		case errCredentialsNotFound:
 			return credentials.NewErrCredentialsNotFound()
 		case errInteractionNotAllowed:
 			return ErrInteractionNotAllowed
 		default:
-			return errors.New(goMsg)
+			return err
 		}
 	}
-
 	return nil
 }
 
 // Get returns the username and secret to use for a given registry server URL.
 func (h Osxkeychain) Get(serverURL string) (string, string, error) {
-	s, err := splitServer(serverURL)
-	if err != nil {
+	item := keychain.NewItem()
+	item.SetSecClass(keychain.SecClassInternetPassword)
+	item.SetMatchLimit(keychain.MatchLimitOne)
+	item.SetReturnAttributes(true)
+	item.SetReturnData(true)
+	if err := splitServer(serverURL, item); err != nil {
 		return "", "", err
 	}
-	defer freeServer(s)
 
-	var usernameLen C.uint
-	var username *C.char
-	var secretLen C.uint
-	var secret *C.char
-	defer C.free(unsafe.Pointer(username))
-	defer C.free(unsafe.Pointer(secret))
-
-	errMsg := C.keychain_get(s, &usernameLen, &username, &secretLen, &secret)
-	if errMsg != nil {
-		defer C.free(unsafe.Pointer(errMsg))
-		switch goMsg := C.GoString(errMsg); goMsg {
+	res, err := keychain.QueryItem(item)
+	if err != nil {
+		switch err.Error() {
 		case errCredentialsNotFound:
 			return "", "", credentials.NewErrCredentialsNotFound()
 		case errInteractionNotAllowed:
 			return "", "", ErrInteractionNotAllowed
 		default:
-			return "", "", errors.New(goMsg)
+			return "", "", err
 		}
+	} else if len(res) == 0 {
+		return "", "", credentials.NewErrCredentialsNotFound()
 	}
 
-	user := C.GoStringN(username, C.int(usernameLen))
-	pass := C.GoStringN(secret, C.int(secretLen))
-	return user, pass, nil
+	return res[0].Account, string(res[0].Data), nil
 }
 
 // List returns the stored URLs and corresponding usernames.
 func (h Osxkeychain) List() (map[string]string, error) {
-	credsLabelC := C.CString(credentials.CredsLabel)
-	defer C.free(unsafe.Pointer(credsLabelC))
+	item := keychain.NewItem()
+	item.SetSecClass(keychain.SecClassInternetPassword)
+	item.SetMatchLimit(keychain.MatchLimitAll)
+	item.SetReturnAttributes(true)
+	item.SetLabel(credentials.CredsLabel)
 
-	var pathsC **C.char
-	defer C.free(unsafe.Pointer(pathsC))
-	var acctsC **C.char
-	defer C.free(unsafe.Pointer(acctsC))
-	var listLenC C.uint
-	errMsg := C.keychain_list(credsLabelC, &pathsC, &acctsC, &listLenC)
-	defer C.freeListData(&pathsC, listLenC)
-	defer C.freeListData(&acctsC, listLenC)
-	if errMsg != nil {
-		defer C.free(unsafe.Pointer(errMsg))
-		switch goMsg := C.GoString(errMsg); goMsg {
+	res, err := keychain.QueryItem(item)
+	if err != nil {
+		switch err.Error() {
 		case errCredentialsNotFound:
 			return make(map[string]string), nil
 		case errInteractionNotAllowed:
 			return nil, ErrInteractionNotAllowed
 		default:
-			return nil, errors.New(goMsg)
+			return nil, err
 		}
 	}
 
-	var listLen int
-	listLen = int(listLenC)
-	pathTmp := (*[1 << 30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
-	acctTmp := (*[1 << 30]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen]
-	// taking the array of c strings into go while ignoring all the stuff irrelevant to credentials-helper
 	resp := make(map[string]string)
-	for i := 0; i < listLen; i++ {
-		if C.GoString(pathTmp[i]) == "0" {
-			continue
+	for _, r := range res {
+		proto := "http"
+		if r.Protocol == kSecProtocolTypeHTTPS {
+			proto = "https"
 		}
-		resp[C.GoString(pathTmp[i])] = C.GoString(acctTmp[i])
+		host := r.Server
+		if r.Port != 0 {
+			host = net.JoinHostPort(host, strconv.Itoa(int(r.Port)))
+		}
+		u := url.URL{
+			Scheme: proto,
+			Host:   host,
+			Path:   r.Path,
+		}
+		resp[u.String()] = r.Account
 	}
 	return resp, nil
 }
 
-func splitServer(serverURL string) (*C.struct_Server, error) {
+const (
+	// Hardcoded protocol types matching their Objective-C equivalents.
+	// https://developer.apple.com/documentation/security/ksecattrprotocolhttps?language=objc
+	kSecProtocolTypeHTTPS = "htps" // This is NOT a typo.
+	// https://developer.apple.com/documentation/security/ksecattrprotocolhttp?language=objc
+	kSecProtocolTypeHTTP = "http"
+)
+
+func splitServer(serverURL string, item keychain.Item) error {
 	u, err := registryurl.Parse(serverURL)
 	if err != nil {
-		return nil, err
+		return err
 	}
-
-	proto := C.kSecProtocolTypeHTTPS
+	item.SetProtocol(kSecProtocolTypeHTTPS)
 	if u.Scheme == "http" {
-		proto = C.kSecProtocolTypeHTTP
+		item.SetProtocol(kSecProtocolTypeHTTP)
 	}
-	var port int
-	p := u.Port()
-	if p != "" {
-		port, err = strconv.Atoi(p)
+	item.SetServer(u.Hostname())
+	if p := u.Port(); p != "" {
+		port, err := strconv.Atoi(p)
 		if err != nil {
-			return nil, err
+			return err
 		}
+		item.SetPort(int32(port))
 	}
-
-	return &C.struct_Server{
-		proto: C.SecProtocolType(proto),
-		host:  C.CString(u.Hostname()),
-		port:  C.uint(port),
-		path:  C.CString(u.Path),
-	}, nil
-}
-
-func freeServer(s *C.struct_Server) {
-	C.free(unsafe.Pointer(s.host))
-	C.free(unsafe.Pointer(s.path))
+	item.SetPath(u.Path)
+	return nil
 }

osxkeychain/osxkeychain.h

@@ -1,14 +0,0 @@
-#include <Security/Security.h>
-
-struct Server {
-  SecProtocolType proto;
-  char *host;
-  char *path;
-  unsigned int port;
-};
-
-char *keychain_add(struct Server *server, char *label, char *username, char *secret);
-char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *secret_l, char **secret);
-char *keychain_delete(struct Server *server);
-char *keychain_list(char *credsLabel, char *** data, char *** accts, unsigned int *list_l);
-void freeListData(char *** data, unsigned int length);

osxkeychain/osxkeychain_test.go

@@ -15,11 +15,6 @@ func TestOSXKeychainHelper(t *testing.T) {
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
-	creds1 := &credentials.Credentials{
-		ServerURL: "https://foobar.example.com:2376/v2",
-		Username:  "foobarbaz",
-		Secret:    "foobar",
-	}
 	helper := Osxkeychain{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
@@ -43,19 +38,49 @@ func TestOSXKeychainHelper(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	helper.Add(creds1)
-	defer helper.Delete(creds1.ServerURL)
-	newauths, err := helper.List()
-	if len(newauths)-len(auths) != 1 {
-		if err == nil {
-			t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
-		}
-		t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
+	if _, ok := auths[creds.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds.ServerURL, auths)
 	}
 
+	// Insert another token and check if it is in the list
+	creds1 := &credentials.Credentials{
+		ServerURL: "https://foobar.example.com:2376/v2",
+		Username:  "foobarbaz",
+		Secret:    "foobar",
+	}
+	helper.Add(creds1)
+	defer helper.Delete(creds1.ServerURL)
+
+	auths, err = helper.List()
+	if err != nil {
+		t.Fatalf("operation List failed: %+v", err)
+	}
+
+	if _, ok := auths[creds.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds.ServerURL, auths)
+	}
+	if _, ok := auths[creds1.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds1.ServerURL, auths)
+	}
+
+	// Delete the 1st token inserted
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
+
+	auths, err = helper.List()
+	if err != nil {
+		t.Fatalf("operation List failed: %+v", err)
+	}
+
+	// First token should have been deleted
+	if _, ok := auths[creds.ServerURL]; ok {
+		t.Fatalf("server %s was not deleted, got: %+v", creds.ServerURL, auths)
+	}
+	// Second token should still be there
+	if _, ok := auths[creds1.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds1.ServerURL, auths)
+	}
 }
 
 // TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
@@ -107,7 +132,7 @@ func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
 				t.Fatalf("Error: failed to store secret for URL %q: %s", tc.storeURL, err)
 			}
 			if _, _, err := helper.Get(tc.readURL); err != nil {
-				t.Errorf("Error: failed to read secret for URL %q using %q", tc.storeURL, tc.readURL)
+				t.Errorf("Error: failed to read secret for URL %q using %q: %s", tc.storeURL, tc.readURL, err)
 			}
 			if err := helper.Delete(tc.storeURL); err != nil {
 				t.Error(err)
@@ -116,6 +141,39 @@ func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
 	}
 }
 
+func TestOSXKeychainHelperStoreWithUncleanPath(t *testing.T) {
+	helper := Osxkeychain{}
+	creds := &credentials.Credentials{
+		ServerURL: "https://::1:8080//////location/../../hello",
+		Username:  "testuser",
+		Secret:    "testsecret",
+	}
+
+	// Clean store before and after the test.
+	defer helper.Delete(creds.ServerURL)
+	if err := helper.Delete(creds.ServerURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
+		t.Errorf("prepare: failed to delete '%s': %v", creds.ServerURL, err)
+	}
+
+	// Store the credentials
+	if err := helper.Add(creds); err != nil {
+		t.Fatalf("Error: failed to store credentials with unclean path %q: %s", creds.ServerURL, err)
+	}
+
+	// Retrieve and verify credentials
+	username, secret, err := helper.Get(creds.ServerURL)
+	if err != nil {
+		t.Fatalf("Error: failed to retrieve credentials with unclean path %q: %s", creds.ServerURL, err)
+	}
+
+	if username != creds.Username {
+		t.Errorf("Error: expected username %s, got %s", creds.Username, username)
+	}
+	if secret != creds.Secret {
+		t.Errorf("Error: expected secret %s, got %s", creds.Secret, secret)
+	}
+}
+
 // TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {

pass/pass_test.go

@@ -83,10 +83,10 @@ func TestPassHelperList(t *testing.T) {
 		t.Error(err)
 	}
 	for server, username := range credsList {
-		if !(strings.HasSuffix(server, "2376/v1") || strings.HasSuffix(server, "2375/v1")) {
+		if !strings.HasSuffix(server, "2376/v1") && !strings.HasSuffix(server, "2375/v1") {
 			t.Errorf("invalid url: %s", server)
 		}
-		if !(username == "foo" || username == "bar") {
+		if username != "foo" && username != "bar" {
 			t.Errorf("invalid username: %v", username)
 		}
 

secretservice/secretservice.c

@@ -17,11 +17,11 @@ const SecretSchema *docker_get_schema(void)
 	return &docker_schema;
 }
 
-GError *add(char *label, char *server, char *username, char *secret) {
+GError *add(char *label, char *server, char *username, char *secret, char *displaylabel) {
 	GError *err = NULL;
 
 	secret_password_store_sync (DOCKER_SCHEMA, SECRET_COLLECTION_DEFAULT,
-			server, secret, NULL, &err,
+			displaylabel, secret, NULL, &err,
 			"label", label,
 			"server", server,
 			"username", username,
@@ -83,6 +83,9 @@ GError *get(char *server, char **username, char **secret) {
 				}
 				g_free(value);
 				secretValue = secret_item_get_secret(l->data);
+				if (secretValue == NULL) {
+					continue;
+				}
 				if (secret != NULL) {
 					*secret = strdup(secret_value_get(secretValue, &length));
 					secret_value_unref(secretValue);

secretservice/secretservice.go

@@ -33,8 +33,10 @@ func (h Secretservice) Add(creds *credentials.Credentials) error {
 	defer C.free(unsafe.Pointer(username))
 	secret := C.CString(creds.Secret)
 	defer C.free(unsafe.Pointer(secret))
+	displayLabel := C.CString("Registry credentials for " + creds.ServerURL)
+	defer C.free(unsafe.Pointer(displayLabel))
 
-	if err := C.add(credsLabel, server, username, secret); err != nil {
+	if err := C.add(credsLabel, server, username, secret, displayLabel); err != nil {
 		defer C.g_error_free(err)
 		errMsg := (*C.char)(unsafe.Pointer(err.message))
 		return errors.New(C.GoString(errMsg))

secretservice/secretservice.h

@@ -6,7 +6,7 @@ const SecretSchema *docker_get_schema(void) G_GNUC_CONST;
 
 #define DOCKER_SCHEMA docker_get_schema()
 
-GError *add(char *label, char *server, char *username, char *secret);
+GError *add(char *label, char *server, char *username, char *secret, char *displaylabel);
 GError *delete(char *server);
 GError *get(char *server, char **username, char **secret);
 GError *list(char *label, char *** paths, char *** accts, unsigned int *list_l);

vendor/github.com/danieljoos/wincred/conversion.go

@@ -31,13 +31,13 @@ func utf16FromString(str string) []uint16 {
 
 // goBytes copies the given C byte array to a Go byte array (see `C.GoBytes`).
 // This function avoids having cgo as dependency.
-func goBytes(src uintptr, len uint32) []byte {
-	if src == uintptr(0) {
+func goBytes(src *byte, len uint32) []byte {
+	if src == nil || len == 0 {
 		return []byte{}
 	}
 	rv := make([]byte, len)
 	copy(rv, *(*[]byte)(unsafe.Pointer(&reflect.SliceHeader{
-		Data: src,
+		Data: uintptr(unsafe.Pointer(src)),
 		Len:  int(len),
 		Cap:  int(len),
 	})))
@@ -59,7 +59,7 @@ func sysToCredential(cred *sysCREDENTIAL) (result *Credential) {
 	result.CredentialBlob = goBytes(cred.CredentialBlob, cred.CredentialBlobSize)
 	result.Attributes = make([]CredentialAttribute, cred.AttributeCount)
 	attrSlice := *(*[]sysCREDENTIAL_ATTRIBUTE)(unsafe.Pointer(&reflect.SliceHeader{
-		Data: cred.Attributes,
+		Data: uintptr(unsafe.Pointer(cred.Attributes)),
 		Len:  int(cred.AttributeCount),
 		Cap:  int(cred.AttributeCount),
 	}))
@@ -85,17 +85,13 @@ func sysFromCredential(cred *Credential) (result *sysCREDENTIAL) {
 	result.LastWritten = syscall.NsecToFiletime(cred.LastWritten.UnixNano())
 	result.CredentialBlobSize = uint32(len(cred.CredentialBlob))
 	if len(cred.CredentialBlob) > 0 {
-		result.CredentialBlob = uintptr(unsafe.Pointer(&cred.CredentialBlob[0]))
-	} else {
-		result.CredentialBlob = 0
+		result.CredentialBlob = &cred.CredentialBlob[0]
 	}
 	result.Persist = uint32(cred.Persist)
 	result.AttributeCount = uint32(len(cred.Attributes))
 	attributes := make([]sysCREDENTIAL_ATTRIBUTE, len(cred.Attributes))
 	if len(attributes) > 0 {
-		result.Attributes = uintptr(unsafe.Pointer(&attributes[0]))
-	} else {
-		result.Attributes = 0
+		result.Attributes = &attributes[0]
 	}
 	for i := range cred.Attributes {
 		inAttr := &cred.Attributes[i]
@@ -104,9 +100,7 @@ func sysFromCredential(cred *Credential) (result *sysCREDENTIAL) {
 		outAttr.Flags = 0
 		outAttr.ValueSize = uint32(len(inAttr.Value))
 		if len(inAttr.Value) > 0 {
-			outAttr.Value = uintptr(unsafe.Pointer(&inAttr.Value[0]))
-		} else {
-			outAttr.Value = 0
+			outAttr.Value = &inAttr.Value[0]
 		}
 	}
 	result.TargetAlias, _ = syscall.UTF16PtrFromString(cred.TargetAlias)

vendor/github.com/danieljoos/wincred/sys.go

@@ -5,6 +5,7 @@ package wincred
 
 import (
 	"reflect"
+	"runtime"
 	"syscall"
 	"unsafe"
 
@@ -33,10 +34,10 @@ type sysCREDENTIAL struct {
 	Comment            *uint16
 	LastWritten        windows.Filetime
 	CredentialBlobSize uint32
-	CredentialBlob     uintptr
+	CredentialBlob     *byte
 	Persist            uint32
 	AttributeCount     uint32
-	Attributes         uintptr
+	Attributes         *sysCREDENTIAL_ATTRIBUTE
 	TargetAlias        *uint16
 	UserName           *uint16
 }
@@ -46,7 +47,7 @@ type sysCREDENTIAL_ATTRIBUTE struct {
 	Keyword   *uint16
 	Flags     uint32
 	ValueSize uint32
-	Value     uintptr
+	Value     *byte
 }
 
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
@@ -93,6 +94,8 @@ func sysCredWrite(cred *Credential, typ sysCRED_TYPE) error {
 		uintptr(unsafe.Pointer(ncred)),
 		0,
 	)
+	// Make sure everything reachable from ncred stays alive through the call.
+	runtime.KeepAlive(ncred)
 	if ret == 0 {
 		return err
 	}

vendor/github.com/danieljoos/wincred/sys_unsupported.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package wincred
@@ -17,6 +18,7 @@ const (
 
 	sysERROR_NOT_FOUND         = syscall.Errno(1)
 	sysERROR_INVALID_PARAMETER = syscall.Errno(1)
+	sysERROR_BAD_USERNAME      = syscall.Errno(1)
 )
 
 func sysCredRead(...interface{}) (*Credential, error) {

vendor/github.com/keybase/go-keychain/.gitignore

@@ -0,0 +1,26 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+vendor

vendor/github.com/keybase/go-keychain/.golangci.yml

@@ -0,0 +1,13 @@
+linters-settings:
+  gocritic:
+    disabled-checks:
+      - ifElseChain
+      - elseif
+
+linters:
+  enable:
+    - gofmt
+    - gocritic
+    - unconvert
+    - revive
+    - govet

vendor/github.com/keybase/go-keychain/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Keybase
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

vendor/github.com/keybase/go-keychain/README.md

@@ -0,0 +1,126 @@
+# Go Keychain
+
+[![Build Status](https://github.com/keybase/go-keychain/actions/workflows/ci.yml/badge.svg)](https://github.com/keybase/go-keychain/actions)
+
+A library for accessing the Keychain for macOS, iOS, and Linux in Go (golang).
+
+Requires macOS 10.9 or greater and iOS 8 or greater. On Linux, communicates to
+a provider of the DBUS SecretService spec like gnome-keyring or ksecretservice.
+
+```go
+import "github.com/keybase/go-keychain"
+```
+
+## Mac/iOS Usage
+
+The API is meant to mirror the macOS/iOS Keychain API and is not necessarily idiomatic go.
+
+#### Add Item
+
+```go
+item := keychain.NewItem()
+item.SetSecClass(keychain.SecClassGenericPassword)
+item.SetService("MyService")
+item.SetAccount("gabriel")
+item.SetLabel("A label")
+item.SetAccessGroup("A123456789.group.com.mycorp")
+item.SetData([]byte("toomanysecrets"))
+item.SetSynchronizable(keychain.SynchronizableNo)
+item.SetAccessible(keychain.AccessibleWhenUnlocked)
+err := keychain.AddItem(item)
+
+if err == keychain.ErrorDuplicateItem {
+  // Duplicate
+}
+```
+
+#### Query Item
+
+Query for multiple results, returning attributes:
+
+```go
+query := keychain.NewItem()
+query.SetSecClass(keychain.SecClassGenericPassword)
+query.SetService(service)
+query.SetAccount(account)
+query.SetAccessGroup(accessGroup)
+query.SetMatchLimit(keychain.MatchLimitAll)
+query.SetReturnAttributes(true)
+results, err := keychain.QueryItem(query)
+if err != nil {
+  // Error
+} else {
+  for _, r := range results {
+    fmt.Printf("%#v\n", r)
+  }
+}
+```
+
+Query for a single result, returning data:
+
+```go
+query := keychain.NewItem()
+query.SetSecClass(keychain.SecClassGenericPassword)
+query.SetService(service)
+query.SetAccount(account)
+query.SetAccessGroup(accessGroup)
+query.SetMatchLimit(keychain.MatchLimitOne)
+query.SetReturnData(true)
+results, err := keychain.QueryItem(query)
+if err != nil {
+  // Error
+} else if len(results) != 1 {
+  // Not found
+} else {
+  password := string(results[0].Data)
+}
+```
+
+#### Delete Item
+
+Delete a generic password item with service and account:
+
+```go
+item := keychain.NewItem()
+item.SetSecClass(keychain.SecClassGenericPassword)
+item.SetService(service)
+item.SetAccount(account)
+err := keychain.DeleteItem(item)
+```
+
+### Other
+
+There are some convenience methods for generic password:
+
+```go
+// Create generic password item with service, account, label, password, access group
+item := keychain.NewGenericPassword("MyService", "gabriel", "A label", []byte("toomanysecrets"), "A123456789.group.com.mycorp")
+item.SetSynchronizable(keychain.SynchronizableNo)
+item.SetAccessible(keychain.AccessibleWhenUnlocked)
+err := keychain.AddItem(item)
+if err == keychain.ErrorDuplicateItem {
+  // Duplicate
+}
+
+password, err := keychain.GetGenericPassword("MyService", "gabriel", "A label", "A123456789.group.com.mycorp")
+
+accounts, err := keychain.GetGenericPasswordAccounts("MyService")
+// Should have 1 account == "gabriel"
+
+err := keychain.DeleteGenericPasswordItem("MyService", "gabriel")
+if err == keychain.ErrorItemNotFound {
+  // Not found
+}
+```
+
+## iOS
+
+Bindable package in `bind`. iOS project in `ios`. Run that project to test iOS.
+
+To re-generate framework:
+
+```
+(cd bind && gomobile bind -target=ios -tags=ios -o ../ios/bind.framework)
+```
+
+Post issues to: https://github.com/keybase/keybase-issues

vendor/github.com/keybase/go-keychain/corefoundation.go

@@ -0,0 +1,370 @@
+//go:build darwin || ios
+// +build darwin ios
+
+package keychain
+
+/*
+#cgo LDFLAGS: -framework CoreFoundation
+
+#include <CoreFoundation/CoreFoundation.h>
+
+// Can't cast a *uintptr to *unsafe.Pointer in Go, and casting
+// C.CFTypeRef to unsafe.Pointer is unsafe in Go, so have shim functions to
+// do the casting in C (where it's safe).
+
+// We add a suffix to the C functions below, because we copied this
+// file from go-kext, which means that any project that depends on this
+// package and go-kext would run into duplicate symbol errors otherwise.
+//
+// TODO: Move this file into its own package depended on by go-kext
+// and this package.
+
+CFDictionaryRef CFDictionaryCreateSafe2(CFAllocatorRef allocator, const uintptr_t *keys, const uintptr_t *values, CFIndex numValues, const CFDictionaryKeyCallBacks *keyCallBacks, const CFDictionaryValueCallBacks *valueCallBacks) {
+  return CFDictionaryCreate(allocator, (const void **)keys, (const void **)values, numValues, keyCallBacks, valueCallBacks);
+}
+
+CFArrayRef CFArrayCreateSafe2(CFAllocatorRef allocator, const uintptr_t *values, CFIndex numValues, const CFArrayCallBacks *callBacks) {
+  return CFArrayCreate(allocator, (const void **)values, numValues, callBacks);
+}
+*/
+import "C"
+import (
+	"errors"
+	"fmt"
+	"math"
+	"reflect"
+	"unicode/utf8"
+	"unsafe"
+)
+
+// Release releases memory pointed to by a CFTypeRef.
+func Release(ref C.CFTypeRef) {
+	C.CFRelease(ref)
+}
+
+// BytesToCFData will return a CFDataRef and if non-nil, must be released with
+// Release(ref).
+func BytesToCFData(b []byte) (C.CFDataRef, error) {
+	if uint64(len(b)) > math.MaxUint32 {
+		return 0, errors.New("Data is too large")
+	}
+	var p *C.UInt8
+	if len(b) > 0 {
+		p = (*C.UInt8)(&b[0])
+	}
+	cfData := C.CFDataCreate(C.kCFAllocatorDefault, p, C.CFIndex(len(b)))
+	if cfData == 0 {
+		return 0, fmt.Errorf("CFDataCreate failed")
+	}
+	return cfData, nil
+}
+
+// CFDataToBytes converts CFData to bytes.
+func CFDataToBytes(cfData C.CFDataRef) ([]byte, error) {
+	return C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(cfData)), C.int(C.CFDataGetLength(cfData))), nil
+}
+
+// MapToCFDictionary will return a CFDictionaryRef and if non-nil, must be
+// released with Release(ref).
+func MapToCFDictionary(m map[C.CFTypeRef]C.CFTypeRef) (C.CFDictionaryRef, error) {
+	var keys, values []C.uintptr_t
+	for key, value := range m {
+		keys = append(keys, C.uintptr_t(key))
+		values = append(values, C.uintptr_t(value))
+	}
+	numValues := len(values)
+	var keysPointer, valuesPointer *C.uintptr_t
+	if numValues > 0 {
+		keysPointer = &keys[0]
+		valuesPointer = &values[0]
+	}
+	cfDict := C.CFDictionaryCreateSafe2(C.kCFAllocatorDefault, keysPointer, valuesPointer, C.CFIndex(numValues),
+		&C.kCFTypeDictionaryKeyCallBacks, &C.kCFTypeDictionaryValueCallBacks) //nolint
+	if cfDict == 0 {
+		return 0, fmt.Errorf("CFDictionaryCreate failed")
+	}
+	return cfDict, nil
+}
+
+// CFDictionaryToMap converts CFDictionaryRef to a map.
+func CFDictionaryToMap(cfDict C.CFDictionaryRef) (m map[C.CFTypeRef]C.CFTypeRef) {
+	count := C.CFDictionaryGetCount(cfDict)
+	if count > 0 {
+		keys := make([]C.CFTypeRef, count)
+		values := make([]C.CFTypeRef, count)
+		C.CFDictionaryGetKeysAndValues(cfDict, (*unsafe.Pointer)(unsafe.Pointer(&keys[0])), (*unsafe.Pointer)(unsafe.Pointer(&values[0])))
+		m = make(map[C.CFTypeRef]C.CFTypeRef, count)
+		for i := C.CFIndex(0); i < count; i++ {
+			m[keys[i]] = values[i]
+		}
+	}
+	return
+}
+
+// Int32ToCFNumber will return a CFNumberRef, must be released with Release(ref).
+func Int32ToCFNumber(u int32) C.CFNumberRef {
+	sint := C.SInt32(u)
+	p := unsafe.Pointer(&sint)
+	return C.CFNumberCreate(C.kCFAllocatorDefault, C.kCFNumberSInt32Type, p)
+}
+
+// StringToCFString will return a CFStringRef and if non-nil, must be released with
+// Release(ref).
+func StringToCFString(s string) (C.CFStringRef, error) {
+	if !utf8.ValidString(s) {
+		return 0, errors.New("Invalid UTF-8 string")
+	}
+	if uint64(len(s)) > math.MaxUint32 {
+		return 0, errors.New("String is too large")
+	}
+
+	bytes := []byte(s)
+	var p *C.UInt8
+	if len(bytes) > 0 {
+		p = (*C.UInt8)(&bytes[0])
+	}
+	return C.CFStringCreateWithBytes(C.kCFAllocatorDefault, p, C.CFIndex(len(s)), C.kCFStringEncodingUTF8, C.false), nil
+}
+
+// CFStringToString converts a CFStringRef to a string.
+func CFStringToString(s C.CFStringRef) string {
+	p := C.CFStringGetCStringPtr(s, C.kCFStringEncodingUTF8)
+	if p != nil {
+		return C.GoString(p)
+	}
+	length := C.CFStringGetLength(s)
+	if length == 0 {
+		return ""
+	}
+	maxBufLen := C.CFStringGetMaximumSizeForEncoding(length, C.kCFStringEncodingUTF8)
+	if maxBufLen == 0 {
+		return ""
+	}
+	buf := make([]byte, maxBufLen)
+	var usedBufLen C.CFIndex
+	_ = C.CFStringGetBytes(s, C.CFRange{0, length}, C.kCFStringEncodingUTF8, C.UInt8(0), C.false, (*C.UInt8)(&buf[0]), maxBufLen, &usedBufLen)
+	return string(buf[:usedBufLen])
+}
+
+// ArrayToCFArray will return a CFArrayRef and if non-nil, must be released with
+// Release(ref).
+func ArrayToCFArray(a []C.CFTypeRef) C.CFArrayRef {
+	var values []C.uintptr_t
+	for _, value := range a {
+		values = append(values, C.uintptr_t(value))
+	}
+	numValues := len(values)
+	var valuesPointer *C.uintptr_t
+	if numValues > 0 {
+		valuesPointer = &values[0]
+	}
+	return C.CFArrayCreateSafe2(C.kCFAllocatorDefault, valuesPointer, C.CFIndex(numValues), &C.kCFTypeArrayCallBacks) //nolint
+}
+
+// CFArrayToArray converts a CFArrayRef to an array of CFTypes.
+func CFArrayToArray(cfArray C.CFArrayRef) (a []C.CFTypeRef) {
+	count := C.CFArrayGetCount(cfArray)
+	if count > 0 {
+		a = make([]C.CFTypeRef, count)
+		C.CFArrayGetValues(cfArray, C.CFRange{0, count}, (*unsafe.Pointer)(unsafe.Pointer(&a[0])))
+	}
+	return
+}
+
+// Convertable knows how to convert an instance to a CFTypeRef.
+type Convertable interface {
+	Convert() (C.CFTypeRef, error)
+}
+
+// ConvertMapToCFDictionary converts a map to a CFDictionary and if non-nil,
+// must be released with Release(ref).
+func ConvertMapToCFDictionary(attr map[string]interface{}) (C.CFDictionaryRef, error) {
+	m := make(map[C.CFTypeRef]C.CFTypeRef)
+	for key, i := range attr {
+		var valueRef C.CFTypeRef
+		switch val := i.(type) {
+		default:
+			return 0, fmt.Errorf("Unsupported value type: %v", reflect.TypeOf(i))
+		case C.CFTypeRef:
+			valueRef = val
+		case bool:
+			if val {
+				valueRef = C.CFTypeRef(C.kCFBooleanTrue)
+			} else {
+				valueRef = C.CFTypeRef(C.kCFBooleanFalse)
+			}
+		case int32:
+			valueRef = C.CFTypeRef(Int32ToCFNumber(val))
+			defer Release(valueRef)
+		case []byte:
+			bytesRef, err := BytesToCFData(val)
+			if err != nil {
+				return 0, err
+			}
+			valueRef = C.CFTypeRef(bytesRef)
+			defer Release(valueRef)
+		case string:
+			stringRef, err := StringToCFString(val)
+			if err != nil {
+				return 0, err
+			}
+			valueRef = C.CFTypeRef(stringRef)
+			defer Release(valueRef)
+		case Convertable:
+			convertedRef, err := val.Convert()
+			if err != nil {
+				return 0, err
+			}
+			valueRef = convertedRef
+			defer Release(valueRef)
+		}
+		keyRef, err := StringToCFString(key)
+		if err != nil {
+			return 0, err
+		}
+		m[C.CFTypeRef(keyRef)] = valueRef
+		defer Release(C.CFTypeRef(keyRef))
+	}
+
+	cfDict, err := MapToCFDictionary(m)
+	if err != nil {
+		return 0, err
+	}
+	return cfDict, nil
+}
+
+// CFTypeDescription returns type string for CFTypeRef.
+func CFTypeDescription(ref C.CFTypeRef) string {
+	typeID := C.CFGetTypeID(ref)
+	typeDesc := C.CFCopyTypeIDDescription(typeID)
+	defer Release(C.CFTypeRef(typeDesc))
+	return CFStringToString(typeDesc)
+}
+
+// Convert converts a CFTypeRef to a go instance.
+func Convert(ref C.CFTypeRef) (interface{}, error) {
+	typeID := C.CFGetTypeID(ref)
+	if typeID == C.CFStringGetTypeID() {
+		return CFStringToString(C.CFStringRef(ref)), nil
+	} else if typeID == C.CFDictionaryGetTypeID() {
+		return ConvertCFDictionary(C.CFDictionaryRef(ref))
+	} else if typeID == C.CFArrayGetTypeID() {
+		arr := CFArrayToArray(C.CFArrayRef(ref))
+		results := make([]interface{}, 0, len(arr))
+		for _, ref := range arr {
+			v, err := Convert(ref)
+			if err != nil {
+				return nil, err
+			}
+			results = append(results, v)
+		}
+		return results, nil
+	} else if typeID == C.CFDataGetTypeID() {
+		b, err := CFDataToBytes(C.CFDataRef(ref))
+		if err != nil {
+			return nil, err
+		}
+		return b, nil
+	} else if typeID == C.CFNumberGetTypeID() {
+		return CFNumberToInterface(C.CFNumberRef(ref)), nil
+	} else if typeID == C.CFBooleanGetTypeID() {
+		if C.CFBooleanGetValue(C.CFBooleanRef(ref)) != 0 {
+			return true, nil
+		}
+		return false, nil
+	}
+
+	return nil, fmt.Errorf("Invalid type: %s", CFTypeDescription(ref))
+}
+
+// ConvertCFDictionary converts a CFDictionary to map (deep).
+func ConvertCFDictionary(d C.CFDictionaryRef) (map[interface{}]interface{}, error) {
+	m := CFDictionaryToMap(d)
+	result := make(map[interface{}]interface{})
+
+	for k, v := range m {
+		gk, err := Convert(k)
+		if err != nil {
+			return nil, err
+		}
+		gv, err := Convert(v)
+		if err != nil {
+			return nil, err
+		}
+		result[gk] = gv
+	}
+	return result, nil
+}
+
+// CFNumberToInterface converts the CFNumberRef to the most appropriate numeric
+// type.
+// This code is from github.com/kballard/go-osx-plist.
+func CFNumberToInterface(cfNumber C.CFNumberRef) interface{} {
+	typ := C.CFNumberGetType(cfNumber)
+	switch typ {
+	case C.kCFNumberSInt8Type:
+		var sint C.SInt8
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&sint)) //nolint
+		return int8(sint)
+	case C.kCFNumberSInt16Type:
+		var sint C.SInt16
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&sint)) //nolint
+		return int16(sint)
+	case C.kCFNumberSInt32Type:
+		var sint C.SInt32
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&sint)) //nolint
+		return int32(sint)
+	case C.kCFNumberSInt64Type:
+		var sint C.SInt64
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&sint)) //nolint
+		return int64(sint)
+	case C.kCFNumberFloat32Type:
+		var float C.Float32
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&float)) //nolint
+		return float32(float)
+	case C.kCFNumberFloat64Type:
+		var float C.Float64
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&float)) //nolint
+		return float64(float)
+	case C.kCFNumberCharType:
+		var char C.char
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&char)) //nolint
+		return byte(char)
+	case C.kCFNumberShortType:
+		var short C.short
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&short)) //nolint
+		return int16(short)
+	case C.kCFNumberIntType:
+		var i C.int
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&i)) //nolint
+		return int32(i)
+	case C.kCFNumberLongType:
+		var long C.long
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&long)) //nolint
+		return int(long)
+	case C.kCFNumberLongLongType:
+		// This is the only type that may actually overflow us
+		var longlong C.longlong
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&longlong)) //nolint
+		return int64(longlong)
+	case C.kCFNumberFloatType:
+		var float C.float
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&float)) //nolint
+		return float32(float)
+	case C.kCFNumberDoubleType:
+		var double C.double
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&double)) //nolint
+		return float64(double)
+	case C.kCFNumberCFIndexType:
+		// CFIndex is a long
+		var index C.CFIndex
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&index)) //nolint
+		return int(index)
+	case C.kCFNumberNSIntegerType:
+		// We don't have a definition of NSInteger, but we know it's either an int or a long
+		var nsInt C.long
+		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&nsInt)) //nolint
+		return int(nsInt)
+	}
+	panic("Unknown CFNumber type")
+}

vendor/github.com/keybase/go-keychain/datetime.go

@@ -0,0 +1,69 @@
+//go:build darwin || ios
+// +build darwin ios
+
+package keychain
+
+/*
+#cgo LDFLAGS: -framework CoreFoundation
+
+#include <CoreFoundation/CoreFoundation.h>
+*/
+import "C"
+import (
+	"math"
+	"time"
+)
+
+const nsPerSec = 1000 * 1000 * 1000
+
+// absoluteTimeIntervalSince1970() returns the number of seconds from
+// the Unix epoch (1970-01-01T00:00:00+00:00) to the Core Foundation
+// absolute reference date (2001-01-01T00:00:00+00:00). It should be
+// exactly 978307200.
+func absoluteTimeIntervalSince1970() int64 {
+	return int64(C.kCFAbsoluteTimeIntervalSince1970)
+}
+
+func unixToAbsoluteTime(s int64, ns int64) C.CFAbsoluteTime {
+	// Subtract as int64s first before converting to floating
+	// point to minimize precision loss (assuming the given time
+	// isn't much earlier than the Core Foundation absolute
+	// reference date).
+	abs := s - absoluteTimeIntervalSince1970()
+	return C.CFAbsoluteTime(abs) + C.CFTimeInterval(ns)/nsPerSec
+}
+
+func absoluteTimeToUnix(abs C.CFAbsoluteTime) (int64, int64) {
+	i, frac := math.Modf(float64(abs))
+	return int64(i) + absoluteTimeIntervalSince1970(), int64(frac * nsPerSec)
+}
+
+// TimeToCFDate will convert the given time.Time to a CFDateRef, which
+// must be released with Release(ref).
+func TimeToCFDate(t time.Time) C.CFDateRef {
+	s := t.Unix()
+	ns := int64(t.Nanosecond())
+	abs := unixToAbsoluteTime(s, ns)
+	return C.CFDateCreate(C.kCFAllocatorDefault, abs)
+}
+
+// CFDateToTime will convert the given CFDateRef to a time.Time.
+func CFDateToTime(d C.CFDateRef) time.Time {
+	abs := C.CFDateGetAbsoluteTime(d)
+	s, ns := absoluteTimeToUnix(abs)
+	return time.Unix(s, ns)
+}
+
+// Wrappers around C functions for testing.
+
+func cfDateToAbsoluteTime(d C.CFDateRef) C.CFAbsoluteTime {
+	return C.CFDateGetAbsoluteTime(d)
+}
+
+func absoluteTimeToCFDate(abs C.CFAbsoluteTime) C.CFDateRef {
+	return C.CFDateCreate(C.kCFAllocatorDefault, abs)
+}
+
+func releaseCFDate(d C.CFDateRef) {
+	Release(C.CFTypeRef(d))
+}

vendor/github.com/keybase/go-keychain/ios.go

@@ -0,0 +1,23 @@
+//go:build darwin && ios
+// +build darwin,ios
+
+package keychain
+
+/*
+#cgo LDFLAGS: -framework CoreFoundation -framework Security
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+*/
+import "C"
+
+var AccessibleKey = attrKey(C.CFTypeRef(C.kSecAttrAccessible))
+var accessibleTypeRef = map[Accessible]C.CFTypeRef{
+	AccessibleWhenUnlocked:                   C.CFTypeRef(C.kSecAttrAccessibleWhenUnlocked),
+	AccessibleAfterFirstUnlock:               C.CFTypeRef(C.kSecAttrAccessibleAfterFirstUnlock),
+	AccessibleAlways:                         C.CFTypeRef(C.kSecAttrAccessibleAlways),
+	AccessibleWhenPasscodeSetThisDeviceOnly:  C.CFTypeRef(C.kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly),
+	AccessibleWhenUnlockedThisDeviceOnly:     C.CFTypeRef(C.kSecAttrAccessibleWhenUnlockedThisDeviceOnly),
+	AccessibleAfterFirstUnlockThisDeviceOnly: C.CFTypeRef(C.kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly),
+	AccessibleAccessibleAlwaysThisDeviceOnly: C.CFTypeRef(C.kSecAttrAccessibleAlwaysThisDeviceOnly),
+}

vendor/github.com/keybase/go-keychain/keychain.go

@@ -0,0 +1,653 @@
+//go:build darwin
+// +build darwin
+
+package keychain
+
+// See https://developer.apple.com/library/ios/documentation/Security/Reference/keychainservices/index.html for the APIs used below.
+
+// Also see https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html .
+
+/*
+#cgo LDFLAGS: -framework CoreFoundation -framework Security
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+*/
+import "C"
+import (
+	"fmt"
+	"time"
+)
+
+// Error defines keychain errors
+type Error int
+
+var (
+	// ErrorUnimplemented corresponds to errSecUnimplemented result code
+	ErrorUnimplemented = Error(C.errSecUnimplemented)
+	// ErrorParam corresponds to errSecParam result code
+	ErrorParam = Error(C.errSecParam)
+	// ErrorAllocate corresponds to errSecAllocate result code
+	ErrorAllocate = Error(C.errSecAllocate)
+	// ErrorNotAvailable corresponds to errSecNotAvailable result code
+	ErrorNotAvailable = Error(C.errSecNotAvailable)
+	// ErrorAuthFailed corresponds to errSecAuthFailed result code
+	ErrorAuthFailed = Error(C.errSecAuthFailed)
+	// ErrorDuplicateItem corresponds to errSecDuplicateItem result code
+	ErrorDuplicateItem = Error(C.errSecDuplicateItem)
+	// ErrorItemNotFound corresponds to errSecItemNotFound result code
+	ErrorItemNotFound = Error(C.errSecItemNotFound)
+	// ErrorInteractionNotAllowed corresponds to errSecInteractionNotAllowed result code
+	ErrorInteractionNotAllowed = Error(C.errSecInteractionNotAllowed)
+	// ErrorDecode corresponds to errSecDecode result code
+	ErrorDecode = Error(C.errSecDecode)
+	// ErrorNoSuchKeychain corresponds to errSecNoSuchKeychain result code
+	ErrorNoSuchKeychain = Error(C.errSecNoSuchKeychain)
+	// ErrorNoAccessForItem corresponds to errSecNoAccessForItem result code
+	ErrorNoAccessForItem = Error(C.errSecNoAccessForItem)
+	// ErrorReadOnly corresponds to errSecReadOnly result code
+	ErrorReadOnly = Error(C.errSecReadOnly)
+	// ErrorInvalidKeychain corresponds to errSecInvalidKeychain result code
+	ErrorInvalidKeychain = Error(C.errSecInvalidKeychain)
+	// ErrorDuplicateKeyChain corresponds to errSecDuplicateKeychain result code
+	ErrorDuplicateKeyChain = Error(C.errSecDuplicateKeychain)
+	// ErrorWrongVersion corresponds to errSecWrongSecVersion result code
+	ErrorWrongVersion = Error(C.errSecWrongSecVersion)
+	// ErrorReadonlyAttribute corresponds to errSecReadOnlyAttr result code
+	ErrorReadonlyAttribute = Error(C.errSecReadOnlyAttr)
+	// ErrorInvalidSearchRef corresponds to errSecInvalidSearchRef result code
+	ErrorInvalidSearchRef = Error(C.errSecInvalidSearchRef)
+	// ErrorInvalidItemRef corresponds to errSecInvalidItemRef result code
+	ErrorInvalidItemRef = Error(C.errSecInvalidItemRef)
+	// ErrorDataNotAvailable corresponds to errSecDataNotAvailable result code
+	ErrorDataNotAvailable = Error(C.errSecDataNotAvailable)
+	// ErrorDataNotModifiable corresponds to errSecDataNotModifiable result code
+	ErrorDataNotModifiable = Error(C.errSecDataNotModifiable)
+	// ErrorInvalidOwnerEdit corresponds to errSecInvalidOwnerEdit result code
+	ErrorInvalidOwnerEdit = Error(C.errSecInvalidOwnerEdit)
+	// ErrorUserCanceled corresponds to errSecUserCanceled result code
+	ErrorUserCanceled = Error(C.errSecUserCanceled)
+)
+
+func checkError(errCode C.OSStatus) error {
+	if errCode == C.errSecSuccess {
+		return nil
+	}
+	return Error(errCode)
+}
+
+func (k Error) Error() (msg string) {
+	// SecCopyErrorMessageString is only available on OSX, so derive manually.
+	// Messages derived from `$ security error $errcode`.
+	switch k {
+	case ErrorUnimplemented:
+		msg = "Function or operation not implemented."
+	case ErrorParam:
+		msg = "One or more parameters passed to the function were not valid."
+	case ErrorAllocate:
+		msg = "Failed to allocate memory."
+	case ErrorNotAvailable:
+		msg = "No keychain is available. You may need to restart your computer."
+	case ErrorAuthFailed:
+		msg = "The user name or passphrase you entered is not correct."
+	case ErrorDuplicateItem:
+		msg = "The specified item already exists in the keychain."
+	case ErrorItemNotFound:
+		msg = "The specified item could not be found in the keychain."
+	case ErrorInteractionNotAllowed:
+		msg = "User interaction is not allowed."
+	case ErrorDecode:
+		msg = "Unable to decode the provided data."
+	case ErrorNoSuchKeychain:
+		msg = "The specified keychain could not be found."
+	case ErrorNoAccessForItem:
+		msg = "The specified item has no access control."
+	case ErrorReadOnly:
+		msg = "Read-only error."
+	case ErrorReadonlyAttribute:
+		msg = "The attribute is read-only."
+	case ErrorInvalidKeychain:
+		msg = "The keychain is not valid."
+	case ErrorDuplicateKeyChain:
+		msg = "A keychain with the same name already exists."
+	case ErrorWrongVersion:
+		msg = "The version is incorrect."
+	case ErrorInvalidItemRef:
+		msg = "The item reference is invalid."
+	case ErrorInvalidSearchRef:
+		msg = "The search reference is invalid."
+	case ErrorDataNotAvailable:
+		msg = "The data is not available."
+	case ErrorDataNotModifiable:
+		msg = "The data is not modifiable."
+	case ErrorInvalidOwnerEdit:
+		msg = "An invalid attempt to change the owner of an item."
+	case ErrorUserCanceled:
+		msg = "User canceled the operation."
+	default:
+		msg = "Keychain Error."
+	}
+	return fmt.Sprintf("%s (%d)", msg, k)
+}
+
+// SecClass is the items class code
+type SecClass int
+
+// Keychain Item Classes
+var (
+	/*
+		kSecClassGenericPassword item attributes:
+		 kSecAttrAccess (OS X only)
+		 kSecAttrAccessGroup (iOS; also OS X if kSecAttrSynchronizable specified)
+		 kSecAttrAccessible (iOS; also OS X if kSecAttrSynchronizable specified)
+		 kSecAttrAccount
+		 kSecAttrService
+	*/
+	SecClassGenericPassword  SecClass = 1
+	SecClassInternetPassword SecClass = 2
+)
+
+// SecClassKey is the key type for SecClass
+var SecClassKey = attrKey(C.CFTypeRef(C.kSecClass))
+var secClassTypeRef = map[SecClass]C.CFTypeRef{
+	SecClassGenericPassword:  C.CFTypeRef(C.kSecClassGenericPassword),
+	SecClassInternetPassword: C.CFTypeRef(C.kSecClassInternetPassword),
+}
+
+var (
+	// ServiceKey is for kSecAttrService
+	ServiceKey = attrKey(C.CFTypeRef(C.kSecAttrService))
+
+	// ServerKey is for kSecAttrServer
+	ServerKey = attrKey(C.CFTypeRef(C.kSecAttrServer))
+	// ProtocolKey is for kSecAttrProtocol
+	ProtocolKey = attrKey(C.CFTypeRef(C.kSecAttrProtocol))
+	// AuthenticationTypeKey is for kSecAttrAuthenticationType
+	AuthenticationTypeKey = attrKey(C.CFTypeRef(C.kSecAttrAuthenticationType))
+	// PortKey is for kSecAttrPort
+	PortKey = attrKey(C.CFTypeRef(C.kSecAttrPort))
+	// PathKey is for kSecAttrPath
+	PathKey = attrKey(C.CFTypeRef(C.kSecAttrPath))
+
+	// LabelKey is for kSecAttrLabel
+	LabelKey = attrKey(C.CFTypeRef(C.kSecAttrLabel))
+	// AccountKey is for kSecAttrAccount
+	AccountKey = attrKey(C.CFTypeRef(C.kSecAttrAccount))
+	// AccessGroupKey is for kSecAttrAccessGroup
+	AccessGroupKey = attrKey(C.CFTypeRef(C.kSecAttrAccessGroup))
+	// DataKey is for kSecValueData
+	DataKey = attrKey(C.CFTypeRef(C.kSecValueData))
+	// DescriptionKey is for kSecAttrDescription
+	DescriptionKey = attrKey(C.CFTypeRef(C.kSecAttrDescription))
+	// CommentKey is for kSecAttrComment
+	CommentKey = attrKey(C.CFTypeRef(C.kSecAttrComment))
+	// CreationDateKey is for kSecAttrCreationDate
+	CreationDateKey = attrKey(C.CFTypeRef(C.kSecAttrCreationDate))
+	// ModificationDateKey is for kSecAttrModificationDate
+	ModificationDateKey = attrKey(C.CFTypeRef(C.kSecAttrModificationDate))
+)
+
+// Synchronizable is the items synchronizable status
+type Synchronizable int
+
+const (
+	// SynchronizableDefault is the default setting
+	SynchronizableDefault Synchronizable = 0
+	// SynchronizableAny is for kSecAttrSynchronizableAny
+	SynchronizableAny = 1
+	// SynchronizableYes enables synchronization
+	SynchronizableYes = 2
+	// SynchronizableNo disables synchronization
+	SynchronizableNo = 3
+)
+
+// SynchronizableKey is the key type for Synchronizable
+var SynchronizableKey = attrKey(C.CFTypeRef(C.kSecAttrSynchronizable))
+var syncTypeRef = map[Synchronizable]C.CFTypeRef{
+	SynchronizableAny: C.CFTypeRef(C.kSecAttrSynchronizableAny),
+	SynchronizableYes: C.CFTypeRef(C.kCFBooleanTrue),
+	SynchronizableNo:  C.CFTypeRef(C.kCFBooleanFalse),
+}
+
+// Accessible is the items accessibility
+type Accessible int
+
+const (
+	// AccessibleDefault is the default
+	AccessibleDefault Accessible = 0
+	// AccessibleWhenUnlocked is when unlocked
+	AccessibleWhenUnlocked = 1
+	// AccessibleAfterFirstUnlock is after first unlock
+	AccessibleAfterFirstUnlock = 2
+	// AccessibleAlways is always
+	AccessibleAlways = 3
+	// AccessibleWhenPasscodeSetThisDeviceOnly is when passcode is set
+	AccessibleWhenPasscodeSetThisDeviceOnly = 4
+	// AccessibleWhenUnlockedThisDeviceOnly is when unlocked for this device only
+	AccessibleWhenUnlockedThisDeviceOnly = 5
+	// AccessibleAfterFirstUnlockThisDeviceOnly is after first unlock for this device only
+	AccessibleAfterFirstUnlockThisDeviceOnly = 6
+	// AccessibleAccessibleAlwaysThisDeviceOnly is always for this device only
+	AccessibleAccessibleAlwaysThisDeviceOnly = 7
+)
+
+// MatchLimit is whether to limit results on query
+type MatchLimit int
+
+const (
+	// MatchLimitDefault is the default
+	MatchLimitDefault MatchLimit = 0
+	// MatchLimitOne limits to one result
+	MatchLimitOne = 1
+	// MatchLimitAll is no limit
+	MatchLimitAll = 2
+)
+
+// MatchLimitKey is key type for MatchLimit
+var MatchLimitKey = attrKey(C.CFTypeRef(C.kSecMatchLimit))
+var matchTypeRef = map[MatchLimit]C.CFTypeRef{
+	MatchLimitOne: C.CFTypeRef(C.kSecMatchLimitOne),
+	MatchLimitAll: C.CFTypeRef(C.kSecMatchLimitAll),
+}
+
+// ReturnAttributesKey is key type for kSecReturnAttributes
+var ReturnAttributesKey = attrKey(C.CFTypeRef(C.kSecReturnAttributes))
+
+// ReturnDataKey is key type for kSecReturnData
+var ReturnDataKey = attrKey(C.CFTypeRef(C.kSecReturnData))
+
+// ReturnRefKey is key type for kSecReturnRef
+var ReturnRefKey = attrKey(C.CFTypeRef(C.kSecReturnRef))
+
+// Item for adding, querying or deleting.
+type Item struct {
+	// Values can be string, []byte, Convertable or CFTypeRef (constant).
+	attr map[string]interface{}
+}
+
+// SetSecClass sets the security class
+func (k *Item) SetSecClass(sc SecClass) {
+	k.attr[SecClassKey] = secClassTypeRef[sc]
+}
+
+// SetInt32 sets an int32 attribute for a string key
+func (k *Item) SetInt32(key string, v int32) {
+	if v != 0 {
+		k.attr[key] = v
+	} else {
+		delete(k.attr, key)
+	}
+}
+
+// SetString sets a string attibute for a string key
+func (k *Item) SetString(key string, s string) {
+	if s != "" {
+		k.attr[key] = s
+	} else {
+		delete(k.attr, key)
+	}
+}
+
+// SetService sets the service attribute (for generic application items)
+func (k *Item) SetService(s string) {
+	k.SetString(ServiceKey, s)
+}
+
+// SetServer sets the server attribute (for internet password items)
+func (k *Item) SetServer(s string) {
+	k.SetString(ServerKey, s)
+}
+
+// SetProtocol sets the protocol attribute (for internet password items)
+// Example values are: "htps", "http", "smb "
+func (k *Item) SetProtocol(s string) {
+	k.SetString(ProtocolKey, s)
+}
+
+// SetAuthenticationType sets the authentication type attribute (for internet password items)
+func (k *Item) SetAuthenticationType(s string) {
+	k.SetString(AuthenticationTypeKey, s)
+}
+
+// SetPort sets the port attribute (for internet password items)
+func (k *Item) SetPort(v int32) {
+	k.SetInt32(PortKey, v)
+}
+
+// SetPath sets the path attribute (for internet password items)
+func (k *Item) SetPath(s string) {
+	k.SetString(PathKey, s)
+}
+
+// SetAccount sets the account attribute
+func (k *Item) SetAccount(a string) {
+	k.SetString(AccountKey, a)
+}
+
+// SetLabel sets the label attribute
+func (k *Item) SetLabel(l string) {
+	k.SetString(LabelKey, l)
+}
+
+// SetDescription sets the description attribute
+func (k *Item) SetDescription(s string) {
+	k.SetString(DescriptionKey, s)
+}
+
+// SetComment sets the comment attribute
+func (k *Item) SetComment(s string) {
+	k.SetString(CommentKey, s)
+}
+
+// SetData sets the data attribute
+func (k *Item) SetData(b []byte) {
+	if b != nil {
+		k.attr[DataKey] = b
+	} else {
+		delete(k.attr, DataKey)
+	}
+}
+
+// SetAccessGroup sets the access group attribute
+func (k *Item) SetAccessGroup(ag string) {
+	k.SetString(AccessGroupKey, ag)
+}
+
+// SetSynchronizable sets the synchronizable attribute
+func (k *Item) SetSynchronizable(sync Synchronizable) {
+	if sync != SynchronizableDefault {
+		k.attr[SynchronizableKey] = syncTypeRef[sync]
+	} else {
+		delete(k.attr, SynchronizableKey)
+	}
+}
+
+// SetAccessible sets the accessible attribute
+func (k *Item) SetAccessible(accessible Accessible) {
+	if accessible != AccessibleDefault {
+		k.attr[AccessibleKey] = accessibleTypeRef[accessible]
+	} else {
+		delete(k.attr, AccessibleKey)
+	}
+}
+
+// SetMatchLimit sets the match limit
+func (k *Item) SetMatchLimit(matchLimit MatchLimit) {
+	if matchLimit != MatchLimitDefault {
+		k.attr[MatchLimitKey] = matchTypeRef[matchLimit]
+	} else {
+		delete(k.attr, MatchLimitKey)
+	}
+}
+
+// SetReturnAttributes sets the return value type on query
+func (k *Item) SetReturnAttributes(b bool) {
+	k.attr[ReturnAttributesKey] = b
+}
+
+// SetReturnData enables returning data on query
+func (k *Item) SetReturnData(b bool) {
+	k.attr[ReturnDataKey] = b
+}
+
+// SetReturnRef enables returning references on query
+func (k *Item) SetReturnRef(b bool) {
+	k.attr[ReturnRefKey] = b
+}
+
+// NewItem is a new empty keychain item
+func NewItem() Item {
+	return Item{make(map[string]interface{})}
+}
+
+// NewGenericPassword creates a generic password item with the default keychain. This is a convenience method.
+func NewGenericPassword(service string, account string, label string, data []byte, accessGroup string) Item {
+	item := NewItem()
+	item.SetSecClass(SecClassGenericPassword)
+	item.SetService(service)
+	item.SetAccount(account)
+	item.SetLabel(label)
+	item.SetData(data)
+	item.SetAccessGroup(accessGroup)
+	return item
+}
+
+// AddItem adds a Item to a Keychain
+func AddItem(item Item) error {
+	cfDict, err := ConvertMapToCFDictionary(item.attr)
+	if err != nil {
+		return err
+	}
+	defer Release(C.CFTypeRef(cfDict))
+
+	errCode := C.SecItemAdd(cfDict, nil)
+	err = checkError(errCode)
+	return err
+}
+
+// UpdateItem updates the queryItem with the parameters from updateItem
+func UpdateItem(queryItem Item, updateItem Item) error {
+	cfDict, err := ConvertMapToCFDictionary(queryItem.attr)
+	if err != nil {
+		return err
+	}
+	defer Release(C.CFTypeRef(cfDict))
+	cfDictUpdate, err := ConvertMapToCFDictionary(updateItem.attr)
+	if err != nil {
+		return err
+	}
+	defer Release(C.CFTypeRef(cfDictUpdate))
+	errCode := C.SecItemUpdate(cfDict, cfDictUpdate)
+	err = checkError(errCode)
+	return err
+}
+
+// QueryResult stores all possible results from queries.
+// Not all fields are applicable all the time. Results depend on query.
+type QueryResult struct {
+	// For generic application items
+	Service string
+
+	// For internet password items
+	Server             string
+	Protocol           string
+	AuthenticationType string
+	Port               int32
+	Path               string
+
+	Account          string
+	AccessGroup      string
+	Label            string
+	Description      string
+	Comment          string
+	Data             []byte
+	CreationDate     time.Time
+	ModificationDate time.Time
+}
+
+// QueryItemRef returns query result as CFTypeRef. You must release it when you are done.
+func QueryItemRef(item Item) (C.CFTypeRef, error) {
+	cfDict, err := ConvertMapToCFDictionary(item.attr)
+	if err != nil {
+		return 0, err
+	}
+	defer Release(C.CFTypeRef(cfDict))
+
+	var resultsRef C.CFTypeRef
+	errCode := C.SecItemCopyMatching(cfDict, &resultsRef) //nolint
+	if Error(errCode) == ErrorItemNotFound {
+		return 0, nil
+	}
+	err = checkError(errCode)
+	if err != nil {
+		return 0, err
+	}
+	return resultsRef, nil
+}
+
+// QueryItem returns a list of query results.
+func QueryItem(item Item) ([]QueryResult, error) {
+	resultsRef, err := QueryItemRef(item)
+	if err != nil {
+		return nil, err
+	}
+	if resultsRef == 0 {
+		return nil, nil
+	}
+	defer Release(resultsRef)
+
+	results := make([]QueryResult, 0, 1)
+
+	typeID := C.CFGetTypeID(resultsRef)
+	if typeID == C.CFArrayGetTypeID() {
+		arr := CFArrayToArray(C.CFArrayRef(resultsRef))
+		for _, ref := range arr {
+			elementTypeID := C.CFGetTypeID(ref)
+			if elementTypeID == C.CFDictionaryGetTypeID() {
+				item, err := convertResult(C.CFDictionaryRef(ref))
+				if err != nil {
+					return nil, err
+				}
+				results = append(results, *item)
+			} else {
+				return nil, fmt.Errorf("invalid result type (If you SetReturnRef(true) you should use QueryItemRef directly)")
+			}
+		}
+	} else if typeID == C.CFDictionaryGetTypeID() {
+		item, err := convertResult(C.CFDictionaryRef(resultsRef))
+		if err != nil {
+			return nil, err
+		}
+		results = append(results, *item)
+	} else if typeID == C.CFDataGetTypeID() {
+		b, err := CFDataToBytes(C.CFDataRef(resultsRef))
+		if err != nil {
+			return nil, err
+		}
+		item := QueryResult{Data: b}
+		results = append(results, item)
+	} else {
+		return nil, fmt.Errorf("Invalid result type: %s", CFTypeDescription(resultsRef))
+	}
+
+	return results, nil
+}
+
+func attrKey(ref C.CFTypeRef) string {
+	return CFStringToString(C.CFStringRef(ref))
+}
+
+func convertResult(d C.CFDictionaryRef) (*QueryResult, error) {
+	m := CFDictionaryToMap(d)
+	result := QueryResult{}
+	for k, v := range m {
+		switch attrKey(k) {
+		case ServiceKey:
+			result.Service = CFStringToString(C.CFStringRef(v))
+		case ServerKey:
+			result.Server = CFStringToString(C.CFStringRef(v))
+		case ProtocolKey:
+			result.Protocol = CFStringToString(C.CFStringRef(v))
+		case AuthenticationTypeKey:
+			result.AuthenticationType = CFStringToString(C.CFStringRef(v))
+		case PortKey:
+			val := CFNumberToInterface(C.CFNumberRef(v))
+			result.Port = val.(int32)
+		case PathKey:
+			result.Path = CFStringToString(C.CFStringRef(v))
+		case AccountKey:
+			result.Account = CFStringToString(C.CFStringRef(v))
+		case AccessGroupKey:
+			result.AccessGroup = CFStringToString(C.CFStringRef(v))
+		case LabelKey:
+			result.Label = CFStringToString(C.CFStringRef(v))
+		case DescriptionKey:
+			result.Description = CFStringToString(C.CFStringRef(v))
+		case CommentKey:
+			result.Comment = CFStringToString(C.CFStringRef(v))
+		case DataKey:
+			b, err := CFDataToBytes(C.CFDataRef(v))
+			if err != nil {
+				return nil, err
+			}
+			result.Data = b
+		case CreationDateKey:
+			result.CreationDate = CFDateToTime(C.CFDateRef(v))
+		case ModificationDateKey:
+			result.ModificationDate = CFDateToTime(C.CFDateRef(v))
+			// default:
+			// fmt.Printf("Unhandled key in conversion: %v = %v\n", cfTypeValue(k), cfTypeValue(v))
+		}
+	}
+	return &result, nil
+}
+
+// DeleteGenericPasswordItem removes a generic password item.
+func DeleteGenericPasswordItem(service string, account string) error {
+	item := NewItem()
+	item.SetSecClass(SecClassGenericPassword)
+	item.SetService(service)
+	item.SetAccount(account)
+	return DeleteItem(item)
+}
+
+// DeleteItem removes a Item
+func DeleteItem(item Item) error {
+	cfDict, err := ConvertMapToCFDictionary(item.attr)
+	if err != nil {
+		return err
+	}
+	defer Release(C.CFTypeRef(cfDict))
+
+	errCode := C.SecItemDelete(cfDict)
+	return checkError(errCode)
+}
+
+// GetAccountsForService is deprecated
+func GetAccountsForService(service string) ([]string, error) {
+	return GetGenericPasswordAccounts(service)
+}
+
+// GetGenericPasswordAccounts returns generic password accounts for service. This is a convenience method.
+func GetGenericPasswordAccounts(service string) ([]string, error) {
+	query := NewItem()
+	query.SetSecClass(SecClassGenericPassword)
+	query.SetService(service)
+	query.SetMatchLimit(MatchLimitAll)
+	query.SetReturnAttributes(true)
+	results, err := QueryItem(query)
+	if err != nil {
+		return nil, err
+	}
+
+	accounts := make([]string, 0, len(results))
+	for _, r := range results {
+		accounts = append(accounts, r.Account)
+	}
+
+	return accounts, nil
+}
+
+// GetGenericPassword returns password data for service and account. This is a convenience method.
+// If item is not found returns nil, nil.
+func GetGenericPassword(service string, account string, label string, accessGroup string) ([]byte, error) {
+	query := NewItem()
+	query.SetSecClass(SecClassGenericPassword)
+	query.SetService(service)
+	query.SetAccount(account)
+	query.SetLabel(label)
+	query.SetAccessGroup(accessGroup)
+	query.SetMatchLimit(MatchLimitOne)
+	query.SetReturnData(true)
+	results, err := QueryItem(query)
+	if err != nil {
+		return nil, err
+	}
+	if len(results) > 1 {
+		return nil, fmt.Errorf("Too many results")
+	}
+	if len(results) == 1 {
+		return results[0].Data, nil
+	}
+	return nil, nil
+}

vendor/github.com/keybase/go-keychain/macos.go

@@ -0,0 +1,25 @@
+//go:build darwin && !ios
+// +build darwin,!ios
+
+package keychain
+
+/*
+#cgo LDFLAGS: -framework CoreFoundation -framework Security
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+*/
+import "C"
+
+// AccessibleKey is key for kSecAttrAccessible
+var AccessibleKey = attrKey(C.CFTypeRef(C.kSecAttrAccessible))
+var accessibleTypeRef = map[Accessible]C.CFTypeRef{
+	AccessibleWhenUnlocked:                   C.CFTypeRef(C.kSecAttrAccessibleWhenUnlocked),
+	AccessibleAfterFirstUnlock:               C.CFTypeRef(C.kSecAttrAccessibleAfterFirstUnlock),
+	AccessibleAlways:                         C.CFTypeRef(C.kSecAttrAccessibleAlways),
+	AccessibleWhenUnlockedThisDeviceOnly:     C.CFTypeRef(C.kSecAttrAccessibleWhenUnlockedThisDeviceOnly),
+	AccessibleAfterFirstUnlockThisDeviceOnly: C.CFTypeRef(C.kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly),
+	AccessibleAccessibleAlwaysThisDeviceOnly: C.CFTypeRef(C.kSecAttrAccessibleAlwaysThisDeviceOnly),
+
+	// Only available in 10.10
+	//AccessibleWhenPasscodeSetThisDeviceOnly:  C.CFTypeRef(C.kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly),
+}

vendor/github.com/keybase/go-keychain/util.go

@@ -0,0 +1,31 @@
+package keychain
+
+import (
+	"crypto/rand"
+	"encoding/base32"
+	"strings"
+)
+
+var randRead = rand.Read
+
+// RandomID returns random ID (base32) string with prefix, using 256 bits as
+// recommended by tptacek: https://gist.github.com/tqbf/be58d2d39690c3b366ad
+func RandomID(prefix string) (string, error) {
+	buf, err := RandBytes(32)
+	if err != nil {
+		return "", err
+	}
+	str := base32.StdEncoding.EncodeToString(buf)
+	str = strings.ReplaceAll(str, "=", "")
+	str = prefix + str
+	return str, nil
+}
+
+// RandBytes returns random bytes of length
+func RandBytes(length int) ([]byte, error) {
+	buf := make([]byte, length)
+	if _, err := randRead(buf); err != nil {
+		return nil, err
+	}
+	return buf, nil
+}

vendor/golang.org/x/sys/windows/aliases.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build windows && go1.9
+//go:build windows
 
 package windows
 

vendor/golang.org/x/sys/windows/empty.s

@@ -1,8 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.12
-
-// This file is here to allow bodyless functions with go:linkname for Go 1.11
-// and earlier (see https://golang.org/issue/23311).

vendor/golang.org/x/sys/windows/env_windows.go

@@ -37,14 +37,17 @@ func (token Token) Environ(inheritExisting bool) (env []string, err error) {
 		return nil, err
 	}
 	defer DestroyEnvironmentBlock(block)
-	blockp := unsafe.Pointer(block)
-	for {
-		entry := UTF16PtrToString((*uint16)(blockp))
-		if len(entry) == 0 {
-			break
+	size := unsafe.Sizeof(*block)
+	for *block != 0 {
+		// find NUL terminator
+		end := unsafe.Pointer(block)
+		for *(*uint16)(end) != 0 {
+			end = unsafe.Add(end, size)
 		}
-		env = append(env, entry)
-		blockp = unsafe.Add(blockp, 2*(len(entry)+1))
+
+		entry := unsafe.Slice(block, (uintptr(end)-uintptr(unsafe.Pointer(block)))/size)
+		env = append(env, UTF16ToString(entry))
+		block = (*uint16)(unsafe.Add(end, size))
 	}
 	return env, nil
 }

vendor/golang.org/x/sys/windows/syscall_windows.go

@@ -125,8 +125,7 @@ func UTF16PtrToString(p *uint16) string {
 	for ptr := unsafe.Pointer(p); *(*uint16)(ptr) != 0; n++ {
 		ptr = unsafe.Pointer(uintptr(ptr) + unsafe.Sizeof(*p))
 	}
-
-	return string(utf16.Decode(unsafe.Slice(p, n)))
+	return UTF16ToString(unsafe.Slice(p, n))
 }
 
 func Getpagesize() int { return 4096 }
@@ -166,6 +165,7 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	CreateFile(name *uint16, access uint32, mode uint32, sa *SecurityAttributes, createmode uint32, attrs uint32, templatefile Handle) (handle Handle, err error) [failretval==InvalidHandle] = CreateFileW
 //sys	CreateNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *SecurityAttributes) (handle Handle, err error)  [failretval==InvalidHandle] = CreateNamedPipeW
 //sys	ConnectNamedPipe(pipe Handle, overlapped *Overlapped) (err error)
+//sys	DisconnectNamedPipe(pipe Handle) (err error)
 //sys	GetNamedPipeInfo(pipe Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error)
 //sys	GetNamedPipeHandleState(pipe Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) = GetNamedPipeHandleStateW
 //sys	SetNamedPipeHandleState(pipe Handle, state *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32) (err error) = SetNamedPipeHandleState
@@ -194,6 +194,7 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	GetComputerName(buf *uint16, n *uint32) (err error) = GetComputerNameW
 //sys	GetComputerNameEx(nametype uint32, buf *uint16, n *uint32) (err error) = GetComputerNameExW
 //sys	SetEndOfFile(handle Handle) (err error)
+//sys	SetFileValidData(handle Handle, validDataLength int64) (err error)
 //sys	GetSystemTimeAsFileTime(time *Filetime)
 //sys	GetSystemTimePreciseAsFileTime(time *Filetime)
 //sys	GetTimeZoneInformation(tzi *Timezoneinformation) (rc uint32, err error) [failretval==0xffffffff]
@@ -348,8 +349,19 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	SetProcessPriorityBoost(process Handle, disable bool) (err error) = kernel32.SetProcessPriorityBoost
 //sys	GetProcessWorkingSetSizeEx(hProcess Handle, lpMinimumWorkingSetSize *uintptr, lpMaximumWorkingSetSize *uintptr, flags *uint32)
 //sys	SetProcessWorkingSetSizeEx(hProcess Handle, dwMinimumWorkingSetSize uintptr, dwMaximumWorkingSetSize uintptr, flags uint32) (err error)
+//sys	ClearCommBreak(handle Handle) (err error)
+//sys	ClearCommError(handle Handle, lpErrors *uint32, lpStat *ComStat) (err error)
+//sys	EscapeCommFunction(handle Handle, dwFunc uint32) (err error)
+//sys	GetCommState(handle Handle, lpDCB *DCB) (err error)
+//sys	GetCommModemStatus(handle Handle, lpModemStat *uint32) (err error)
 //sys	GetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error)
+//sys	PurgeComm(handle Handle, dwFlags uint32) (err error)
+//sys	SetCommBreak(handle Handle) (err error)
+//sys	SetCommMask(handle Handle, dwEvtMask uint32) (err error)
+//sys	SetCommState(handle Handle, lpDCB *DCB) (err error)
 //sys	SetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error)
+//sys	SetupComm(handle Handle, dwInQueue uint32, dwOutQueue uint32) (err error)
+//sys	WaitCommEvent(handle Handle, lpEvtMask *uint32, lpOverlapped *Overlapped) (err error)
 //sys	GetActiveProcessorCount(groupNumber uint16) (ret uint32)
 //sys	GetMaximumProcessorCount(groupNumber uint16) (ret uint32)
 //sys	EnumWindows(enumFunc uintptr, param unsafe.Pointer) (err error) = user32.EnumWindows
@@ -1834,3 +1846,73 @@ func ResizePseudoConsole(pconsole Handle, size Coord) error {
 	// accept arguments that can be casted to uintptr, and Coord can't.
 	return resizePseudoConsole(pconsole, *((*uint32)(unsafe.Pointer(&size))))
 }
+
+// DCB constants. See https://learn.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-dcb.
+const (
+	CBR_110    = 110
+	CBR_300    = 300
+	CBR_600    = 600
+	CBR_1200   = 1200
+	CBR_2400   = 2400
+	CBR_4800   = 4800
+	CBR_9600   = 9600
+	CBR_14400  = 14400
+	CBR_19200  = 19200
+	CBR_38400  = 38400
+	CBR_57600  = 57600
+	CBR_115200 = 115200
+	CBR_128000 = 128000
+	CBR_256000 = 256000
+
+	DTR_CONTROL_DISABLE   = 0x00000000
+	DTR_CONTROL_ENABLE    = 0x00000010
+	DTR_CONTROL_HANDSHAKE = 0x00000020
+
+	RTS_CONTROL_DISABLE   = 0x00000000
+	RTS_CONTROL_ENABLE    = 0x00001000
+	RTS_CONTROL_HANDSHAKE = 0x00002000
+	RTS_CONTROL_TOGGLE    = 0x00003000
+
+	NOPARITY    = 0
+	ODDPARITY   = 1
+	EVENPARITY  = 2
+	MARKPARITY  = 3
+	SPACEPARITY = 4
+
+	ONESTOPBIT   = 0
+	ONE5STOPBITS = 1
+	TWOSTOPBITS  = 2
+)
+
+// EscapeCommFunction constants. See https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-escapecommfunction.
+const (
+	SETXOFF  = 1
+	SETXON   = 2
+	SETRTS   = 3
+	CLRRTS   = 4
+	SETDTR   = 5
+	CLRDTR   = 6
+	SETBREAK = 8
+	CLRBREAK = 9
+)
+
+// PurgeComm constants. See https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-purgecomm.
+const (
+	PURGE_TXABORT = 0x0001
+	PURGE_RXABORT = 0x0002
+	PURGE_TXCLEAR = 0x0004
+	PURGE_RXCLEAR = 0x0008
+)
+
+// SetCommMask constants. See https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-setcommmask.
+const (
+	EV_RXCHAR  = 0x0001
+	EV_RXFLAG  = 0x0002
+	EV_TXEMPTY = 0x0004
+	EV_CTS     = 0x0008
+	EV_DSR     = 0x0010
+	EV_RLSD    = 0x0020
+	EV_BREAK   = 0x0040
+	EV_ERR     = 0x0080
+	EV_RING    = 0x0100
+)

vendor/golang.org/x/sys/windows/types_windows.go

@@ -3380,3 +3380,27 @@ type BLOB struct {
 	Size     uint32
 	BlobData *byte
 }
+
+type ComStat struct {
+	Flags    uint32
+	CBInQue  uint32
+	CBOutQue uint32
+}
+
+type DCB struct {
+	DCBlength  uint32
+	BaudRate   uint32
+	Flags      uint32
+	wReserved  uint16
+	XonLim     uint16
+	XoffLim    uint16
+	ByteSize   uint8
+	Parity     uint8
+	StopBits   uint8
+	XonChar    byte
+	XoffChar   byte
+	ErrorChar  byte
+	EofChar    byte
+	EvtChar    byte
+	wReserved1 uint16
+}

vendor/golang.org/x/sys/windows/zsyscall_windows.go

@@ -188,6 +188,8 @@ var (
 	procAssignProcessToJobObject                             = modkernel32.NewProc("AssignProcessToJobObject")
 	procCancelIo                                             = modkernel32.NewProc("CancelIo")
 	procCancelIoEx                                           = modkernel32.NewProc("CancelIoEx")
+	procClearCommBreak                                       = modkernel32.NewProc("ClearCommBreak")
+	procClearCommError                                       = modkernel32.NewProc("ClearCommError")
 	procCloseHandle                                          = modkernel32.NewProc("CloseHandle")
 	procClosePseudoConsole                                   = modkernel32.NewProc("ClosePseudoConsole")
 	procConnectNamedPipe                                     = modkernel32.NewProc("ConnectNamedPipe")
@@ -212,7 +214,9 @@ var (
 	procDeleteProcThreadAttributeList                        = modkernel32.NewProc("DeleteProcThreadAttributeList")
 	procDeleteVolumeMountPointW                              = modkernel32.NewProc("DeleteVolumeMountPointW")
 	procDeviceIoControl                                      = modkernel32.NewProc("DeviceIoControl")
+	procDisconnectNamedPipe                                  = modkernel32.NewProc("DisconnectNamedPipe")
 	procDuplicateHandle                                      = modkernel32.NewProc("DuplicateHandle")
+	procEscapeCommFunction                                   = modkernel32.NewProc("EscapeCommFunction")
 	procExitProcess                                          = modkernel32.NewProc("ExitProcess")
 	procExpandEnvironmentStringsW                            = modkernel32.NewProc("ExpandEnvironmentStringsW")
 	procFindClose                                            = modkernel32.NewProc("FindClose")
@@ -236,6 +240,8 @@ var (
 	procGenerateConsoleCtrlEvent                             = modkernel32.NewProc("GenerateConsoleCtrlEvent")
 	procGetACP                                               = modkernel32.NewProc("GetACP")
 	procGetActiveProcessorCount                              = modkernel32.NewProc("GetActiveProcessorCount")
+	procGetCommModemStatus                                   = modkernel32.NewProc("GetCommModemStatus")
+	procGetCommState                                         = modkernel32.NewProc("GetCommState")
 	procGetCommTimeouts                                      = modkernel32.NewProc("GetCommTimeouts")
 	procGetCommandLineW                                      = modkernel32.NewProc("GetCommandLineW")
 	procGetComputerNameExW                                   = modkernel32.NewProc("GetComputerNameExW")
@@ -322,6 +328,7 @@ var (
 	procProcess32NextW                                       = modkernel32.NewProc("Process32NextW")
 	procProcessIdToSessionId                                 = modkernel32.NewProc("ProcessIdToSessionId")
 	procPulseEvent                                           = modkernel32.NewProc("PulseEvent")
+	procPurgeComm                                            = modkernel32.NewProc("PurgeComm")
 	procQueryDosDeviceW                                      = modkernel32.NewProc("QueryDosDeviceW")
 	procQueryFullProcessImageNameW                           = modkernel32.NewProc("QueryFullProcessImageNameW")
 	procQueryInformationJobObject                            = modkernel32.NewProc("QueryInformationJobObject")
@@ -335,6 +342,9 @@ var (
 	procResetEvent                                           = modkernel32.NewProc("ResetEvent")
 	procResizePseudoConsole                                  = modkernel32.NewProc("ResizePseudoConsole")
 	procResumeThread                                         = modkernel32.NewProc("ResumeThread")
+	procSetCommBreak                                         = modkernel32.NewProc("SetCommBreak")
+	procSetCommMask                                          = modkernel32.NewProc("SetCommMask")
+	procSetCommState                                         = modkernel32.NewProc("SetCommState")
 	procSetCommTimeouts                                      = modkernel32.NewProc("SetCommTimeouts")
 	procSetConsoleCursorPosition                             = modkernel32.NewProc("SetConsoleCursorPosition")
 	procSetConsoleMode                                       = modkernel32.NewProc("SetConsoleMode")
@@ -350,6 +360,7 @@ var (
 	procSetFileInformationByHandle                           = modkernel32.NewProc("SetFileInformationByHandle")
 	procSetFilePointer                                       = modkernel32.NewProc("SetFilePointer")
 	procSetFileTime                                          = modkernel32.NewProc("SetFileTime")
+	procSetFileValidData                                     = modkernel32.NewProc("SetFileValidData")
 	procSetHandleInformation                                 = modkernel32.NewProc("SetHandleInformation")
 	procSetInformationJobObject                              = modkernel32.NewProc("SetInformationJobObject")
 	procSetNamedPipeHandleState                              = modkernel32.NewProc("SetNamedPipeHandleState")
@@ -360,6 +371,7 @@ var (
 	procSetStdHandle                                         = modkernel32.NewProc("SetStdHandle")
 	procSetVolumeLabelW                                      = modkernel32.NewProc("SetVolumeLabelW")
 	procSetVolumeMountPointW                                 = modkernel32.NewProc("SetVolumeMountPointW")
+	procSetupComm                                            = modkernel32.NewProc("SetupComm")
 	procSizeofResource                                       = modkernel32.NewProc("SizeofResource")
 	procSleepEx                                              = modkernel32.NewProc("SleepEx")
 	procTerminateJobObject                                   = modkernel32.NewProc("TerminateJobObject")
@@ -378,6 +390,7 @@ var (
 	procVirtualQueryEx                                       = modkernel32.NewProc("VirtualQueryEx")
 	procVirtualUnlock                                        = modkernel32.NewProc("VirtualUnlock")
 	procWTSGetActiveConsoleSessionId                         = modkernel32.NewProc("WTSGetActiveConsoleSessionId")
+	procWaitCommEvent                                        = modkernel32.NewProc("WaitCommEvent")
 	procWaitForMultipleObjects                               = modkernel32.NewProc("WaitForMultipleObjects")
 	procWaitForSingleObject                                  = modkernel32.NewProc("WaitForSingleObject")
 	procWriteConsoleW                                        = modkernel32.NewProc("WriteConsoleW")
@@ -1640,6 +1653,22 @@ func CancelIoEx(s Handle, o *Overlapped) (err error) {
 	return
 }
 
+func ClearCommBreak(handle Handle) (err error) {
+	r1, _, e1 := syscall.Syscall(procClearCommBreak.Addr(), 1, uintptr(handle), 0, 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func ClearCommError(handle Handle, lpErrors *uint32, lpStat *ComStat) (err error) {
+	r1, _, e1 := syscall.Syscall(procClearCommError.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(lpErrors)), uintptr(unsafe.Pointer(lpStat)))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func CloseHandle(handle Handle) (err error) {
 	r1, _, e1 := syscall.Syscall(procCloseHandle.Addr(), 1, uintptr(handle), 0, 0)
 	if r1 == 0 {
@@ -1844,6 +1873,14 @@ func DeviceIoControl(handle Handle, ioControlCode uint32, inBuffer *byte, inBuff
 	return
 }
 
+func DisconnectNamedPipe(pipe Handle) (err error) {
+	r1, _, e1 := syscall.Syscall(procDisconnectNamedPipe.Addr(), 1, uintptr(pipe), 0, 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func DuplicateHandle(hSourceProcessHandle Handle, hSourceHandle Handle, hTargetProcessHandle Handle, lpTargetHandle *Handle, dwDesiredAccess uint32, bInheritHandle bool, dwOptions uint32) (err error) {
 	var _p0 uint32
 	if bInheritHandle {
@@ -1856,6 +1893,14 @@ func DuplicateHandle(hSourceProcessHandle Handle, hSourceHandle Handle, hTargetP
 	return
 }
 
+func EscapeCommFunction(handle Handle, dwFunc uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procEscapeCommFunction.Addr(), 2, uintptr(handle), uintptr(dwFunc), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func ExitProcess(exitcode uint32) {
 	syscall.Syscall(procExitProcess.Addr(), 1, uintptr(exitcode), 0, 0)
 	return
@@ -2057,6 +2102,22 @@ func GetActiveProcessorCount(groupNumber uint16) (ret uint32) {
 	return
 }
 
+func GetCommModemStatus(handle Handle, lpModemStat *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procGetCommModemStatus.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(lpModemStat)), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func GetCommState(handle Handle, lpDCB *DCB) (err error) {
+	r1, _, e1 := syscall.Syscall(procGetCommState.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(lpDCB)), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func GetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error) {
 	r1, _, e1 := syscall.Syscall(procGetCommTimeouts.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(timeouts)), 0)
 	if r1 == 0 {
@@ -2809,6 +2870,14 @@ func PulseEvent(event Handle) (err error) {
 	return
 }
 
+func PurgeComm(handle Handle, dwFlags uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procPurgeComm.Addr(), 2, uintptr(handle), uintptr(dwFlags), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func QueryDosDevice(deviceName *uint16, targetPath *uint16, max uint32) (n uint32, err error) {
 	r0, _, e1 := syscall.Syscall(procQueryDosDeviceW.Addr(), 3, uintptr(unsafe.Pointer(deviceName)), uintptr(unsafe.Pointer(targetPath)), uintptr(max))
 	n = uint32(r0)
@@ -2923,6 +2992,30 @@ func ResumeThread(thread Handle) (ret uint32, err error) {
 	return
 }
 
+func SetCommBreak(handle Handle) (err error) {
+	r1, _, e1 := syscall.Syscall(procSetCommBreak.Addr(), 1, uintptr(handle), 0, 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func SetCommMask(handle Handle, dwEvtMask uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procSetCommMask.Addr(), 2, uintptr(handle), uintptr(dwEvtMask), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func SetCommState(handle Handle, lpDCB *DCB) (err error) {
+	r1, _, e1 := syscall.Syscall(procSetCommState.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(lpDCB)), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func SetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error) {
 	r1, _, e1 := syscall.Syscall(procSetCommTimeouts.Addr(), 2, uintptr(handle), uintptr(unsafe.Pointer(timeouts)), 0)
 	if r1 == 0 {
@@ -3051,6 +3144,14 @@ func SetFileTime(handle Handle, ctime *Filetime, atime *Filetime, wtime *Filetim
 	return
 }
 
+func SetFileValidData(handle Handle, validDataLength int64) (err error) {
+	r1, _, e1 := syscall.Syscall(procSetFileValidData.Addr(), 2, uintptr(handle), uintptr(validDataLength), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func SetHandleInformation(handle Handle, mask uint32, flags uint32) (err error) {
 	r1, _, e1 := syscall.Syscall(procSetHandleInformation.Addr(), 3, uintptr(handle), uintptr(mask), uintptr(flags))
 	if r1 == 0 {
@@ -3136,6 +3237,14 @@ func SetVolumeMountPoint(volumeMountPoint *uint16, volumeName *uint16) (err erro
 	return
 }
 
+func SetupComm(handle Handle, dwInQueue uint32, dwOutQueue uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procSetupComm.Addr(), 3, uintptr(handle), uintptr(dwInQueue), uintptr(dwOutQueue))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func SizeofResource(module Handle, resInfo Handle) (size uint32, err error) {
 	r0, _, e1 := syscall.Syscall(procSizeofResource.Addr(), 2, uintptr(module), uintptr(resInfo), 0)
 	size = uint32(r0)
@@ -3282,6 +3391,14 @@ func WTSGetActiveConsoleSessionId() (sessionID uint32) {
 	return
 }
 
+func WaitCommEvent(handle Handle, lpEvtMask *uint32, lpOverlapped *Overlapped) (err error) {
+	r1, _, e1 := syscall.Syscall(procWaitCommEvent.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(lpEvtMask)), uintptr(unsafe.Pointer(lpOverlapped)))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func waitForMultipleObjects(count uint32, handles uintptr, waitAll bool, waitMilliseconds uint32) (event uint32, err error) {
 	var _p0 uint32
 	if waitAll {

vendor/modules.txt

@@ -1,6 +1,9 @@
-# github.com/danieljoos/wincred v1.2.1
+# github.com/danieljoos/wincred v1.2.3
 ## explicit; go 1.18
 github.com/danieljoos/wincred
-# golang.org/x/sys v0.15.0
+# github.com/keybase/go-keychain v0.0.1
+## explicit; go 1.21
+github.com/keybase/go-keychain
+# golang.org/x/sys v0.20.0
 ## explicit; go 1.18
 golang.org/x/sys/windows