Cannot persist / load GitHub Authentication SignIn Token to macOS Ventura Beta 2 Keychain

[alexanderniebuhr]

Issue Type: Bug

Using the latest macOS 13.0 Beta (22A5286j), I experience an issue / bug that reloading Window or restarting logs me out of all the extensions, e.g. Copilot, Settings Sync, Github Issues & Pull Request.

VS Code version: Code - Insiders 1.69.0-insider (668c538, 2022-06-23T05:16:19.393Z)
OS version: Darwin arm64 22.0.0
Restricted Mode: No

System Info

Item	Value
CPUs	Apple M1 Max (10 x 24)
GPU Status	2d_canvas: enabled canvas_oop_rasterization: disabled_off direct_rendering_display_compositor: disabled_off_ok gpu_compositing: enabled metal: disabled_off multiple_raster_threads: enabled_on opengl: enabled_on rasterization: enabled raw_draw: disabled_off_ok skia_renderer: enabled_on video_decode: enabled video_encode: enabled webgl: enabled webgl2: enabled
Load (avg)	7, 39, 28
Memory (System)	64.00GB (40.71GB free)
Process Argv	--crash-reporter-id 092694b8-f2ad-4473-8608-b513d685cc96
Screen Reader	no
VM	0%

Extensions (16)

Extension	Author (truncated)	Version
iconify	ant	0.3.3
vscode-eslint	dba	2.2.2
gitlens-insiders	eam	2022.6.2205
prettier-vscode	esb	9.5.0
copilot-labs	Git	0.1.176
copilot-nightly	Git	1.30.6180
vscode-pull-request-github	Git	0.44.0
better-shellscript-syntax	jef	1.1.0
i18n-ally	lok	2.8.1
vscode-docker	ms-	1.22.0
remote-containers	ms-	0.240.0
vscode-github-issue-notebooks	ms-	0.0.119
material-icon-theme	PKi	4.18.1
fortnite-vscode-theme	sdr	1.3.0
svelte-vscode	sve	105.17.0
windicss-intellisense	voo	0.23.5

(4 theme extensions excluded)

A/B Experiments

vsliv695:30137379
vsins829:30139715
vsliv368:30146709
vsreu685:30147344
python383cf:30185419
vspor879:30202332
vspor708:30202333
vspor363:30204092
vslsvsres303:30308271
pythonvspyl392:30422396
pythontb:30258533
vsc_aa:30263845
pythonptprofiler:30281269
vshan820:30294714
pythondataviewer:30285072
vscod805:30301674
bridge0708:30335490
bridge0723:30353136
vsaa593:30376534
pythonvs932:30404738
wslgetstarted:30449409
vscscmwlcmt:30465136
cppdebug:30492333
pylanb8912:30496796
vsclangdf:30492506
c4g48928:30513948

[alexanderniebuhr]

Following up on this, looking at the GitHub Authentication Output Channel, it looks like the token is not persisted.
Even the logs show that a Password is required, I do not get any modal to ask for a password.

[Info  - 11:30:30.732] Logging in for the following scopes: read:user
[Info  - 11:30:30.739] Trying without local server... (read:user)
[Trace  - 11:30:32.142] Handling Uri...
[Info  - 11:30:32.142] Exchanging code for token...
[Info  - 11:30:32.620] Token exchange success!
[Info  - 11:30:32.621] Getting user info...
[Info  - 11:30:32.919] Got account info!
[Info  - 11:30:32.919] Storing 1 sessions...
[Error  - 11:30:33.541] Setting token failed: Error: Password is required.
[Info  - 11:30:33.541] Stored 1 sessions!
[Info  - 11:30:33.541] Login success!
[Info  - 11:30:33.550] Getting sessions for user:email...
[Info  - 11:30:33.550] Got 0 sessions for user:email...
[Info  - 11:30:33.551] Getting sessions for read:user,repo,user:email,workflow...
[Info  - 11:30:33.551] Got 0 sessions for read:user,repo,user:email,workflow...
[Info  - 11:30:33.552] Getting sessions for read:user,repo,user:email...
[Info  - 11:30:33.552] Got 0 sessions for read:user,repo,user:email...

[rotu]

I'm experiencing the same. Same log messages, also on the MacOS Beta.

[und3fined]

I have same issue. Any way for fix it?

[alexanderniebuhr]

I tried to login with a different Macbook and transferring the token manually to the keychain -> That did not work.

I tried to give VSCode full permission on the Keychain item -> That did not work.
It does trigger a prompt on reload though. But it still can't load or save any Token.

I expect that Apple did change some security related stuff in Ventura, therefore we might need to wait for a fix to get this sorted. :(

[TylerLeonhardt]

I'm suspicious of this new Passkeys feature in Ventura:

which mentions iCloud Keychain...

I don't have a machine with Ventura on it, but we use http://github.com/atom/node-keytar for this interaction so we should get an issue going there.

[TylerLeonhardt]

FYI @sergiou87 we may need some help with this one.

[phyllisstein]

I was seeing the same thing on Ventura. Troubleshooting attempts that didn't work:

• Deleting VSCode's GitHub auth in Keychain Access, then signing in again.
• Disconnecting VSCode from my authorized apps on GitHub, then signing in again.
• Clearing VSCode's caches in ~/Library/Application Support/Code, then signing in again.

[TylerLeonhardt]

if you have nodejs installed, you can run this simple one-liner to see if the problem is how your keychain is setup:

npx @emacs-grammarly/keytar-cli find-creds -s vscode-insidersvscode.github-authentication

This is using the following open source package: https://github.com/emacs-grammarly/keytar-cli

What you should get is something like this:

[
  {
    account: 'github.auth',
    password: '....... longggg string ......'
  }
]

NOTE: on macOS I got a system prompt to allow this process to access the keychain... that may or may not be the case for you

If that succeeds, then the problem is possibly in vscode.

If that does complain, then we'll need a fix in keytar itself.

[rotu]

@TylerLeonhardt I can both get and set values with keytar-cli and they do show up in the Keychain Access utility.

[rotu]

In addition to the error message initially reported in the "GitHub Authentication" output, I'm seeing this in "Log (main)":

[2022-06-24 23:03:25.187] [main] [warning] Error attempting to set a password: Password is required.
[2022-06-24 23:03:25.388] [main] [warning] Error attempting to set a password: Password is required.
[2022-06-24 23:03:25.592] [main] [warning] Error attempting to set a password: Password is required.

[alexanderniebuhr]

If that succeeds, then the problem is possibly in vscode.

@TylerLeonhardt I can both get and set values with keytar-cli and they do show up in the Keychain Access utility.

Having the same behaviour as @rotu. Using suggested package keytar-cli, gives the following outputs

alexanderniebuhr@Alexanders-MBP ~ % npx @emacs-grammarly/keytar-cli find-creds -s vscode-insidersvscode.github-authentication     
[ { account: 'github.auth', password: 'ASD' } ]
alexanderniebuhr@Alexanders-MBP ~ % npx @emacs-grammarly/keytar-cli set-pass -s vscode-insidersvscode.github-authentication -a github.auth -p TEST
Successfully set the password for github.auth@vscode-insidersvscode.github-authentication!
alexanderniebuhr@Alexanders-MBP ~ % npx @emacs-grammarly/keytar-cli find-creds -s vscode-insidersvscode.github-authentication
[ { account: 'github.auth', password: 'TEST' } ]

Even using the package atom/node-keytar in a demo project works.

import keytar from "keytar"

const a = await keytar.findCredentials("vscode-insidersvscode.github-authentication")
console.log(a)
await keytar.setPassword("vscode-insidersvscode.github-authentication", "github.auth", "TEST2")
const b = await keytar.findCredentials("vscode-insidersvscode.github-authentication")
console.log(b)

alexanderniebuhr@Alexanders-MBP playground % node keytar.js
[ { account: 'github.auth', password: 'TEST' } ]
[ { account: 'github.auth', password: 'TEST2' } ]

Therefore I really think there is some issue in VSCode, actually I don't think the issue would be that it can't save or read. I think there is a problem prompting or using the root password. Therefore it is not authenticated to do so.

Can we get some higher priority on this?

[rotu]

@TylerLeonhardt I can't even figure out how to debug this. Building and running VSCode from source does not load the vscode.github-authentication extension. How do I a debugger on this in OSS VSCode?

[TylerLeonhardt]

@rotu it's because there's nothing in OSS that uses auth.

You can debug it by either side-loading a GH extension (download VSIX on the marketplace and then in OSS go to the extension pane and hit the three dots to Install from VSIX)

Or just add a SecretStorage usage in any of the built in extensions. Secrets is in the ExtensionContext

[rotu]

So far no dice. It seems the OSS version works just fine with persisting authentication. Unlike the distributed VSCode (both stable and insiders), OSS is able to write to the system keychain.

[alexanderniebuhr]

@rotu so using a version you built from source of this repo does work, while the distributed version (which I thought is also built from the repo) does not work?

[rotu]

@alexanderniebuhr that is correct.

[alexanderniebuhr]

Knowing this, I wonder if this could be a problem with App Signing. Since the distributed one is probably signed differently.

@TylerLeonhardt, what do you think? Any update from VSCode Team? Can you post a link to the newest exploration build, since the latest insider is 2 days old?

[alexanderniebuhr]

Okay, I found an interesting workaround. Using the x64 Intel (running through rosetta 2) published version of VSCode stable, does save and load successfully from the keychain.

@rotu @phyllisstein @und3fined could you verify that for your case too?

If that is true, it seams that there is something broken with the Apple Silicon version :/

[rotu]

Also, if you're in need of a workaround, the Settings Sync Extension appears to still work

[rotu]

TLDR: this is a bug in the closed source part of VSCode.

Alright @TylerLeonhardt I made some progress but I think I'm at the end of my debugging abilities, and the problem lies in the native vscode-encrypt service. I think the issue is here, where await this.encryptionService.encrypt is getting a valid JSON object but returning "":

vscode/src/vs/workbench/api/browser/mainThreadSecretState.ts

Lines 83 to 84 in c22cb87

	const encrypted = await this.encryptionService.encrypt(toEncrypt);
	return await this.credentialsService.setPassword(fullKey, key, encrypted);

[und3fined]

@alexanderniebuhr thank for workaround. It's auth worked, but VS Code sloooowwww with Intel version.
I'll use VS Code (arm) until it fixed or Zed/Fleet released. Maybe i'll never comeback VSCode, if Zed/Fleet release

[rotu]

@alexanderniebuhr @und3fined, I found an even better workaround!
Simply remove the encryption module:

rm -rf "/Applications/Visual Studio Code.app/Contents/Resources/app/node_modules.asar.unpacked/vscode-encrypt"

[alexanderniebuhr]

@deepak1556 @TylerLeonhardt actually can't verify the latest insider from Monday. (others report this too)

I actually wonder why you have closed an issue, which is not verified fixed. I suggest reopening this issue and waiting for verification of users before closing it again.

[deepak1556]

@alexanderniebuhr thanks for verifying, we are aware of the issue as well. Currently tracked in #154762

The issue was closed as part of fix in the module and another side effect is for our release bot to track fixes shipped in a certain insider version so that certain github actions can work https://github.com/microsoft/vscode-github-triage-actions. Issue will be closed to signal for verification and if issue persists then it will be reopened for further investigation.

[Dids]

Shouldn't this issue be closed when it's confirmed fixed?

The merged fix seems to only apply to the arm64 build of VSCode, however this issue also happens on the universal insider builds, which either means that universal builds need a similar fix, or the issue is still there.

Fix will be coming for both in a new insider build tomorrow!

[alexanderniebuhr]

@deepak1556 @TylerLeonhardt Just verified with newest release, and it seems to work.

Version: 1.70.0-insider
Commit: 052d5b0027f6c9d64c8ca35955cb5117ba94d5d7
Date: 2022-07-13T05:30:15.129Z
Electron: 18.3.5
Chromium: 100.0.4896.160
Node.js: 16.13.2
V8: 10.0.139.17-electron.0
OS: Darwin arm64 22.0.0

[CodeWithShreyans]

Any ETA on this coming to stable? @deepak1556

[und3fined]

Problem fixed with Sync with Github account.
But Copilot not work. It's require re-auth.

[Dids]

Problem fixed with Sync with Github account. But Copilot not work. It's require re-auth.

Are you still seeing this? Because I thought the same at first too, but now it seems intermittent, as it at least stays logged in for longer periods of time now, regardless of how many times VSCode is (re)opened.

[rstolpe]

@gjsjohnmurray Is this solved in the latest insider build?

[gjsjohnmurray]

@rstolpe that's what the verified and Insiders-released labels indicate.