Vscode: Multiple prompt to grant access to login keychain

Interestingly, after upgraded to 1.50 Stable, I also got two prompts (though I said always allow).

FWIW the acl list is same between my machine and Peng's machine, verified with

security dump-keychain -ar <path-to>/login.keychain-db

And the keychain settings are also same

security show-keychain-info <path-to>/login.keychain-db

Also experiencing this on Darwin x64 19.6.0 since upgrading to:

Version: 1.50.0
Commit: 93c2f0fbf16c5a4b10e4d5f89737d9c2c25488a

I can't make the dialog prompt go away. I don't know the login keychain password and the option to change it in Keychain Access is greyed out on my mac.

I am not using settings sync, and even after uninstalling the GitHub Pull Requests and Issues extension I'm still getting the dialog frequently.

Same issue here. After recent update, keychain password prompt is appearing every 30 second.

VS Code version: 1.50.0
MacOS version: 10.15.7

I think there should an option to migrate to previous vs code.

The prompt are too obtrusive and even after making "Always Allow" they still pop up again and again.

I just installed the previous vscode version and turned auto-update off, this issue made it pretty much unusable.

Deleting the old vscode-github.login from Keychain Access seems to solve the problem.

Thanks, this was driving me absolutely crazy.

BTW, expecting the user to blindly click “yes” on a security prompt (even once) is not acceptable; it amounts to educating users to bypassing prompts that protect them from attacks. Indeed, when I saw the prompt, I wondered whether vscode was under attack.

Same issue here. After recent update, keychain password prompt is forcing and ignoring either Allow/Deny
VS Code version: 1.50.0
MacOS version: 10.12.6

I will expand on https://code.visualstudio.com/updates/v1_50#_macos-keychain-access-moved-to-a-different-process and why this ought to happen.

VSCode uses a native module called keytar https://github.com/atom/node-keytar to manage passwords across different OS, so any extension that saves an authentication talks to this module for interaction with the keychain. MacOS manages the access control list for a keychain item based on the bundle identifier of the application trying to access it.

So why is there a prompt with 1.50 ?

Before 1.50 this module was present inside each window and on macOS the windows are spawned by an executable called Code Helper (Renderer) which is different from the main application executable. The VSCode app structure looks like

• Visual Studio Code.app
  
  
  
  • Contents
    
    
    
    
    
    • Frameworks
      
      
      
      
      
      
      
      • Code Helper
      
      
      
      
      • Code Helper (GPU)
      
      
      
      
      • Code Helper (Plugin)
      
      
      
      
      • Code Helper (Renderer)
      
      
      
      
    
    
    
    • MacOS
    
    
    
    • Code.exe
    
    
    
    • Resources
    
    
    
  
  

Why a different executable ?

This comes from the multi-process architecture of chromium https://chromium.googlesource.com/chromium/src/+/master/sandbox/mac/seatbelt_sandbox_design.md#code-structure where each of these helper executables are responsible for different components as rendering, running utility process etc and the advantage in that allows for applying different profiles of the OS sandboxing. For ex: gpu helper will depend on a different set of system libraries than the renderer helper or restrict the system calls that can be made directly from the renderer. You can check https://source.chromium.org/chromium/chromium/src/+/master:sandbox/policy/mac/ for the different policies applied to each of these process.

So what does all of these come down to ?

In 1.50 we moved the keytar module from the renderer process to the main process in an effort towards sandboxing https://github.com/microsoft/vscode/issues/92164 . As mentioned earlier keychain access control list is based on the bundle identifier, and the bundle identifier for these helper executables are different from the main application executable. Since there is now a change of application executable that is trying to access the keychain , the prompt is shown. There is nothing the app can do here to prevent the prompt from showing up. I certainly agree its an annoyance but thats how it works today.

So please make sure you have done one of these,

• Provide Always Allow to prevent from repeated prompts
• You can also delete the particular keychain entity that is trying to be accessed if you no longer use that extension
• The polling for the keychain will be addressed in https://github.com/microsoft/vscode/issues/107480 and that should make things better and you might not have to provide Always Allow

Deleting the old vscode-github.login from Keychain Access seems to solve the problem.

I am not able to delete it. It took some time and finally I was able to delete it.😌

Same issue here. 'Visual studio code wants to use your confidential information stored in "VS Code Account" in your keychain. To allow this, enter the "login" keychain password.'

Entering my login keychain password results in the same prompt appearing. Clicking deny several times eventually it stops asking.

Same here, Microsoft way of forcing things down people's throat.
I do NOT want to give VS Code keychain access, and now has been asking everytime I open a new project at least for times.

I also use a different client for git, I do not like using VSCode for git integration. I disabled git integration in VSCode through the setting git.enabled=false so why does it have to keep asking about keychain items?

Deleting the old vscode-github.login from Keychain Access seems to solve the problem.

I love you man, nothing worked but this. So pissed off about this.

There is nothing the app can do here to prevent the prompt from showing up.

I can see what you actually meant, and how _that_ is accurate, but this sentence is false, and it seems to suggest the 1.50 release deserves the "stable" moniker. The response headline is "sorry we screwed up" — the suggested workaround, clicking "Always allow", is neither appropriate nor always sufficient.

Same here, Microsoft way of forcing things down people's throat.

@damianof While I don't like this either, I don't think that's what is going on. But I agree that reaction is due to a VSCode bug (my take is https://github.com/microsoft/vscode/issues/108342#issuecomment-706130650).

Deleting the old vscode-github.login from Keychain Access seems to solve the problem.

I opened Keychain Access and deleted "vscode-github.login" and "VS Code Account" (from All items category of login keychains)

Before you make an architecture/structural/product change such as https://code.visualstudio.com/updates/v1_50#_macos-keychain-access-moved-to-a-different-process to please the development team members, please think about beta-testing and be able to quickly rollback if such a feature did not help (or rather less annoy) the users., especially if it is a security feature.

If these erratic security change continue, users will naturally turn towards installing IntelliJIDEA, which consumes around the same amount of RAM as VS Code Helper processes combined take.

@SebastianWolf It's asking permanent and unlimited access to only vscode-github.login item of Keychain, not entire Keychain.

Deleting the old vscode-github.login from Keychain Access seems to solve the problem.

hmm seems like this worked for most people but didn't do anything for me :/

I do feel this particular thing needs a bit more explanation.

Deleting the old vscode-github.login from Keychain Access seems to solve the problem.

Thank you. It solved the issue for me.

Deleting the old vscode-github.login from Keychain Access seems to solve the problem.

how i can access the keychain access in vs code ??

@SalsabeelaHasan
there is an app called Keychain Access, search there vscode-github.login and delete it

Deleting the old vscode-github.login from Keychain Access seems to solve the problem.

thank you! it's works

I cannot find an entry with vscode in Keychain Access, however when searching just for "code" I found this: LiveShare.accessToken and removing that seems to have fixed it for me.

The fix from Rachel to remove the periodic polling of credentials that are needed by VSCode is already in our insiders version of VSCode and we plan on releasing it to stable (1.50.1) later this week.

If people could give our insiders build a try on macOS and report back if that improves the situation for them, that would be helpful 👍

You can give our preview releases a try from: https://code.visualstudio.com/insiders/

While attempting to verify this fix for our upcoming recovery release, I have a better understanding now why this issue is present now and was not there before. As a preparation I deleted any VSCode related entry of the macOS keychain and then started VSCode to sign-in to GH. I was NOT prompted with a dialog to grant access to the keychain simply because the application was the first to store the password. However, once I removed VSCode from having access to the entry to see the repeated dialogs appearing, they started to appear.

In summary, this is what happened:

• VSCode started to put credentials for GH access into the macOS keychain a couple of months ago (maybe 1 year ago) to enable features such as showing assigned pull requests or issues
• We used to use the window process (= Code Helper) as the one to access macOS keychain
• Since this was the first time the credential was written to the keychain, no dialog appeared and the window process was granted access from then on
• Last month we moved access to macOS keychain into a different process with a different bundle ID (the main process)
• The entry for GH credentials already did exist in macOS keychain and now suddenly a new process wanted access
• You end up with the dialog that keeps popping up asking for access

vscode-github.login

It worked. Thank you!

Under: preferences > settings > extensions > Github

I unchecked the box: _Controls whether to enable automatic Github authentication for git commands within VS Code._

Seems to have stopped for me, but not sure that's a good solution or not?

I got around this issue by selecting always allow instead of the allow option.

https://docs.github.com/cn/free-pro-team@latest/github/using-git/updating-credentials-from-the-macos-keychain

@deepak1556 @RMacfarlane should I create a new issue since this one became the tracking issue for auth token pulling however I'm still seeing it no matter how many times I pressed "Always Allow" in both Insiders and Stable?