This is something that’s pretty high on my todo list but I haven’t found the right approach yet. For now, I’ve been thinking of a two-step solution.
- A key/value pair can be securely stored in the keychain from the app’s settings. So in settings there would be an entry named “Keychain”. When opened, users will be presented with a list of keys they have added to their keychain. From here, they can add and remove keys.
- Add a Keychain API which can read from the keychain but not write to it. That way scripts cannot modify the keychain but they can read existing keys.
I think that’s a simple and secure solution. Adding credentials from the script can quickly get complicated because I think that in many cases you would only want to do this in case the credentials don’t already exist.
I still haven’t ruled out a solution that only involves a Keychain API, i.e. support for reading AND writing to the keychain but I fear it gets too complicated.
I’d love to know what you think about the approach described above 
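The read-only split described in the post, sketched as an added example (this is not the app's code and not the author's; the names `makeReadOnlyKeychain`, `contains`, `get` and the settings store are assumptions). The store that the settings screen would manage is kept behind a closure and the object handed to scripts is frozen, so a script can look up and read keys the user added but has no way to add, change or remove them:

```javascript
// Added example: a read-only keychain facade for scripts. Every name is an
// assumption for illustration, not an API of the app discussed in the post.

// Constructed sample: entries the user would have added via Settings > Keychain.
const settingsStore = new Map([
  ["github-token", "ghp_constructed_example"],
  ["api-key", "constructed-key-123"],
]);

// Build the object a script receives. Only read operations are exposed, the
// backing Map is captured in a closure, and the object is frozen so scripts
// cannot attach a write method of their own.
function makeReadOnlyKeychain(store) {
  const keychain = {
    contains(key) {
      return store.has(key);
    },
    get(key) {
      if (!store.has(key)) {
        // Fail loudly: the fix is to add the entry in settings, not in the script.
        throw new Error(`Keychain has no entry for "${key}"; add it in Settings > Keychain`);
      }
      return store.get(key);
    },
  };
  return Object.freeze(keychain);
}

// What a script does with it: check first, then read, and handle absence.
function scriptReadsToken(keychain, key) {
  return keychain.contains(key) ? keychain.get(key) : null;
}

// Check that the facade really rejects writes. In strict mode, adding a
// property to a frozen object throws a TypeError; in sloppy mode the
// assignment is silently ignored, so both outcomes are covered.
function writeIsBlocked(keychain) {
  "use strict";
  try {
    keychain.set = (k, v) => {};
  } catch (e) {
    return true;
  }
  return typeof keychain.set !== "function";
}

// Stand-alone run: prints the outcome of each check.
const kc = makeReadOnlyKeychain(settingsStore);
console.log("token:", scriptReadsToken(kc, "github-token"));
console.log("missing key:", scriptReadsToken(kc, "no-such-key"));
console.log("writes blocked:", writeIsBlocked(kc));
```

The design point is that the script never holds a reference to the mutable store, so the "scripts can read but not write" rule is enforced by what the object can do rather than by a check the script could work around.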