OS X is blocking the ejection of USB drives because of 1P4 using OS X keychains [Confirmed]

akerl
edited November 2013 in 1Password 6 Beta

I'm using the 1Password4 beta, and I also have a FileVault-encrypted USB flash drive. The only thing on the drive is a GPG keychain and a Mac .keychain file (from Keychain Access). It's not the System or Login keychain, it's a fully separate one that I've created and placed there.

About 90% of the time when I try to unmount the flash drive, OSX refuses to do so, telling me that 1Password4 is preventing the drive from unmounting. If I quite 1Password4 (both the main app and the mini bar thing), unmounting stalls with a popup that the drive is still being accessed, and I can choose to forcibly unmount it.

  • Les

Comments

  • roustem AgileBits Founder

    Team Member

    Please try to open Activity Monitor and find 1Password or 1Password mini in the list of processes.

    Use the list of "open files and ports" for 1Password to see if there are any files that are open on the USB drive.

  • akerl
    edited August 2013

    Thanks; I didn't know that was part of Activity Monitor.

    Both 1Password and 1Password mini have the .keychain file on the USB drive open (they actually appear to have all keychains open).

    I'm unsure why this needs to occur, as to my knowledge 1Password shouldn't be performing any persistent interaction with my keychain, especially with a keychain other than the primary Login chain.
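
The check described in the posts above (which processes hold files open on the USB volume) can also be done from `lsof -F pcn` output instead of Activity Monitor. This is an added example, not part of the original thread; the volume name `/Volumes/SECURE`, the PIDs, the process names and the sample output are constructed.

```python
from collections import defaultdict

# Constructed sample of `lsof -F pcn` output, one field per line:
# p = PID, c = command name, f = file descriptor, n = file name.
SAMPLE_LSOF = """\
p412
c1Password
f12
n/Users/example/Library/Keychains/login.keychain
f13
n/Volumes/SECURE/custom.keychain
p415
c1Password mini
f9
n/Volumes/SECURE/custom.keychain
f10
n/System/Library/Keychains/SystemRootCertificates.keychain
p530
ciTunes
f7
n/Library/Keychains/System.keychain
"""

def holders_on_volume(lsof_output, mount_point):
    """Map (pid, command) -> sorted list of open paths under mount_point."""
    prefix = mount_point.rstrip("/") + "/"
    holders = defaultdict(set)
    pid = command = None
    for line in lsof_output.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":            # a new process record starts here
            pid, command = int(value), None
        elif tag == "c":
            command = value
        elif tag == "n" and pid is not None and value.startswith(prefix):
            holders[(pid, command)].add(value)
    return {key: sorted(paths) for key, paths in holders.items()}

def keychain_holders(lsof_output, mount_point):
    """Keep only processes holding .keychain files on the volume."""
    result = {}
    for key, paths in holders_on_volume(lsof_output, mount_point).items():
        keychains = [p for p in paths if p.endswith(".keychain")]
        if keychains:
            result[key] = keychains
    return result
```

On a live system the input would come from running `lsof -F pcn` and passing its output to `keychain_holders` together with the drive's mount point.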

  • roustem AgileBits Founder

    Team Member

    Thank you for the update!

    In 1Password 4, please select 1Password > Preferences > Sync and see if it is trying to sync with the location on the USB drive. By default, 1Password 4 finds the file used by version 3 and imports the data from it. It also sets up the syncing with this location.

  • Nope; Under the Sync section, I'm set up to sync with Dropbox, and the path is nowhere near my flash drive.

    To be clear, I'm not sure why any potential Sync options would cause it to open all the OSX keychains (System, login, and my custom keychain). What is 1Password using these keychains for, because I certainly haven't asked it to touch my keychains in any fashion?

  • roustem AgileBits Founder

    Team Member

    @akerl,

    I am sorry, I missed the fact that these were the OS X .keychain files.

    1Password is not accessing them directly but I can also see all .keychain files open on my Mac. My guess is that this is done by the system framework when using SSL connections.

    Do you see these files listed when you open OS X Keychain Access utility and select Edit > Keychain List menu?

  • akerl
    edited August 2013

    Yes, they're listed there.

    I've checked a few other applications that I'd expect to be doing SSL connections (specifically, certificate validation), and it appears that they open the following keychains:

    Google Chrome (dev build):
    /Library/Keychains/System.keychain
    /System/Library/Keychains/SystemRootCertificates.keychain

    Twitter (the official Mac app):
    /Library/Keychains/System.keychain
    /Users/akerl/Library/Keychains/login.keychain (of note, this keychain has my Twitter account oauth token in it)
    /System/Library/Keychains/SystemRootCertificates.keychain

    iTunes:
    /Library/Keychains/System.keychain
    /System/Library/Keychains/SystemRootCertificates.keychain

    I've admittedly not dug into any code involved, but based on that it appears that the general behavior of Mac apps is to load the SystemRoot and System keychains to look for SSL certificates when performing validation on an SSL connection.

    I imagine this behavior could be unpleasant if a user stores custom certificates in a custom keychain and those are needed for a connection, but within 1Password itself I expect the only SSL connections are towards your servers, and perhaps when looking for thumbnails for login items. As such, would it be possible for 1Password to open just those keychains, rather than all chains?

  • roustem AgileBits Founder

    Team Member
    edited August 2013

    I think I found where this keychain usage might be coming from. We had a Mac App Store receipt validation code and for testing I enabled it for the beta build. I am going to remove this code from the beta build, let me know how it works for you in b70.

    Turned out that the receipt validation code is using the SystemRootCertificates.keychain only.

  • MartyS AgileBits Customer Care (retired)

    @Roustem, as a test, I just launched 1P4 b69 and it does open my login.keychain, System.keychain and SystemRootCertificates.keychain. Those are the only keychains available to Keychain Access so my guess is that whatever is listed there will get opened — for what reason we don't know yet. Since @akerl has their USB-located keychain listed in Keychain Access it then makes sense that it too would be opened by whatever mechanism 1Password is triggering.

  • Any word on what's causing this? I'm currently stuck yanking my thumb drive out and having the Mac show me the shame-alert about how bad that is. I'm not terribly worried, but I'd prefer if 1Password limited its keychain access to just the keychains it needs.

  • sjk oversoul

    Team Member

    I'm currently stuck yanking my thumb drive out and having the Mac show me the shame-alert about how bad that is.

    Any reason you'd rather not temporarily quit 1P main (and mini, if also necessary) so the drive can be cleanly unmounted/removed? I'd be more comfortable doing that than increasing the risk of data loss (regardless of how minimal it is).

  • As per my previous update:

    "If I quite 1Password4 (both the main app and the mini bar thing), unmounting stalls with a popup that the drive is still being accessed, and I can choose to forcibly unmount it."

  • sjk oversoul

    Team Member

    Thanks, @akerl. Sorry I missed that earlier, maybe because my brain didn't readjust the minor "quite" typo as "quit". :)

  • Ah, my bad there :)

  • Hey guys, any update on this? It's still opening all my keychains and blocking me from cleanly removing my thumb drive.

    • Les
  • MikeT Agile Samurai

    Team Member

    Hi @akerl,

    No updates yet, there's an open bug report in our tracker about this. We'll investigate this as soon as we can.

  • Any updates?... It's been months, and this makes using 1Password a pretty painful experience.

  • MikeT Agile Samurai

    Team Member

    Hi @akerl,

    Unfortunately, no updates. We've been dealing with other issues that we need to improve first, so we haven't had the chance to look at this. I'll nudge Roustem to see what we can do.

This discussion has been closed.