osxkeychain: exclusive lock to serialize execution of operations

git passes a credential that has been used successfully to the helpers
to record. If "git-credential-osxkeychain store" commands run in
parallel (with fetch.parallel configuration and/or by running multiple
git commands simultaneously), some of them may exit with the error
"failed to store: -25299". This is because SecItemUpdate() in
add_internet_password() may return errSecDuplicateItem (-25299) in this
situation. Apple's documentation [1] also states as below:

  In macOS, some of the functions of this API block while waiting for
  input from the user (for example, when the user is asked to unlock a
  keychain or give permission to change trust settings). In general, it
  is safe to use this API in threads other than your main thread, but
  avoid calling the functions from multiple operations, work queues, or
  threads concurrently. Instead, serialize function calls or confine
  them to a single thread.

The error has not been noticed before, because the former implementation
ignored the error.

Introduce an exclusive lock to serialize execution of operations.

[1] https://developer.apple.com/documentation/security/certificate_key_and_trust_services/working_with_concurrency

Signed-off-by: Koji Nakamaru <koji.nakamaru@gree.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Koji Nakamaru 2024-05-15 19:21:06 +00:00 committed by Junio C Hamano
parent 786a3e4b8d
commit fcf5b74e59

View file

@ -414,6 +414,9 @@ int main(int argc, const char **argv)
if (!argv[1])
die("%s", usage);
if (open(argv[0], O_RDONLY | O_EXLOCK) == -1)
die("failed to lock %s", argv[0]);
read_credential();
if (!strcmp(argv[1], "get"))