{"id":31679276,"url":"https://github.com/rgeraskin/kctouch","last_synced_at":"2026-05-15T13:03:45.808Z","repository":{"id":315133714,"uuid":"1051058553","full_name":"rgeraskin/kctouch","owner":"rgeraskin","description":"A command-line tool for managing macOS Keychain items with TouchID authentication","archived":false,"fork":false,"pushed_at":"2025-09-16T22:22:11.000Z","size":12,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-09-16T23:18:40.605Z","etag":null,"topics":["keepassxc","keychain","macos","secrets","security","touchid"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgeraskin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-05T11:28:28.000Z","updated_at":"2025-09-16T22:23:43.000Z","dependencies_parsed_at":"2025-09-16T23:19:35.447Z","dependency_job_id":"d4d8278e-a31c-40f3-9cd4-0d076073a553","html_url":"https://github.com/rgeraskin/kctouch","commit_stats":null,"previous_names":["rgeraskin/kctouch"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/rgeraskin/kctouch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgeraskin%2Fkctouch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgeraskin%2Fkctouch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgeraskin%2Fkctouch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgeraskin%2Fkctouch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgeraskin","download_url":"https://codeload.github.com/rgeraskin/kctouch/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgeraskin%2Fkctouch/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278903008,"owners_count":26065786,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keepassxc","keychain","macos","secrets","security","touchid"],"created_at":"2025-10-08T06:47:36.851Z","updated_at":"2025-10-08T06:47:44.213Z","avatar_url":"https://github.com/rgeraskin.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kctouch\n\nA command-line tool for managing macOS Keychain items with TouchID authentication.\n\n## Overview\n\n**kctouch** is a Go-based CLI tool that provides a simple and secure way to store, retrieve, and manage passwords in the macOS Keychain. All operations require TouchID authentication, ensuring that your credentials remain protected even if someone gains access to your terminal.\n\nIt can be used standalone or as a Touch ID interface for your favorite password manager CLI tool: store the master password for your database in the keychain and use kctouch to retrieve it to unlock your secrets. For example, at the time of writing, KeePassXC does not support Touch ID for its CLI. And as far as I know, there is no KeePass CLI backend that supports Touch ID authentication.\n\nKctouch works with generic-password keychain items only.\n\n## Features\n\n- 🔐 **TouchID Authentication** - All operations require biometric authentication\n- 🔑 **Keychain Integration** - Seamlessly works with macOS Keychain\n- 📝 **Multiple Input Methods** - Support for interactive input, stdin, and command-line arguments\n- 🛡️ **Secure by Default** - No plaintext password storage in command history\n- ⚡ **Fast \u0026 Lightweight** - Single binary with minimal dependencies\n- 🎯 **Simple Interface** - Intuitive commands with helpful aliases\n\nYou probably know that the macOS `security` command-line tool can manage Keychain items. But granting it access to your secrets means any application with terminal access can potentially retrieve those secrets using the `security` command without prompting for authentication. Kctouch addresses this by adding an intermediate layer of authentication with Touch ID, enhancing security.\n\n## Requirements\n\n- macOS with TouchID support\n- Go 1.24.4 or later (for building from source)\n\n## Installation\n\n### Homebrew\n\n```sh\nbrew install rgeraskin/homebrew/kctouch\n```\n\n### Using Go Install\n\n```bash\ngo install github.com/rgeraskin/kctouch@latest\n```\n\n### From Source\n\n```bash\ngit clone https://github.com/rgeraskin/kctouch.git\ncd kctouch\ngo build -o kctouch\nsudo mv kctouch /usr/local/bin/\n```\n\n## Usage\n\nAll commands support the following flags:\n- `-s, --service` - Service name (required for add/rm operations)\n- `-a, --account` - Account name (optional)\n- `-l, --label` - Label for the keychain item (optional, defaults to service name)\n- `-v, --verbose` - Enable verbose logging\n- `--cache-for` - Cache authentication for specified time duration (e.g. 1h, 10m, 10s)\n- `--cache-n` - Cache authentication for N subsequent operations\n\n### Adding Passwords\n\n#### Interactive password input (recommended for security):\n```bash\nkctouch add -s \"MyService\"\n# You'll be prompted to enter the password securely\n```\n\n#### From stdin:\n```bash\necho \"mypassword\" | kctouch add -s \"MyService\" -p -\n```\n\n#### Direct password (not recommended for sensitive data):\n```bash\nkctouch add -s \"MyService\" -p \"mypassword\"\n```\n\n#### With custom label and account:\n```bash\nkctouch add -s \"ghpat\" -a \"myuser\" -l \"GitHub Personal Access Token\"\n```\n\n#### Updating existing passwords:\n```bash\n# Update an existing password entry\nkctouch add -s \"MyService\" -u\n\n# Update with new password directly\nkctouch add -s \"MyService\" -p \"newpassword\" --update\n```\n\n### Retrieving Passwords\n\n```bash\n# Get password by service name\nkctouch get -s \"GitHub\"\n\n# Get password by service and account\nkctouch get -s \"GitHub\" -a \"myusername\"\n\n# Get password with specific label\nkctouch get -l \"GitHub Personal Access Token\"\n\n# Using with scripts\nAPI_KEY=$(kctouch get -s \"myapi\" -a \"production\")\ncurl -H \"Authorization: Bearer $API_KEY\" https://api.example.com/data\n\n# Using in pipes\nkctouch get -l keepass | keepassxc-cli show -a password -s passwords.kdbx my/password\n```\n\n### Removing Passwords\n\n```bash\n# Remove by service name\nkctouch rm -s \"GitHub\"\n\n# Remove by service and account\nkctouch rm -s \"GitHub\" -a \"myusername\"\n```\n\n### Authentication Caching\n\nTo reduce the number of TouchID prompts during multiple operations, you can cache authentication:\n\n```bash\n# Get secret and cache authentication for 10 minutes\nkctouch get -s /my/secret --cache-for 10m\n\n# Add secret and cache authentication for 5 operations\nkctouch add -s /my/secret --cache-n 5\n\n# Remove secret and invalidate authentication cache for duration\nkctouch rm -s /my/secret --cache-for 0\n\n# Invalidate authentication cache for number of operations\nkctouch noop --cache-n 0\n```\n\nIf you set both `--cache-for` and `--cache-n`, the attempts will begin to decrease from `--cache-n` after `--cache-for` expires.\n\n### No-Op Command\n\nThe `noop` command is useful for authentication caching without performing any actual keychain operations:\n\n```bash\n# Authenticate and cache for future operations\nkctouch noop --cache-for 5m\n\n# Just do nothing except auth\nkctouch noop\n```\n\n### Command Aliases\n\nFor faster typing, kctouch supports several aliases:\n\n- **add**: `a`, `put`, `set`\n- **get**: `g`, `find`\n- **rm**: `d`, `del`, `delete`, `remove`\n\nExamples:\n```bash\nkctouch a -s \"service\" -p \"password\"\nkctouch g -s \"service\"\nkctouch d -s \"service\"\n```\n\n### Debugging and Verbose Output\n\nUse the verbose flag to see detailed logging information:\n\n```bash\n# Enable verbose logging for any command\nkctouch add -s \"service\" -v\nkctouch get -s \"service\" --verbose\nkctouch noop --cache-for 5m -v\n```\n\n## Dependencies\n\n- [cobra](https://github.com/spf13/cobra) - CLI framework\n- [go-keychain](https://github.com/keybase/go-keychain) - macOS Keychain bindings\n- [go-touchid](https://github.com/ansxuman/go-touchid) - TouchID authentication\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## Support\n\nIf you encounter any issues or have questions, please open an issue on GitHub.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgeraskin%2Fkctouch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frgeraskin%2Fkctouch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgeraskin%2Fkctouch/lists"}