AES-256-GCM credential decryption fails on macOS (Keyring + .encryption_key) #368
Description
Description
gws auth login completes successfully, but every subsequent command fails with:
Authentication failed: Failed to decrypt credentials: Decryption failed.
Credentials may have been created on a different machine.
This happens on the same machine, immediately after login. No machine change involved.
Environment
- gws version: 0.9.1
- OS: macOS 15.4 (Darwin 25.3.0), Apple Silicon (Mac Mini)
- Node.js: v22.x
- Shell: zsh
- Install method:
npm install -g @googleworkspace/cli
Steps to Reproduce
gws auth logoutgws auth login -s drive,gmail,calendar- Complete OAuth flow in browser — returns "Authentication successful"
gws drive files list --params '{"pageSize": 3}'→ 401 decryption errorgws auth export --unmasked→ same decryption error
What I Tried
- Fresh logout + login (multiple times)
- Creating
~/.config/gws/.encryption_keyfile before login (documented fallback for OS Keyring) — ignored, same error - Different OAuth client credentials (two separate GCP projects)
- Using
GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILEwith manually crafted credentials JSON — works for auth but hits 403 (separate issue) - Running from both interactive terminal and subprocess — same result in both
Expected Behavior
After successful gws auth login, subsequent commands should be able to decrypt the stored credentials.
Analysis
The .encryption_key local file fallback (mentioned in the auth success output: "key secured by OS Keyring or local .encryption_key") does not appear to be used during decryption. The encryption key seems to be written to the OS Keyring during auth login, but the read path during decryption fails — possibly a macOS Keychain access issue or a key name mismatch.