A minimal macOS pinentry implementation for rbw.

It currently focuses on four things:

- Collect the Bitwarden master password with a GUI prompt on first unlock
- Prefer a macOS GUI password prompt for manual entry, with terminal fallback
- Store the password in macOS Keychain
- Use `LocalAuthentication` before reading the stored password from Keychain

This is still an MVP. The current goal is to prove out:

- The minimum `pinentry` protocol surface needed by `rbw`
- Touch ID unlock
- Letting the macOS authentication UI decide whether Apple Watch can participate when supported by the system
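For readers unfamiliar with what "the minimum pinentry protocol surface" means in practice, the following is an added illustration (not the project's code) of an Assuan-style pinentry loop in Swift. It assumes the client only needs the `SET*` family, `GETPIN` and `BYE` (the exact command list rbw sends is an assumption here), and it abstracts the password source behind a closure so the same loop could be backed by a GUI prompt, a Keychain read, or the terminal fallback shown at the bottom. Secrets go out on a `D` data line with the protocol's percent-escaping, followed by `OK`.

```swift
import Foundation

// Added example, not code from pinentry-rbw-macos. The set of commands handled
// below is an assumption about what a minimal rbw-facing pinentry needs.

/// Percent-escape a secret for an Assuan "D" data line. The protocol requires
/// '%', CR and LF to be sent as %25, %0D and %0A; '%' is replaced first so the
/// other two replacements cannot be escaped twice.
func assuanEscape(_ s: String) -> String {
    return s.replacingOccurrences(of: "%", with: "%25")
            .replacingOccurrences(of: "\r", with: "%0D")
            .replacingOccurrences(of: "\n", with: "%0A")
}

/// Compute the response lines for one client command.
/// `askPin` is invoked only for GETPIN and returns nil when the user cancels.
func respond(to line: String, askPin: () -> String?) -> [String] {
    let parts = line.split(separator: " ", maxSplits: 1).map(String.init)
    let command = parts.first?.uppercased() ?? ""

    switch command {
    case "":
        return []                                // blank line: nothing to answer
    case "SETTITLE", "SETDESC", "SETPROMPT", "SETOK", "SETCANCEL", "SETERROR", "OPTION":
        return ["OK"]                            // accepted; a GUI would use these strings for its dialog
    case "GETPIN":
        guard let pin = askPin() else {
            // GPG_ERR_CANCELED from the Pinentry error source, as real pinentry reports it.
            return ["ERR 83886179 Operation cancelled <Pinentry>"]
        }
        return ["D " + assuanEscape(pin), "OK"]  // data line first, then the status line
    case "BYE":
        return ["OK closing connection"]
    default:
        return ["OK"]                            // minimal surface: unknown commands are tolerated, not rejected
    }
}

/// Terminal fallback for headless sessions: reads from the controlling terminal
/// with echo disabled via libc getpass(3), so the protocol channel on stdin is
/// not consumed by the prompt.
func readPinFromTerminal() -> String? {
    guard let raw = getpass("Master password: ") else { return nil }
    let pin = String(cString: raw)
    return pin.isEmpty ? nil : pin
}

/// Serve the protocol over stdin/stdout until BYE or EOF.
func serve(askPin: () -> String?) {
    print("OK Pleased to meet you")              // Assuan greeting the client waits for
    while let line = readLine() {
        let trimmed = line.trimmingCharacters(in: .whitespacesAndNewlines)
        for reply in respond(to: trimmed, askPin: askPin) {
            print(reply)
        }
        fflush(stdout)                           // the client reads line by line; do not leave replies buffered
        if trimmed.uppercased().hasPrefix("BYE") { break }
    }
}

serve(askPin: readPinFromTerminal)
```

Placed in a `main.swift` and built with `swift build`, this serves a client that pipes commands into its stdin; swapping `readPinFromTerminal` for a closure that runs the GUI prompt or reads the Keychain is the only change needed to cover the other entry paths listed above.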
Homebrew is the recommended installation path:

```sh
brew tap pppobear/tap
brew install pinentry-rbw-macos
```

If you just want to try it without Homebrew, prebuilt binaries are also available from GitHub Releases.

After installing with Homebrew, point rbw at the installed binary:

```sh
rbw config set pinentry "$(brew --prefix)/bin/pinentry-rbw-macos"
```

If you use multiple profiles, keep `RBW_PROFILE` set consistently so each profile maps to a separate Keychain account.

Seed the master password interactively:

```sh
pinentry-rbw-macos --store
```

Seed the master password from standard input:

```sh
printf '%s' 'your-master-password' | pinentry-rbw-macos --store-stdin
```

A password typed literally on the command line can end up in your shell history; prefer piping it from another program or a file you control.

Remove the stored password:

```sh
pinentry-rbw-macos --clear
```

Build from source locally:

```sh
cd pinentry-rbw-macos
swift build -c release
```

Binary path:

```
./.build/release/pinentry-rbw-macos
```

If you are testing from a local source checkout, you can temporarily point rbw at the locally built binary:

```sh
rbw config set pinentry "$(pwd)/.build/release/pinentry-rbw-macos"
```

Pushing a `v*` tag triggers the GitHub Actions release workflow:

```sh
git tag v0.1.0
git push origin v0.1.0
```

Release artifacts include:

- `pinentry-rbw-macos-vX.Y.Z-macos-arm64.zip`
- `pinentry-rbw-macos-vX.Y.Z-macos-x86_64.zip`
- matching `sha256` files
- an updated Homebrew formula in `pppobear/homebrew-tap` when `HOMEBREW_TAP_GITHUB_TOKEN` is configured

You can also run the Release workflow manually from GitHub Actions. When running it manually, provide a version such as `v0.1.0`.

To update the Homebrew tap automatically, add a repository secret named `HOMEBREW_TAP_GITHUB_TOKEN` with permission to push to `pppobear/homebrew-tap`.

After the tap has been updated, users need to refresh local metadata before upgrading:

```sh
brew update
brew upgrade pinentry-rbw-macos
```

Environment variables:

- `RBW_PROFILE`
- `PINENTRY_RBW_SERVICE`
- `PINENTRY_RBW_ACCOUNT`
- The GUI password prompt requires a desktop session; SSH and other headless sessions fall back to terminal input
- Only the minimum `pinentry` behavior needed by `rbw` is implemented right now
- Whether Apple Watch appears as an authentication option depends on macOS version, hardware, and system settings; this project does not force a companion-only policy
- The current unlock flow protects reads at the application layer: it runs `LocalAuthentication` before reading a normal Keychain item. This is not the same as storing the password in a Keychain entry enforced with `.userPresence`.
- This design is intentional for the current project setup: without an Apple developer account, the project does not have a reliable signing / entitlement distribution pipeline for a `.userPresence`-protected Keychain item.
- As a result, this is better suited to improving day-to-day protection than defending against a local attacker who can already run code as your user and bypass or patch the app's read path.
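To make the distinction in the last three points concrete, here is an added Swift example (not the project's code) showing both shapes side by side: variant A is an ordinary Keychain item read only after the app itself passes an `LAContext` check, variant B is an item created with a `SecAccessControl` carrying `.userPresence`, where the Keychain enforces the prompt on every read. The service and account names are placeholders. Variant B uses the data protection keychain (`kSecUseDataProtectionKeychain`), which on macOS requires the app to be code-signed with the appropriate entitlements; that is the signing/entitlement gap the list above refers to.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not pinentry-rbw-macos code. Placeholder identifiers:
let exampleService = "example.pinentry-rbw"
let exampleAccount = "example-profile"

/// Attribute subset shared by every query below.
func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount,
    ]
}

// --- Variant A: application-layer gate (the flow described above) ---------
// A normal Keychain item; nothing in the item itself demands user presence.

func storePlain(_ secret: Data) -> OSStatus {
    var add = baseQuery()
    add[kSecValueData as String] = secret
    SecItemDelete(baseQuery() as CFDictionary)   // replace any previous value
    return SecItemAdd(add as CFDictionary, nil)
}

/// Synchronously ask macOS to authenticate the user. The system UI chooses the
/// factors it offers (Touch ID, Apple Watch where the system permits it, or the
/// account password); the caller does not pick a companion-only policy.
func userPresenceConfirmed(reason: String) -> Bool {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
        return false
    }
    let done = DispatchSemaphore(value: 0)
    var granted = false
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, _ in
        granted = success
        done.signal()
    }
    done.wait()
    return granted
}

func readPlainGatedByApp() -> Data? {
    // The gate lives in this process only: another process running as the same
    // user can issue the SecItemCopyMatching below without ever passing it.
    guard userPresenceConfirmed(reason: "unlock the rbw master password") else { return nil }
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
    return item as? Data
}

// --- Variant B: Keychain-enforced .userPresence item ----------------------
// The access-control object is stored with the item, so the Keychain (not the
// app) shows the authentication UI on each read and refuses the data otherwise.

func storeUserPresenceProtected(_ secret: Data) -> OSStatus {
    var aclError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .userPresence,
        &aclError) else {
        return errSecParam
    }
    var del = baseQuery()
    del[kSecUseDataProtectionKeychain as String] = true
    SecItemDelete(del as CFDictionary)
    var add = del
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}

func readUserPresenceProtected() -> Data? {
    let context = LAContext()
    context.localizedReason = "unlock the rbw master password"
    var query = baseQuery()
    query[kSecUseDataProtectionKeychain as String] = true
    query[kSecUseAuthenticationContext as String] = context
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    // If the system prompt is dismissed or fails, the call returns an error
    // status (for example errSecUserCanceled) and no data is handed out.
    guard status == errSecSuccess else { return nil }
    return item as? Data
}
```

The practical difference is where the check can be skipped: in variant A it can be skipped by any code running as the same user that talks to the Keychain directly, which is exactly the limitation stated above; in variant B it cannot, but the item can only be created and read by a properly signed and entitled binary, which is why the project does not ship it yet.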