Proposal: Keyring in keyring? Or how to reduce the number of items in a Keychain-backed keyring #50

Open
nickatsegment opened this issue Jul 15, 2019 · 0 comments

Comments

@nickatsegment

Hi, I'm the (main) maintainer of aws-okta. We don't sign our Mac OS X builds, so we constantly run into the issue of users having to reauthorize aws-okta for all its Keychain items, every time the binary changes (upgrades, new builds during dev, ...).

Probably, the best solution is to figure out signing, but my workaround was to collapse all items into a single JSON item. But it made me think that maybe this is useful to keyring more generally. It's essentially a JSON-backed, unencrypted keyring in a second Keychain-backed keyring item.

First off, I'm wondering if this is actually useful to any other users.

Second, I'm wondering how this should be implemented.

One approach is to add a new type like:

```go
type KeyringInKeyring struct {
	Parent        *Keyring
	ParentItemKey string
}
```

That would basically proxy `Keyring.*` methods to the parent keyring.

I'm not sure of the general utility of this approach. Another would be to solve this specific use case with a new backend `SingleItemKeychain` that would embed all Items in a single Keychain item.

Thoughts? To be clear, I'm considering contributing this myself.
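
The proposal above, sketched as an added example that is not part of the original issue or the keyring project's code: child items are stored as one JSON object inside a single parent item. The `Nested` type, its methods, the map standing in for the Keychain-backed parent, and all key names and values are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Nested keeps all child items in one item of a parent keyring, as a JSON object.
// Parent is a constructed in-memory stand-in (one entry per Keychain item), not the keyring API.
type Nested struct {
	Parent        map[string][]byte
	ParentItemKey string
}

// load decodes the parent item; a parent item that does not exist yet is an empty keyring.
func (n Nested) load() (map[string][]byte, error) {
	items := map[string][]byte{}
	if raw, ok := n.Parent[n.ParentItemKey]; ok {
		if err := json.Unmarshal(raw, &items); err != nil || items == nil {
			return nil, fmt.Errorf("parent item %q is not a JSON object: %v", n.ParentItemKey, err)
		}
	}
	return items, nil
}

func (n Nested) Get(key string) ([]byte, bool) {
	items, err := n.load()
	v, ok := items[key]
	return v, ok && err == nil
}

func (n Nested) Set(key string, data []byte) error {
	items, err := n.load()
	if err != nil {
		return err // never overwrite a parent item that does not parse
	}
	items[key] = data
	raw, err := json.Marshal(items)
	if err == nil {
		n.Parent[n.ParentItemKey] = raw // the one parent item is rewritten whole
	}
	return err
}

func main() {
	kr := Nested{Parent: map[string][]byte{}, ParentItemKey: "aws-okta"}
	_ = kr.Set("okta-creds", []byte("constructed-secret"))
	_ = kr.Set("session", []byte("constructed-token"))
	fmt.Println(len(kr.Parent), "parent item holds 2 child items")
}
```

Because the children are plain JSON inside the parent item, they get exactly the protection of that one item: a single authorization of the parent exposes every child. Each `Set` is a read-modify-write of the whole item, so concurrent writers need external locking.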
