winhowes · winhowes · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/app/redis_tls_auth_test.go b/app/redis_tls_auth_test.go
@@ -147,7 +147,7 @@ func TestRateLimiterRedisAuthUsername(t *testing.T) {
 }
 
 func TestRateLimiterRedisTLSAuthRequiresVerification(t *testing.T) {
-	key, _ := rsa.GenerateKey(rand.Reader, 1024)
+	key, _ := rsa.GenerateKey(rand.Reader, 2048)
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject:      pkix.Name{CommonName: "srv"},
@@ -201,7 +201,7 @@ func TestRateLimiterRedisTLSAuthRequiresVerification(t *testing.T) {
 }
 
 func TestRateLimiterRedisTLSWithCA(t *testing.T) {
-	key, _ := rsa.GenerateKey(rand.Reader, 1024)
+	key, _ := rsa.GenerateKey(rand.Reader, 2048)
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject:      pkix.Name{CommonName: "srv"},

diff --git a/app/secrets/plugins/keychain/plugin.go b/app/secrets/plugins/keychain/plugin.go
@@ -47,7 +47,7 @@ func (keychainPlugin) Load(ctx context.Context, id string) (string, error) {
 		return "", fmt.Errorf("keychain lookup failed: %w", err)
 	}
 
-	return string(out), nil
+	return trimCommandLineTerminator(out), nil
 }
 
 func parseKeychainID(id string) (service, account string, err error) {
@@ -65,4 +65,8 @@ func parseKeychainID(id string) (service, account string, err error) {
 	return service, account, nil
 }
 
+func trimCommandLineTerminator(out []byte) string {
+	return strings.TrimSuffix(string(out), "\n")
+}
+
 func init() { secrets.Register(keychainPlugin{}) }
diff --git a/app/secrets/plugins/keychain/plugin_test.go b/app/secrets/plugins/keychain/plugin_test.go
@@ -23,7 +23,7 @@ func TestKeychainPluginLoad(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
-	if got != "super-secret\n" {
+	if got != "super-secret" {
 		t.Fatalf("expected exact secret bytes, got %q", got)
 	}
 
@@ -46,11 +46,29 @@ func TestKeychainPluginLoadPreservesWhitespace(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
-	if got != "  secret with spaces  \n" {
+	if got != "  secret with spaces  " {
 		t.Fatalf("expected exact secret bytes, got %q", got)
 	}
 }
 
+func TestKeychainPluginLoadPreservesTrailingCRBeforeCommandLF(t *testing.T) {
+	old := execSecurityCommand
+	t.Cleanup(func() { execSecurityCommand = old })
+
+	execSecurityCommand = func(ctx context.Context, args ...string) ([]byte, error) {
+		return []byte("secret\r\n"), nil
+	}
+
+	p := keychainPlugin{}
+	got, err := p.Load(context.Background(), "svc")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if got != "secret\r" {
+		t.Fatalf("expected trailing carriage return to be preserved, got %q", got)
+	}
+}
+
 func TestKeychainPluginLoadServiceOnly(t *testing.T) {
 	old := execSecurityCommand
 	t.Cleanup(func() { execSecurityCommand = old })

diff --git a/app/secrets/plugins/secretservice/plugin_test.go b/app/secrets/plugins/secretservice/plugin_test.go
@@ -50,6 +50,24 @@ func TestSecretServicePluginLoadPreservesWhitespace(t *testing.T) {
 	}
 }
 
+func TestSecretServicePluginLoadPreservesCRLFTrailingBytes(t *testing.T) {
+	old := execSecretTool
+	t.Cleanup(func() { execSecretTool = old })
+
+	execSecretTool = func(ctx context.Context, args ...string) ([]byte, error) {
+		return []byte("secret\r\n"), nil
+	}
+
+	p := secretServicePlugin{}
+	got, err := p.Load(context.Background(), "service=slack")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if got != "secret\r\n" {
+		t.Fatalf("expected exact secret bytes, got %q", got)
+	}
+}
+
 func TestSecretServicePluginLoadInvalidID(t *testing.T) {
 	p := secretServicePlugin{}
 	if _, err := p.Load(context.Background(), "bad"); err == nil {