diff --git a/Cargo.lock b/Cargo.lock
index cca0238..0e277e8 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1691,7 +1691,7 @@ dependencies = [
 
 [[package]]
 name = "tiny-encrypt"
-version = "1.1.1"
+version = "1.1.2"
 dependencies = [
  "aes-gcm-stream",
  "base64",
diff --git a/Cargo.toml b/Cargo.toml
index 2d65b24..3a0f9d4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "tiny-encrypt"
-version = "1.1.1"
+version = "1.1.2"
 edition = "2021"
 license = "MIT"
 description = "A simple and tiny file encrypt tool"
diff --git a/src/cmd_decrypt.rs b/src/cmd_decrypt.rs
index 366f28a..78df5d8 100644
--- a/src/cmd_decrypt.rs
+++ b/src/cmd_decrypt.rs
@@ -18,8 +18,6 @@ use yubikey::YubiKey;
 use zeroize::Zeroize;
 
 use crate::{cmd_encrypt, consts, crypto_simple, util, util_enc_file, util_env, util_envelop, util_file, util_pgp, util_piv};
-#[cfg(feature = "macos")]
-use crate::util_keychainpasskey;
 use crate::compress::GzStreamDecoder;
 use crate::config::TinyEncryptConfig;
 use crate::consts::{
@@ -32,6 +30,8 @@ use crate::crypto_cryptor::{Cryptor, KeyNonce};
 use crate::spec::{EncEncryptedMeta, TinyEncryptEnvelop, TinyEncryptEnvelopType, TinyEncryptMeta};
 use crate::util::SecVec;
 use crate::util_digest::DigestWrite;
+#[cfg(feature = "macos")]
+use crate::util_keychainpasskey;
 use crate::util_progress::Progress;
 use crate::wrap_key::WrapKey;
 
@@ -200,7 +200,8 @@ pub fn decrypt_single(config: &Option<TinyEncryptConfig>,
         let temp_file = create_edit_temp_file(&write_file_content, path_out)?;
 
         let do_edit_file = || -> XResult<()> {
-            let temp_file_content_bytes = run_file_editor_and_wait_content(&editor, &temp_file, secure_editor, &temp_encryption_key_nonce)?;
+            let temp_file_content_bytes = run_file_editor_and_wait_content(
+                &editor, &temp_file, secure_editor, cmd_decrypt.readonly, &temp_encryption_key_nonce)?;
             if cmd_decrypt.readonly {
                 information!("Readonly, do not check temp file is changed.");
                 return Ok(());
@@ -283,13 +284,14 @@ pub fn decrypt_single(config: &Option<TinyEncryptConfig>,
     Ok(meta.file_length)
 }
 
-fn run_file_editor_and_wait_content(editor: &str, temp_file: &PathBuf, secure_editor: bool, temp_encryption_key_nonce: &(SecVec, SecVec)) -> XResult<Vec<u8>> {
+fn run_file_editor_and_wait_content(editor: &str, temp_file: &PathBuf, secure_editor: bool, readonly: bool, temp_encryption_key_nonce: &(SecVec, SecVec)) -> XResult<Vec<u8>> {
     let mut command = Command::new(editor);
     command.arg(temp_file.to_str().expect("Get temp file path failed."));
     if secure_editor {
         command.arg("aes-256-gcm");
         command.arg(&hex::encode(&temp_encryption_key_nonce.0));
         command.arg(&hex::encode(&temp_encryption_key_nonce.1));
+        if readonly { command.env("READONLY", "true"); }
     }
     debugging!("Run cmd: {:?}", command);
     let run_cmd_result = util_cmd::run_command_and_wait(&mut command);