The officially official Devuan Forum!

#1 2025-07-12 22:16:34

Altoid
Member
Registered: 2017-05-07
Posts: 1,769  

Daedalus: why so many keyrings?

Hello:

This is (sort of) a continuation of this thread from 09/2022.

My Daedalus installation has these keyrings installed:

$ apt list | grep installed | grep keyring
--- snip ---
debian-archive-keyring/stable,stable,now 2023.3+deb12u2 all [installed]
gnome-keyring/stable,now 42.1-1+b2 amd64 [installed]
python3-keyring/stable,stable,now 23.9.3-2 all [installed,automatic]
python3-keyrings.alt/stable,stable,now 4.2.0-1 all [installed,automatic]
$ 

I checked with aptitude to see just what wants what:

$ aptitude why debian-archive-keyring
i   apt Depends debian-archive-keyring
$ 
$ aptitude why gnome-keyring
i   backintime-common     Depends    python3-keyring                                       
i A python3-keyring       Depends    python3-secretstorage (>= 3.2)                        
i A python3-secretstorage Recommends gnome-keyring | libkf5wallet-bin (>= 5.97) | keepassxc
$ 
$ aptitude why python3-keyring
i   backintime-common Depends python3-keyring
$ 
$ aptitude why python3-keyrings.alt
i   backintime-common Depends  python3-keyring     
i A python3-keyring   Suggests python3-keyrings.alt
$ 

debian-archive-keyring is for apt -> must keep
gnome-keyring is a recommends from python3-secretstorage -> must keep / could replace with keepassxc, also a recommends (?)
python3-keyring is a recommends from backintime -> must keep
python3-keyrings.alt is a suggests from python3-keyrings.alt -> security issues / not needed*

* see the Debian package description here.

package_description wrote:

Keyrings in this package may have security risks or other implications. These backends were extracted from the main keyring project to make them available for those who wish to employ them, but are discouraged for general production use. Include this module and use its backends at your own risk.

I have purged python3-keyrings.alt with no apparent ill effects, will stay alert.

I use the gnome-disk-utility and am in the process of checking on the various gnome-whatevers installed in my system to see to what extent they are needed.

The one I am working on now is gnome-keyring which cannot be purged because then BiT does not work.

Makes me wonder why a recommends flag like this one isn't a depends flag.
e.g.:

$ aptitude why gnome-keyring
i   backintime-common     Depends    python3-keyring                                       
i A python3-keyring       Depends    python3-secretstorage (>= 3.2)                        
i A python3-secretstorage Depends gnome-keyring |or| libkf5wallet-bin (>= 5.97) |or| keepassxc
$ 

That said, if I understood correctly, gnome-keyring can be replaced with keepassxc.

Q:
How can I go about doing that without getting myself a hard-to-solve problem?
e.g.: screwing up BiT routines

Thanks in advance.

Best,

A.

#2 Yesterday 00:31:41

EDX-0
Member
Registered: 2020-12-12
Posts: 121  

Re: Daedalus: why so many keyrings?

not every "keyring" is the same type, this stems from the mislabeling of keyring packages

the debian and devuan keyrings would be the "true" keyrings as those contain the keys to authenticate that the packages in fact come from debian or devuan

the gnome keyring is mislabeled as it should be the gnome-keyring-daemon, what it does is store your passwords and secrets, provide the dbus interface so that other programs can use the passwords and secrets (so that for example upon login your browser does not ask for your local user password to unlock its password store and allow you to login onto websites), it also implements the gpg and ssh agents to load the user keys and ask for passphrases only when needed, so for example if you are staging a commit with git and want to sign the commit with a gpg key, the gnome keyring daemon loads the key so that you don't need to enter the key's passphrase every time, then when you push that commit, if you do it through ssh the keyring daemon loads the ssh key so that you don't have to enter the passphrase for that one too

as for replacing the gnome keyring daemon with keepass, you need to install a plugin because that functionality is not part of the main keepassxc program, the pass password manager also has a similar plugin https://github.com/mdellweg/pass_secret_service

personally i use bitwarden as my password manager so the gnome keyring daemon is what integrates the best with my environment, if i was invested with either pass or keepassxc then i'd consider replacing functionality of the keyring daemon with plugins for either of those.

#3 Yesterday 11:57:41

Altoid
Member
Registered: 2017-05-07
Posts: 1,769  

Re: Daedalus: why so many keyrings?

Hello:

EDX-0 wrote:

not every "keyring" is the same type ...
... debian and devuan keyrings ...
... contains the keys to authenticate the packages ...

So I gather.

EDX-0 wrote:

... gnome keyring ...
... should be the gnome-keyring-daemon ...

I see.

EDX-0 wrote:

... what it does is store your passwords ...
... dbus interface so that other programs can use ...
... upon login your browser does not ask for your local user password to unlock its password store and allow you to login onto websites.

But I do not want any of that done.
i.e.: I log in with a specific password as required when required, I have no interest in that being automated.

EDX-0 wrote:

... replacing the gnome keyring daemon with keepass ...
... need to install a plugin ...

Then why is it that aptitude prints out this:

$ aptitude why gnome-keyring
i   backintime-common     Depends    python3-keyring                                       
i A python3-keyring       Depends    python3-secretstorage (>= 3.2)                        
i A python3-secretstorage Recommends gnome-keyring | libkf5wallet-bin (>= 5.97) | keepassxc  <- ###
$ 

I understand that python3-secretstorage needs either gnome-keyring or keepassxc.
libkf5wallet-bin seems to be a transitional package that can be removed so it does not count, leaving keepassxc as the only other alternative to gnome-keyring.

EDX-0 wrote:

... invested with either pass or keepassxc ...
... consider replacing functionality ...
... with plugins for either of those.

The keepassxc web page FAQ says that it does not support plugins.

Further on, it also says that it requires network access and that if you do not want that particular feature, you have to compile it yourself.

Much to my chagrin, I think I will have to stay with the gnome-keyring daemon so that BiT will continue to work as it has up to now.

Thank you very much for your reply.

Best,

A.
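
Added example, not part of any post in this thread: a small parser for the `aptitude why` output quoted above. It reports the weakest relation in a chain (apt only enforces Depends when a package is removed) and the alternatives offered by the last link. The function names are this example's own, and the sample text is copied from the thread's output.

```python
import re

# Relations that appear in the thread's output; only Depends is enforced by apt on removal.
STRENGTH = {"Depends": 3, "Recommends": 2, "Suggests": 1}

# "i   src  Relation  target | target (>= x)" with an optional "A" (automatic) flag.
LINE = re.compile(
    r"^i\s+(?:A\s+)?(?P<src>\S+)\s+(?P<rel>Depends|Recommends|Suggests)\s+(?P<targets>.+?)\s*$"
)

# Sample input: the two chains shown in the thread.
WHY_GNOME_KEYRING = """\
i   backintime-common     Depends    python3-keyring
i A python3-keyring       Depends    python3-secretstorage (>= 3.2)
i A python3-secretstorage Recommends gnome-keyring | libkf5wallet-bin (>= 5.97) | keepassxc
"""
WHY_KEYRINGS_ALT = """\
i   backintime-common Depends  python3-keyring
i A python3-keyring   Suggests python3-keyrings.alt
"""

def parse_chain(text):
    """Return [(source, relation, [alternatives])], version constraints stripped."""
    chain = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # shell prompts, blank lines, "--- snip ---"
        alts = [re.sub(r"\s*\(.*?\)", "", t).strip()
                for t in m.group("targets").split("|")]
        chain.append((m.group("src"), m.group("rel"), alts))
    return chain

def removal_report(text, package):
    """Summarise how strongly `package` is held in place by the chain."""
    chain = parse_chain(text)
    src, rel, _ = min(chain, key=lambda link: STRENGTH[link[1]])
    return {
        "package": package,
        "weakest": (src, rel),
        "enforced_by_apt": rel == "Depends",  # True only if every link is Depends
        "alternatives": [a for a in chain[-1][2] if a != package],
    }

if __name__ == "__main__":
    print(removal_report(WHY_GNOME_KEYRING, "gnome-keyring"))
    print(removal_report(WHY_KEYRINGS_ALT, "python3-keyrings.alt"))
```

A result of `enforced_by_apt: False` only says that apt will allow the removal; whether the dependent program still works afterwards has to be tested, as the first post found with BiT.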
