I3 and gnome-keyring

I’m gradually switching from Gnome desktop to i3, and trying to figure out how gnome-keyring behaves in this context.

I haven’t explicitly enabled the keyring in my config, but I still have Gnome DE enabled, since I’m bouncing between Gnome and i3:

xserver.desktopManager.gnome3.enable = true;

and this is enabling gnome-keyring.

If I log into i3 (through lightdm), I can see that a keyring daemon was started:

$ pstree -U | head -2
systemd─┬─.colord-wrapped───2*[{.colord-wrapped}]
        ├─.gnome-keyring-───3*[{.gnome-keyring-}]

But I haven’t figured out how to use it. SSH_AUTH_SOCK is not set.
This leaves me with two questions:

  1. What’s causing the keyring daemon to be launched?
  2. What would I need to configure in order to actually use it?

I’m not very familiar with how X sessions are managed yet, but I’ve been poking around looking at startup scripts.

# Pull the relevant paths out of the lightdm configuration
lightdm_conf=/etc/lightdm/lightdm.conf

session_wrapper=$(awk '/^session-wrapper/ { print $NF }' "$lightdm_conf")
sessions_directory=$(awk '/^sessions-directory/ { print $NF }' "$lightdm_conf")
xserver_command=$(awk '/^xserver-command/ { print $NF }' "$lightdm_conf")

# Script that the i3 session entry runs (first word of its Exec= line)
i3_desktop_exec=$(awk -F= '/^Exec=/ { print $NF }' "$sessions_directory/none+i3.desktop")
xsession_script=${i3_desktop_exec%% *}

# X server config file passed via -config on the last line of the xserver-command wrapper
xserver_conf=$(tail -n 1 "$xserver_command" | grep -oP ' -config \K\S+')

I also noticed that services.xserver.displayManager.extraSessionFilePackages is set:

[ "/nix/store/3dkfy3sq81lczv9d9vh4jmr4saljgrpr-gnome-session-3.32.0" ]

though I don’t know if that’s relevant to gnome-keyring’s behavior.

I’m not sure I understand the questions here.
services.gnome3.gnome-keyring.enable = true; is how you enable the keyring.
Any program that uses the secret services api will then use gnome-keyring to store secrets.
You can use seahorse to look at what secrets are stored in your login keyring.
Is the question how do you store ssh secrets with gnome-keyring?

Sorry, I should’ve been clearer. I am basically asking how I can access the ssh secrets in my keyring.

In a Gnome Desktop session, the first time I use my ssh key I’ll be prompted (by a graphical prompt) for the passphrase. After that, I can use the key without further prompts, until I log out.

In i3, however, trying to use my key doesn’t cause a graphical prompt to be shown; instead I’m prompted in the terminal, and re-prompted each time I use the key.

Seahorse shows my ssh key in the keyring.

In Gnome Desktop, SSH_AUTH_SOCK is set to /run/user/1000/keyring/ssh, whereas in i3, it’s not set.

I’m not sure what changed, but the keyring daemon no longer starts automatically when I log into i3, only in Gnome desktop. It sounds like that’s actually the expected behavior.

This makes it straightforward to set the keyring up for use in i3:

services.xserver.windowManager.i3.extraSessionCommands = ''
  eval $(gnome-keyring-daemon --daemonize)
  export SSH_AUTH_SOCK
'';

At one point, I gave up and switched to using gpg-agent:

programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
};

This works nicely, except for how it handles sudo.


This is only vaguely related, but I have a similar setup, except that I start i3 from a home-manager managed xsession.

Instead of services.xserver.windowManager.i3.extraSessionCommands I’m using:

  xsession.profileExtra = ''
      eval $(${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon --daemonize --components=ssh,secrets)
      export SSH_AUTH_SOCK
  '';

…after which it almost worked, but was complaining with Gcr: couldn't prompt for password: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.keyring.SystemPrompter was not provided by any .service files when trying to access the prompter.

“Fixed” that by adding the package gcr manually to my system packages.
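
A way to check, from a terminal inside the i3 session, whether either configuration discussed in this thread took effect. This is an added example, not part of any post: the function names are hypothetical, and the `S.gpg-agent.ssh` socket name is gpg-agent's standard one rather than something quoted in the thread.

```shell
#!/bin/sh
# Added example: report which SSH agent, if any, SSH_AUTH_SOCK points at.
# Function names are hypothetical.

# Classify a socket path by name only (no filesystem access).
#   */keyring/ssh      gnome-keyring path quoted in the thread
#   */S.gpg-agent.ssh  gpg-agent's standard SSH socket name (assumption: default layout)
agent_kind() {
    case "$1" in
        "")                echo "unset" ;;
        */keyring/ssh)     echo "gnome-keyring" ;;
        */S.gpg-agent.ssh) echo "gpg-agent" ;;
        *)                 echo "other" ;;
    esac
}

# Print the agent kind and return 0 when the path is an existing socket;
# otherwise print the reason and return 1.
check_agent_sock() {
    sock=$1
    if [ -z "$sock" ]; then echo "unset"; return 1; fi
    if [ ! -e "$sock" ]; then echo "missing"; return 1; fi
    if [ ! -S "$sock" ]; then echo "not-a-socket"; return 1; fi
    agent_kind "$sock"
}

# A socket file can outlive its daemon, so ask the agent itself:
# ssh-add -l exits 2 only when it cannot reach an agent.
agent_responds() {
    command -v ssh-add >/dev/null 2>&1 || return 2
    rc=0
    SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

if kind=$(check_agent_sock "${SSH_AUTH_SOCK:-}"); then
    if agent_responds "$SSH_AUTH_SOCK"; then live=yes; else live=no; fi
    echo "agent: $kind, responding: $live"
else
    echo "no usable agent socket: $kind"
fi
```

A result of `unset` matches the i3 symptom described in the thread; `gnome-keyring` with `responding: yes` means the session commands exported a working socket.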