Issues with gnome-keyring and libsecret

I am running the gnome3 desktop and using mailnag.

Recently mailnag was upgraded from 1.3.0 to 2.0.0. Part of this changed
involved going from using libgnome-keyring to libsecret.

Since then, mailnag does not remember passwords between sessions. When I run mailnag-config the password fields are empty, and when I fill them in mailnag it restarts and runs correctly. However when I rerun mailnag-config or restart my login session the passwords disappear and mailnag warns the the passwords are invalid.

Seahorse shows the passwords when i look them up. I can’t figure out how to do a wildcard search in secret-tool to see if it can find them.

Is there a problem with the setup for gnome-keyring-demon which seem to be working for everything else.

This may not be the answer you may look for, but: I just moved to Gnome from a tiling WM and using mailnag has been one of the delights I always craved for, that’s why I wrote #85979. TIL, that installing mailnag plugins such as the one for Gnome’s online accounts, is not trivial for NixOS (as usual). That’s why I wrote:

I think gnome online accounts is a way to hook things like your google account to gnome. I don’t have any online account set up through Gnome. The gnome keyring is a way to store general confidental
information in an encrypted form in a store which gets unlocked with your password when you log in.

Gnome used to use libgnome-keyring API to store that information. Since 2014 this was replaced with libsecret. I know that other programs like gpg store info using the gnome keyring, and I can look at info using the seahorse application that was put there by gpg and mailnag. However when mailnag changed from 1.3.0 to 2.0.0 it replaced the libgnome-keyring3 code with libsecret, and mailnag could not save passwords anymore. The Gnome documentation references this change obsolescing libgnome-keyring and support for libsecrets but I cannot find anything about how this all works. Is the Gnome Keyring now supposed to support libsecrets? Is there a new daemon?

I just hoped someone here could clarify what is expected.

1 Like

@barryfm I understand your issue, no need to repeat yourself both here and at the PR. I’ve just tested mailnag with a Gmail account and with the online-accounts plugin disabled: I created the account, rebooted and I was able to see the account there again and had no passwords errors.

There is. Let’s ask some questions:

  1. Do you have seahorse enabled?
  2. What more services.gnome3.* do you have enabled?
  3. What do these commands print:
echo $XDG_DATA_DIRS | sed 's/:/\n/g' | sort -u
echo $GI_TYPELIB_PATH | sed 's/:/\n/g' | sort -u


1 Like

Sorry about repeating myself. I shouldn’t have posted to the PR.

I do not have seahorse enabled. This is the first time I have heard that seahorse worked as a service. I had thought it was just an GUI application.

echo $XDG_DATA_DIRS | sed 's/:/\n/g' | sort -u
echo $GI_TYPELIB_PATH | sed 's/:/\n/g' | sort -u

I enabled the seahorse service in gnome3 and things now are working. Thank you very much for your help.

I used:

programs.seahorse.enabled = true;
services.gnome3 = {
   seahorse.enabled = true;

I’m not sure if both is needed.

After looking explicitly for the seahorse service I found web references. However, it was not mentioned
in reference to the obsoleting of libgnome-keyring in the gnome3 documentation or in the NixOS manual’s short reference to enabling the gnome3 desktop. I also find no references to how it should be setup, since it has a program.seahorse.enable flag and could be listed in services.gnome3 or maybe even services.dbus.packages. Often the nixpkgs code allows for multiple ways, but its a bit confusing there are few NixOS wide published conventions. This seems like something the NixOS manual could do.

Hi, GNOME maintainer in nixos here :wave:

services.gnome3.seahorse.enable was renamed to programs.seahorse.enable in 20.03 IIRC. So they would do exactly the same thing.

As far as I can tell, I’m don’t think I have a clue how enabling seahorse fixed your issue. Unless you used seahorse to modify your login keyring somehow.

1 Like

I spoke to soon. The confusing part is that in the seahorse app the Default keyring is show as locked,
but I can quickly unlock it just by clicking on the lock symbol, without asking me for a password. If I then restart mailnag it works fine. The paswords involved are in the Default_keyring.
So it knows the password, it just does not unlock it at login.

If this works OK for others, then its probably not a NixOS issue. I have brought up the issue on the gnome-list to see if they input about what is going on.

Do you have any of these options enabled: ?

This was not a problem in my nix setup.

After I looked at the key setup on a Fedora and an Arch system I noticed that these did not have a Default_keyring, and all the passwords were in the Login keyring. The Login keyring only had a key to unlock the Default_keyring. I then:

  1. Deleted all the mailnag keys in the default keyring.
  2. Right clicked on the Login keyring and made it the default keyring
  3. Ran mailnag-config and reentered my passwords.

The new entries ended up in the Login keyring, and when I rebooted and logged in mailnag was
able to find them.

I’m not sure how the keyrings got set up the way they did, but I have been running Gnome from before the time that the pam setup had been worked out and I was regularly prompted by the gnome-keyring for my password every time I logged in.

Thanks for the help and sounding board to work out the issue. At least there is some documentation on the net about a solution. I know I looked a long time and found nothing.

1 Like

Yep, the keyring getting unlocked on login used to be a problem in nixos and we fixed that a couple releases back. So it’s likely that is exactly what happened.