Issues with gnome-keyring and libsecret

I am running the gnome3 desktop and using mailnag.

Recently mailnag was upgraded from 1.3.0 to 2.0.0. Part of this changed
involved going from using libgnome-keyring to libsecret.

Since then, mailnag does not remember passwords between sessions. When I run mailnag-config the password fields are empty, and when I fill them in mailnag it restarts and runs correctly. However when I rerun mailnag-config or restart my login session the passwords disappear and mailnag warns the the passwords are invalid.

Seahorse shows the passwords when i look them up. I can’t figure out how to do a wildcard search in secret-tool to see if it can find them.

Is there a problem with the setup for gnome-keyring-demon which seem to be working for everything else.

This may not be the answer you may look for, but: I just moved to Gnome from a tiling WM and using mailnag has been one of the delights I always craved for, that’s why I wrote #85979. TIL, that installing mailnag plugins such as the one for Gnome’s online accounts, is not trivial for NixOS (as usual). That’s why I wrote:

I think gnome online accounts is a way to hook things like your google account to gnome. I don’t have any online account set up through Gnome. The gnome keyring is a way to store general confidental
information in an encrypted form in a store which gets unlocked with your password when you log in.

Gnome used to use libgnome-keyring API to store that information. Since 2014 this was replaced with libsecret. I know that other programs like gpg store info using the gnome keyring, and I can look at info using the seahorse application that was put there by gpg and mailnag. However when mailnag changed from 1.3.0 to 2.0.0 it replaced the libgnome-keyring3 code with libsecret, and mailnag could not save passwords anymore. The Gnome documentation references this change obsolescing libgnome-keyring and support for libsecrets but I cannot find anything about how this all works. Is the Gnome Keyring now supposed to support libsecrets? Is there a new daemon?

I just hoped someone here could clarify what is expected.

1 Like

@barryfm I understand your issue, no need to repeat yourself both here and at the PR. I’ve just tested mailnag with a Gmail account and with the online-accounts plugin disabled: I created the account, rebooted and I was able to see the account there again and had no passwords errors.

There is. Let’s ask some questions:

  1. Do you have seahorse enabled?
  2. What more services.gnome3.* do you have enabled?
  3. What do these commands print:
echo $XDG_DATA_DIRS | sed 's/:/\n/g' | sort -u
echo $GI_TYPELIB_PATH | sed 's/:/\n/g' | sort -u

?

1 Like

Sorry about repeating myself. I shouldn’t have posted to the PR.

I do not have seahorse enabled. This is the first time I have heard that seahorse worked as a service. I had thought it was just an GUI application.

echo $XDG_DATA_DIRS | sed 's/:/\n/g' | sort -u
etc/profiles/per-user/barry/share
/home/barry/.nix-profile/share
/nix/store/01djnnw9gh2cazjr1nqakazdsag8xsc0-ibus-1.5.21/share
/nix/store/01djnnw9gh2cazjr1nqakazdsag8xsc0-ibus-1.5.21/share/gsettings-schemas/ibus-1.5.21
/nix/store/1181hzayb3bw71s2vlhid69npy0spik3-libgweather-3.34.0/share/gsettings-schemas/libgweather-3.34.0
/nix/store/79s3dn1snyvblcd0g21k69pz1wj699wj-gsettings-desktop-schemas-3.34.0/share/gsettings-schemas/gsettings-desktop-schemas-3.34.0
/nix/store/9apjfg5bh1d4rp268dvrwv7gwnid266h-mutter-3.34.6/share/gsettings-schemas/mutter-3.34.6
/nix/store/9p353v37zghdh1k7d0gsna7phgvwwl69-evolution-data-server-3.34.4/share/gsettings-schemas/evolution-data-server-3.34.4
/nix/store/a9h152qh8lkdad41lsmav7mm95w44812-network-manager-applet-1.8.24/share
/nix/store/ar60sfi23bmlzx79q8w0751wbgbr2bgm-gnome-settings-daemon-3.34.2/share/gsettings-schemas/gnome-settings-daemon-3.34.2
/nix/store/awrdsxmr9zmy9p4shy7kly7w6nh862li-gdm-3.34.1/share/gsettings-schemas/gdm-3.34.1
/nix/store/crs7zzp337d84g5nxzbqid9nbkda72jq-gnome-shell-extensions-3.34.2/share/gsettings-schemas/gnome-shell-extensions-3.34.2
/nix/store/gy6paf4sj8xakx1lyshcl7yibrg5s8iy-gnome-terminal-3.34.2/share
/nix/store/gy6paf4sj8xakx1lyshcl7yibrg5s8iy-gnome-terminal-3.34.2/share/gsettings-schemas/gnome-terminal-3.34.2
/nix/store/hxs5qmc5dvqh8prqaiw3iaig389ikb3r-gnome-shell-3.34.5/share
/nix/store/hxs5qmc5dvqh8prqaiw3iaig389ikb3r-gnome-shell-3.34.5/share/gsettings-schemas/gnome-shell-3.34.5
/nix/store/iabiw73qjpzc3pdb3dxxy67mfh2bq7a9-nautilus-3.34.3/share/gsettings-schemas/nautilus-3.34.3
/nix/store/ii6xlybrjqmixw6m228v0hkvfl8ifg9j-gnome-bluetooth-3.34.1/share
/nix/store/iswss4xpllmd4x5szj4ya1fjvxzx881y-network-manager-applet-1.8.24-lib/share/gsettings-schemas/network-manager-applet-1.8.24
/nix/store/j1aann2dzgnd9q5dk4qk03dhjinmknpp-telepathy-logger-0.8.2/share/gsettings-schemas/telepathy-logger-0.8.2
/nix/store/kim0q9jqqcgqn2n97rz9p7q7yraq4nmj-gnome-clocks-3.34.0/share
/nix/store/kim0q9jqqcgqn2n97rz9p7q7yraq4nmj-gnome-clocks-3.34.0/share/gsettings-schemas/gnome-clocks-3.34.0
/nix/store/m3xlgsji0jvpa2kibz4c3m5lbnnxv6k5-hicolor-icon-theme-0.17/share
/nix/store/m7c2qnp60ghng6xzmh0mrpcbflgah0rv-adwaita-icon-theme-3.34.3/share
/nix/store/mmswyr5l5kcr251iq94v3x8kc1bjmwf2-gnome-mimeapps/share
/nix/store/nk5s9rbqq0lb8g4gkhm1i6rf60igjva1-gpaste-3.34.1/share/gsettings-schemas/gpaste-3.34.1
/nix/store/paxgi6ajzwqm11cm3bpkxaql009bi51q-gnome-session-3.34.2/share
/nix/store/paxgi6ajzwqm11cm3bpkxaql009bi51q-gnome-session-3.34.2/share/gsettings-schemas/gnome-session-3.34.2
/nix/store/s3hp0m6j793p2shlj59alm87sp79z2zv-gnome-keyring-3.34.0/share/gsettings-schemas/gnome-keyring-3.34.0
/nix/store/syrw9vbnjwkv2px07gfbc2715fpvx06r-gtk+3-3.24.21/share
/nix/store/syrw9vbnjwkv2px07gfbc2715fpvx06r-gtk+3-3.24.21/share/gsettings-schemas/gtk+3-3.24.21
/nix/store/wadi8s0908mcxb7dlfgr7rk0amd4bvin-gjs-1.58.8/share/gsettings-schemas/gjs-1.58.8
/nix/store/xq0nsv2vj26v1icl8pwqa54bs854z7l7-cups-2.3.3/share
/nix/store/y8zplr8a7r2nynmm0vwzsb3wgmm5srfr-shared-mime-info-1.13.1/share
/nix/store/ylx1d6mm523ydihm4zi6n6dm4is23lp4-gcr-3.34.0/share
/nix/store/ylx1d6mm523ydihm4zi6n6dm4is23lp4-gcr-3.34.0/share/gsettings-schemas/gcr-3.34.0
/nix/var/nix/profiles/default/share
/run/current-system/sw/share
echo $GI_TYPELIB_PATH | sed 's/:/\n/g' | sort -u
nix/store/01djnnw9gh2cazjr1nqakazdsag8xsc0-ibus-1.5.21/lib/girepository-1.0
/nix/store/1181hzayb3bw71s2vlhid69npy0spik3-libgweather-3.34.0/lib/girepository-1.0
/nix/store/2j71zkvld1r8vhyk44xilcid9sybjpqw-gstreamer-1.16.2/lib/girepository-1.0
/nix/store/2j7zb8qsxw4m4myhq3cgy19d627zvkqd-upower-0.99.11/lib/girepository-1.0
/nix/store/789ac60d8hdyhgbi5arx26m34zp410ik-gst-plugins-base-1.16.2/lib/girepository-1.0
/nix/store/79s3dn1snyvblcd0g21k69pz1wj699wj-gsettings-desktop-schemas-3.34.0/lib/girepository-1.0
/nix/store/8b20phgy2df14a79xhcc1axfj6izgmnk-at-spi2-core-2.34.0/lib/girepository-1.0
/nix/store/8cwavgbqy7zql30qyw27kd5pvii9wn2b-telepathy-glib-0.24.1/lib/girepository-1.0
/nix/store/9p353v37zghdh1k7d0gsna7phgvwwl69-evolution-data-server-3.34.4/lib/girepository-1.0
/nix/store/adz7ks9j187dzbd1qpnx0jbr5brc6lfw-json-glib-1.4.4/lib/girepository-1.0
/nix/store/awrdsxmr9zmy9p4shy7kly7w6nh862li-gdm-3.34.1/lib/girepository-1.0
/nix/store/cklz5y6rqcd0c93r85jibpypf9xywlkz-libgudev-233/lib/girepository-1.0
/nix/store/flvlzs0z0fnc1zsnr9241biz7xwlmpc4-pango-1.44.7/lib/girepository-1.0
/nix/store/gqqny2pl5zrhcnykspaah25zsacvymgi-accountsservice-0.6.55/lib/girepository-1.0
/nix/store/hm3c159y0q2fslqq328gcmkfnwxmpmhx-gnome-autoar-0.2.4/lib/girepository-1.0
/nix/store/ii6xlybrjqmixw6m228v0hkvfl8ifg9j-gnome-bluetooth-3.34.1/lib/girepository-1.0
/nix/store/iswss4xpllmd4x5szj4ya1fjvxzx881y-network-manager-applet-1.8.24-lib/lib/girepository-1.0
/nix/store/ixyxjxyrbnv5ii259winl2l7dpbig8dm-gobject-introspection-1.62.0/lib/girepository-1.0
/nix/store/j1aann2dzgnd9q5dk4qk03dhjinmknpp-telepathy-logger-0.8.2/lib/girepository-1.0
/nix/store/jslgzyrv01cq2km0fxpp5vnn8w3gz6w9-polkit-0.116/lib/girepository-1.0
/nix/store/kh689v6iz7h9hljqx769imb4xd7q4wbc-clutter-1.26.4/lib/girepository-1.0
/nix/store/nk5s9rbqq0lb8g4gkhm1i6rf60igjva1-gpaste-3.34.1/lib/girepository-1.0
/nix/store/nmsb3s1mgzvmr2jflky1lzs6k6kv3j1z-gnome-desktop-3.34.7/lib/girepository-1.0
/nix/store/p1d2c82dfy4kn8wgp5np0x5dy7ixi97q-libical-3.0.7/lib/girepository-1.0
/nix/store/qiblx8fknsb45yfzwm3c19qv8dph1qyw-geoclue-2.5.5/lib/girepository-1.0
/nix/store/qpxrlwdjai5pnbks3ryc693zas49qf7c-librsvg-2.46.4/lib/girepository-1.0
/nix/store/rd3s91pyy3p1nwkzpkamx62szhryw4q1-network-manager-1.22.14/lib/girepository-1.0
/nix/store/syrw9vbnjwkv2px07gfbc2715fpvx06r-gtk+3-3.24.21/lib/girepository-1.0
/nix/store/vfzafmq3skvpa5332vjzwi0rqvpilbvs-libsoup-2.68.4/lib/girepository-1.0
/nix/store/w9hbx5lgl4b2d7n4p0sjn34jxpja9i1d-cogl-1.22.8/lib/girepository-1.0
/nix/store/ylx1d6mm523ydihm4zi6n6dm4is23lp4-gcr-3.34.0/lib/girepository-1.0
/nix/store/z3pjmsmk60wg3bklnndra12g7lgq3fik-atk-2.34.1/lib/girepository-1.0
/nix/store/zc66pg8gzxx7i5s7jc4cr3nkyx8vsnk2-gdk-pixbuf-2.40.0/lib/girepository-1.0
/nix/store/ziqyf7pcmhw2clyjlvbar8k8zfv4wghp-libsecret-0.20.3/lib/girepository-1.0

I enabled the seahorse service in gnome3 and things now are working. Thank you very much for your help.

I used:

programs.seahorse.enabled = true;
services.gnome3 = {
   ...
   seahorse.enabled = true;
};

I’m not sure if both is needed.

After looking explicitly for the seahorse service I found web references. However, it was not mentioned
in reference to the obsoleting of libgnome-keyring in the gnome3 documentation or in the NixOS manual’s short reference to enabling the gnome3 desktop. I also find no references to how it should be setup, since it has a program.seahorse.enable flag and could be listed in services.gnome3 or maybe even services.dbus.packages. Often the nixpkgs code allows for multiple ways, but its a bit confusing there are few NixOS wide published conventions. This seems like something the NixOS manual could do.

Hi, GNOME maintainer in nixos here :wave:

services.gnome3.seahorse.enable was renamed to programs.seahorse.enable in 20.03 IIRC. So they would do exactly the same thing.

As far as I can tell, I’m don’t think I have a clue how enabling seahorse fixed your issue. Unless you used seahorse to modify your login keyring somehow.

1 Like

I spoke to soon. The confusing part is that in the seahorse app the Default keyring is show as locked,
but I can quickly unlock it just by clicking on the lock symbol, without asking me for a password. If I then restart mailnag it works fine. The paswords involved are in the Default_keyring.
So it knows the password, it just does not unlock it at login.

If this works OK for others, then its probably not a NixOS issue. I have brought up the issue on the gnome-list to see if they input about what is going on.

Do you have any of these options enabled: https://nixos.org/nixos/options.html#keyring ?

This was not a problem in my nix setup.

After I looked at the key setup on a Fedora and an Arch system I noticed that these did not have a Default_keyring, and all the passwords were in the Login keyring. The Login keyring only had a key to unlock the Default_keyring. I then:

  1. Deleted all the mailnag keys in the default keyring.
  2. Right clicked on the Login keyring and made it the default keyring
  3. Ran mailnag-config and reentered my passwords.

The new entries ended up in the Login keyring, and when I rebooted and logged in mailnag was
able to find them.

I’m not sure how the keyrings got set up the way they did, but I have been running Gnome from before the time that the pam setup had been worked out and I was regularly prompted by the gnome-keyring for my password every time I logged in.

Thanks for the help and sounding board to work out the issue. At least there is some documentation on the net about a solution. I know I looked a long time and found nothing.

1 Like

Yep, the keyring getting unlocked on login used to be a problem in nixos and we fixed that a couple releases back. So it’s likely that is exactly what happened.