I am using Hyprland setup with NixOS.
When I open VS code after boot for the first time, I get a confirmation popup to enter my password. The reason being “The login keyring did not get unlocked.”
Is there a fix for this? It should automatically do it, no?
I am not even using a different password for the keyring.
I am using Gnome-Keyring with libsecret if that helps.
Yeah I observed this too.
From memory the behaviour was different in the past, my gnome-keyring used to (at least that’s my current explanation) be unlocked at startup.
Do you have the following set?
# unlock keyring on login
security.pam.services.greetd.enableGnomeKeyring = true;
Note this assumes a greetd setup.
I am using GDM as my login manager.
security.pam.services.gdm.enableGnomeKeyring = true;
I have this set in my configuration, but it doesn’t work for some reason.
Does ps aux | grep gnome-keyring-daemon show something like /run/wrappers/bin/gnome-keyring-daemon --start --foreground --components=secrets? I’m using the service services.gnome.gnome-keyring.enable to start it up for me. Just wanted to verify it’s running.
Here’s the output after running the command:
ps aux | grep gnome-keyring-daemon:
masum 5471 0.0 0.0 6412 2596 pts/0 S+ 13:57 0:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox gnome-keyring-daemon
After unlocking the keyring:
masum 5849 0.0 0.0 458544 9344 ? SLl 13:57 0:00 /run/wrappers/bin/gnome-keyring-daemon --start --foreground --components=secrets
masum 7260 0.0 0.0 6412 2628 pts/0 S+ 14:03 0:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox gnome-keyring-daemon
Do you have services.gnome.gnome-keyring.enable = true; in your config? If not, try adding that.
I have the following in my configuration, still the same issue.:
services.gnome.gnome-keyring.enable = true;
programs.seahorse.enable = true; # enable the graphical frontend
environment.systemPackages = [ pkgs.libsecret ]; # libsecret api needed
security.pam.services.gdm.enableGnomeKeyring = true; # load gnome-keyring at startup
The problem is, it sometimes works and sometimes doesn’t. I don’t know what is the trigger/cause of it to stop unlocking it automatically during login.
Found out the actual problem. The login shell runtime dir was not properly set at gdm startup.
So set
environment.variables.XDG_RUNTIME_DIR = "/run/user/$UID"; # set the runtime directory
which unlocks the keyring properly every time now.
Full config is here.
From journalctl -b | grep gkr-pam:
Mar 26 00:28:17 Ainz-NIX gdm-password][3065]: gkr-pam: unable to locate daemon control file
Mar 26 00:28:17 Ainz-NIX gdm-password][3065]: gkr-pam: stashed password to try later in open session
Mar 26 00:28:17 Ainz-NIX gdm-password][3065]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Thanks for finding this a while back, it really helped me solving the issue.
As of todays update, my logs show
May 03 23:58:58 aitutaki sddm-helper[2679]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
May 04 00:06:35 aitutaki gnome-keyring-daemon[3700]: couldn't access control socket: /run/user/31337/keyring/control: No such file or directory
and my gnome-keyring remains locked after startup.
Try with:
security.pam.services.gdm-password.enableGnomeKeyring = true;
simply using gdm/login there won’t work because GNOME keyring is supposed to be unlocked as part of gdm-password service.