Login Keyring did not get unlocked - Hyprland

JohnRTitor · March 5, 2024, 9:44pm

I am using Hyprland setup with NixOS.
When I open VS code after boot for the first time, I get a confirmation popup to enter my password. The reason being “The login keyring did not get unlocked.”
Is there a fix for this? It should automatically do it, no?
I am not even using a different password for the keyring.

I am using Gnome-Keyring with libsecret if that helps.

don.dfh · March 6, 2024, 8:50pm

Yeah I observed this too.

From memory the behaviour was different in the past, my gnome-keyring used to (at least that’s my current explanation) be unlocked at startup.

willbush · March 11, 2024, 2:25am

Do you have the following set?

  # unlock keyring on login
  security.pam.services.greetd.enableGnomeKeyring = true;

Note this assumes a greetd setup.

JohnRTitor · March 11, 2024, 4:36pm

I am using GDM as my login manager.

security.pam.services.gdm.enableGnomeKeyring = true;

I have this set in my configuration, but it doesn’t work for some reason.

willbush · March 15, 2024, 8:27am

Does ps aux | grep gnome-keyring-daemon show something like /run/wrappers/bin/gnome-keyring-daemon --start --foreground --components=secrets? I’m using the service services.gnome.gnome-keyring.enable to start it up for me. Just wanted to verify it’s running.

JohnRTitor · March 16, 2024, 8:29am

Here’s the output after running the command:
ps aux | grep gnome-keyring-daemon:

masum       5471  0.0  0.0   6412  2596 pts/0    S+   13:57   0:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox gnome-keyring-daemon

After unlocking the keyring:

masum       5849  0.0  0.0 458544  9344 ?        SLl  13:57   0:00 /run/wrappers/bin/gnome-keyring-daemon --start --foreground --components=secrets
masum       7260  0.0  0.0   6412  2628 pts/0    S+   14:03   0:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox gnome-keyring-daemon

willbush · March 16, 2024, 6:05pm

Do you have services.gnome.gnome-keyring.enable = true; in your config? If not, try adding that.

JohnRTitor · March 16, 2024, 6:12pm

I have the following in my configuration, still the same issue.:

  services.gnome.gnome-keyring.enable = true;
  programs.seahorse.enable = true; # enable the graphical frontend
  environment.systemPackages = [ pkgs.libsecret ]; # libsecret api needed
  security.pam.services.gdm.enableGnomeKeyring = true; # load gnome-keyring at startup

The problem is, it sometimes works and sometimes doesn’t. I don’t know what is the trigger/cause of it to stop unlocking it automatically during login.

JohnRTitor · March 25, 2024, 7:06pm

Found out the actual problem. The login shell runtime dir was not properly set at gdm startup.
So set

  environment.variables.XDG_RUNTIME_DIR = "/run/user/$UID"; # set the runtime directory

which unlocks the keyring properly every time now.
Full config is here.

From journalctl -b | grep gkr-pam:

Mar 26 00:28:17 Ainz-NIX gdm-password][3065]: gkr-pam: unable to locate daemon control file
Mar 26 00:28:17 Ainz-NIX gdm-password][3065]: gkr-pam: stashed password to try later in open session
Mar 26 00:28:17 Ainz-NIX gdm-password][3065]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring

don.dfh · May 4, 2024, 12:39am

Thanks for finding this a while back, it really helped me solving the issue.

As of todays update, my logs show

May 03 23:58:58 aitutaki sddm-helper[2679]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
May 04 00:06:35 aitutaki gnome-keyring-daemon[3700]: couldn't access control socket: /run/user/31337/keyring/control: No such file or directory

and my gnome-keyring remains locked after startup.

JohnRTitor · May 29, 2024, 4:55pm

Try with:

  security.pam.services.gdm-password.enableGnomeKeyring = true;

simply using gdm/login there won’t work because GNOME keyring is supposed to be unlocked as part of gdm-password service.

guttermonk · October 23, 2024, 5:25am

Having this issue after switching from 24.05 to unstable.

Already have:

services.gnome.gnome-keyring.enable = true;
security.pam.services.greetd.enableGnomeKeyring = true;
environment.variables.XDG_RUNTIME_DIR = "/run/user/$UID";

What would be the equivalent of security.pam.services.gdm-password.enableGnomeKeyring = true; for greetd?

I tried security.pam.services.greetd-password.enableGnomeKeyring = true; but that didn’t work.

Here’s the error message I’m getting: “The application ‘Brave’ has requested to open the wallet ‘Default keyring’. Please enter the password for this wallet below.”

niksingh710 · February 13, 2025, 7:41am

I am using uwsm to login directly, not using any login manager.
also utilising impermanence setup still the issue remains for me.
is this not resolvable without gdm?

guttermonk · March 15, 2025, 10:45pm

FWIW, I was able to fix my issue with Brave by changing my Brave Browser startup command to:
brave --password-store=gnome-libsecret

Still getting prompted to unlock gnome-keyring after logging in though :\

JimJ92120 · April 17, 2025, 10:38pm

Can you check with journalctl | grep gnome-keyring if any error?
Maybe try with that too: Hyprland on Home Manager – Hyprland Wiki

guttermonk · April 18, 2025, 1:43pm

Thanks for the link. I added the additional hyprland config and rebooted. Then ran journalctl | grep gnome-keyring and got this:

Apr 18 08:31:40 hyprnix gnome-keyring-daemon[6199]: discover_other_daemon: 0
Apr 18 08:33:50 hyprnix greetd[2121]: gkr-pam: gnome-keyring-daemon started properly
Apr 18 08:33:55 hyprnix greetd[2148]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Apr 18 08:34:00 hyprnix dbus-broker-launch[2231]: Ignoring duplicate name 'org.freedesktop.impl.portal.Secret' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.freedesktop.impl.portal.Secret.service'
Apr 18 08:34:00 hyprnix dbus-broker-launch[2231]: Ignoring duplicate name 'org.freedesktop.secrets' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.freedesktop.secrets.service'
Apr 18 08:34:00 hyprnix dbus-broker-launch[2231]: Ignoring duplicate name 'org.gnome.keyring' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.gnome.keyring.service'
Apr 18 08:34:00 hyprnix dbus-broker-launch[2231]: Ignoring duplicate name 'org.freedesktop.impl.portal.Secret' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.freedesktop.impl.portal.Secret.service'
Apr 18 08:34:00 hyprnix dbus-broker-launch[2231]: Ignoring duplicate name 'org.freedesktop.secrets' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.freedesktop.secrets.service'
Apr 18 08:34:00 hyprnix dbus-broker-launch[2231]: Ignoring duplicate name 'org.gnome.keyring' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.gnome.keyring.service'
Apr 18 08:35:17 hyprnix gnome-keyring-daemon[5035]: couldn't access control socket: /run/user/$UID/keyring/control: No such file or directory
Apr 18 08:35:17 hyprnix .gnome-keyring-[5035]: couldn't access control socket: /run/user/$UID/keyring/control: No such file or directory
Apr 18 08:35:17 hyprnix gnome-keyring-daemon[5035]: discover_other_daemon: 1

JimJ92120 · April 18, 2025, 3:34pm

This maybe? Gnome Keyring not working / Newbie Corner / Arch Linux Forums

guttermonk:

Apr 18 08:33:55 hyprnix greetd[2148]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
...
Apr 18 08:35:17 hyprnix gnome-keyring-daemon[5035]: couldn't access control socket: /run/user/$UID/keyring/control: No such file or directory
Apr 18 08:35:17 hyprnix .gnome-keyring-[5035]: couldn't access control socket: /run/user/$UID/keyring/control: No such file or directory

guttermonk · April 18, 2025, 4:20pm

Tried that, but it didn’t do anything. Still getting the same error. Reading the Arch Wiki, it says “startx will run the default /etc/X11/xinit/xinitrc” but there isn’t anything at that path.

Would it be better to use a keyring made for Wayland? Not sure the best direction to go from here.

JimJ92120 · April 18, 2025, 5:19pm

Well Gnome supports both so safe to assume it works on Wayland - doesn’t make sense from Gnome using 2 different pkgs you know.

GNOME/Keyring - ArchWiki (section 6.8) details how that works outside Desktop Environments.

Could you try to install e.g seahorse and unlock from there: Passwords > Login
Then poweroff and restart (don’t reboot).

~~Should see smth like that with journalctl | grep gnome-keyring:~~

dbus-daemon[2286]: [session uid=1000 pid=2286] Activating service name='org.gnome.keyring.SystemPrompter' requested by ':1.23' (uid=1000 pid=3000 comm="/run/wrappers/bin/gnome-keyring-daemon --start --f" label="kernel")
...
gnome-keyring-daemon[3000]: asked to register item /org/freedesktop/secrets/collection/login/1, but it's already registered

Smth though odd is that it seems that the daemon starts more than once in a single session.

EDIT: pop-up will still show up after some time so not a solution.

Actually doc mentions to let the keyring password blank but that may bring security concerns and some other solutions: GNOME/Keyring - ArchWiki

Another workaround is creating a script that fetch user passwd and unlock keyring, e.g: GitHub - umglurf/gnome-keyring-unlock: Script to unlock gnome keyring

guttermonk · April 19, 2025, 3:05pm

No need to leave the password blank if you’re not trying to use automatic login.

I’ll have to use it for the next week, but it’s been working 95% reliably so far with the following changes. In my hyprland config, commented these lines out:

     # env = [ "GNOME_KEYRING_CONTROL,/run/user/$UID/keyring" ];
     # exec-once = [ "/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh" ];

Other than that, I’m using the config I posted above.

Now journalctl | grep gnome-keyring looks like this:

Apr 19 09:52:28 hyprnix greetd[2214]: gkr-pam: gnome-keyring-daemon started properly
Apr 19 09:52:37 hyprnix greetd[2241]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Apr 19 09:52:42 hyprnix dbus-broker-launch[2590]: Ignoring duplicate name 'org.freedesktop.impl.portal.Secret' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.freedesktop.impl.portal.Secret.service'
Apr 19 09:52:42 hyprnix dbus-broker-launch[2590]: Ignoring duplicate name 'org.freedesktop.secrets' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.freedesktop.secrets.service'
Apr 19 09:52:42 hyprnix dbus-broker-launch[2590]: Ignoring duplicate name 'org.gnome.keyring' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.gnome.keyring.service'
Apr 19 09:52:42 hyprnix dbus-broker-launch[2590]: Ignoring duplicate name 'org.freedesktop.impl.portal.Secret' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.freedesktop.impl.portal.Secret.service'
Apr 19 09:52:42 hyprnix dbus-broker-launch[2590]: Ignoring duplicate name 'org.freedesktop.secrets' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.freedesktop.secrets.service'
Apr 19 09:52:42 hyprnix dbus-broker-launch[2590]: Ignoring duplicate name 'org.gnome.keyring' in service file '/nix/store/bmyd47261zj1s9iqda7h7lnrscbv1yb7-gnome-keyring-46.2/share/dbus-1/services/org.gnome.keyring.service'
Apr 19 09:53:09 hyprnix gnome-keyring-daemon[4102]: discover_other_daemon: 1

In regards to these issues with dbus-broker and service files, it looks like there’s an open nixpkgs issue. Other than that, so far so good.