Using GNU Pass as a keyring provider doesn't seem to work

Recently, I’ve tried to install nheko, a Matrix client, but I failed using it because it complains it cannot store passwords and other secrets because there are no providers for org.freedesktop.secrets available on my machine. Not knowing what that meant, I googled it, and found out it’s some standard API for a keyring, the example implementation being GNOME Keyring. Since I use neither Gnome nor KDE, I don’t really want to use software that’s supposed to integrate in these DEs, so I looked for alternatives, and I found pass secret service, which is a provider for org.freedesktop.secrets using the GNU Pass backend, which is a good thing for me because I otherwise use pass as my password manager. I tried installing it by enabling services.passSecretService system-wide, then rebooted. However, that didn’t work: nheko now complains that it times out when it tries to store things, and retrieving passwords using GNU Pass takes a significant amount of time.

I suspect the issue is the following:

  • whenever my GPG key is required, the GPG agent tries to obtain the password, first by checking if it’s in the keyring, and resorting to pinentry (i.e. a password-asking popup) otherwise
  • my GPG key is required both when trying to read and write in the password store using GNU Pass, because it has to decipher the encrypted passwords, and because when it writes something, it commits it to the underlying repo, which in turn tries to sign the commit using the same key.
  • checking if a piece of secret information is in the keyring requires reading the password store, since I’ve connected the keyring interface to the GNU Pass backend.

That creates a cycle: whenever I need to get the password of my GPG key, it tries to query the keyring first, which in turn queries the password store, which in turn asks GPG to decipher its content, which in turn makes GPG try to get the password for the key, …

This, I think, ends with a timeout, explaining why nheko fails with an error message about a timeout, and why the password store takes more time to retrieve the password: it just fails to get the password until the timeout occurs, and then it reverts to asking me for the password.

How can I set up things properly to avoid these issues? Ideally, the solution would be not to put GPG key passwords in the keyring at all, if my understanding of the situation is correct.


I would also very much like to find a solution. My setup is similar, but I prefer not to store the GPG key passphrase in the store at all, and just cache it in RAM for N hours.

But I do prefer sticking all sorts of other secrets into the pass backend; basically anything that requires a keychain beyond GPG should go in there: the SSH agent, and things like pgcli.

Currently these things disappear “somewhere”; the ssh agent asked me to create a gnome keychain password, and stopped asking. It’s a bit of a mess.

I made it work by disabling GPG password caching via the org.freedesktop.secrets API, by adding

services.gpg-agent.extraConfig = "no-allow-external-cache";

as a home-manager option.
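As an added example (not the posters' own configuration), here is a complete home-manager fragment that combines the fix above with the behaviour asked for earlier in the thread: pass-secret-service provides org.freedesktop.secrets, gpg-agent never hands the key passphrase to that external cache (which is what closes the loop described in the first post), and the passphrase is instead cached in the agent's own memory for a few hours. The option names are taken from home-manager as I know them; the TTL values are arbitrary choices.

```nix
{ config, pkgs, ... }:

{
  # pass is the backend; pass-secret-service exposes it on D-Bus as
  # org.freedesktop.secrets so clients like nheko can store secrets there.
  programs.password-store.enable = true;
  services.pass-secret-service.enable = true;

  services.gpg-agent = {
    enable = true;

    # Cache the unlocked key in the agent's own memory only (seconds):
    # 4 hours after last use, 8 hours at most. Assumed values.
    defaultCacheTtl = 4 * 60 * 60;
    maxCacheTtl = 8 * 60 * 60;

    # Without this line pinentry may look the passphrase up in (and save it
    # to) the org.freedesktop.secrets service, which is backed by pass, which
    # needs the same GPG key: the cycle that produced the timeouts above.
    extraConfig = ''
      no-allow-external-cache
    '';
  };
}
```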