Using GNU Pass as a keyring provider doesn't seem to work

Recently, I’ve tried to install nheko, a Matrix client, but I failed using it because it complains it cannot store password and other secrets because there are no providers for org.freedesktop.secrets available on my machine. Not knowing what that meant, I googled it, and found out it’s some standard API for a keyring, the example implementation being GNOME Keyring. Since I use neither Gnome nor KDE, I don’t really want to use software that’s supposed to integrate in these DE, so I looked for alternatives, and I found pass secret service, which is a provider for org.freedesktop.secrets using the GNU Pass backend, which is a good thing for me because I otherwise use pass as my password manager. I tried installing using it by enabling services.passSecretService system-wide, then rebooted. However, that didn’t work: nheko now complains that it timeouts when it tries to store things, and retrieving passwords using GNU Pass takes a significant amount of time.

I suspect the issue is the following:

  • whenever my GPG key is required, the GPG agent tries to obtain the password, first by checking if it’s in the keyring, and resorting to pinentry (ie. a password-asking popup) otherwise
  • my GPG key is required both when trying to read and write in the password store using GNU Pass, because it has to uncipher the crypted passwords, and because when it writes something, it commits it to the underlying repo, which in turn tries sign the commit using the same key.
  • checking if a secret information is in the keyring requires reading the password store, since I’ve connected the keyring interface to the GNU Pass backend.

That creates a cycle: whenever I need to get the password of my GPG key, it tries to query the keyring first, which in turn queries the password store, which in turns asks GPG the decipher its content, which in turn makes GPG try to get the password for the key, …

This, I think, ends with a timeout, explaining why nheko fails with an error message about a timeout, and why the password store takes more time to retrieve the password: it just fails to get the password until the timeout occurs, and then it reverts to asking me for the password.

How can I setup things properly to avoid these issues? Ideally, the solution would be not to put GPG key passwords in the keyring at all, if my understanding of the situation is correct.


I would also very much like to find a solution. My setup is similar but I prefer to not store GPG key passphrase in the store at all, and just cache it in ram for N hours.

But I do prefer sticking all sort of other secrets into the pass backend, basically anything that requires a keychain beyond GPG should go in there. SSH agent, and things like pgcli

Currently these things dissapear “somewhere”, ssh agent asked me to create a gnome keychain password, and stopped asking. Its a bit of a mess

I made it work by disabling GPG password caching using the org.freedesktop.secrets api, by adding

services.gpg-agent.extraConfig = "no-allow-external-cache";

as a home-manager option.