fix(linux): create default Secret Service collection when missing #49
Merged
On live sessions, autologin setups, and fresh accounts, gnome-keyring may run with no keyring collection at all: PAM only creates the login collection during a password login. Storing a provider/MCP credential then fails with "Secret Service: no result found", blocking onboarding. The keyring crate cannot self-heal here: its create path for the special 'default' target only re-reads the alias instead of creating a collection. Detect this case on secret writes and ask the Secret Service daemon to create a collection registered as the 'default' alias (the daemon shows its own password dialog, so the user owns the keyring password), then retry the write once. If the user dismisses the dialog, return an actionable error instead of the cryptic one. Uses dbus-secret-service directly - the same crate/version keyring already pulls in for its sync secret-service backend, so no new transitive code.
Problem
On Xubuntu live sessions, autologin setups, and fresh user accounts, creating the first provider fails with:
gnome-keyring is running with the secrets component, but no keyring collection exists (~/.local/share/keyrings/ is empty): PAM only creates and unlocks the login collection during a password login, which never happens with autologin/live sessions. The Secret Service then has nothing behind the default alias and returns no result found, blocking onboarding.
The keyring crate (3.x) cannot self-heal: its create path for the special default target calls get_default_collection() again instead of creating a collection, so every write keeps failing.
Fix
On Linux, when a secret write fails with NoStorageAccess: ... no result found:
SecretService::create_collection("Default keyring", "default") via dbus-secret-service — the daemon shows its own password dialog (same UX as secret-tool / Seahorse), so the user owns the keyring password and the collection is the system-wide default, shared by every libsecret consumer.
dbus-secret-service is the exact crate+version keyring already uses for its sync secret-service backend, so this adds no new transitive code.
Reads/deletes are unchanged (NoEntry was already handled).
Testing
cargo check passes.
secret-tool, which performs the same D-Bus call this PR automates) credential storage works.
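The detect, create, retry-once flow described above, as an added sketch that is not the PR's code. `StoreError`, `SecretBackend`, `FakeDaemon` and `store_secret` are hypothetical names; the in-memory daemon is constructed to stand in for the real `keyring` / `dbus-secret-service` calls so the control flow runs offline.

```rust
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
enum StoreError {
    NoStorageAccess(String), // write failed; the message says why
    PromptDismissed,         // user closed the daemon's password dialog
    NoDefaultKeyring,        // actionable error handed back to the caller
}
// Hypothetical abstraction over the Secret Service daemon (not a real crate API).
trait SecretBackend {
    fn write(&mut self, key: &str, secret: &str) -> Result<(), StoreError>;
    fn create_default_collection(&mut self) -> Result<(), StoreError>;
}
// Constructed stand-in for a session that starts with no keyring collection.
struct FakeDaemon { has_collection: bool, user_accepts: bool, prompts: u32, items: HashMap<String, String> }
impl SecretBackend for FakeDaemon {
    fn write(&mut self, key: &str, secret: &str) -> Result<(), StoreError> {
        if !self.has_collection {
            return Err(StoreError::NoStorageAccess("Secret Service: no result found".into()));
        }
        self.items.insert(key.into(), secret.into());
        Ok(())
    }
    fn create_default_collection(&mut self) -> Result<(), StoreError> {
        self.prompts += 1; // every call here corresponds to one dialog shown to the user
        if !self.user_accepts { return Err(StoreError::PromptDismissed); }
        self.has_collection = true;
        Ok(())
    }
}
// Heal only the "nothing behind the default alias" case, never other storage failures.
fn is_missing_collection(e: &StoreError) -> bool {
    matches!(e, StoreError::NoStorageAccess(m) if m.contains("no result found"))
}

fn store_secret(b: &mut dyn SecretBackend, key: &str, secret: &str) -> Result<(), StoreError> {
    match b.write(key, secret) {
        Err(e) if is_missing_collection(&e) => {
            // A failed creation (e.g. dismissed dialog) becomes the actionable error.
            b.create_default_collection().map_err(|_| StoreError::NoDefaultKeyring)?;
            b.write(key, secret) // single retry; a second failure is returned as-is
        }
        other => other,
    }
}

fn main() {
    let mut d = FakeDaemon { has_collection: false, user_accepts: true, prompts: 0, items: HashMap::new() };
    let r = store_secret(&mut d, "provider", "token");
    println!("{:?} after {} prompt(s), {} item(s) stored", r, d.prompts, d.items.len());
}
```

Keeping the error classifier narrow matters: a locked keyring or an unreachable daemon also surfaces as a storage-access failure, and neither should cause a new collection to be created.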