Credentials located in gnome-keyring can be compromised easily

This was 2018, right? Aren't we all mostly patched?

Also, Gnome keyring is being replaced with the Rust-based oo7 (funded by the STF).

No one mentioned that “oo7” will patch this issue. GNOME devs are not planning on adding any patches to how gnome-keyring is currently working, as it was intended to work that way. Check the comments on this issue.

gnome-keyring is being replaced as it is unmaintained:

The free desktop standardises the storage and usage of secrets (such as passphrases or SSH keys) via the secrets specification. gnome-keyring was the backend implementation, and libsecret the client-side of said specification.

gnome-keyring and libsecret are written in C and lack maintenance. oo7 is a modern Rust client-side library that respects the secrets specification. Dhanuka is extending oo7 to implement the backend side of secrets management, and ultimately replace gnome-keyring.

And from the oo7 docs:

Sandboxed applications should prefer using the file backend as it doesn’t expose the application secrets to other sandboxed applications if they can talk to the org.freedesktop.Secrets service.

However, for non-Flatpak apps the issue remains.

Similar problem with other keyrings, for example on KDE. Situation is just a mess on Linux and keyrings are not a safe place to store secrets.
