Secret Service integration #8587

Closed
Flashwalker opened this issue Oct 16, 2022 · 5 comments

Comments

@Flashwalker

Flashwalker commented Oct 16, 2022

Summary

Is it really integration? It looks like replacement:
image

We want to keep running gnome-keyring while integrating keepassxc

Examples

Context

@michaelk83

KeePassXC acts as a Secret Service provider (local "server"), same as Gnome keyring. Meaning, you can have client applications store and retrieve their secrets in KeePassXC (or in Gnome keyring) via the Secret Service API. You can only run one Secret Service provider at a time, so you have to choose which one. If you want to keep using Gnome keyring, simply disable the Secret Service integration in KeePassXC.

KeePassXC does not currently act as a client for Secret Service. Meaning, it cannot display and manage the secrets you have stored in another provider such as Gnome keyring. (Technically that would be a duplicate of #1402, but it was poorly defined and later misinterpreted.)

@droidmonkey closed this as not planned Oct 16, 2022
@Flashwalker
Author

Flashwalker commented Oct 16, 2022

> KeePassXC acts as a Secret Service provider (local "server"), same as Gnome keyring. Meaning, you can have client applications store and retrieve their secrets in KeePassXC (or in Gnome keyring) via the Secret Service API. You can only run one Secret Service provider at a time, so you have to choose which one. If you want to keep using Gnome keyring, simply disable the Secret Service integration in KeePassXC.
>
> KeePassXC does not currently act as a client for Secret Service. Meaning, it cannot display and manage the secrets you have stored in another provider such as Gnome keyring. (Technically that would be a duplicate of #1402, but it was poorly defined and later misinterpreted.)

Hmmm...
In Linux we have to unlock the login keyring on login so applications (e.g. Chromium or NetworkManager) can use it.
Normally this happens on user login with his password, but if the user has set the auto-login, he usually gets a password request window to unlock the login keyring...

So, will the password prompt appear or not if KeePassXC is set as backend?

@droidmonkey
Member

KeePassXC doesn't link to your account login. They are totally separate. If your database is locked you will be presented with an unlock dialog when the secret service action is requested.

@Flashwalker
Author

Hmmm...Hmmm...
Ok, I think I understand now.
I guess the keyring named Login is actually gnome-keyring-daemon --start --components=secrets, which I assume is a Secret Service.

So KeePassXC will start as soon as the password prompt appears? And how will it run, as GUI or as a daemon?

@michaelk83

michaelk83 commented Oct 16, 2022

gnome-keyring-daemon is the backend process of Gnome keyring. It exposes a "login" collection via the Secret Service API, as well as a "default" alias, which I think points at the "login" collection. If I'm not mistaken, Gnome keyring's PAM module uses the user's system login to unlock the "login" collection. Then most applications talk to the "default" alias.

With KeePassXC, the collection name is determined from the database name, I think, and the "default" alias is mapped to the currently active database (see #8479). KeePassXC runs as a GUI application, but it can be minimized to the tray (depending on your settings, it may lock the database when minimized).

When a client application tries to access the Secret Service API, if no backend is running at that time, DBus will try to automatically determine which backend to start to provide the API. If you have Gnome keyring installed, this will usually default to gnome-keyring-daemon. If you want KeePassXC to be auto-started instead, you will either need to uninstall Gnome keyring, or override that default as explained in #6274 (comment). If a provider is already running, then DBus will use whatever is running.
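
The auto-start behaviour described in the comment above can be checked on a given machine. The following is an added example, not code from KeePassXC or from this thread: it lists every session service file that claims `org.freedesktop.secrets`, in the search order documented for the classic `dbus-daemon` session bus, where the first hit is the provider that would be auto-started. The ordering of files inside a single directory is an assumption, and it does not cover the case where a provider is already running and owns the name.

```python
import configparser
import os
from pathlib import Path

SECRETS_BUS_NAME = "org.freedesktop.secrets"

def session_service_dirs(env=None):
    """Session service directories, highest precedence first (dbus-daemon order)."""
    env = os.environ if env is None else env
    bases = []
    if env.get("XDG_RUNTIME_DIR"):
        bases.append(Path(env["XDG_RUNTIME_DIR"]))
    home = env.get("HOME", "")
    bases.append(Path(env.get("XDG_DATA_HOME") or os.path.join(home, ".local/share")))
    data_dirs = env.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    bases.extend(Path(d) for d in data_dirs.split(":") if d)
    return [b / "dbus-1" / "services" for b in bases]

def parse_service_file(path):
    """Return (Name, Exec) from a D-Bus .service file, or None if unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys in service files are case-sensitive
    try:
        cp.read(path, encoding="utf-8")
        sec = cp["D-BUS Service"]
    except (configparser.Error, KeyError, UnicodeDecodeError):
        return None
    return sec.get("Name"), sec.get("Exec")

def secret_service_candidates(dirs, bus_name=SECRETS_BUS_NAME):
    """(path, Exec) of every file claiming bus_name; the first entry wins."""
    found = []
    for d in dirs:
        if not d.is_dir():
            continue
        # Assumption: files within one directory are taken in sorted order.
        for f in sorted(d.glob("*.service")):
            parsed = parse_service_file(f)
            if parsed and parsed[0] == bus_name:
                found.append((str(f), parsed[1]))
    return found

if __name__ == "__main__":
    hits = secret_service_candidates(session_service_dirs())
    for i, (path, exec_line) in enumerate(hits):
        print("ACTIVATED" if i == 0 else "shadowed ", path, "->", exec_line)
    if not hits:
        print("no service file claims", SECRETS_BUS_NAME)
```

An unexpected `Exec` line in the winning file, especially one under a user-writable directory, means client applications will hand their secrets to a different program than the one you think is your keyring.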
