keyring MITkeyring (🥉27 · ⭐ 630) - Store and access your passwords safely. MIT

I am seeing this error on Yosemite (10.10.5 (14F27))

keyring.backends._OS_X_API.Error: (-25293, "Can't fetch password from system")

edit: it works if I enable all applications to use the password from the keychain.

Just using the default from the keyring module defaults to a plaintext keyring file, which is very insecure. Either default to the system keyring, an otherwise encrypted keyring, or just fail with an error if you can't actually provide a secure keyring.

Making plaintext the default will just lead users to think they are secure when their passwords are all dumped to the disk in plain text, which is insane.

• Bitbucket: https://bitbucket.org/kang/python-keyring-lib/issue/117
• Originally reported by: Stavros Korokithakis
• Originally created at: 2013-09-27T14:11:44.531

It was recently brought to my attention that python-keyring doesn't appear to be able to retrieve a password from the OS X Keychain when called from cron. Any ideas why?

I assumed it has to do with the keychain being locked, but I'm able to access the keychain from cron using the security program (which keyring uses as its default OS X backend), as long as my cron entry first unlocks the keychain, e.g. security unlock-keychain -p MYPASS /path/to/login.keychain && security find-generic-password -a ACCOUNT -s SERVICE -g >> outfile.log

Also -- totally irrelevant, but -- what prompted the change to GitHub from Bitbucket? I didn't seen any discussion of it with the relevant commit, maybe I missed it.

In a relatively fresh install of Fedora 25 with KDE Plasma as the DE, seems keyring prefers to use gnome-keyring (libgnome-keyring) by default. Getting rid of gnome-keyring doesn't solve the problem, while erasing libgnome-keyring is not feasible as it is a dependency of many packages. Any chance to add some logic to detect the desktop environment and use kwallet if running under plasma?

It doesn't seem to be used to install or do anything after install (except for running tests).

• Bitbucket: https://bitbucket.org/kang/python-keyring-lib/issue/105
• Originally reported by: Matthew Thode
• Originally created at: 2013-07-10T22:02:59.446

Hi @jaraco,

One of the major issues with Keyring on Linux is the dbus-python dependency, which has the following problems:

• It is difficult to install from PyPI: there are no wheels, it needs the D-Bus headers installed locally and compiles itself during install.
• It is not actively developed, and the author recommends switching to another library.

Some time ago I created a port of SecretStorage to Jeepney, a modern pure-Python library by @takluyver. Please see mitya57/secretstorage#10 and the wip/jeepney branch. I want it to eventually become the new release of SecretStorage.

But Jeepney only supports Python 3.5+, while Keyring aims to support Python 2. So I wonder how we should resolve this issue. I see the following possibilities:

1. Release the branch as a separate project, like secretstorage-ng. Tweak setup.py to select secretstorage-ng for newer Pythons and secretstorage for older Pythons. The module name will not change, so secretstorage and secretstorage-ng will conflict with each other.
2. Release the branch as secretstorage 3.0a1. PyPI will not pull it automatically, but setup.py can select secretstorage>=3.0a1 for newer Pythons.
3. Release the branch as secretstorage 3.0. Make setup.py select secretstorage<3 for older Pythons. I think I prefer this option, but I may consider others too.
4. Try to fork Jeepney and add Python 2 / 3.4 support?

What do you think?

Keyring delegates password setting to security on OS X. When a password is set the process is Popen'd with the password in the command. I think this exposes the password to ps, e.g. you can see the arguments to sleep here:

>>> import subprocess
>>> subprocess.Popen(['sleep', '100'])

$ ps
PID   TTY           TIME CMD
50559 ttys002    0:00.01 sleep 100

• Bitbucket: https://bitbucket.org/kang/python-keyring-lib/issue/145
• Originally reported by: Sam Birch
• Originally created at: 2014-04-29T03:27:46.155

Hi, I've been using Mercurial+python's kerying+python's mercurial-keyring together in the past on my opensuse 11.4 pc to "hg push" my local repositories to the server without having to type in my password repeatedly. It worked fine there.

However, I've experienced a problem when now running in opensuse 12.1. Initially I reported this on the issue-tracker for mercurial-keyring, at:

https://bitbucket.org/Mekk/mercurial_keyring/issue/23/probs-in-opensuse-121

But the author said the trace indicates that the issue is at the keyring level and that I should report it here.

Ok then, here's the trace:

searching for changes
http authorization required
realm: Mecurial Repo
user: gurcei (fixed in .hg/hgrc)
password: 
ERROR:dbus.proxies:Introspect error on :1.222:/org/freedesktop/secrets/aliases/default: dbus.exceptions.DBusException: org.freedesktop.Secret.Error.NoSuchObject: The '/org/freedesktop/secrets/aliases/default' object does not exist
ERROR:dbus.connection:Unable to set arguments ({'org.freedesktop.Secret.Item.Label': u'gurcei@@http://rapiddev/hg @ Mercurial', 'org.freedesktop.Secret.Item.Attributes': {'username': u'gurcei@@http://rapiddev/hg', 'service': u'Mercurial'}}, dbus.Struct((dbus.ObjectPath('/org/freedesktop/secrets/session/s11'), '', dbus.ByteArray('xxxxx'), 'application/octet-stream'), signature=None), True) according to signature None: <type 'exceptions.TypeError'>: Expected a string or unicode object
** Unknown exception encountered with possibly-broken third-party extension mercurial_keyring
** which supports versions unknown of Mercurial.
** Please disable mercurial_keyring and try your action again.
** If that fixes the bug please report it to the extension author.
** Python 2.7.2 (default, Aug 19 2011, 20:41:43) [GCC]
** Mercurial Distributed SCM (version 2.4.1)
** Extensions loaded: hgk, mercurial_keyring
Traceback (most recent call last):
  File "/usr/bin/hg", line 38, in <module>
    mercurial.dispatch.run()
  File "/usr/lib/python2.7/site-packages/mercurial/dispatch.py", line 28, in run
    sys.exit((dispatch(request(sys.argv[1:])) or 0) & 255)
  File "/usr/lib/python2.7/site-packages/mercurial/dispatch.py", line 65, in dispatch
    return _runcatch(req)
  File "/usr/lib/python2.7/site-packages/mercurial/dispatch.py", line 88, in _runcatch
    return _dispatch(req)
  File "/usr/lib/python2.7/site-packages/mercurial/dispatch.py", line 741, in _dispatch
    cmdpats, cmdoptions)
  File "/usr/lib/python2.7/site-packages/mercurial/dispatch.py", line 514, in runcommand
    ret = _runcommand(ui, options, cmd, d)
  File "/usr/lib/python2.7/site-packages/mercurial/dispatch.py", line 831, in _runcommand
    return checkargs()
  File "/usr/lib/python2.7/site-packages/mercurial/dispatch.py", line 802, in checkargs
    return cmdfunc()
  File "/usr/lib/python2.7/site-packages/mercurial/dispatch.py", line 738, in <lambda>
    d = lambda: util.checksignature(func)(ui, *args, **cmdoptions)
  File "/usr/lib/python2.7/site-packages/mercurial/util.py", line 472, in check
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/mercurial/commands.py", line 4751, in push
    newbranch=opts.get('new_branch'))
  File "/usr/lib/python2.7/site-packages/mercurial/localrepo.py", line 1910, in push
    ret = remote.unbundle(cg, remoteheads, 'push')
  File "/usr/lib/python2.7/site-packages/mercurial/wireproto.py", line 307, in unbundle
    ret, output = self._callpush("unbundle", cg, heads=heads)
  File "/usr/lib/python2.7/site-packages/mercurial/httppeer.py", line 200, in _callpush
    r = self._call(cmd, data=fp, headers=headers, **args)
  File "/usr/lib/python2.7/site-packages/mercurial/httppeer.py", line 170, in _call
    fp = self._callstream(cmd, **args)
  File "/usr/lib/python2.7/site-packages/mercurial/httppeer.py", line 118, in _callstream
    resp = self.urlopener.open(req)
  File "/usr/lib/python2.7/urllib2.py", line 400, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 513, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 432, in error
    result = self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 372, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 884, in http_error_401
    url, req, headers)
  File "/usr/lib/python2.7/site-packages/mercurial/url.py", line 431, in http_error_auth_reqed
    self, auth_header, host, req, headers)
  File "/usr/local/lib/python2.7/site-packages/mercurial_keyring-0.5.4-py2.7.egg/mercurial_keyring.py", line 363, in basic_http_error_auth_reqed
    return basic_http_error_auth_reqed.orig(self, authreq, host, req, headers)
  File "/usr/lib/python2.7/urllib2.py", line 859, in http_error_auth_reqed
    response = self.retry_http_basic_auth(host, req, realm)
  File "/usr/lib/python2.7/urllib2.py", line 865, in retry_http_basic_auth
    user, pw = self.passwd.find_user_password(realm, host)
  File "/usr/local/lib/python2.7/site-packages/mercurial_keyring-0.5.4-py2.7.egg/mercurial_keyring.py", line 357, in find_user_password
    return self._pwd_handler.find_auth(self, realm, authuri, req)
  File "/usr/local/lib/python2.7/site-packages/mercurial_keyring-0.5.4-py2.7.egg/mercurial_keyring.py", line 242, in find_auth
    password_store.set_http_password(keyring_url, user, pwd)
  File "/usr/local/lib/python2.7/site-packages/mercurial_keyring-0.5.4-py2.7.egg/mercurial_keyring.py", line 95, in set_http_password
    password)
  File "/usr/local/lib/python2.7/site-packages/keyring-1.2.2-py2.7.egg/keyring/core.py", line 42, in set_password
    _keyring_backend.set_password(service_name, username, password)
  File "/usr/local/lib/python2.7/site-packages/keyring-1.2.2-py2.7.egg/keyring/backends/SecretService.py", line 107, in set_password
    item, prompt = self.collection.CreateItem(properties, secret, True)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 68, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 140, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 620, in call_blocking
    message.append(signature=signature, *args)
TypeError: Expected a string or unicode object

• Bitbucket: https://bitbucket.org/kang/python-keyring-lib/issue/91
• Originally reported by: Gurce Isikyildiz
• Originally created at: 2013-02-17T22:00:07.233

This lib seemed way interesting and got a bit of publicity a few weeks ago, so I decided to check it out the usual way: create a virtualenv, pip install the library inside it and play around.

Except I didn't get anywhere: get_password would always return None (with no keychain prompt) and set_password would throw OSError: Can't store password in Keychain, in both cases whatever the service & account are. After a few reinstallations, I tried compiling from scratch (cloning from mercurial and python setup.py build… success. Both tip (4a551eda6bf8) and tag 0.2 build and work perfectly.

Try to python setup.py install it in my virtualenv, failure again (except it now throws keyring.backend.PasswordSetError on set_password, due to being tip I guess).

Tested the same scenario in a fresh OpenSUSE image, no issue.

• Bitbucket: https://bitbucket.org/kang/python-keyring-lib/issue/13
• Originally reported by: masklinn
• Originally created at: 2009-12-30T17:10:27.189

This error appears when I updated keyring from version 11.0.0 to version 12.2.0 and compiled my source with the pyinstaller. The source file works fine, However on running the binary I get RuntimeError: No recommended backend was available. Install the keyrings.alt package if you want to use the non-recommended backends. See README.rst for details.

I have installed keyrings.alt, but I don't known how to use it, and how to modify my source for keyring.

Thank for any help.

Turned get_preferred_collection into a context_manager. This required no api change. I didn't take the effort to write a unittest that showed the issue.

I'm running Python 3.9.16 (under asdf-vm) and keyring 23.13.1, and cannot list backends from the command-line program. I'm not sure which backends, if any, are configured.

$ keyring --list-backends
Traceback (most recent call last):
  File "/home/user/.asdf/installs/python/3.9.16/bin/keyring", line 8, in <module>
    sys.exit(main())
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/keyring/cli.py", line 134, in main
    return cli.run(argv)
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/keyring/cli.py", line 59, in run
    for k in backend.get_all_keyring():
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/keyring/util/__init__.py", line 22, in wrapper
    func.always_returns = func(*args, **kwargs)
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/keyring/backend.py", line 215, in get_all_keyring
    _load_plugins()
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/keyring/backend.py", line 199, in _load_plugins
    for ep in metadata.entry_points(group='keyring.backends'):
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/importlib_metadata/__init__.py", line 856, in entry_points
    return EntryPoints(eps).select(**params)
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/importlib_metadata/__init__.py", line 853, in <genexpr>
    eps = itertools.chain.from_iterable(
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/importlib_metadata/_itertools.py", line 16, in unique_everseen
    k = key(element)
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/importlib_metadata/_py39compat.py", line 18, in normalized_name
    return dist._normalized_name
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/importlib_metadata/__init__.py", line 778, in _normalized_name
    or super()._normalized_name
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/importlib_metadata/__init__.py", line 445, in _normalized_name
    return Prepared.normalize(self.name)
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/site-packages/importlib_metadata/__init__.py", line 700, in normalize
    return re.sub(r"[-_.]+", "-", name).lower().replace('-', '_')
  File "/home/user/.asdf/installs/python/3.9.16/lib/python3.9/re.py", line 210, in sub
    return _compile(pattern, flags).sub(repl, string, count)
TypeError: expected string or bytes-like object

Password section in hanging in Windows 11 Command Prompt A clear and concise description of what the bug is. This bug is the password hanging when I use the twine module (and the twine module uses keyring)

To Reproduce Steps to reproduce the behavior:

1. Install the twine module (when said below).
2. Make a blank local python module (https://packaging.python.org/en/latest/tutorials/packaging-projects/)
3. Enter this command: py -m twine upload --repository testpypi dist/*
4. Enter username (for everybody - token)
5. See error - not able to enter password.

Expected behavior I expect that you will be unable to enter your password as it will hang repeatedly.

Environment

• OS: Windows 11

Additional context

Not exactly a bug, but a lack of documentation. Sorry if it is not the right use of keyring.

In a shell script I can get a needed password from gnome-keyring to a variable or feed it via pipe to some program:

passwd=$(secret-tool lookup user myname domain somehost.com)

If I got it right, keyring can be used for the same purpose in a python script. I could not find any minimal working example example to do that in python with keyring module. There probably must be a better way than using os.popen(cmd).read() with the above shell command...

The example from the README file

$ python
  >>> import keyring
  >>> keyring.get_keyring()
  <keyring.backends.SecretService.Keyring object at 0x7f9b9c971ba8>
  >>> keyring.set_password("system", "username", "password")
  >>> keyring.get_password("system", "username")

launces "KDE Wallet Service" configuration which is not relevant for me, since I use gnome-keyring...

Thank you!

Environment

• OS: Ubuntu 22.04

$ dpkg -l |grep python3-keyring
ii  python3-keyring                               23.5.0-1                                all          store and access your passwords safely
$ keyring --list-backends
keyring.backends.kwallet.DBusKeyring (priority: 4.9)
keyring.backends.fail.Keyring (priority: 0)
keyring.backends.chainer.ChainerBackend (priority: 10)
keyring.backends.libsecret.Keyring (priority: 4.8)

Currently, the macOS Keyring backend hard-codes a few error codes to messages. Better would be to use the API to resolve error codes to human-readable message strings.

I started looking into how to do it. I imagine it goes something like:

>> api._sec.SecCopyErrorMessageString(-25244)
-1797030505

But probably something needs to translate that integer response into a CFString object and convert that object to a Python string.

Maybe someone would be interested in determining how to do that?

    > The intention of keyring is that the default behavior _should_ be suitable.

If the presence of the chainer is causing problems, it probably shouldn't be enabled by default or at the very least should have an escape hatch (a way for a library like backintime to disable its usage). I'd be happy to support such a thing in keyring if simply honoring chainer as "appropriate" isn't suitable.

chainer is a cool thing and my challenge is now that the keyring API and configuration should more or less be hidden to end users since it is meant for developers or customizers (it should be a black box to end users IMHO).

So I have to give the end-user of Back In Time a simply way to configure this from the Back-in-Time-app point of view (user should not need to learn internals of keyring).

keyring's chainer uses some "heuristics" that seems to work non-deterministically from the Application point-of-view since external installations or settings may influence the priority value (I still have not completely browsed the keyring code so this is still more opinion than fact based I admit).

So the end user just want's to specify and persist the used "password safe" instead of a technical backend of an App-internal library.

And until the user does specify a "password safe" the "best guess" is the chainer so the default is good IMHO.

What would be nice in keyring to improve embedding it into an CLI or GUI app:

1. Add a public method to query for supported "password safes" (internally asking all available backends) return a list of the "pretty-labeled" password safes and a list of responsible backend names for each password safe to be used internally by 2.

   This would allow to fill a GUI widget more easily.

   Open question: How to cope with the 1:n nature of password safe to backends in the GUI then. The end user must take a decision for a backend finally, but based on which information?

2. Add a public method to persist the chosen backend without editing a file. An app (as keyring client) shoudn't have to know the storage location and file format (= encapsulate this in keyring). Optionally this setting could be valid only for a app (could be passed as key) but I assume that the selection should be right for every app/client then.

3. I assume we don't need to add an API to read the config file since the active backend (dominated by an existing config file) can already be queried with get_keyring().

~/.config/python_keyring/keyringrc.cfg containing ... necessary to “steer” the keyring system to using the correct backend. If honoring an environment variable or some other mechanism would help, keyring would be interested in exploring making this use-case simpler.

I think a persistence API would be more helpful than another env var (see proposal 2).

Originally posted by @aryoda in https://github.com/bit-team/backintime/issues/990#issuecomment-1272014311

In reaction to #593 - it would be neat if there was a CI workflow which would do downstream testing against keyrings.alt released version. We do similar downstream testing e.g. in DataLad (https://github.com/datalad/datalad/blob/master/.github/workflows/test_extensions.yml) and other projects (e.g. for git-annex itself - testing against datalad in https://github.com/datalad/git-annex/) which helps tremendously to keep "ecosystem" healthy. Such testing would help to avoid such issues as #593 which might cause lots of ripple effects through downstream projects.