Python binding for gnomekeyring prevents password prompt on unlock

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

I can confirm this for Lucid. A possible workaround is to create a dummy key and delete it immediately after that, this triggers a user dialog to unlock the keyring.

Still a problem in 10.10.

Still a problem in 10.10.

I'm writing a helper script that integrates offlineimap and notmuch mail.

Have to fire up Seahorse and manually unlock the keyring before I run the script.

Would be nice if I could just display a notification via the Gnome Keyring daemon.

I also agree that this is a security issue, having the application pop up it's own prompt for your keyring password defeats the whole purpose of using Gnome Keyring.

The purpose of Gnome Keyring, much like PAM - is to abstract away authentication from the desktop application itself.

Man, I don't know how to use bzr but I've been in touch with the gnome guys and the fix is really easy.

I've downloaded the gnome-python-desktop-2.30.0 src package.

Here's a relevant diff

diff ./gnomekeyring/gnomekeyring.defs ./gnomekeyring/gnomekeyring.defs.orig
272c272
< '("const-char*" "password" (null-ok))
---
> '("const-char*" "password")

That fixes it.

that diff is wrong, it needs to be changed in 2 places, regenerating...

I'm hopeless at diff . I'm adding the entire file, although it's only a two line change, incidentally it works great!

Fixes the bug

The changed defun's were:

(define-function unlock
  (c-name "gnome_keyring_unlock")
  (return-type "gpointer")
  (parameters
    '("const-char*" "keyring" (null-ok))
    '("const-char*" "password" (null-ok))
    '("GnomeKeyringOperationDoneCallback" "callback")
    '("gpointer" "data")
    '("GDestroyNotify" "destroy_data")
  )
)

(define-function unlock_sync
  (c-name "gnome_keyring_unlock_sync")
  (return-type "GnomeKeyringResult")
  (unblock-threads #t)
  (parameters
    '("const-char*" "keyring" (null-ok))
    '("const-char*" "password"(null-ok))
  )
)

Just as some background, I'm trying to use it with offlineimap, which allows the user to include python functions to retrieve username or password.

% egrep "(passeval|py)" ~/.offlineimaprc
pythonfile = ~/.offlineimap.gnome.py
remotepasseval = get_password("offlineimap", "gmail.test.account")

% cat .offlineimap.gnome.py
#!/usr/bin/python

import sys
import pygtk
pygtk.require('2.0')
import gtk # sets app name
import gnomekeyring

def get_password(keyringid,identifier):
    #This pops up the password prompt but is currently broken
    #https://bugs.launchpad.net/ubuntu/+source/gnome-python-desktop/+bug/432882
    #gnomekeyring.unlock_sync(keyringid, None)
    for keyring in gnomekeyring.list_keyring_names_sync():
        if(keyring == keyringid):
            for id in gnomekeyring.list_item_ids_sync(keyring):
                item = gnomekeyring.item_get_info_sync(keyring, id)
                print(item.get_display_name())
                if(item.get_display_name() == identifier):
                    return item.get_secret()

def main():
    print( get_password("offlineimap","gmail.test.account") )

if __name__ == "__main__":
    main()

any news regarding this bug, I reported it back in the Maverick days. I suppose Gnome may no longer be a priority for Ubuntu but I'd like to know if I can be of any more help in trying to get this patch in. It's such a small change to have it work correctly and we're on Lucid now...