[PATCH] services: Integrate gnome-keyring service in gnome-desktop service.

  • Done
Details
2 participants
  • Liliana Marie Prikler
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Maxim Cournoyer
Severity
normal


Maxim Cournoyer wrote 5 days ago
(address . guix-patches@gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
a20525a5912b024b157db67ce7743cd92486b041.1741437690.git.maxim.cournoyer@gmail.com
Previous to this change, GNOME users would have to manually add the
gnome-keyring-service-type to their services to have a default login keyring
created and unlocked at login time. Some applications depend on a default
keyring being available, prompt repeatedly for it, which is confusing and
doesn't match user expectations, given most distributions use the GNOME
keyring pam module to unlock the login keyring by default.

* doc/guix.texi (Desktop Services): Update doc.
* gnu/services/desktop.scm (<gnome-keyring-configuration>): Move above
gnome-desktop-service-type, and streamline description.
(pam-gnome-keyring): Return the empty list when CONFIG is #f.
(gnome-desktop-configuration) [gnome-keyring-configuration]: New field.

Change-Id: Ica26c1e1b85a038c1187edfb3ec3691fcd429641
---
doc/guix.texi | 12 +++-
gnu/services/desktop.scm | 125 +++++++++++++++++++++++----------------
2 files changed, 83 insertions(+), 54 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 6844470ce2..d5d08ece78 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -49,7 +49,7 @@
Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@*
Copyright @copyright{} 2017, 2018, 2019, 2020, 2021, 2022 Marius Bakke@*
Copyright @copyright{} 2017, 2019, 2020, 2022 Hartmut Goebel@*
-Copyright @copyright{} 2017, 2019, 2020, 2021, 2022, 2023, 2024 Maxim Cournoyer@*
+Copyright @copyright{} 2017, 2019--2025 Maxim Cournoyer@*
Copyright @copyright{} 2017–2022 Tobias Geerinckx-Rice@*
Copyright @copyright{} 2017 George Clemmer@*
Copyright @copyright{} 2017 Andy Wingo@*
@@ -25649,6 +25649,12 @@ Desktop Services
package that should not be installed. By default, every polkit rule
added by any package referenced in the other fields are installed.
+@item @code{gnome-keyring-configuration} (type: gnome-keyring-configuration-or-#f)
+A <gnome-keyring-configuration> record used to better integrate the
+GNOME keyring with the system. Refer to the documentation of the
+@code{gnome-keyring-service-type} for more information. If you'd rather
+avoid integrating the GNOME keyring, you can set this to @code{#f}.
+
@end table
@end deftp
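Review bot: the new @item does not say what the default does, and the field is enabled by default, so existing gnome-desktop-service-type users get PAM changes without touching their configuration. State here that leaving the field at its default adds pam_gnome_keyring.so entries to the "gdm-password" and "passwd" PAM services, so readers know what setting it to #f turns off. The record name is also written as a bare <gnome-keyring-configuration>; wrap it in @code{} like the other identifiers in this table.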
@@ -26666,7 +26672,9 @@ Desktop Services
@defvar gnome-keyring-service-type
This is the type of the service that adds the
@uref{https://wiki.gnome.org/Projects/GnomeKeyring, GNOME Keyring}. Its
-value is a @code{gnome-keyring-configuration} object (see below).
+value is a @code{gnome-keyring-configuration} object (see below). Note
+that there is no need to use this service when using
+@code{gnome-desktop-service-type}, which includes it.
This service adds the @code{gnome-keyring} package to the system profile
and extends PAM with entries using @code{pam_gnome_keyring.so}, unlocking
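Review bot: the unchanged sentence right after the added note still says the service "adds the @code{gnome-keyring} package to the system profile", while this same patch drops that wording from the service description string in desktop.scm, where the service type only extends pam-root-service-type. Update or remove that sentence in this hunk so the manual and the description agree.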
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index ee05bd98db..39a9da6384 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -154,6 +154,7 @@ (define-module (gnu services desktop)
gnome-desktop-configuration-extra-packages
gnome-desktop-configuration-polkit-ignorelist
gnome-desktop-configuration-udev-ignorelist
+ gnome-desktop-configuration-gnome-keyring-configuration
gnome-desktop-service
gnome-desktop-service-type
@@ -1471,6 +1472,65 @@ (define sane-service-type
(service-extension account-service-type
(const %sane-accounts))))))
+
+;;;
+;;; gnome-keyring-service-type
+;;;
+
+(define-record-type* <gnome-keyring-configuration> gnome-keyring-configuration
+ make-gnome-keyring-configuration
+ gnome-keyring-configuration?
+ (keyring gnome-keyring-package (default gnome-keyring))
+ (pam-services gnome-keyring-pam-services (default '(("gdm-password" . login)
+ ("passwd" . passwd)))))
+
+(define (pam-gnome-keyring config)
+ ;; CONFIG may be either a <gnome-desktop-configuration> or a
+ ;; <gnome-keyring-configuration>> record, when using the
+ ;; gnome-keyring-service-type on its own.
+ (let ((config (if (gnome-desktop-configuration? config)
+ (gnome-desktop-configuration-gnome-keyring-configuration
+ config)
+ config)))
+ (match config
+ (#f '()) ;explicitly disabled by user
+ (_
+ (define (%pam-keyring-entry . arguments)
+ (pam-entry
+ (control "optional")
+ (module (file-append (gnome-keyring-package config)
+ "/lib/security/pam_gnome_keyring.so"))
+ (arguments arguments)))
+
+ (list
+ (pam-extension
+ (transformer
+ (lambda (service)
+ (case (assoc-ref (gnome-keyring-pam-services config)
+ (pam-service-name service))
+ ((login)
+ (pam-service
+ (inherit service)
+ (auth (append (pam-service-auth service)
+ (list (%pam-keyring-entry))))
+ (session (append (pam-service-session service)
+ (list (%pam-keyring-entry "auto_start"))))))
+ ((passwd)
+ (pam-service
+ (inherit service)
+ (password (append (pam-service-password service)
+ (list (%pam-keyring-entry))))))
+ (else service))))))))))
+
+(define gnome-keyring-service-type
+ (service-type
+ (name 'gnome-keyring)
+ (extensions (list
+ (service-extension pam-root-service-type pam-gnome-keyring)))
+ (default-value (gnome-keyring-configuration))
+ (description "Return a service, that extends PAM with entries using
+@code{pam_gnome_keyring.so}, unlocking a user's login keyring when they log in
+or setting its password with passwd.")))
;;;
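Review bot: pam-gnome-keyring now tests CONFIG with gnome-desktop-configuration? so that one procedure can serve two service types, which ties the keyring code to the desktop record. It would be simpler to keep it accepting only a <gnome-keyring-configuration> or #f and to unwrap the field where gnome-desktop-service-type declares its extension, for example (compose pam-gnome-keyring gnome-desktop-configuration-gnome-keyring-configuration). The comment has a stray ">" in "<gnome-keyring-configuration>>". Since entries are only added to the services named in pam-services ("gdm-password" and "passwd" by default), a comment saying that logins through other PAM services do not unlock the keyring would help.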
@@ -1479,6 +1539,10 @@ (define sane-service-type
(define-maybe/no-serialization package)
+(define (gnome-keyring-configuration-or-#f? value)
+ (or (gnome-keyring-configuration? value)
+ (not value)))
+
(define (extract-propagated-inputs package)
;; Drop input labels. Attempt to support outputs.
(map
@@ -1515,7 +1579,13 @@ (define-configuration/no-serialization gnome-desktop-configuration
(list-of-strings '())
"A list of regular expressions denoting polkit rules provided by any package
that should not be installed. By default, every polkit rule added by any package
-referenced in the other fields are installed."))
+referenced in the other fields are installed.")
+ (gnome-keyring-configuration
+ (gnome-keyring-configuration-or-#f (gnome-keyring-configuration))
+ "A <gnome-keyring-configuration> record used to better integrate the GNOME
+keyring with the system. Refer to the documentation of the
+@code{gnome-keyring-service-type} for more information. If you'd rather avoid
+integrating the GNOME keyring, you can set this to @code{#f}."))
(define (gnome-package gnome name)
"Return the package NAME among the GNOME package inputs. NAME can be a
@@ -1636,6 +1706,8 @@ (define gnome-desktop-service-type
(extensions
(list (service-extension udev-service-type
gnome-udev-configuration-files)
+ (service-extension pam-root-service-type
+ pam-gnome-keyring)
(service-extension polkit-service-type
gnome-polkit-settings)
(service-extension privileged-program-service-type
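Review bot: with this extension added, a system that already lists gnome-keyring-service-type next to gnome-desktop-service-type extends pam-root-service-type with pam-gnome-keyring twice, so the transformer appends the pam_gnome_keyring.so entries to the same PAM services two times. Nothing in the patch detects or prevents that. Either document that the standalone service must be dropped (or the new field set to #f) in that case, or guard against the duplicate entries.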
@@ -1972,57 +2044,6 @@ (define inputattach-service-type
(description "Return a service that runs inputattach on a device and
dispatches events from it.")))
-
-;;;
-;;; gnome-keyring-service-type
-;;;
-
-(define-record-type* <gnome-keyring-configuration> gnome-keyring-configuration
- make-gnome-keyring-configuration
- gnome-keyring-configuration?
- (keyring gnome-keyring-package (default gnome-keyring))
- (pam-services gnome-keyring-pam-services (default '(("gdm-password" . login)
- ("passwd" . passwd)))))
-
-(define (pam-gnome-keyring config)
- (define (%pam-keyring-entry . arguments)
- (pam-entry
- (control "optional")
- (module (file-append (gnome-keyring-package config)
- "/lib/security/pam_gnome_keyring.so"))
- (arguments arguments)))
-
- (list
- (pam-extension
- (transformer
- (lambda (service)
- (case (assoc-ref (gnome-keyring-pam-services config)
- (pam-service-name service))
- ((login)
- (pam-service
- (inherit service)
- (auth (append (pam-service-auth service)
- (list (%pam-keyring-entry))))
- (session (append (pam-service-session service)
- (list (%pam-keyring-entry "auto_start"))))))
- ((passwd)
- (pam-service
- (inherit service)
- (password (append (pam-service-password service)
- (list (%pam-keyring-entry))))))
- (else service)))))))
-
-(define gnome-keyring-service-type
- (service-type
- (name 'gnome-keyring)
- (extensions (list
- (service-extension pam-root-service-type pam-gnome-keyring)))
- (default-value (gnome-keyring-configuration))
- (description "Return a service, that adds the @code{gnome-keyring} package
-to the system profile and extends PAM with entries using
-@code{pam_gnome_keyring.so}, unlocking a user's login keyring when they log in
-or setting its password with passwd.")))
-
;;;
;;; polkit-wheel-service -- Allow wheel group to perform admin actions

base-commit: 1f26b0eec83b5dc949900a743ed01088cb093c65
--
2.48.1
Liliana Marie Prikler wrote 5 days ago
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 76864@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)(name . Vivien Kraus)(address . vivien@planete-kraus.eu)
ea0700330e25b9e3c6dc49bec5d71eb040acc043.camel@gmail.com
On Saturday, 08.03.2025 at 21:41 +0900, Maxim Cournoyer wrote:
> Previous to this change, GNOME users would have to manually add the
> gnome-keyring-service-type to their services to have a default login
> keyring created and unlocked at login time.  Some applications depend
> on a default keyring being available, prompt repeatedly for it, which
> is confusing and doesn't match user expectations, given most
> distributions use the GNOME keyring pam module to unlock the login
> keyring by default.
>
> * doc/guix.texi (Desktop Services): Update doc.
> * gnu/services/desktop.scm (<gnome-keyring-configuration>): Move
> above
> gnome-desktop-service-type, and streamline description.
> (pam-gnome-keyring): Return the empty list when CONFIG is #f.
> (gnome-desktop-configuration) [gnome-keyring-configuration]: New
> field.
>
> Change-Id: Ica26c1e1b85a038c1187edfb3ec3691fcd429641
> ---
SGTM

>  doc/guix.texi            |  12 +++-
>  gnu/services/desktop.scm | 125 +++++++++++++++++++++++--------------
> --
>  2 files changed, 83 insertions(+), 54 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 6844470ce2..d5d08ece78 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -49,7 +49,7 @@
>  Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@*
>  Copyright @copyright{} 2017, 2018, 2019, 2020, 2021, 2022 Marius
> Bakke@*
>  Copyright @copyright{} 2017, 2019, 2020, 2022 Hartmut Goebel@*
> -Copyright @copyright{} 2017, 2019, 2020, 2021, 2022, 2023, 2024
> Maxim Cournoyer@*
> +Copyright @copyright{} 2017, 2019--2025 Maxim Cournoyer@*
>  Copyright @copyright{} 2017–2022 Tobias Geerinckx-Rice@*
>  Copyright @copyright{} 2017 George Clemmer@*
>  Copyright @copyright{} 2017 Andy Wingo@*
> @@ -25649,6 +25649,12 @@ Desktop Services
>  package that should not be installed.  By default, every polkit rule
>  added by any package referenced in the other fields are installed.
>  
> +@item @code{gnome-keyring-configuration} (type: gnome-keyring-
> configuration-or-#f)
> +A <gnome-keyring-configuration> record used to better integrate the
> +GNOME keyring with the system.  Refer to the documentation of the
> +@code{gnome-keyring-service-type} for more information.  If you'd
> rather
> +avoid integrating the GNOME keyring, you can set this to @code{#f}.
> +
>  @end table
>  @end deftp
>  
> @@ -26666,7 +26672,9 @@ Desktop Services
>  @defvar gnome-keyring-service-type
>  This is the type of the service that adds the
>  @uref{https://wiki.gnome.org/Projects/GnomeKeyring, GNOME Keyring}. 
> Its
> -value is a @code{gnome-keyring-configuration} object (see below).
> +value is a @code{gnome-keyring-configuration} object (see below). 
> Note
> +that there is no need to use this service when using
> +@code{gnome-desktop-service-type}, which includes it.
>  
>  This service adds the @code{gnome-keyring} package to the system
> profile
>  and extends PAM with entries using @code{pam_gnome_keyring.so},
> unlocking
> diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
> index ee05bd98db..39a9da6384 100644
> --- a/gnu/services/desktop.scm
> +++ b/gnu/services/desktop.scm
> @@ -154,6 +154,7 @@ (define-module (gnu services desktop)
>              gnome-desktop-configuration-extra-packages
>              gnome-desktop-configuration-polkit-ignorelist
>              gnome-desktop-configuration-udev-ignorelist
> +            gnome-desktop-configuration-gnome-keyring-configuration
I would use a shorter name here. Perhaps gnome-desktop-configuration-keyring?


Cheers
Maxim Cournoyer wrote 5 days ago
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(name . Vivien Kraus)(address . vivien@planete-kraus.eu)(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 76864@debbugs.gnu.org)
87plirwphd.fsf@gmail.com
Hi Liliana,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

[...]

>> @@ -154,6 +154,7 @@ (define-module (gnu services desktop)
>>              gnome-desktop-configuration-extra-packages
>>              gnome-desktop-configuration-polkit-ignorelist
>>              gnome-desktop-configuration-udev-ignorelist
>> +            gnome-desktop-configuration-gnome-keyring-configuration
> I would use a shorter name here. Perhaps gnome-desktop-configuration-
> keyring?

While I agree the naming is a mouthful, I find it necessary to have it
descriptive enough that it conveys the odd situation where we are
embedding a configuration object in another configuration :-).

So I'd keep it as is, knowing it probably will be seldom typed in a user
operating system config file anyway.

--
Thanks,
Maxim
Liliana Marie Prikler wrote 5 days ago
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(name . Vivien Kraus)(address . vivien@planete-kraus.eu)(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 76864@debbugs.gnu.org)
d67cc8105ad4b16c6dacab6cb519eab827954309.camel@gmail.com
On Saturday, 08.03.2025 at 23:45 +0900, Maxim Cournoyer wrote:
> Hi Liliana,
>
> Liliana Marie Prikler <liliana.prikler@gmail.com> writes:
>
> [...]
>
> > > @@ -154,6 +154,7 @@ (define-module (gnu services desktop)
> > >              gnome-desktop-configuration-extra-packages
> > >              gnome-desktop-configuration-polkit-ignorelist
> > >              gnome-desktop-configuration-udev-ignorelist
> > > +            gnome-desktop-configuration-gnome-keyring-
> > > configuration
> > I would use a shorter name here.  Perhaps gnome-desktop-
> > configuration-
> > keyring?
>
> While I agree the naming is a mouthful, I find it necessary to have
> it descriptive enough that it conveys the odd situation where we are
> embedding a configuration object in another configuration :-).
>
> So I'd keep it as is, knowing it probably will be seldom typed in a
> user operating system config file anyway.
For the field name adding -configuration is fine, but the accessor
should really be shorter. Compare slim-configuration-xorg or 
gdm-configuration-xorg :)

Cheers
Maxim Cournoyer wrote 4 days ago
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(name . Vivien Kraus)(address . vivien@planete-kraus.eu)(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 76864-done@debbugs.gnu.org)
877c4yu0yx.fsf@gmail.com
Hi,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

[...]

>> While I agree the naming is a mouthful, I find it necessary to have
>> it descriptive enough that it conveys the odd situation where we are
>> embedding a configuration object in another configuration :-).
>>
>> So I'd keep it as is, knowing it probably will be seldom typed in a
>> user operating system config file anyway.
> For the field name adding -configuration is fine, but the accessor
> should really be shorter. Compare slim-configuration-xorg or 
> gdm-configuration-xorg :)

OK, these existing precedents are enough to sway my opinion. Renamed to
just '-keyring' and pushed!

Thanks for the review.

--
Thanks,
Maxim
Closed