I can confirm that the bug also impact Kali Linux (which is a rolling
distro based on Debian testing).
I tested the XFCE desktop (x11), and GNOME desktop (both x11 and
wayland). A reboot is enough to fix the issue.
Here's how it looks like on the bus for the first boot:
$ gdbus introspect --session -d org.freedesktop.secrets \
-o /org/freedesktop/secrets/collection --recurse | grep node
node /org/freedesktop/secrets/collection {
node /org/freedesktop/secrets/collection/session {
And now on the second boot:
$ gdbus introspect --session -d org.freedesktop.secrets \
-o /org/freedesktop/secrets/collection --recurse | grep node
node /org/freedesktop/secrets/collection {
node /org/freedesktop/secrets/collection/session {
node /org/freedesktop/secrets/collection/login {
It confirms what was said above: collection/login is not published on
the bus during first boot.
I enabled G_MESSAGES_DEBUG=all for the gnome-keyring-daemon, and we can
see the difference.
Here's first boot:
Nov 29 03:35:52 kali gnome-keyring-d[758]: Using cross-namespace
EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
Nov 29 03:35:52 kali gnome-keyring-d[758]: couldn't set environment
variable in session:
GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name
org.gnome.SessionManager was not provided by any .service files
Nov 29 03:35:52 kali gnome-keyring-d[758]: keyring alias directory:
/home/kali/.local/share/keyrings
Nov 29 03:35:52 kali gnome-keyring-d[758]: closing prompt
Nov 29 03:35:52 kali gnome-keyring-d[758]: matching: (1) [ { CKA_CLASS =
0xC74E4DB3 } ]
Nov 29 03:35:52 kali gnome-keyring-d[758]: matching: (2) [ { CKA_CLASS =
CKO_SECRET_KEY }, { CKA_0xC74E4E1B = (7) NOT-PRINTED } ]
Nov 29 03:35:52 kali gnome-keyring-d[758]: initialization complete
Nov 29 03:35:52 kali gnome-keyring-d[758]: matching: (3) [ { CKA_CLASS =
0xC74E4DB3 }, { CKA_TOKEN = (1) "\x01" }, { CKA_ID = (5) "login" } ]
Nov 29 03:35:52 kali gnome-keyring-d[758]: gkm_store_get_attribute:
CKR_ATTRIBUTE_TYPE_INVALID: CKA_ID not in schema
Nov 29 03:35:52 kali gnome-keyring-d[758]:
gkm_object_real_get_attribute: CKR_ATTRIBUTE_TYPE_INVALID: no CKA_ID
attribute
Nov 29 03:35:52 kali gnome-keyring-d[758]: created object: (4) [ {
CKA_CLASS = 0xC74E4DA9 }, { CKA_VALUE = (4) NOT-PRINTED }, {
CKA_0xC74E4E0E = (1) NOT-PRINTED }, { CKA_TOKEN = (1) "\x01" } ]
Nov 29 03:35:52 kali gnome-keyring-d[758]: created object: (5) [ {
CKA_CLASS = 0xC74E4DB3 }, { CKA_ID = (5) "login" }, { CKA_0xC74E4E11 =
(8) NOT-PRINTED }, { CKA_TOKEN = (1) "\x01" }, { CKA_LABEL = (5)
"Login" } ]
Nov 29 03:35:52 kali gnome-keyring-d[758]: refresh_with_login:
refreshing: /home/kali/.local/share/keyrings/user.keystore
Nov 29 03:35:52 kali gnome-keyring-d[758]: refresh_with_login: closing:
/home/kali/.local/share/keyrings/user.keystore
Nov 29 03:35:52 kali gnome-keyring-d[758]: begin_lock_file: modifying:
/home/kali/.local/share/keyrings/user.keystore
Nov 29 03:35:52 kali gnome-keyring-d[758]: complete_lock_file: closing:
/home/kali/.local/share/keyrings/user.keystore
Now second boot:
Nov 29 03:40:18 kali gnome-keyring-d[751]: Using cross-namespace
EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
Nov 29 03:40:18 kali gnome-keyring-d[751]: couldn't set environment
variable in session:
GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name
org.gnome.SessionManager was not provided by any .service files
Nov 29 03:40:18 kali gnome-keyring-d[751]: keyring alias directory:
/home/kali/.local/share/keyrings
Nov 29 03:40:18 kali gnome-keyring-d[751]: closing prompt
Nov 29 03:40:18 kali gnome-keyring-d[751]: matching: (1) [ { CKA_CLASS =
0xC74E4DB3 } ]
Nov 29 03:40:18 kali gnome-keyring-d[751]: matching: (2) [ { CKA_CLASS =
CKO_SECRET_KEY }, { CKA_0xC74E4E1B = (7) NOT-PRINTED } ]
Nov 29 03:40:18 kali gnome-keyring-d[751]: matching: (2) [ { CKA_CLASS =
CKO_SECRET_KEY }, { CKA_0xC74E4E1B = (5) NOT-PRINTED } ]
Nov 29 03:40:18 kali gnome-keyring-d[751]: initialization complete
Nov 29 03:40:18 kali gnome-keyring-d[751]: matching: (3) [ { CKA_CLASS =
0xC74E4DB3 }, { CKA_TOKEN = (1) "\x01" }, { CKA_ID = (5) "login" } ]
Nov 29 03:40:18 kali gnome-keyring-d[751]: gkm_store_get_attribute:
CKR_ATTRIBUTE_TYPE_INVALID: CKA_ID not in schema
Nov 29 03:40:18 kali gnome-keyring-d[751]:
gkm_object_real_get_attribute: CKR_ATTRIBUTE_TYPE_INVALID: no CKA_ID
attribute
Nov 29 03:40:18 kali gnome-keyring-d[751]: created object: (5) [ {
CKA_CLASS = 0xC74E4DA9 }, { CKA_VALUE = (4) NOT-PRINTED }, {
CKA_0xC74E4E0E = (1) NOT-PRINTED }, { CKA_TOKEN = (1) "\x01" }, {
CKA_0xC74E4E0F = (8) NOT-PRINTED } ]
Nov 29 03:40:18 kali gnome-keyring-d[751]: refresh_with_login:
refreshing: /home/kali/.local/share/keyrings/user.keystore
Nov 29 03:40:18 kali gnome-keyring-d[751]: refresh_with_login: closing:
/home/kali/.local/share/keyrings/user.keystore
We can see that there's one more created object on first boot, with a
label of "Login".
So it looks to me that, on first boot, the gnome-keyring-daemon creates
the login keyring, however the change is not published on the bus. And
after looking at the code a few hours, it doesn't look like there's a
one-line fix, rather it looks like the scenario of updating the
collections on the bus is not supported (my reading of the code, might
be wrong).
One additional detail: you'd think that a restart of
gnome-keyring-daemon is enough to fix it, but not exactly. If I restart
it (via systemd --user), and then I start chromium, GNOME prompts me for
my password, saying "The login keyring did not get unlocked when you
logged into your computer". However I can just click cancel, and then
chromium proceeds and starts successfully.
--
Arnaud Rebillout / OffSec / Kali Linux Developer
