Bug#1035061: gnome-keyring: prevents chrome/chromium from running on a new account's first run
I reported the issue upstream: https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/137
Bug#1035061: gnome-keyring: prevents chrome/chromium from running on a new account's first run
I can confirm that the bug also impacts Kali Linux (which is a rolling distro based on Debian testing). I tested the XFCE desktop (x11), and GNOME desktop (both x11 and wayland). A reboot is enough to fix the issue.

Here's what it looks like on the bus for the first boot:

    $ gdbus introspect --session -d org.freedesktop.secrets \
        -o /org/freedesktop/secrets/collection --recurse | grep node
    node /org/freedesktop/secrets/collection {
      node /org/freedesktop/secrets/collection/session {

And now on the second boot:

    $ gdbus introspect --session -d org.freedesktop.secrets \
        -o /org/freedesktop/secrets/collection --recurse | grep node
    node /org/freedesktop/secrets/collection {
      node /org/freedesktop/secrets/collection/session {
      node /org/freedesktop/secrets/collection/login {

It confirms what was said above: collection/login is not published on the bus during first boot.

I enabled G_MESSAGES_DEBUG=all for the gnome-keyring-daemon, and we can see the difference. Here's first boot:

    Nov 29 03:35:52 kali gnome-keyring-d[758]: Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
    Nov 29 03:35:52 kali gnome-keyring-d[758]: couldn't set environment variable in session: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
    Nov 29 03:35:52 kali gnome-keyring-d[758]: keyring alias directory: /home/kali/.local/share/keyrings
    Nov 29 03:35:52 kali gnome-keyring-d[758]: closing prompt
    Nov 29 03:35:52 kali gnome-keyring-d[758]: matching: (1) [ { CKA_CLASS = 0xC74E4DB3 } ]
    Nov 29 03:35:52 kali gnome-keyring-d[758]: matching: (2) [ { CKA_CLASS = CKO_SECRET_KEY }, { CKA_0xC74E4E1B = (7) NOT-PRINTED } ]
    Nov 29 03:35:52 kali gnome-keyring-d[758]: initialization complete
    Nov 29 03:35:52 kali gnome-keyring-d[758]: matching: (3) [ { CKA_CLASS = 0xC74E4DB3 }, { CKA_TOKEN = (1) "\x01" }, { CKA_ID = (5) "login" } ]
    Nov 29 03:35:52 kali gnome-keyring-d[758]: gkm_store_get_attribute: CKR_ATTRIBUTE_TYPE_INVALID: CKA_ID not in schema
    Nov 29 03:35:52 kali gnome-keyring-d[758]: gkm_object_real_get_attribute: CKR_ATTRIBUTE_TYPE_INVALID: no CKA_ID attribute
    Nov 29 03:35:52 kali gnome-keyring-d[758]: created object: (4) [ { CKA_CLASS = 0xC74E4DA9 }, { CKA_VALUE = (4) NOT-PRINTED }, { CKA_0xC74E4E0E = (1) NOT-PRINTED }, { CKA_TOKEN = (1) "\x01" } ]
    Nov 29 03:35:52 kali gnome-keyring-d[758]: created object: (5) [ { CKA_CLASS = 0xC74E4DB3 }, { CKA_ID = (5) "login" }, { CKA_0xC74E4E11 = (8) NOT-PRINTED }, { CKA_TOKEN = (1) "\x01" }, { CKA_LABEL = (5) "Login" } ]
    Nov 29 03:35:52 kali gnome-keyring-d[758]: refresh_with_login: refreshing: /home/kali/.local/share/keyrings/user.keystore
    Nov 29 03:35:52 kali gnome-keyring-d[758]: refresh_with_login: closing: /home/kali/.local/share/keyrings/user.keystore
    Nov 29 03:35:52 kali gnome-keyring-d[758]: begin_lock_file: modifying: /home/kali/.local/share/keyrings/user.keystore
    Nov 29 03:35:52 kali gnome-keyring-d[758]: complete_lock_file: closing: /home/kali/.local/share/keyrings/user.keystore

Now second boot:

    Nov 29 03:40:18 kali gnome-keyring-d[751]: Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
    Nov 29 03:40:18 kali gnome-keyring-d[751]: couldn't set environment variable in session: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
    Nov 29 03:40:18 kali gnome-keyring-d[751]: keyring alias directory: /home/kali/.local/share/keyrings
    Nov 29 03:40:18 kali gnome-keyring-d[751]: closing prompt
    Nov 29 03:40:18 kali gnome-keyring-d[751]: matching: (1) [ { CKA_CLASS = 0xC74E4DB3 } ]
    Nov 29 03:40:18 kali gnome-keyring-d[751]: matching: (2) [ { CKA_CLASS = CKO_SECRET_KEY }, { CKA_0xC74E4E1B = (7) NOT-PRINTED } ]
    Nov 29 03:40:18 kali gnome-keyring-d[751]: matching: (2) [ { CKA_CLASS = CKO_SECRET_KEY }, { CKA_0xC74E4E1B = (5) NOT-PRINTED } ]
    Nov 29 03:40:18 kali gnome-keyring-d[751]: initialization complete
    Nov 29 03:40:18 kali gnome-keyring-d[751]: matching: (3) [ { CKA_CLASS = 0xC74E4DB3 }, { CKA_TOKEN = (1) "\x01" }, { CKA_ID = (5) "login" } ]
    Nov 29 03:40:18 kali gnome-keyring-d[751]: gkm_store_get_attribute: CKR_ATTRIBUTE_TYPE_INVALID: CKA_ID not in schema
    Nov 29 03:40:18 kali gnome-keyring-d[751]: gkm_object_real_get_attribute: CKR_ATTRIBUTE_TYPE_INVALID: no CKA_ID attribute
    Nov 29 03:40:18 kali gnome-keyring-d[751]: created object: (5) [ { CKA_CLASS = 0xC74E4DA9 }, { CKA_VALUE = (4) NOT-PRINTED }, { CKA_0xC74E4E0E = (1) NOT-PRINTED }, { CKA_TOKEN = (1) "\x01" }, { CKA_0xC74E4E0F = (8) NOT-PRINTED } ]
    Nov 29 03:40:18 kali gnome-keyring-d[751]: refresh_with_login: refreshing: /home/kali/.local/share/keyrings/user.keystore
    Nov 29 03:40:18 kali gnome-keyring-d[751]: refresh_with_login: closing: /home/kali/.local/share/keyrings/user.keystore

We can see that there's one m
Bug#1035061: gnome-keyring: prevents chrome/chromium from running on a new account's first run
On Sun, 07 May 2023 at 03:11:12 -0400, Andres Salomon wrote:
> 7. Dbus (not gnome-keyring) responds back with a DBus.Error.UnknownMethod:
> Object does not exist at path "/org/freedesktop/secrets/collection/login"

The message bus (dbus-daemon or dbus-broker) does not know whether gnome-keyring implements a particular object-path or not. All it does with these messages is to forward messages from Chromium to gnome-keyring, and forward the replies back to Chromium.

The typical source of an "object does not exist" error is this:

- the service (in this case gnome-keyring) has told its D-Bus library implementation (usually dbus' libdbus, GLib's GDBus or systemd's sd-bus) that it wants to export some list of objects

- the service has *not* told its D-Bus library implementation what it wants to export at /org/freedesktop/secrets/collection/login; or maybe it has exported an object at that path and then unexported it again

- the D-Bus library implementation receives the message from Chromium, looks up the destination object, doesn't find one, and replies "object does not exist" on behalf of the service

In this case, the message "Object does not exist at path “%s”" is part of GLib's GDBus code, which is reasonably strong evidence that gnome-keyring is using GDBus; but it's gnome-keyring that is responsible for telling GDBus to export whatever objects it intends to have in its API, because GDBus has no other way to know what API gnome-keyring was meant to have.

    smcv
Bug#1035061: gnome-keyring: prevents chrome/chromium from running on a new account's first run
Oh, this also breaks Geary as well; it fails to start with an error about no such secret collection at path /org/freedesktop/secrets/collection/login.
Bug#1035061: gnome-keyring: prevents chrome/chromium from running on a new account's first run
Control: affects -1 chromium

On Fri, 28 Apr 2023 10:35:16 -0400 Harold Grove wrote:
> Package: gnome-keyring
> Version: 42.1-1+b2
> Severity: normal
> X-Debbugs-Cc: rgr...@rsu20.org
>
> Dear Maintainer,
>
> On a new account, gnome-keyring seems to prevent the first run of both Google
> Chrome and Chromium. Restarting gnome-keyring-daemon.service works but requires
> another unlock of the keyring. After this, Chrome/Chromium launches as
> expected.
> Thanks
>

In debugging this, I see the following happening on the dbus session:

1. Chromium asks for (and receives) the owner for org.freedesktop.secrets
2. Chromium calls Properties.GetAll("org.freedesktop.Secret.Service")
3. gnome-keyring sends back a dict Collections [ "/org/freedesktop/secrets/collection/login", "/org/freedesktop/secrets/collection/session"]
4. Chromium calls org.freedesktop.SecretService.OpenSession()
5. gnome-keyring sends back a (fingerprint? and) session path "/org/freedesktop/secrets/session/s19"
6. Chromium calls org.freedesktop.Secret.Collection.CreateItem(), passing it an Item label, the session path, and some other stuff.
7. Dbus (not gnome-keyring) responds back with a DBus.Error.UnknownMethod: Object does not exist at path "/org/freedesktop/secrets/collection/login"

This is pretty easily reproducible on a fresh bookworm install in a VM (I used the xfce desktop task); however, it only occurs on the first boot. After rebooting (or restarting gnome-keyring I guess?), dbus won't report the above error and chromium will start successfully.
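
Added example, not part of the thread: a shell check for the mismatch in steps 3 and 7 above and in the explanation of GDBus's "object does not exist" reply. It compares the collections the service advertises in its `Collections` property with the object paths it actually exports. The function names and the `--live` switch are assumptions of this sketch, and the sample texts are constructed to mirror the first-boot and second-boot states reported in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Function names and the --live switch
# are hypothetical; the sample texts below are constructed.

# Object paths in a GVariant reply such as (<[objectpath '/a', '/b']>,)
advertised_paths() {
    tr ',' '\n' | sed -n "s|.*'\(/[^']*\)'.*|\1|p" | sort -u
}

# Object paths from "node /path {" lines of `gdbus introspect --recurse`.
exported_paths() {
    sed -n 's|^[[:space:]]*node[[:space:]][[:space:]]*\(/[^[:space:]]*\)[[:space:]]*{.*$|\1|p' | sort -u
}

# Print each advertised path that has no exported object (one per line).
missing_collections() {
    _adv=$(printf '%s\n' "$1" | advertised_paths)
    _exp=$(printf '%s\n' "$2" | exported_paths)
    for _p in $_adv; do
        printf '%s\n' "$_exp" | grep -qxF -- "$_p" || printf '%s\n' "$_p"
    done
}

# Constructed samples mirroring the states reported in the thread.
SAMPLE_ADVERTISED="(<[objectpath '/org/freedesktop/secrets/collection/login', '/org/freedesktop/secrets/collection/session']>,)"
SAMPLE_FIRST_BOOT='node /org/freedesktop/secrets/collection {
  node /org/freedesktop/secrets/collection/session {'
SAMPLE_SECOND_BOOT="$SAMPLE_FIRST_BOOT
  node /org/freedesktop/secrets/collection/login {"

if [ "${1:-}" = "--live" ]; then
    # Query the running session bus instead of the samples.
    adv=$(gdbus call --session -d org.freedesktop.secrets \
        -o /org/freedesktop/secrets \
        -m org.freedesktop.DBus.Properties.Get \
        org.freedesktop.Secret.Service Collections)
    intro=$(gdbus introspect --session -d org.freedesktop.secrets \
        -o /org/freedesktop/secrets/collection --recurse)
    missing_collections "$adv" "$intro"
else
    echo "first boot, advertised but not exported:"
    missing_collections "$SAMPLE_ADVERTISED" "$SAMPLE_FIRST_BOOT"
fi
```

Any path it prints is one a client such as Chromium will be told about and then fail to call.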
Bug#1035061: gnome-keyring: prevents chrome/chromium from running on a new account's first run
Package: gnome-keyring
Version: 42.1-1+b2
Severity: normal
X-Debbugs-Cc: rgr...@rsu20.org

Dear Maintainer,

On a new account, gnome-keyring seems to prevent the first run of both Google Chrome and Chromium. Restarting gnome-keyring-daemon.service works but requires another unlock of the keyring. After this, Chrome/Chromium launches as expected.
Thanks

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-7-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-keyring depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.14.6-1
ii  dbus-x11 [dbus-session-bus]                   1.14.6-1
ii  dconf-gsettings-backend [gsettings-backend]   0.40.0-4
ii  gcr                                           3.41.1-1+b1
ii  init-system-helpers                           1.65.2
ii  libc6                                         2.36-9
ii  libgck-1-0                                    3.41.1-1+b1
ii  libgcr-base-3-1                               3.41.1-1+b1
ii  libgcrypt20                                   1.10.1-3
ii  libglib2.0-0                                  2.74.6-2
ii  libsystemd0                                   252.6-1
ii  p11-kit                                       0.24.1-2
ii  pinentry-gnome3                               1.2.1-1

Versions of packages gnome-keyring recommends:
ii  gnome-keyring-pkcs11  42.1-1+b2
ii  libpam-gnome-keyring  42.1-1+b2

gnome-keyring suggests no packages.

-- no debconf information