diff --git a/README.md b/README.md new file mode 100644 index 0000000..d9c21e9 --- /dev/null +++ b/README.md 
@@ -0,0 +1,113 @@ +# gnome keyring patches for Ubuntu 22.04 + +The Gnome keyring (at the time of writing, version 40.0) running on Ubuntu +version 22.04 has a fairly egregious UI flaw ā€“ when unlocking keyrings, it +*pre-selects* the less secure option of "Automatically unlock this keyring +whenever I'm logged in", and if you accidentally *do* leave that option +selected, it's quite difficult to undo. + +If you encounter the bug and try to work out what Gnome component is causing the +problem, you might do a process listing and discover that the program displaying +the "unlock" prompt seems to be `/usr/libexec/gcr-prompter`, part of the Gnome +[gcr][gcr] package,[^gcr] and you might guess that the responsible code is +somewhere in that package (maybe in the `gcr` or `ui` directories). +However, *that's not where the bug lies*. The gcr-prompter seems to be a fairly +"dumb" UI widget, and the flawed logic is in the Gnome keyring component, which +creates the gcr widget (and presumably the `gcr-prompter` process?) in some +mysterious way (probably via dbus, but I can't be bothered to wade through the +source to find out exactly). + +[gcr]: https://gitlab.gnome.org/GNOME/gcr + +[^gcr]: What the abbreviation "gcr" stands for is unclear, but + probably "**G**nome **cr**yptography services". + +Below are some historical details about the bug, then instructions on how to +rebuild the Ubuntu .deb packages for the Gnome keyring (plus related packages) +incorporating a patch by [Atul Anand][atul] which fixes the issue. +And if you happen to be running Ubuntu 22.04 (or +a distro using the 22.04 repos, like Linux Mint 21.2) on an x86-64 machine, +you can use the .deb files on the "Releases" page of this repo. 
+ +## Background (feel free to skip) + +This bug was reported on Gnome's Bugzilla instance in [Bug 725641][bugz-725641] +in 2014, and a fix created by [Atul Anand][atul] in 2016, but the fix has never +been incorporated by the Gnome keyring maintainer, [Niels De Graef][niels] +([`@nielsdg`][nielsdg]). + +[atul]: https://github.com/atulhjp +[bugz-725641]: https://bugzilla.gnome.org/show_bug.cgi?id=725641 +[niels]: https://nielsdg.pages.gitlab.gnome.org/development-blog/about/ +[nielsdg]: https://gitlab.gnome.org/nielsdg + +Gnome's bugzilla closed down, and the bug got transferred by Niels to the Gnome +GitLab instance as [issue #46][gl-issue-46] in the "gcr" package (not actually where +the bug lies, so far as I can tell) in March 2014. + +[gl-issue-46]: https://gitlab.gnome.org/GNOME/gcr/-/issues/46 + +Gnome keyring [issue #7][gl-issue-7], filed in 2018, points out that the issue +still hasn't been fixed, and mentions some related bugs: + +- 2014 ["Automatically unlock this keyring whenever I'm logged in" should be unchecked by default](https://bugzilla.gnome.org/show_bug.cgi?id=740734) +- 2009 ["Automatically unlock when I log in" considered harmful](https://bugzilla.gnome.org/show_bug.cgi?id=576676) + +[gl-issue-7]: https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/7 + +In [Merge request #38][gl-mreq-38] (from May 2021), a fix is again supplied, +this time by [Ryan Hendrickson][ryan], but it still hasn't been merged, and in a +[March 2023 post][disc-post] to Gnome's Discourse instance, Ryan wonders why, +but doesn't get any terribly good answers. (Other than "contact the maintainer" ā€“ +but if filing issues and proposing merge requests isn't a good way of +contacting a maintainer, then why on earth have them at all?) + +[ryan]: https://github.com/rhendric +[gl-mreq-38]: https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/38 +[disc-post]: https://discourse.gnome.org/t/aging-gnome-keyring-mr-needs-review/14335 + +Anyway. 
Below are steps to re-build the .deb packages with Atul's fix incorporated. + +If you install these, you'll have to "hold" the Gnome keyring packages at their current +version, and forego any new versions arriving from upstream -- but if the last +nine years are any guide, you won't be missing anything much. + +## Steps to re-build .deb packages + +These steps verified for Ubuntu 22.04 (Jammy) ā€“ probably they can be adapted +for other Ubuntu versions. + +1. Make a fresh directory somewhere, in which the Ubuntu source and .deb + files will end up. It'll be cleaner to do this inside a Docker container, + so that you don't clutter your system with the build dependencies of + gnome-keyring. + + Anyhow, `cd` into your directory, and + + ``` + $ sudo apt-get update + $ apt-get source gnome-keyring + $ sudo apt-get build-dep gnome-keyring + $ sudo apt-get install fakeroot build-essential devscripts quilt + ``` + +2. Running `apt-get source` will create a directory `gnome-keyring_40.0`, as + well files with extensions `.dsc`, `.orig.tar.xz`, and `.debian.tar.xz`. + The `.orig.tar.xz` file gets extracted into the directory, and the patches + in the `.debian.tar.xz` file get automatically applied. + +3. We first want to un-apply the debian patches, so we can insert our own + patch into them, and then apply the whole lot at once. So cd into + `gnome-keyring_40.0` run `quilt pop -a`, and you should see a bunch of + messages about removing patches and restoring files, ending with "No patches applied". + +4. Apply the patches from this repo -- `git apply /path/to/repo/ui_fixes.patch`, + which adds a new patch in `debian/patches`, and then apply all the + patches with `quilt push -a`. + + (Is all this necessary? idk. Probably. Could it be made + simpler? Also probably.) + +5. Run `DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -us -uc`, and your .deb + (and .ddeb) packages will be built. + diff --git a/ui_fixes.patch b/ui_fixes.patch new file mode 100644 index 0000000..c28fcda 
--- /dev/null +++ b/ui_fixes.patch 
@@ -0,0 +1,62 @@ +diff --git a/debian/patches/99_fix-prompt.patch b/debian/patches/99_fix-prompt.patch +new file mode 100644 +index 0000000..0794a03 +--- /dev/null ++++ b/debian/patches/99_fix-prompt.patch +@@ -0,0 +1,46 @@ ++From: atul ++Date: Tue Feb 2 04:09:10 2016 +0530 ++Subject: fix keyring prompt ++ ++ Bug 725641 ++--- ++ pkcs11/wrap-layer/gkm-wrap-prompt.c | 10 ++-------- ++ 1 file changed, 2 insertions(+), 8 deletions(-) ++ ++diff --git a/pkcs11/wrap-layer/gkm-wrap-prompt.c b/pkcs11/wrap-layer/gkm-wrap-prompt.c ++index 576cfc2..c720937 100644 ++--- a/pkcs11/wrap-layer/gkm-wrap-prompt.c +++++ b/pkcs11/wrap-layer/gkm-wrap-prompt.c ++@@ -511,16 +511,8 @@ get_unlock_options_from_prompt (GkmWrapPrompt *self, CK_ULONG_PTR n_options) ++ static void ++ set_unlock_options_on_prompt (GkmWrapPrompt *self, CK_ATTRIBUTE_PTR options, CK_ULONG n_options) ++ { ++- gboolean chosen = FALSE; ++- gboolean bval; ++- ++ g_assert (GKM_IS_WRAP_PROMPT (self)); ++ g_assert (options || !n_options); ++- ++- if (gkm_attributes_find_boolean (options, n_options, CKA_GNOME_TRANSIENT, &bval)) ++- chosen = bval; ++- ++- gcr_prompt_set_choice_chosen (GCR_PROMPT (self), chosen); ++ } ++ ++ static CK_ATTRIBUTE_PTR ++@@ -606,6 +598,7 @@ setup_unlock_keyring_other (GkmWrapPrompt *self, ++ { ++ GcrPrompt *prompt; ++ const gchar *choice; +++ const gboolean chosen = FALSE; ++ gchar *text; ++ ++ g_assert (GKM_IS_WRAP_PROMPT (self)); ++@@ -622,6 +615,7 @@ setup_unlock_keyring_other (GkmWrapPrompt *self, ++ if (gkm_wrap_login_is_usable ()) ++ choice = _("Automatically unlock this keyring whenever Iā€™m logged in"); ++ gcr_prompt_set_choice_label (prompt, choice); +++ gcr_prompt_set_choice_chosen (GCR_PROMPT(self), chosen); ++ gcr_prompt_set_continue_label (prompt, _("Unlock")); ++ } ++ +diff --git a/debian/patches/series b/debian/patches/series +index 4e83944..527b97e 100644 +--- a/debian/patches/series ++++ b/debian/patches/series +@@ -2,4 +2,5 @@ 
egg-secure-memory-Allocate-enough-space-for-the-guard-poi.patch + egg-secure-memory-Add-a-warning-if-gnome-keyring-36-happe.patch + 03_kfreebsd.patch + 05_skip-known-test-failures.patch ++99_fix-prompt.patch + git_ssh_arm.patch
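Review bot: In README.md, steps 2 and 3 name the extracted source directory `gnome-keyring_40.0`, but `apt-get source` unpacks into `<package>-<upstream version>`, so the directory to `cd` into is `gnome-keyring-40.0`; the underscore form is only used for the `.dsc`, `.orig.tar.xz` and `.debian.tar.xz` file names. Two further points on the same file: the intro points readers at prebuilt .deb files on the Releases page while step 5 builds with `-us -uc` (unsigned), so the README should list SHA-256 sums for the released files or say how to verify them; and the paragraph about holding the packages gives no command, where `sudo apt-mark hold <package>` for each rebuilt package would make it actionable. The Background section also dates the move to GitLab issue #46 to March 2014, which precedes both the 2016 fix and the Bugzilla shutdown it describes, so that date should be rechecked.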
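Review bot: In debian/patches/99_fix-prompt.patch, the first hunk leaves `set_unlock_options_on_prompt` as two assertions and nothing else, so a `CKA_GNOME_TRANSIENT` value passed in `options` is now silently ignored, and the only place the choice is explicitly unchecked is `setup_unlock_keyring_other`. Please confirm that every other prompt setup path that used to rely on this function still ends up with the box unchecked, and leave a comment in the emptied function saying that it is intentionally a no-op (or remove it if its callers allow). In the second hunk, the added call passes `GCR_PROMPT(self)` although the function already has the local `prompt` used by the neighbouring `gcr_prompt_set_choice_label (prompt, choice)` call, and the new `const gboolean chosen = FALSE;` local adds nothing; `gcr_prompt_set_choice_chosen (prompt, FALSE);` matches the surrounding style and is easier to read. The patch header would also benefit from DEP-3 style fields, with the upstream report given as a full URL (https://bugzilla.gnome.org/show_bug.cgi?id=725641) rather than the bare "Bug 725641".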
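Review bot: In debian/patches/series, `99_fix-prompt.patch` is inserted before `git_ssh_arm.patch` rather than at the end of the file. quilt applies patches in the order they appear in `series`, not by numeric prefix, so the new patch is applied second to last despite the `99_` name. Nothing visible here shows that the two patches touch the same file, so this may be harmless, but appending the new entry as the last line keeps the distro patches applying exactly as before and makes the local addition easy to spot and drop when refreshing against a new upstream version.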