pak icon indicating copy to clipboard operation
pak copied to clipboard
verified publisher icon r-lib

Auth: `Aborted setting keyring password` error in pak when also using the `keyring` package on Linux

Open glin opened this issue 1 year ago • 4 comments

I was testing compatibility between pak and a separately installed keyring package on each OS, and found Windows/macOS to work perfectly. You can set credentials using keyring and retrieve/override them with pak, and vice-versa.

I am getting errors trying the same on Linux though, with Ubuntu and the file backend. It looks like pak may be trying to prompt for a keyring password but something goes wrong?

I have not tested the secret service backend because the Gnome Keyring docs are just totally confusing on how you actually run it IMO 😅

Here are repro steps with docker. If there are issues with docker here, I did also repro the issue on my Ubuntu 22 host.

# R 4.4, Ubuntu 24
docker run -it --rm rstudio/r-base:4.4-noble bash

# Install nightly pak
R -e 'install.packages("pak", repos = sprintf(
  "https://r-lib.github.io/p/pak/devel/%s/%s/%s",
  .Platform$pkgType,
  R.Version()$os,
  R.Version()$arch
))'

R

pak::pkg_install("keyring")

keyring::key_set_with_value("http://localhost", username = "user", password = "pass")
# The 'system' keyring does not exist, enter a keyring password to create it:  
# 🔑 <I just hit enter here>
#  OK
keyring::key_get("http://localhost", username = "user")
# pass

pak::repo_auth_key_get("http://localhost", username = "user")
# Error: 
# ! error in pak subprocess
# Caused by error in `b__file_set_keyring_pass(self, private, key, keyring)`:
# ! Aborted setting keyring password
# Type .Last.error to see the more details.

pak::repo_auth_key_set("http://localhost", username = "user", password = "pass")
# Error: 
# ! error in pak subprocess
# Caused by error in `b__file_set_keyring_pass(self, private, key, keyring)`:
# ! Aborted setting keyring password
# Type .Last.error to see the more details.

And if I redo this without using keyring, pak works fine:

pak::repo_auth_key_set("http://localhost", username = "user", password = "pass")
pak::repo_auth_key_get("http://localhost", username = "user")
# pass

glin avatar Mar 05 '25 02:03 glin

The CRAN version of keyring uses the "file" backend by default, even if the (default) keyring file does not exist. I changed this in the dev version of keyring, which will be released very soon.

gaborcsardi avatar Mar 11 '25 11:03 gaborcsardi

With the dev version I get:

R -e 'pak::pkg_install("r-lib/keyring")'

> keyring::key_set_with_value("http://localhost", username = "user", password = "pass")
Warning message:
In default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables
> keyring::key_get("http://localhost", username = "user")
[1] "pass"
Warning message:
In default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables
> pak::repo_auth_key_get("http://localhost", username = "user")
[1] "pass"

Using the env backend is also not so great, e.g.

> pak::repo_auth_key_set("http://localhost", username = "user", password = "pass2")
> keyring::key_get("http://localhost", username = "user")
[1] "pass"
Warning message:
In default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables
> pak::repo_auth_key_get("http://localhost", username = "user")
[1] "pass2"

I think I can improve this.

gaborcsardi avatar Mar 11 '25 13:03 gaborcsardi

For the record, these are the supported backends:

  • Windows credential store,
  • macOS Keychain,
  • Linux Secret Service via libsecret, if built with libsecret support,
  • environment variables.

https://pak.r-lib.org/dev/reference/repo_auth.html#details

I am working on supporting the other backends, which is not so easy, unfortunately. I don't know yet if I'll manage to support them for the next pak update. If not, then I'll improve the warnings at least.

gaborcsardi avatar Apr 09 '25 08:04 gaborcsardi

Updates

  • Now we support the file based backed as well. This needs a call to repo_auth_unlock() first, in every session. Not so great, but at least it works.
  • The messaging is much better, see the captured outputs at https://github.com/r-lib/pak/blob/main/tests/testthat/_snaps/auth.md
  • I tried to compile a static libsecret, with all its dependencies, and eventually succeeded, however, the end result does not work on Ubuntu, so that's not an option.
  • Another way to have libsecret support in the static pak builds is to include a static binary of the Rust program at https://github.com/gaborcsardi/secret-service-cli. This is a PoC for now, but it does work. I can create a static binary on Alpine and that works on Ubuntu. So we can put this into the static pak builds on Linux.

gaborcsardi avatar May 13 '25 12:05 gaborcsardi