genotrance / px

An HTTP proxy server to automatically authenticate through an NTLM proxy
MIT License

Support for keyrings.cryptfile #188

Closed (firefart closed this 9 months ago)

firefart commented 1 year ago

Since keepass_jeepney is now non-functional (https://github.com/genotrance/px/issues/187), it would be nice to support https://pypi.org/project/keyrings.cryptfile/ as an alternative. There is an example in the notes of taking the password from an environment variable, which might be an alternative solution for headless systems.

genotrance commented 1 year ago

There have been some discussions on this - https://github.com/genotrance/px/discussions/142, https://github.com/genotrance/px/discussions/143.

Px supports keyrings.alt.file - not as secure but at least a fallback. I don't remember trying keyrings.cryptfile. I'll look into it as the option for older RHEL but it might drag in more dependencies (pycryptodome?) - let's see.

Frankly, if there's a simpler way to save passwords on Linux that avoids keyring, please let me know. Most of the headaches on Linux are around saving the password today.

genotrance commented 11 months ago

I spent some time looking into this. SecretStorage now depends on jeepney directly so there's no need for keyring_jeepney. This also makes it easier for headless systems without a GUI. There are still cases where an alternative is needed though - e.g. RHEL + derivatives.

While keyrings.cryptfile is good to securely save the proxy password, it requires the user to provide a keyring password to encrypt the proxy password. This means Px will now need to know this keyring password to access the proxy password at runtime. Either that or it will prompt the user to type out the password which might not be practical if Px is expected to start behind the scenes.

Another backend is sagecipher which uses ssh key fingerprints to encrypt/decrypt the keyring but now Px needs to be configured with this fingerprint.

However, both these backends and some others allow the user to specify the keyring password via an environment variable so that apps like Px can simply call keyring without having to deal with the keyring password.

Considering these backends can be installed by the user and automatically loaded by keyring, I'm not adding any of them to the Px dependency list. Also, given that keyrings.alt is really deprecated and insecure, I am removing it from the Px dependency list as well. Going forward, only keyring will be a dependency within Px. Users can install alternatives when needed.

This won't work for the Linux Nuitka binaries though, since they won't allow installing anything, but that is a small use case (340 downloads in 9 months). Regardless, passwords are a pain, so Px will also add support to load passwords and other information directly from environment variables and .env files.
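
The lookup order described above (environment variable, then a .env file, then whatever backend `keyring` loads, e.g. keyrings.cryptfile unlocked through its own environment variable), as an added example that is not Px's own code; the variable name `PX_PASSWORD`, the service name `Px` and the parsing rules are assumptions:

```python
import os
import shlex
import tempfile
from pathlib import Path

def parse_dotenv(text):
    """Parse KEY=VALUE lines from .env content. Accepts blank lines, '#' comments,
    an optional 'export ' prefix and shell-style quoting; malformed lines are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.isidentifier():
            continue  # not a well-formed assignment; skip rather than guess
        try:
            parts = shlex.split(value.strip(), comments=True)  # drops trailing comments
        except ValueError:  # unbalanced quotes
            continue
        values[key] = " ".join(parts)
    return values

def resolve_password(env_var="PX_PASSWORD", dotenv_path=".env", environ=None,
                     keyring_service="Px", keyring_user=None):
    """Return (password, source). Precedence: process environment, then the .env
    file, then the keyring backend (only consulted when a username is known)."""
    environ = os.environ if environ is None else environ
    if environ.get(env_var):
        return environ[env_var], "environment"
    path = Path(dotenv_path)
    if path.is_file():
        value = parse_dotenv(path.read_text(encoding="utf-8")).get(env_var)
        if value:
            return value, "dotenv"
    if keyring_user:
        try:
            import keyring  # optional dependency; user-installed backends load automatically
            value = keyring.get_password(keyring_service, keyring_user)
        except Exception:  # keyring missing, no backend, or backend locked
            value = None
        if value:
            return value, "keyring"
    return None, None

def demo():
    """Write a constructed .env to a temp dir and show the precedence rules."""
    env_file = Path(tempfile.mkdtemp()) / ".env"
    env_file.write_text('# constructed sample\nexport PX_PASSWORD="from file"  # note\n')
    return {
        "env_wins": resolve_password(environ={"PX_PASSWORD": "from env"}, dotenv_path=env_file),
        "file_used": resolve_password(environ={}, dotenv_path=env_file),
        "nothing": resolve_password(environ={}, dotenv_path=env_file.parent / "missing"),
    }
```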

genotrance commented 11 months ago

This is documented in v0.9.0, still in development - see the branch.

genotrance commented 9 months ago

v0.9.0 has been released.