Open TylerLeonhardt opened 1 year ago
The 'Unlock keyring' dialog, I'm fairly certain, is the OS level dialog that shows when anything is trying to read from the OS keyring.
One of the first things VS Code does when it starts is read from the OS keyring in order to see if there's an existing session to be used with Settings Sync and other built-in features.
I wanna be clear and say, if VS Code doesn't get a session or it has issues accessing the keyring (like if it's locked) it fails silently. However, Ubuntu is reacting to our ask for access of the keyring by showing this 'Unlock keyring' dialog.
@sandy081 @joyceerhl to fix this, perhaps Settings Sync/Edit Sessions could:
Not sure which of these are already checked off today but that would be a solution to not annoy users.
Changed the settings sync contribution in workbench to ask for authentication sessions only when needed, i.e., sessions are not fetched upfront if settings sync is not enabled. This will also not trigger activating account extensions if not needed.
OK. Thanx a lot. However, just using the default keyring is not really what I want - therefore it would always fail, because I do not store anything in the default keyring, i.e. do not want to share all my secrets with all apps using keyring. Is it possible to specify a keyring code should use? E.g. --password-store='gnome:vscode'?
@jelmd sadly this is out of scope for us as we are at the mercy of the platform that we use (Electron well... really Chromium). There's no way for us to configure the keyring used.
@TylerLeonhardt ohhh, that's a pity. Actually the keyring stuff is one reason why I do not use chrome. Anyway, so I need to stick with --password-store=basic (sharing secrets with apps is a bad idea anyway).
I just stumbled across this discussion. I may have encountered the same issue, or I may have encountered a new issue. But suddenly (as of a few days ago, after a recent VSCode update, perhaps even immediately after said update), every time I start VSCode, I am prompted to "Choose password for new keyring". Here are some details about my system:
VSCode: 1.82.2
Commit: abd2.....
Date: 2023-09-14T05:51:20.981Z (2 wks ago)
Electron: 25.8.1
ElectronBuildId: 23779380
Chromium: 114.0.5735.289
Node.js: 18.15.0
V8: 11.4.183.29-electron.0
OS: Linux x64 5.4.0-162-generic
Ubuntu 20.04
@jelmd's suggestion to start with --password-store=basic makes this problem go away, but I would rather solve the problem than just make it go away.
AFAICT, I do not have "Settings Sync" turned on. When I open settings, I see a blue button to "Turn on Settings Sync", so I don't think I accidentally turned that on.
If anybody has any suggestions as to what I should try/do (should I open a new issue about this?) I'm willing to try.
@wpd what window manager/desktop environment do you use?
@TylerLeonhardt - I never bothered to change from the default window manager, which I am told is GDM3.
Once the Cloud Changes feature makes the change I suggest above, you shouldn't see this anymore.
In terms of a workaround your two options are:
--password-store=basic
You see this prompt because we are attempting to read something out of the keyring... and even a read causes Ubuntu to say "hey someone wants a keyring, please create it"
Hey, hey, hey: IMHO it is absolutely brain damaged to create a keyring, you have no control about ...
I refuse to type in a password just because an arbitrary application asks me to type in a password.
Should I type in my login password?
Should I invent some new password (which I will likely forget 10 minutes after I invent it)?
Yes, I could read the prompt "Choose password for new keyring", and that would probably give me some insight into the fact that using my login password is probably A VERY TERRIBLE IDEA!!! But, from an end-user standpoint, why does VSCode want me to create a keyring for it? What sort of keys does it plan on storing in that keyring? Without knowing answers to those sorts of questions, I am very hesitant to allow VSCode to create and manage a keyring for me.
Poking around a little, we found THIS. Now I'm even more hesitant to allow VSCode to create and manage a keyring for me.
What would be the best place to request a --password-store=NONE option for VSCode?
Let's take a step back as I think my last response was misunderstood.
VS Code has the opt-in ability to sync your settings & backup changes using your GitHub or Microsoft account as the auth. Additionally, there are extensions like GitHub Repositories, GitHub Pull Requests, GitHub Copilot that require auth to work.
We are trying to be a good citizen of every platform we support and store this information in what that platform deems is a secure location. On Linux distros, there are programs like gnome-keyring, kwallet, etc that provide these secure stores. These keyrings are really just secure key-value pair databases... well it's more like a collection of key-value pairs. Each keyring has a name, and that keyring has key-value pairs stored in it.
From the thread, I gather that neither of you use a feature or extension that has an auth component, so using a keyring for anything isn't necessary and I totally agree.
Here's the problem, the features of VS Code that let you sync your settings & backup changes used the keyring to store the account information needed and the presence of that information determined enablement of the feature. In other words, these features would attempt to read from the keyring to see if there already exists some account information from a previous run of VS Code when you set up these features.
But you didn't. Which is totally fine, but this logic of using the keyring to determine enablement means that regardless of you using these features or not, this feature will attempt to look for its info in the keyring.
You're using Ubuntu, so I assume that gnome-keyring is the keyring being used in your case.
Now, I would have thought that if an application (VS Code) asks the keyring (gnome-keyring) for:
"give me value of the vscode.account key out of the login keyring"
that if the login keyring didn't even exist, the keyring would simply say "I don't have it" and return nothing.
Instead, what it does is that it asks you to create a keyring... which you back with a password of your choice... and when you create the keyring, gnome-keyring then returns nothing to VS Code because nothing is in the newly created keyring.
So, that's how it all works.
What's the solution? Well, to not annoy users with "create keyring" prompts, VS Code needs to use some other signal for enablement. Which we can easily store somewhere outside of the keyring. It won't have sensitive data or anything like that... it's just gonna be as simple as a boolean to say "hey this feature is on, grab the account info from the keychain OR hey this feature isn't on, DON'T touch the keyring at all".
From the history of this issue, you can see that Sandeep already updated this for the settings sync feature... all that's left is for Joyce to do the same for the Cloud Changes feature.
Once she does that, then this prompt should go away for you.
With that said, we're all busy so I don't know what her timeline is for that fix, so I gave you a couple of workarounds (workaround is not the same as solution) above which are:
password-store as basic ... this doesn't use the keyring at all... so you won't get the notification
--use-inmemory-secretstorage which, as the name implies, means that if a feature/extension wants to interact with the abstraction we call "secret storage" which normally uses the keyring on Linux, it will instead use an in-memory representation of a keyring.
All of these options have the same result since you're not planning on using any auth features. However, should you want to use one of these things, then they each have their pros & cons.
I think that's enough of a wall of text for now... but I close with this. We're trying to do the right thing.
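The enablement change described in the comment above, as an added example that is not part of the original thread and is not VS Code's code: a counting stand-in for the keyring shows that presence-based enablement reads the keyring on every start, while a flag stored outside the keyring causes no read when the feature is off. The interface, class, function names and the `sync.enabled` flag are hypothetical, and the model is synchronous for brevity.

```typescript
// Added illustration; every name here is hypothetical, not VS Code's API.
interface SecretStore {
  get(key: string): string | undefined;
}

// Constructed stand-in for an OS keyring. It counts reads, because per the
// thread even a read of a locked or missing keyring makes Ubuntu prompt.
class CountingKeyring implements SecretStore {
  reads = 0;
  readonly entries: Map<string, string>;
  constructor(entries: Map<string, string>) {
    this.entries = entries;
  }
  get(key: string): string | undefined {
    this.reads++;
    return this.entries.get(key);
  }
}

const ACCOUNT_KEY = "vscode.account"; // key name as quoted in the thread

// Before: presence of the secret decides enablement, so every start reads.
function sessionByPresence(keyring: SecretStore): string | undefined {
  return keyring.get(ACCOUNT_KEY);
}

// After: a non-sensitive boolean kept outside the keyring decides enablement.
function sessionByFlag(
  settings: Map<string, boolean>,
  flagName: string,
  keyring: SecretStore
): string | undefined {
  if (settings.get(flagName) !== true) {
    return undefined; // feature off: the keyring is never touched
  }
  return keyring.get(ACCOUNT_KEY);
}

// Number of keyring reads each design causes at startup on a machine
// where no account was ever stored (empty constructed keyring).
function startupReads(featureEnabled: boolean): { byPresence: number; byFlag: number } {
  const flag = "sync.enabled"; // hypothetical setting name
  const settings = new Map<string, boolean>([[flag, featureEnabled]]);
  const a = new CountingKeyring(new Map<string, string>());
  const b = new CountingKeyring(new Map<string, string>());
  sessionByPresence(a);
  sessionByFlag(settings, flag, b);
  return { byPresence: a.reads, byFlag: b.reads };
}
```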
Thank you for the well written explanation. And I apologize for the tone in my previous message. I didn't mean for it to sound the way it did. I was just trying to defend my internal bias against software asking me for personal information (like passwords) when I don't know what's going on.
This is not likely the best (and is certainly not the correct) forum for asking this... but I wonder if it might make sense to add a user-settings field for --password-store=basic or for --use-inmemory-secretstorage. It's just a thought.
@wpd see https://github.com/microsoft/vscode/issues/195013#issuecomment-1751098128 for that request :)
@TylerLeonhardt - Thanks! You're the best!!
Originally posted by @jelmd in https://github.com/microsoft/vscode/issues/187271#issuecomment-1625621830