Is using a keyring an insecure thing to do? (feddit.org)

submitted 1 day ago* (last edited 1 day ago) by dieTasse@feddit.org to c/linux@lemmy.ml

37 comments fedilink hide all child comments

I have a hard time understanding the benefits of the keyring (e.g. GNOME keyring). I get the convenience parts - I don't have to enter password for something every time I want to use it (e.g. mounted encrypted drive) and I don't have to create a secret for some background stuff (applications keys). But the problem is, if I understand it correctly, that every application has the same access to my keyring, so, in theory, a malicious application can just read my Signal key and they can just read all my Signal messages right? Is there a point, then, in encrypting e.g. local database (like Signal) if the key to that database is readily available anyway? Any input is welcome. thanks!

you are viewing a single comment's thread
view the rest of the comments

[-] historicaldocuments@lemmy.world 1 points 18 hours ago

according to their stated security model, untrusted applications must not be allowed to communicate with the secret service.

That won't be a popular stance to take when someone eventually steals a bunch of cached, unlocked credentials off of D-BUS because of an oversight somewhere in the npm/aur/pip/cargo/whatever ecosystem.

More rabbit hole:

https://www.openbsd.org/papers/bsdcan14-libressl/mgp00001.html
https://gpg.fail/ (including the presentation)
https://github.com/FiloSottile/age
https://jedisct1.github.io/minisign/
https://github.com/jedisct1/encpipe

[-] dieTasse@feddit.org 1 points 17 hours ago

Who defines the untrusted applications though? Thank you for the links! Btw I found out its the same on all major systems, on Windows as well as on MacOS (there they have credentials per app, but its easily spoofable for the same reason why GNOME refuses to even implement this).

[-] historicaldocuments@lemmy.world 1 points 16 hours ago

Who defines the untrusted applications though?

¯\(ツ)/¯

If GNOME wrote it then they probably trust it. If you're using GNOME, then you've accepted their security model on some level.

At least you know to go look for it. Attackers will only get more sophisticated:

https://ioctl.fail/preliminary-analysis-of-aur-malware/

[-] dieTasse@feddit.org 1 points 14 hours ago* (last edited 14 hours ago)

I have implicitly accepted it, as any normal user, but it doesn't change the fact that its a security hole the size of Greenland 😀. And it works like this on Windows and basically MacOS as well as I stated above. So all players just got okay with that I suppose because everybody does it...

this post was submitted on 13 Jun 2026

47 points (98.0% liked)

Linux

65744 readers

968 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz