如何在 Debian headless (WSL 2) 上解锁 Gnome Keyring 并使其在 Python 中工作?
[英]How to unlock Gnome Keyring on Debian headless (WSL 2) and make it work in Python?
问题描述
I have read the guindance that the keyring package has in its project for headless linux systems.
我已经阅读了keyring 包在其用于无头 linux 系统的项目中的指导。
So the main recommendation is to install the gnome-keyring package in order to work with the Secret Service Backend.所以主要的建议是安装gnome-keyring包以便与 Secret Service 后端一起工作。
sudo apt install gnome-keyring
Then, as I already have the dbus package installed I just run:然后,因为我已经安装了dbus包,所以我只运行:
dbus-run-session -- sh
But, as I am in WSL 2 I get a weird prompt, it seems that PS1 is not parsed and I get something like this:但是,当我在 WSL 2 中时,我得到一个奇怪的提示,似乎 PS1 没有被解析,我得到这样的东西:
\[\e]0;\u@\h: \w\a\]\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]$
In a normal Debian or Ubuntu instance I would get $在普通的 Debian 或 Ubuntu 实例中,我会得到$
I send the password to unlock the keyring我发送密码来解锁钥匙圈
echo 'db' | gnome-keyring-daemon --unlock
I also tried to enter the password manually through stdin as this answer points out, with the same result:正如this answer指出的那样,我还尝试通过stdin手动输入密码,结果相同:
gnome-keyring-daemon --unlock
Now the guide says "run your application in the same D-Bus session as the daemon".现在指南说“在与守护进程相同的 D-Bus 会话中运行您的应用程序”。 I don't know if I need to do something special to achieve that.我不知道我是否需要做一些特别的事情来实现这一点。 I just run python after entering the password.输入密码后我只运行python。
$ python
>>> import keyring
>>> keyring.get_keyring()
<keyring.backends.SecretService.Keyring object at 0x7f383b89f220>
>>> keyring.set_password("system", "username", "password")
But at this point I get this error:但此时我收到此错误:
dbus-daemon[9337]: [session uid=1000 pid=9337] Activating service name='org.freedesktop.secrets' requested by ':1.4' (uid=1000 pid=9339 comm="python ")
GNOME_KEYRING_CONTROL=/home/db/.cache/keyring-TPE3M1
dbus-daemon[9337]: [session uid=1000 pid=9337] Successfully activated service 'org.freedesktop.secrets'
dbus-daemon[9337]: [session uid=1000 pid=9337] Activating service name='org.gnome.keyring.SystemPrompter' requested by ':1.5' (uid=1000 pid=9356 comm="/usr/bin/gnome-keyring-daemon --start --foreground")
Unable to init server: Could not connect: Connection refused
(gcr-prompter:9364): Gtk-WARNING **: 09:36:04.690: cannot open display:
dbus-daemon[9337]: [session uid=1000 pid=9337] Activated service 'org.gnome.keyring.SystemPrompter' failed: Process org.gnome.keyring.SystemPrompter exited with status 1
** (gnome-keyring-daemon:9356): WARNING **: 09:36:04.701: couldn't create system prompt: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.gnome.keyring.SystemPrompter exited with status 1
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/path/to/env/lib/python3.9/site-packages/keyring/core.py", line 60, in set_password
get_keyring().set_password(service_name, username, password)
File "/path/to/env/lib/python3.9/site-packages/keyring/backends/SecretService.py", line 87, in set_password
collection = self.get_preferred_collection()
File "/path/to/env/lib/python3.9/site-packages/keyring/backends/SecretService.py", line 67, in get_preferred_collection
raise KeyringLocked("Failed to unlock the collection!")
keyring.errors.KeyringLocked: Failed to unlock the collection!
And the processes tree look like this进程树看起来像这样
I also tried with我也试过
dbus-run-session -- bash
With the same result结果相同
Possible WSL 2 Issue可能的 WSL 2 问题
I also found an issue on WSL2 project where "jaraco" says that the guidance that I followed may give some hints, but I could not get it to work.我还在WSL2 项目中发现了一个问题,其中“jaraco”说我遵循的指导可能会给出一些提示,但我无法让它发挥作用。
Alternative Backend替代后端
I tried with other backend as well, though in some places they say that this backend is not recommendable:我也尝试过使用其他后端,尽管在某些地方他们说这个后端是不推荐的:
“alternate” , possibly-insecure backends, originally part of the core package, but available for opt-in"
pip install keyrings.alt
With similar result.结果相似。 The keyring backend was different:密钥环后端不同:
>>> keyring.get_keyring()
<keyring.backends.chainer.ChainerBackend object at 0x7ffbad5fd040>
Any alternative or recommendation?有什么选择或推荐吗? Am I missing some step?我错过了一些步骤吗? Is this possible to make in WSL 2?这可以在 WSL 2 中实现吗? I think I will try in a debian machine directly to check if it is a problem of WSL or all Debian headless distros.我想我会直接在 debian 机器上尝试检查它是否是 WSL 或所有 Debian 无头发行版的问题。 Anybody make it work on Debian without Gnome desktop installed?有人在没有安装 Gnome 桌面的情况下让它在 Debian 上运行吗?
The next step would be to automate all the process , but first I need to get this to work下一步是自动化所有过程,但首先我需要让它工作
Update更新
Well, I can confirm that in a virtual machine on Debian 11.3 works fine.好吧,我可以确认在 Debian 11.3 上的虚拟机中可以正常工作。 So it must be something to do with WSL 2所以一定和WSL 2有关
1 个解决方案
解决方案1
3 已采纳 2022-06-08 05:00:35
Note that I have been able to get this to work (WSL2, Debian Bullseye, python3, gnome-keyring, Windows 10).请注意,我已经能够让它工作(WSL2、Debian Bullseye、python3、gnome-keyring、Windows 10)。 I can understand parts of why it may not be working for you, but there are some minor differences in the errors you are seeing from what I can reproduce (when I try to break it).我可以理解为什么它可能对您不起作用的部分原因,但是您看到的错误与我可以重现的错误(当我尝试破坏它时)存在一些细微差别。 We'll come back to those if we need to, but let me go through what I've tried successfully so far.如果需要,我们会回到那些,但让我回顾一下到目前为止我已经成功尝试过的内容。
But, as I am in WSL 2 I get a weird prompt
First, I think this is an orthogonal issue, but perhaps not.首先,我认为这是一个正交问题,但也许不是。 I always suspect startup configuration files for this type of weirdness, so I would try eliminating those from the equation:我总是怀疑这种奇怪的启动配置文件,所以我会尝试从等式中消除那些:
dbus-run-session -- bash --noprofile --norc
If the prompt looks normal when running that, I'd look to ~/.profile since it sounds like it it happens both Bash and Dash ( sh ) for you and Dash doesn't have an rc file.如果在运行时提示看起来很正常,我会查看~/.profile ,因为听起来它会同时发生在 Bash 和 Dash ( sh ) 中,而 Dash 没有 rc 文件。
Again, I'm assuming that's not the problem with the keyring, but it doesn't hurt to eliminate it as a potential contributor.同样,我假设这不是钥匙圈的问题,但将其作为潜在贡献者消除也没有什么坏处。
As for the main keyring problem, that, I believe, is because:至于主要的钥匙圈问题,我相信是因为:
Gnome Keyring is attempting to ask for a password.
Gnome Keyring 正在尝试询问密码。 It does this with a graphical password prompt, which fails because ...它通过图形密码提示执行此操作,但失败是因为...You are running Windows 10 without an X server, or if you are running an X server, then the
DISPLAYvariable is "lost".您在没有 X 服务器的情况下运行 Windows 10,或者如果您正在运行 X 服务器,则DISPLAY变量“丢失”。 That's thecannot open displayerror in the trace.那是跟踪中的cannot open display错误。 If you were on Windows 11, the graphical prompt would display.如果您使用的是 Windows 11,则会显示图形提示。 You could also configure Windows 10 WSL to use a third-party X server like VcXsrv.您还可以将 Windows 10 WSL 配置为使用第三方 X 服务器,例如 VcXsrv。 Or you could run with Xrdp.或者你可以使用 Xrdp 运行。 See this Super User question (and others) for more info.有关更多信息,请参阅此超级用户问题(和其他问题)。
Of course, that would no longer count as "headless", which is your question.当然,那将不再算作“无头”,这是您的问题。 So we need to figure out why gnome-keyring is asking for a password.所以我们需要弄清楚为什么gnome-keyring 要求输入密码。 I can think of at least possible three reasons, but there may be others:我至少可以想到三个可能的原因,但可能还有其他原因:
The default collection (keyring) doesn't exist yet.
默认集合(密钥环)尚不存在。 I'm fairly sure that's not the case for you, since it should have been created when you ran the --unlock.我很确定您不是这种情况,因为它应该是在您运行--unlock时创建的。 Of course, you can verify this by checking~/.local/share/keyrings.当然,您可以通过检查~/.local/share/keyrings来验证这一点。gnome-keyring-daemonhasn't yet been started, and needs the keyring password.gnome-keyring-daemon尚未启动,需要密钥环密码。 Again, you've clearly run that here.同样,您已经清楚地在这里运行了它。 You've done the right thing by running the dbus-run-sessionfirst, then inside that session, run the--unlock.通过首先运行dbus-run-session,然后在该会话中运行--unlock,您已经做了正确的事情。 You can, of course, verify that it is running with aps -efHor similar.当然,您可以使用ps -efH或类似命令来验证它是否正在运行。The password that was passed via
--unlockis wrong.通过--unlock传递的密码错误。
So with the first two eliminated, we're left with the assumption there's an issue with the unlock password.因此,消除了前两个,我们假设解锁密码存在问题。 If you created the collection with the initial --unlock , then the first password you used should be the one set on the collection.如果您使用初始--unlock创建了集合,那么您使用的第一个密码应该是集合上设置的密码。
There are some "gotchas" here.这里有一些“陷阱”。 First, contrary to what the answer you linked says, I'm convinced that the newline is added to the password.首先,与您链接的答案相反,我确信换行符已添加到密码中。 If you somehow initially set the password without a newline, you'd need to unlock it with echo -n .如果您最初以某种方式设置密码而没有换行符,则需要使用echo -n将其解锁。 Eg:例如:
echo -n 'db' | gnome-keyring-daemon --unlock
Second, it doesn't sound like this was the case for you, but if you create the keyring through the normal frontend, then it appears to me that the password may be salted.其次,听起来您不是这种情况,但是如果您通过普通前端创建密钥环,那么在我看来,密码可能会被加盐。 I have not been able to use gnome-keyring-daemon --unlock (in any of its forms) to unlock a collection where the password was entered through the graphical prompt.我无法使用gnome-keyring-daemon --unlock (以任何形式)解锁通过图形提示输入密码的集合。 To clarify:澄清:
If I initially create the keyring via
gnome-keyring-daemon --unlock, then I can unlock it either through the GUI askpass program that it uses (on Windows 11 or with a Windows 10 VcXsrv installation), but ...如果我最初通过gnome-keyring-daemon --unlock创建密钥环,那么我可以通过它使用的 GUI askpass 程序(在 Windows 11 上或使用 Windows 10 VcXsrv 安装)解锁它,但是......If I initially create the keyring via an initial access of it which prompts for the password through the GUI, then I can subsequently only unlock it through the GUI.
如果我最初通过初始访问创建密钥环,通过 GUI 提示输入密码,那么我随后只能通过 GUI 解锁它。 I can no longer use gnome-keyring-daemon --unlock.我不能再使用gnome-keyring-daemon --unlock。
Assuming this is a new keyring in WSL2, then my advice would be to remove it and try again:假设这是 WSL2 中的新密钥环,那么我的建议是删除它并重试:
dbus-run-session -- bash --noprofile --norc
# Back them up first if you'd like
rm -rf ~/.local/share/keyrings
echo -n 'db' | gnome-keyring-daemon --unlock
python3
Note that you can test the keyring module directly from the shell via:请注意,您可以通过以下方式直接从 shell 测试密钥环模块:
python3 -m keyring set system username
# Will prompt for the secret
python3 -m keyring get system username
# Should return the secret
If things are working from there, they'll work from your code.如果事情从那里开始工作,他们将在您的代码中工作。 If it fails, it should do so with the same error at least.如果它失败了,它应该至少会出现同样的错误。 This might save some time in troubleshooting if this doesn't work.如果这不起作用,这可能会节省一些故障排除时间。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.