Re: Fedora 34 Change proposal: Modular GNOME Keyring services (Self-Contained Change)
Michael Catanzaro <mcatanzaro(a)gnome.org> writes:
On Wed, Nov 4, 2020 at 1:12 pm, Ben Cotton <bcotton(a)redhat.com>
wrote:
> Despite its original goal to be the central cryptographic service on
> desktop, the scope of GNOME Keyring has been gradually reduced over
> years. Notable examples are
> [https://bugzilla.gnome.org/show_bug.cgi?id=750514 gpg-agent removal]
> in 2015, [https://bugzilla.gnome.org/show_bug.cgi?id=791401 PKCS #11
> module deprecation]
Any plans to finish the PKCS#11 module deprecation work? Currently the
module cannot be removed as it implements public gcr API needed by
GNOME applications like geary.
It's a bit off-topic to this Change proposal, but let me briefly answer:
the original plan was to make the gcr API to use p11-kit-trust.so
instead of gnome-keyring.so to store the trust assertion information.
Later we realized that this approach requires significant effort,
including the enablement of p11-kit-trust's per-user trust store by
default, which is currently disabled at compile time.
On the other hand, the use-case is quite limited (the only affected
application I know of is geary). I suspect a more practical plan might
be to let gcr maintain trust assertions in a local file by its own. I
haven't had time to investigate this possibility further, but if anyone
is willing to work on it, that would be certainly appreciated.
Regards,
--
Daiki Ueno