VS Code extension secrets when default keyring is unavailable/locked #1188
Hi @cgrama, I have some context and a followup question:
As you've called out, we do notify the user that their keyring is in a bad state and they need to remediate. Including attaching our troubleshooting guide. It's intended to call out that they are in a bad state... Any solution would either be error prone (us fixing it for them) or a questionable security practice (storing the secrets in plaintext). With that said, my question for you is... what would you like to do with this information that they are in a bad state?
The default keyring is only used for encryption. In other words, it holds a piece of the encryption key needed to encrypt/decrypt secrets which are then stored in the user's data directory with other state like UI state.
When default keyring is unavailable or locked, extensions are able to store/get/delete extension secrets using VSCode secret storage apis with NO errors.
We get a vscode notification (in the notification window) "You're running in a GNOME environment but the OS keyring is not available for encryption. Ensure you have gnome-keyring or another libsecret compatible implementation installed and running.".
There is NO error returned warning that secrets are NOT stored on the disk.
The extension's secrets stored in this scenario are available for use by the extension in the same vscode session. If you close and reopen vscode the extension's secrets are no longer available.
This makes it very difficult for secrets to be used by vscode extensions as the extension does not know if the secret was stored in memory or on the disk.
Questions:
(1) How can a vscode extension check if the extension secret is stored in-memory or in the vscode secret storage?
(2) Can the extension secret store apis be enhanced to return an error or return value which informs the api caller that the secret is stored in-memory and not in vscode secret storage?
(3) Also from the secret storage info shared at #748, is the default keyring used only for encryption OR is the default keyring used for storing the extension secrets also?
Included below is a part of the vscode console output from "code --user-data-dir=/scratch/vscode2 code --verbose --vmodule="/components/os_crypt/=1" | tee verbose_upgrade.log":
app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003951.673893:INFO:CONSOLE(656)] "%cTRACE color: #888 [mainThreadSecretState] Setting password for vscextn.extn1 extension: key1", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003951.675050:VERBOSE1:key_storage_util_linux.cc(52)] Password storage detected desktop environment: GNOME
[2669207:0510/003951.675065:VERBOSE1:key_storage_linux.cc(118)] Selected backend for OSCrypt: GNOME_LIBSECRET
[2669207:0510/003954.651823:VERBOSE1:libsecret_util_linux.cc(169)] Dummy store to unlock the default keyring failed: No such interface “org.freedesktop.Secret.Collection” on object at path /org/freedesktop/secrets/collection/Default_5fkeyring
[2669207:0510/003954.651849:VERBOSE1:key_storage_linux.cc(165)] OSCrypt using Libsecret as backend.
[2669207:0510/003957.531557:VERBOSE1:key_storage_libsecret.cc(73)] Libsecret lookup failed: No such interface “org.freedesktop.Secret.Collection” on object at path /org/freedesktop/secrets/collection/Default_5fkeyring
[2669207:0510/003957.538272:INFO:CONSOLE(656)] "%cTRACE color: #888 [SecretStorageService] Encryption is not available, falling back to in-memory storage", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.545398:INFO:CONSOLE(656)] "%cTRACE color: #888 [NativeSecretStorageService] Notifying user that secrets are not being stored on disk.", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.548906:INFO:CONSOLE(796)] "You're running in a GNOME environment but the OS keyring is not available for encryption. Ensure you have gnome-keyring or another libsecret compatible implementation installed and running.", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (796)
[2669207:0510/003957.549118:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] encrypting secret for key: {"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.549318:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] storing encrypted secret for key: secret://{"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.549540:INFO:CONSOLE(656)] "%cTRACE color: #888 [SecretStorageService] Notifying change in value for secret: {"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.552598:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] stored encrypted secret for key: secret://{"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.558749:INFO:CONSOLE(656)] "%cTRACE color: #888 [mainThreadSecretState] Password set for: vscextn.extn1 key1", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.636472:INFO:CONSOLE(656)] "%cTRACE color: #888 [mainThreadSecretState] Getting password for vscextn.extn1 extension: key1", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.638363:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] getting secret for key: secret://{"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.638899:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] decrypting gotten secret for key: secret://{"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.641229:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] decrypted secret for key: secret://{"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.641454:INFO:CONSOLE(656)] "%cTRACE color: #888 [mainThreadSecretState] Password found for: vscextn.extn1 key1", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.648246:INFO:CONSOLE(656)] "%cTRACE color: #888 [mainThreadSecretState] Getting password for vscextn.extn1 extension: key1", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.648418:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] getting secret for key: secret://{"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.648558:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] decrypting gotten secret for key: secret://{"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.649588:INFO:CONSOLE(656)] "%cTRACE color: #888 [secrets] decrypted secret for key: secret://{"extensionId":"vscextn.extn1","key":key1}", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
[2669207:0510/003957.650248:INFO:CONSOLE(656)] "%cTRACE color: #888 [mainThreadSecretState] Password found for: vscextn.extn1 key1", source: vscode-file://vscode-app/usr/share/code/resources/app/out/vs/workbench/workbench.desktop.main.js (656)
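For question (1) in the post above, one heuristic an extension can apply today, as an added example that is not part of the discussion and not VS Code's own code: write a canary secret plus a plain `globalState` marker in one session, and check in the next session whether the canary came back. It assumes `globalState` persists independently of the keyring; `CANARY_KEY`, `MARKER_KEY` and the fake host are hypothetical names constructed for the example.

```javascript
// Added example (not from the thread): cross-session canary for extension secrets.
// `secrets` must behave like ExtensionContext.secrets (get/store), `state` like
// ExtensionContext.globalState (get/update), `sessionId` like vscode.env.sessionId.
// CANARY_KEY and MARKER_KEY are hypothetical names chosen for this example.
const CANARY_KEY = 'secretPersistenceCanary';
const MARKER_KEY = 'secretPersistenceCanaryWriter';

async function probeSecretPersistence(secrets, state, sessionId) {
  const writer = state.get(MARKER_KEY);          // plain state: survives restarts
  if (writer === sessionId) return 'unknown';    // same session: in-memory reads succeed too
  const canary = await secrets.get(CANARY_KEY);  // in a new session, present only if it reached disk
  let verdict = 'unknown';                       // no marker yet: first activation
  if (writer !== undefined) {
    verdict = canary === writer ? 'persisted' : 'not-persisted';
  }
  // Re-arm for the next start; the canary value is the writing session's id.
  await secrets.store(CANARY_KEY, sessionId);
  await state.update(MARKER_KEY, sessionId);
  return verdict;
}

// Constructed stand-ins for the two stores, so the example runs outside VS Code.
// keyringAvailable: false models the fallback in the log: secrets vanish on restart.
function makeFakeHost({ keyringAvailable }) {
  const disk = new Map();                        // globalState: always persisted
  let secretStore = new Map();
  return {
    state: { get: (k) => disk.get(k), update: async (k, v) => { disk.set(k, v); } },
    secrets: { get: async (k) => secretStore.get(k), store: async (k, v) => { secretStore.set(k, v); } },
    restart() { if (!keyringAvailable) secretStore = new Map(); },
  };
}

// Two activations in one session, then a restart and a third activation.
async function simulate(keyringAvailable) {
  const host = makeFakeHost({ keyringAvailable });
  const run = (id) => probeSecretPersistence(host.secrets, host.state, id);
  const verdicts = [await run('session-1'), await run('session-1')];
  host.restart();
  verdicts.push(await run('session-2'));
  return verdicts;
}
```

In an extension, call `probeSecretPersistence(context.secrets, context.globalState, vscode.env.sessionId)` from `activate()`. A `not-persisted` verdict also results if the stored secrets were cleared between sessions, so treat it as a prompt to re-request credentials rather than as proof of a keyring fault.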