Commit 92a26ca
fix(keychain): update Secret Service items in place on Linux to stop duplicate accumulation
On Linux, keychainStore.Save copied the secret's volatile Metadata() into the
searchable Secret Service attributes and relied on CreateItem(ReplaceBehaviorReplace)
to overwrite the prior item. Both gnome-keyring and kwalletd select the replace
target by matching the full supplied attribute set, so any change in the volatile
metadata (e.g. the Docker Hub OAuth credential's rotating JWT claims) defeats the
match and a brand-new item is created on every save -- duplicates pile up without
bound, and each stale item keeps a cleartext copy of the old claims.
Fix Save to update in place: search by the stable identity triple
{service:group, service:name, id} only, then either create when absent or rewrite
the first match's secret/attributes/label in place and collapse any pre-existing
duplicates. The item's object path is preserved, so the secret is never momentarily
absent and no duplicate is minted. The observable store contract is unchanged:
Save still returns nil iff the secret is stored (refreshing attributes/label and
collapsing leftovers are best-effort).
This is backend-agnostic: the attribute-match behaviour is shared by gnome-keyring
and kwalletd, and macOS/Windows key items on a stable identifier so are unaffected.
Add SetItemSecret/SetItemAttributes/SetItemLabel to the vendored secretservice
library (thin org.freedesktop.Secret.Item wrappers) to enable the in-place update.
Refs: docker/secrets-engine-private#446
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 5d056a7
commit 92a26ca
2 files changed
Lines changed: 69 additions & 2 deletions
Lines changed: 34 additions & 0 deletions
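The save-in-place logic the message describes, as an added illustration that is not the repository's code: a Go sketch against an in-memory stand-in for the keyring backend, where Item, Store, matches, the "jwt_exp" attribute and the object-path scheme are all constructed here and are not the vendored secretservice API. It shows the search by the stable identity triple only, create-or-rewrite of the first match at its existing path, and collapse of leftover duplicates.

```go
package main

// Item stands in for a Secret Service item (not the vendored library's type).
type Item struct {
	Path   string            // object path, preserved across in-place updates
	Attrs  map[string]string // searchable attributes: identity triple + volatile metadata
	Label  string
	Secret []byte
}
// Store is an in-memory stand-in for the keyring backend; Items is in creation order.
type Store struct{ Items []*Item }
// identityKeys is the stable triple Save searches by; volatile metadata is left out.
var identityKeys = []string{"service:group", "service:name", "id"}

// matches mirrors backend search: every (key, value) pair in want must be present.
func matches(it *Item, want map[string]string) bool {
	for k, v := range want {
		if it.Attrs[k] != v {
			return false
		}
	}
	return true
}

// Save creates the item when absent, otherwise rewrites the first match in place
// and drops leftover duplicates. It returns the object path holding the secret.
func (s *Store) Save(attrs map[string]string, label string, secret []byte) string {
	want := map[string]string{}
	for _, k := range identityKeys {
		want[k] = attrs[k]
	}
	var first *Item
	kept := make([]*Item, 0, len(s.Items))
	for _, it := range s.Items {
		if !matches(it, want) {
			kept = append(kept, it)
		} else if first == nil { // later matches are duplicates and are dropped
			first = it
			first.Secret, first.Attrs, first.Label = secret, attrs, label
			kept = append(kept, first)
		}
	}
	if first == nil { // constructed path scheme; real backends allocate their own
		path := "/org/freedesktop/secrets/collection/login/" + attrs["id"]
		first = &Item{Path: path, Attrs: attrs, Label: label, Secret: secret}
		kept = append(kept, first)
	}
	s.Items = kept
	return first.Path
}
```

Saving twice with different volatile attributes leaves one item at the same path; the old behaviour, matching on the full attribute set, would have minted a second item.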
Diff (the rendered diff body was not captured by extraction; only hunk positions survived):
First file: one hunk, old lines 436-441 / new lines 436-475, with added lines at new lines 439-472.
Second file: two hunks; old lines 65-70 / new lines 65-73 with added lines at new lines 68-70; old lines 385-397 / new lines 388-430 with old lines 388 and 390 removed and added lines at new lines 392-401 and 406-427.