[Solved] How to stop mate from unlocking keyring at startup?

[gurfle]

Using the default installer I just did a fresh install of bookworm (debian 12.5) with mate desktop.

I would like to only unlock the keyring the first time it is needed during a session.

However as it is, mate always wants to open the keyring at startup. I see no reason for that since, as far as I can tell in my setup, nothing running at startup requires it

Ironically, if I do not use the mate autologin feature, it automatically unlocks the keyring as soon as you log in,
whereas when using the autologin feature, I am asked to unlock it ("manually" as it were - kind of defeating the idea of "autologin").

Is it possible to have mate just leave the keyring alone at startup?
I would much prefer to only be asked to unlock the keyring the first time I actually need it, say when accessing a mail server.
This was how it worked in stretch (the previous debian version I used).

If anything this new approach is less, not more secure, since you are now asked for a password one less time, not to mention having the keyring unlocked before it is even needed. So I truly fail to see what is gained by this change. Am I missing something here?

In any case, if someone can show me how to stop unlocking the keyring when mate starts up, I would be very grateful

[pbear]

I only have Mate in a test box, so not intimately familiar. Mostly a plain vanilla installation (bookworm), except autologin enabled through LightDM. I'm not prompted to open keyring.
My hunch would be that some service launched at boot is the source of the prompt. Meaning some service or app you've added to the base system.

[gurfle]

Thanks for this feedback pbear, which got me to dig a bit more thoroughly into what might be automatically launched with mate, but that still reveals nothing to give me a y clue.

I have essentially the same setup as your test box, so that adds to the mystery -- especially having not added very much since the same plain vanilla bookworm installation (also with autologin through LightDM) you have.

I get mail through evolution, which is the only thing set up to use the keyring, but I only have that running when I launch it manually. I do know it is highly integrated with the keyring system, e.g. trying to remove the package gnome-keyring forces the removal of evolution, so perhaps installing this latest version of evolution somehow is doing this (which was not the case in the version that came with stretch - the last debian I had before bookworm).

Can you see if just installing evolution on your test box creates the same issue for you? If so, then we have at least nailed down the cause to be somehow connected to the installation of evolution.

I have unchecked the only possibly related culprit under "System -> Control Center -> Startup Applications", the "SSH Key Agent", but that makes no difference.

Nothing in /etc/init.d launches it directly, but maybe someone can tell whether anything I have in there might be forcing the keyring to start indirectly:

Code: Select all

root@nickspanasonic:~# ls -l /etc/init.d
total 104
-rwxr-xr-x 1 root root 5623 Nov 30  2022 alsa-utils
-rwxr-xr-x 1 root root 2055 Jan 10  2023 anacron
-rwxr-xr-x 1 root root 3740 Feb 14  2023 apparmor
-rwxr-xr-x 1 root root 2948 Dec 10 08:57 bluetooth
-rwxr-xr-x 1 root root 1235 May 21  2023 console-setup.sh
-rwxr-xr-x 1 root root 3059 Jul 17  2022 cron
-rwxr-xr-x 1 root root 2804 Dec  1 11:35 cups
-rwxr-xr-x 1 root root 1961 May 19  2023 cups-browsed
-rwxr-xr-x 1 root root 3152 Sep 16  2023 dbus
-rwxr-xr-x 1 root root 3029 Jan 29  2023 gdm3
-rwxr-xr-x 1 root root 1748 Feb 13  2023 hwclock.sh
-rwxr-xr-x 1 root root 1482 Jul 18  2022 keyboard-setup.sh
-rwxr-xr-x 1 root root 2063 Dec  9  2022 kmod
-rwxr-xr-x 1 root root 2610 Jan 11  2022 lightdm
-rwxr-xr-x 1 root root 4531 Jan 23  2023 networking
-rwxr-xr-x 1 root root 1386 Feb  1  2023 plymouth
-rwxr-xr-x 1 root root  760 Feb  1  2023 plymouth-log
-rwxr-xr-x 1 root root  959 Dec 18  2022 procps
-rwxr-xr-x 1 root root 2224 May 16  2023 saned
-rwxr-xr-x 1 root root 2040 Sep 25  2022 speech-dispatcher
-rwxr-xr-x 1 root root 1161 Jun 27  2023 sudo
-rwxr-xr-x 1 root root 6871 Jan 26 13:46 udev
-rwxr-xr-x 1 root root 2762 Aug 18  2021 x11-common
root@nickspanasonic:~# 

I am now very curious to get to the bottom of this, as it seems well beyond my present debugging capabilities

[pbear]

Can you see if just installing evolution on your test box creates the same issue for you?

Will give it a shot. It's a VM, so I can to the test in a snapshot. Won't be able to run the test until tomorrow evening (my time), as the hamsters are tied up on another project at the moment.
Be aware, I don't use an email app (I use webmail), so not going to get much further than installing and reboot. In particular, not keen to set it up to access my email accounts.

[gurfle]

Thanks!
I did not intend for you to spend any big effort just to help my personal debugging, and in fact, I can now report that something else other than the evolution installation itself is causing keyring access at login: Having just realized I had a test machine of my own available, and now it has evolution on it (that comes with the default bookworm installation anyway) where autologin does not prompt for the keyring password!

I have not set up any email accounts on the test box (in fact not even started it up at all), so that makes me wonder if it is the result of some mail account setup I did in evolution on the offending machine . . . Seems far fetched, but I have to say I do not understand why evolution is so dependent on having keyring access in the first place. Also, the way it has a totally impenetrable way of connecting to gmail (which unfortunately I am forced to use) involving some "black box" process called oauth2, makes me wonder if my gmail setup in evolution has something to do with that.

The mystery deepens . . . I'll report back after doing some more digging around!

[gurfle]

Turns out the culprit was setting up a gmail account. When setting one up, you need to uncheck the two "Google Features" "Add Calendar to this account" and "Add Contacts to this account" before adding the account to evolution. Having not noticed this the first time, the only way I have now been able to stop the keyring from being accessed upon login was to delete the account from evolution and set it all up again making sure those two features are turned off, which annoyingly they are not by default. This took an unbelievable effort of trial and error to uncover, not knowing how to check basic stuff like process startup settings or configuration files. None of the familiar places I looked gave any clues. Kind of reminds of my days debuging Windows 95 setup glitches

What a disastrous waste of time -- sure wish I wasn't presently compelled to use gmail

[pbear]

Congratulations, well done.