Will seahorse use this backend also, or will it still use GNOME keyring daemon?
Will the secret-tool CLI and libsecret use this backend by default? Will this work seamlessly with the existing git-credential-helper? Will existing askpass utilities that currently work in gnome for gpg and ssh still work with this? GNOME supports multiple keyrings. Will this support multiple keyrings? On upgrade, how will secrets be migrated if multiple keyrings are used? Will migration be easy if the GNOME keyrings are not unlocked by PAM (because they have a different passphrase than the account, for example). How, if at all, will saved passwords in GNOME Online Accounts (goa) be affected? Will any fedora-packager tools be affected, such as fpkinit? Sorry for all the questions, but this seems like a big change for me. I've been a g-k-d user for a very long time! On Tue, Jun 30, 2026, 13:26 Aoife Moloney via devel-announce < [email protected]> wrote: > Wiki - https://fedoraproject.org/wiki/Changes/oo7_Secrets_Service_Provider > Discussion thread - > > https://discussion.fedoraproject.org/t/f45-change-proposal-oo7-secrets-service-provider-system-wide/195274 > > This is a proposed Change for Fedora Linux. > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be implemented if approved > by the Fedora Engineering Steering Committee. > > > == Summary == > Switch the default Secrets Service provider for Fedora desktops from > KWallet and GNOME Keyring to oo7. > > == Owner == > * Name: [[User:ngompa| Neal Gompa]], [[User:decathorpe| Fabio > Valentini]], [[User:salimma| Michel Lind]] > * Email: [email protected], [email protected], [email protected] > > > == Detailed Description == > A new universal secrets storage system has been developed in the form > of [https://github.com/linux-credentials/oo7 oo7] that replaces > KWallet's backend and GNOME Keyring. Package up > <code>oo7-daemon</code> and associated support code and change the > Fedora default secrets storage backend to it across all desktops. > > == Feedback == > > > == Benefit to Fedora == > The idea with this new secrets storage system is to support a new > model for credentials where scoped authorization is possible for > applications and services. Additionally, it opens the door for > mediating access to FIDO2-based authentication mechanisms. This lends > itself well to enabling limited trust to secrets for sandboxed > applications, among other things. KDE Plasma, COSMIC, and GNOME (among > others) are all converging on this and so enabling this allows Fedora > to remain at the forefront of supporting desktop technologies. > > == Scope == > * Proposal owners: > ** Package <code>oo7-daemon</code>, PAM module, and other support code > ** Add oo7 PAM module to relevant PAM configs where gnome-keyring and > kwallet PAM modules are listed > ** Adjust comps to replace gnome-keyring with oo7-daemon > ** Adjust dependencies in desktops to use oo7 instead of gnome-keyring > > * Other developers: N/A (not needed for this Change) > > * Release engineering: > [https://forge.fedoraproject.org/releng/tickets/issues/13405 #13405] > > * Policies and guidelines: N/A (not needed for this Change) > > * Trademark approval: N/A (not needed for this Change) > > * Alignment with the Fedora Strategy: N/A (not needed for this Change) > > > == Upgrade/compatibility impact == > The oo7 service will automatically migrate existing data from GNOME > Keyring and KWallet, so no user interaction is required to handle the > transition. > > > > == How To Test == > Once oo7-daemon and related code are packaged and updated > configuration lands in Rawhide, users can test this simply by > upgrading and using things that leverage the secrets service like > normal. > > == User Experience == > This is expected to be fairly transparent to the user. > > == Dependencies == > This will involve updating the PAM configuration files for the > desktops and login managers used across Fedora deliverables. > > > == Contingency Plan == > * Contingency mechanism: Revert swap to oo7 and defer to the next release > * Contingency deadline: Beta freeze > * Blocks release? Yes > > > == Documentation == > More information about oo7 is present in [https://docs.rs/oo7/ the > upstream project documentation]. > > == Release Notes == > Fedora Linux now uses the oo7 as the default secrets service provider, > replacing older solutions like GNOME Keyring. This brings enhanced > security to secrets management, particularly for sandboxed > applications, and enables FIDO2 authentication secrets. > > > -- > Aoife Moloney > > Fedora Operations Architect > > Fedora Project > > Matrix: @amoloney:fedora.im > > IRC: amoloney > > -- > _______________________________________________ > devel-announce mailing list -- [email protected] > To unsubscribe send an email to > [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://forge.fedoraproject.org/infra/tickets/issues/new >
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
