Using secret-tool and Gnome keyring to protect Salsa API keys

To: Debian-Go Mailing List <debian-go@lists.debian.org>
Subject: Using secret-tool and Gnome keyring to protect Salsa API keys
From: Otto Kekäläinen <otto@debian.org>
Date: Sun, 9 Mar 2025 22:57:14 -0700
Message-id: <[🔎] CAOU6tACM+hYBftc0P4ryPF8WTB1mBaUM9EXjO_Qd_qnFeJEY_A@mail.gmail.com>

Hi Simon and others,

You raised earlier a concern that using GITLAB_TOKEN directly in glab
is a security concern
as users may end up storing API keys in plain text in .bashrc files or similar.

I just filed https://salsa.debian.org/go-team/infra/pkg-go-tools/-/merge_requests/5
that uses the secret-tool to store and retrieve the API key from the
Gnome keyring.

You can try this:

sudo apt install libsecret-tools

secret-tool lookup application glab host salsa.debian.org
# No output, only exit code 1

secret-tool store --label='GitLab API access token for Salsa'
application glab host salsa.debian.org
Password: glpat-1234567890

secret-tool lookup application glab host salsa.debian.org
glpat-1234567890


I might submit this to

Reply to:

Follow-Ups:
- Re: Using secret-tool and Gnome keyring to protect Salsa API keys
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: Bug#1096140: package new upstream and Go code?
Next by Date: Re: Using secret-tool and Gnome keyring to protect Salsa API keys
Previous by thread: Re: Bug#1096140: package new upstream and Go code?
Next by thread: Re: Using secret-tool and Gnome keyring to protect Salsa API keys
Index(es):
- Date
- Thread