Troubleshooting "...no longer matches that of your login keyring” problem,

Tom_Hodder · May 21, 2025, 6:09pm

I run fedora 41 with both gnome and i3wm sessions installed, but usually with i3wm. gnome-keyring-daemon is being used by chrome, webstorm, and various apps for credential storage [^1]

After a recent dnf update and a reboot, I got the message on opening vscode, that "The password you use to log in to your computer no longer matches that of your login keyring”. I was able to confirm the problem in seahorse, as seahorse won’t unlock the Login keyring with my login password with a similar error. The dialog also pops for any app that is using libsecret for credentials storage (chrome/webstorm/etc)

I tried my current login password, which hasn’t changed for some time, at least the year, and it was not having it. After a bit of reading [^2], [^3] it seems like it does happen that the keyring password gets reset, but not by the user changing their password. I also tried the root password, and blank, and a few others that i thought it might have got set to, but nope, can’t unlock.

I can see from backups that the keyrings file has been updated a few times recently:

Filename     |MD5                   |JobId|StartTime              |
-------------+----------------------+-----+-----------------------+
login.keyring|pbjGSDPz08LO20G8hFq25A|39635|2025-05-21 10:30:04.000|
login.keyring|KNJLkS/1x+IgsqpdYUGwvA|39450|2025-05-19 13:30:05.000|
login.keyring|KK//q+5KaJPwFTp18vkWRg|39429|2025-05-19 08:30:04.000|
login.keyring|XnZMxLfkQ+R25DZ8OYxghg|39417|2025-05-19 04:30:05.000|
login.keyring|DBOdy+YERrhSkF80lEAkcA|39355|2025-05-18 14:30:05.000|
login.keyring|6fWrQoKY/AsNZs+hICejlA|39281|2025-05-17 20:30:05.000|
login.keyring|xhQNMloukmi/PzPFlR8rbA|39275|2025-05-17 18:30:05.000|
login.keyring|6uTeSu/K1nNaIOEzO7cihQ|39174|2025-05-16 17:30:04.000|
login.keyring|OAqrXwvVHxUTBiule6E1jQ|39165|2025-05-16 16:30:04.000|

I tried restoring the previous version from the backup, but it doesn’t seem to want to accept my login password for that one either. However maybe I am not understanding how the gnome-keyring-daemon.service is loading the login.keyring.

the steps i did were

killall gnome-keyring-daemon
cp ~/.local/share/keyrings/login.keyring ~/login.keyring.bak
restore the backup cp /backup/restore/.local/share/keyrings/login.keyring ~/.local/share/keyrings/login.keyring
start the gnome-keyring-daemon in the foreground
try and open the login keyring from seahorse

the above did not work.

I have restored all those historical backups to a tmp folder. how can i test them with an unlock password?

Any other steps I can take to determine what is likely to have changed the password for the login keyring?

note:
presumably being started by d-bus activtation, as i don’t see anything in my co

– link removed due to restrictions –
–link removed due to restrictions–

Tom_Hodder · May 21, 2025, 8:49pm

ok, so foillowing up, proceeding back through the backups, i find that I am able to unlock the login.keyring from 2025-05-10 13:30:05.000

This corresponds to about 12 hours after the last reboot of the machine

root@pc04:~# journalctl --list-boots | cat
IDX BOOT ID                          FIRST ENTRY                 LAST ENTRY
...
2025-05-10 01:21:37 BST
 -2 44565d7915e248d591a64e13f587cf0d Sat 2025-05-10 01:22:29 BST Sat 2025-05-10 01:27:03 BST
 -1 42fa748dd7a7489f894d2bf29b6d1321 Sat 2025-05-10 01:27:42 BST Wed 2025-05-21 00:30:18 BST
  0 b46fd886f80b4da482aa4e481c1918f7 Wed 2025-05-21 00:59:30 BST Wed 2025-05-21 21:22:02 BST

so some time later that day, after logging in, and presumably using apps like chrome and vscode that are using libsecret for secrets, it changes the password of the login.keyring. however this is not logged at all:

root@pc04:~# journalctl --since "2025-05-10 00:00:00" --until "2025-05-20 23:59:59" --no-pager | grep -i "gkr-pam"
May 10 01:28:29 pc04 gdm-password][2888]: gkr-pam: unable to locate daemon control file
May 10 01:28:29 pc04 gdm-password][2888]: gkr-pam: stashed password to try later in open session
May 10 01:28:29 pc04 gdm-password][2888]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
root@pc04:~#

but i can’t login to the login.keyring from 14:30 onwards (hourly backup), most record shown

JobId|Filename     |MD5                   |hex_md5                         |JobId|MinStartTime           |MaxStartTime           |
-----+-------------+----------------------+--------------------------------+-----+-----------------------+-----------------------+
38571|login.keyring|lkFS7HR6u7aN7/ffVYqukg|964152EC747ABBB68DEFF7DF558AAE92|39132|2025-05-10 14:30:05.000|2025-05-16 07:30:05.000|

^^^ this is the one where it stop working,

but this does not correlate to any password change activity on my login user

$ chage -l $USER
Last password change                                    : Apr 05, 2025
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Tom_Hodder · May 22, 2025, 1:12am

ah ok, this is what i was looking for

$ journalctl --utc --user  | grep gnome-keyring-daemon |  grep 'May 10'
May 10 06:39:45 pc04 gnome-keyring-daemon[3310]: discover_other_daemon: 1
May 10 06:39:45 pc04 gnome-keyring-daemon[209976]: discover_other_daemon: 0
May 10 06:39:45 pc04 gnome-keyring-daemon[209976]: Replacing daemon, using directory: /run/user/1000/keyring
May 10 06:39:45 pc04 gnome-keyring-daemon[209976]: failed to unlock login keyring on startup
May 10 13:51:14 pc04 gnome-keyring-daemon[209976]: couldn't allocate secure memory to keep passwords and or keys from being written to the disk
May 10 13:51:14 pc04 gnome-keyring-daemon[209976]: fixed login keyring password to match login password
May 10 14:26:28 pc04 gnome-keyring-daemon[209976]: asked to register item /org/freedesktop/secrets/collection/login/1271, but it's already registered
May 10 14:28:06 pc04 gnome-keyring-daemon[921417]: discover_other_daemon: 0
May 10 14:28:06 pc04 gnome-keyring-daemon[921417]: Replacing daemon, using directory: /run/user/1000/keyring

May 10 13:51:14 pc04 gnome-keyring-daemon[209976]: fixed login keyring password to match login password

the backup produced at 14:30, can’t be decrypted any more, (and none of the subsequent backups) so there is some sequence of events in which a daemon tries to unlock, fails, then overwrites the login keyring with an incorrect password. I found a recent bug reporting similar behaviour, which i have added some comments tracking my research https://bugzilla.redhat.com/show_bug.cgi?id=2356002