GoSecret is a Golang library to interface with SecretService/libsecret/Gnome-Keyring via DBus. https://pkg.go.dev/r00t2.io/gosecret
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
brent s. aa8aef4ccf
adding convenience function to check (in a very basic manner) if an API spec is legacy.
9 months ago
.idea checking in some work- adding custom errors and low-level compat with SecretService, but it may not be needed. 10 months ago
.ref minor fixes/improvements... 10 months ago
.gitignore improvements, start integration tests 10 months ago
LICENSE v0.0.1 is now done. 11 months ago
README.adoc wrap errors 9 months ago
TODO cleanly close, catch Dbus errors 10 months ago
collection_funcs.go wrap errors 9 months ago
collection_funcs_test.go cleanly close, catch Dbus errors 10 months ago
consts.go docs update; clarification 10 months ago
consts_test.go --amend 10 months ago
doc.go wrap errors 9 months ago
errs.go adding more convenience functions, improve some argument receivers 10 months ago
funcs.go adding convenience function to check (in a very basic manner) if an API spec is legacy. 9 months ago
go.mod wrap errors 9 months ago
go.sum wrap errors 9 months ago
item_funcs.go adding convenience function to check (in a very basic manner) if an API spec is legacy. 9 months ago
item_funcs_test.go fixing various race conditions and errors after refactoring 10 months ago
prompt_funcs.go adding ref mat'l, Service tests done 10 months ago
secret_funcs.go checking in - all basic funcs in place; add a few more then v1 merge 10 months ago
secretvalue_funcs.go fix JSON marshaling for SecretValue. 10 months ago
service_funcs.go adding convenience function to check (in a very basic manner) if an API spec is legacy. 9 months ago
service_funcs_test.go fixing various race conditions and errors after refactoring 10 months ago
session_funcs.go cleanly close, catch Dbus errors 10 months ago
sserror_funcs.go checking in - all basic funcs in place; add a few more then v1 merge 10 months ago
types.go adding convenience function to check (in a very basic manner) if an API spec is legacy. 9 months ago




This project is originally forked from go-libsecret due to:

  • Lack of response from the developer

  • Complete lack of documentation

  • Poor, ineffecient, or just plain antipattern design

  • Missing functionality

and as such, hopefully this library should serve as a more effective libsecret/SecretService interface.

1. Backwards Compatability/Drop-In Replacement Support

Version series v0.X.X of this library promises full and non-breaking backwards support of API interaction with the original project. The only changes should be internal optimizations, adding documentation, some file reorganizing, adding Golang module support, etc.all transparent from the library API itself.

To use this library as a replacement without significantly modifying your code, you can simply use a replace directive:

// ...
replace (
	github.com/gsterjov/go-libsecret dev => r00t2.io/gosecret v0

and then run go mod tidy.

2. New Developer API

Starting from v1.0.0 onwards, entirely breaking changes can be assumed from the original project.

To use the new version,

import (

To reflect the absolute breaking changes, the module name changes as well from libsecret to gosecret.

2.1. Status

The new API is underway, and all functionality in V0 is present. However, it’s not "complete". PRs welcome, of course, but this will be an ongoing effort for a bit of time.

3. SecretService Concepts

For reference:

  • A Service allows one to retrieve and operate on/with Session and Collection objects.

  • A Session allows one to operate on/with Item objects (e.g. parsing/decoding/decrypting them).

  • A Collection allows one to retrieve and operate on/with Item objects.

  • An Item allows one to retrieve and operate on/with Secret objects.

(Secrets are considered "terminating objects" in this model, and contain actual secret value(s) and metadata).

Various interactions are handled by Prompts.

So the object hierarchy in theory looks kind of like this:

├─ Session "A"
├─ Session "B"
├─ Collection "A"
│	├─ Item "A.1"
│	│	├─ Secret "A_1_a"
│	│	└─ Secret "A_1_b"
│	└─ Item "A.2"
│		├─ Secret "A_2_a"
│		└─ Secret "A_2_b"
└─ Collection "B"
    ├─ Item "B.1"
    │	├─ Secret "B_1_a"
    │	└─ Secret "B_1_b"
    └─ Item "B.2"
        ├─ Secret "B_2_a"
        └─ Secret "B_2_b"

And so on.

In practice, however, most users will only have two Collections:

  • a default "system" one named login (usually unlocked upon login), and

  • a temporary one that may or may not exist, running in memory for the current login session named session

4. Usage

Full documentation can be found via inline documentation. Either via the pkg.go.dev documentation or godoc (or go doc) in the source root.

However, here’s a quick demonstration.

package main

import (

	// "github.com/johnnybubonic/gosecret" // GitHub mirror
	"r00t2.io/gosecret"                   // real upstream; recommended

const (
	// The default collection; it should be available on all SecretService implementations.
	collectionName string = "login"
	// A label for an Item used in examples below.
	exampleLabel   string = "Some Website Credentials"

func main() {

	var err error
	var service *gosecret.Service
	var collection *gosecret.Collection
	var item *gosecret.Item
	var itemAttrs map[string]string
	var itemLabel string
	var secret *gosecret.Secret

	// All interactions with SecretService start with initiating a Service connection.
	if service, err = gosecret.NewService(); err != nil {
	defer service.Close()

	// And unless operating directly on a Service via its methods, you probably need a Collection as well.
	if collection, err = service.GetCollection(collectionName); err != nil {

		Create a Secret which gets stored in an Item which gets stored in a Collection.
		See the documentation for details.
	// Incidentally, I believe this is the only exported function/method that does not return an error returner.
	secret = gosecret.NewSecret(
		service.Session,                   // The session associated with this Secret. You're likely fine with the automatically-created *(Service).Session.
		[]byte{},                          // The "parameters". Likely this is an empty byteslice.
		[]byte("a super secret password"), // The actual secret value.
		"text/plain",                      // The content type (MIME type/media type). See https://www.iana.org/assignments/media-types/media-types.xhtml.

		Item attributes are a map[string]string of *metadata* about a Secret/Item.
		Do *NOT* store sensitive information in these.
		They're primarily used for searching for Items.
	itemAttrs = map[string]string{
		"Use":      "an example secret",
		"note":     "These keys can be anything you want!",
		"url":      "https://somewebsite.tld/login",
		"username": "user.name",

	// And create the Item (and add it to SecretService).
	if item, err = collection.CreateItem(
		exampleLabel, // The label of the item. This should also be considered not secret.
		itemAttrs,    // Attributes for the item; see above.
		secret,       // The actual secret.
		true,         // Whether to replace an existing item with the same label or not.
	); err != nil {

		Now let's fetch the same Item via its attributes.
		The results are split into locked items and unlocked items.
	var unlockedItems []*gosecret.Item
	var lockedItems []*gosecret.Item

	if unlockedItems, lockedItems, err = service.SearchItems(itemAttrs); err != nil {

	// We should only have one Item that matches the search attributes, and unless the item or collection is locked, ...
	item = unlockedItems[0]
	if itemLabel, err = item.Label(); err != nil {
	fmt.Printf("Found item: %v\n", itemLabel)

	// Alternatively if you are unsure of the attributes but know the label of the item you want, you can iterate through them.
	var itemResults []*gosecret.Item

	if itemResults, err = collection.Items(); err != nil {

	for idx, i := range itemResults {
		if itemLabel, err = i.Label(); err != nil {
			fmt.Printf("Cannot read label for item at path '%v'\n", i.Dbus.Path())
		if itemLabel != exampleLabel { // Matching against a desired label - exampleLabel, in this case.
		fmt.Printf("Found item labeled '%v'! Index number %v at path '%v'\n", itemLabel, idx, i.Dbus.Path())
		fmt.Printf("Password: %v\n", string(i.Secret.Value))

Note that many functions/methods may return a (r00t2.io/goutils/)multierr.MultiError, which you may attempt to typeswitch to receive the original errors in their native error format. The functions/methods which may return a MultiError are noted as such in their individual documentation.

5. Library Hacking

5.1. Reference

Aside from the above (INCREDIBLY brief and perhaps slightly inaccurate) introduction to SecretService concepts, it is recommended to see the .ref/ directory in git. Notably, the URLS file profides several excellent resources for understanding SecretService further. The Dbus specification (first URL in the file) is highly recommended if you are unfamiliar with SecretService internals.

5.2. Tests

Many functions are consolidated into a single test due to how dependent certain processes are on other objects. However, all functionality should be covered by test cases and the error string will always be passed through the stack to go test -v output.

Obviously since this library interacts directly with Dbus (and I don’t want to spend the time to mock up an entire Dbus-like interface to test), all tests are integration tests rather than unit tests. Therefore in the event of a failed run, you will need to open e.g. Seahorse or d-feet or some other Dbus/SecretService browser and manually delete the created Secret Service collection. It/they should be easily identified; they use a generated UUID4 string as the collection name and it is highly unlikely that you will see any other collections named as such. If running go test with the verbose flag (-v), the name and path of the collection will be printed out. If all tests pass, the test collection should be removed automatically.

The same UUID is used for all tests in a test run.

You may be prompted during a test run for a password; you can simply use a blank password for this as it is the password used to protect a collection. This prompt pops up during the creation of a Collection.