Subversion and the GNOME Keyring

The reason I'm posting this message is because I've written a Korn shell script that will be of use to those people who use the Subversion client on Linux or Solaris and would like their passwords to be encrypted. I realise this isn't strictly a question or matter concerning shell scripts, but as this is a very useful script I couldn't think of anywhere better to post it so that the wider community can make use of it.

I wrote it in Korn shell because I needed something up and running quickly. If someone else would prefer it written in an A. N. Other favourite language (perl, python, ruby, prose, you name it), please feel free to write a port.

For a background of the task at hand, see Technical Prose: Using Subversion with the GNOME Keyring. What the attached script will do is act as a wrapper for the 'svn' tool, starting the 'gnome-keyring-daemon' on your behalf and managing the set-up of the keyring. This is needed on servers where the GNOME Desktop is not installed. Using this script and the process I've documented below will save you hours of pain (the pain I've already had to go through).

Initial Set-up

Steps to get this working if your login shell is bash:

  1. Install CollabNet Subversion v1.6.x or later client on Linux or Solaris (I've tested this on v1.6.16), which has built-in GNOME Keyring support.
  2. Install the GNOME Keyring daemon (e.g. gnome-keyring RPM on Red Hat, on Solaris this requires the SUNWgnome-base-libs and SUNWgnome-libs packages only, you can safely ignore the other dependencies).
  3. Install the attached wrapper script as /opt/CollabNet_Subversion/bin/svn_wrapper.
  4. Add the following line to your ~/.bash_login and ~/.bashrc files which will set-up an 'svn' alias so that the wrapper script is called instead:
    [ -x /opt/CollabNet_Subversion/bin/svn_wrapper ] && alias svn=/opt/CollabNet_Subversion/bin/svn_wrapper
  5. Add the following line to your ~/.bash_logout file, which will kill the GNOME Keyring daemon on exit if you have no further login sessions:
    [ -x /opt/CollabNet_Subversion/bin/svn_wrapper ] && /opt/CollabNet_Subversion/bin/svn_wrapper --gkd-logout
  6. Logout/login again to pick up the changes to your login script.
  7. Run svn --gkd-help to confirm that the wrapper script is being called. This will also display further details about the wrapper script that are of use.
  8. Edit ~/.subversion/config and set the following parameter in the [auth] section:
    password-stores = gnome-keyring
  9. Edit ~/.subversion/servers and set the following parameters in the [global] section:
    store-passwords = yes
    store-plaintext-passwords = no
  10. To remove any previously cached plain-text passwords and cache your encrypted password, run svn --gkd-clear followed by svn up in a checked-out folder.

When you invoke the 'svn up' command above, if the GNOME Keyring Daemon is not already running, it will be started by the wrapper script. You'll be prompted for the GNOME Keyring password. If this is the first time you've run the daemon, pick any password. This password is used to encrypt the keyring, and you'll be prompted for it once per session. A session lasts as long as you have a login on that server (as reported by the UNIX 'w' command).

Note that the wrapper script actually sets up one keyring per OS platform, so if you run 'svn' on both Linux and Solaris clients and automount your home directories between the two, there will be a keyring called 'svn_linux' and one called 'svn_sunos' in ~/.gnome2/keyrings. This is required to work around an incompatibility between keyrings on different platforms, as each platform provides its own version of the GNOME Keyring. This could be mitigated by compiling the same version of the GNOME Keyring for each platform you wish to support, although I've not tested that.

When Your Password Changes

If the password cached in the GNOME Keyring needs to be changed, run svn --gkd-clear followed by svn up in a checked-out folder. This will clear all passwords currently cached by the Subversion client, and then re-cache your new password.

Changing the Keyring Password

If you would like to change the password you are using to encrypt your GNOME Keyring, run rm ~/.gnome2/keyrings/svn* to delete the old 'svn' keyrings, then --gkd-clear followed by svn up in a checked-out folder.

I hope this script is of use to the wider community.

Best regards,
Mark Bannister.

I've amended my original svn_wrapper script with a minor fix for handling greater than 9 arguments. Please find attached.

Best regards,
Mark Bannister.

Hi Mark,

Here's your script with the additional configuration test I mentioned on your blog.

Dennis

Thanks Dennis. Although I am sure there are other ways of disabling the authentication cache if you're not using Subversion client default settings, e.g.

store-auth-creds = no

Rather than write in lots of checks and measures I assume my steps 2-10 occur immediately after step 1, i.e. you are using a default installation of the Subversion client and not one with a tinkered configuration :)

Good point.

Nonetheless since I would imagine that others, like me, might want to start using your very useful script after having used the svn client for a while, it is probably good that this exchange has resulted in your assumption being explicitly stated. It might save others the hours I spent trying to get the keyring working. :)

Thanks again for a very well-written script!

Dennis
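
The settings from steps 8-10 and the store-auth-creds case raised in the replies can be checked together before relying on the keyring. The script below is an added example, not Mark's wrapper or Dennis's test; the function names (ini_get, audit_svn_dir, make_sample) are hypothetical, the fixture is constructed, and it assumes that a cache record under auth/svn.simple whose passtype value is "simple" holds the password in clear text.

```shell
#!/bin/sh
# ini_get FILE SECTION KEY: print the last uncommented value of KEY in [SECTION].
ini_get() {
    [ -f "$1" ] || return 0
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == want); next }
        insec && /^[ \t]*[^#; \t]/ {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# audit_svn_dir DIR: print one FAIL line per finding; return 1 if there were any.
audit_svn_dir() {
    d=$1; rc=0
    bad() { echo "FAIL: $*"; rc=1; }
    case "$(ini_get "$d/config" auth password-stores)" in
        *gnome-keyring*) ;; *) bad "config [auth] password-stores lacks gnome-keyring" ;;
    esac
    [ "$(ini_get "$d/servers" global store-passwords)" = yes ] ||
        bad "servers [global] store-passwords is not set to yes"
    [ "$(ini_get "$d/servers" global store-plaintext-passwords)" = no ] ||
        bad "servers [global] store-plaintext-passwords is not set to no"
    # store-auth-creds = no switches the cache off (the case raised in the replies).
    for loc in config:auth servers:global; do
        [ "$(ini_get "$d/${loc%%:*}" "${loc##*:}" store-auth-creds)" != no ] ||
            bad "${loc%%:*} [${loc##*:}] store-auth-creds = no disables the cache"
    done
    # Assumption: passtype "simple" marks a record cached before the keyring was set up.
    for f in "$d"/auth/svn.simple/*; do
        [ -f "$f" ] || continue
        awk 'prev == "passtype" && $0 == "simple" { hit = 1 }
             !/^[KV] [0-9]+$/ { prev = $0 } END { exit hit }' "$f" ||
            bad "plaintext password cached in $f"
    done
    return $rc
}

# make_sample DIR: constructed fixture, a correct config beside one stale plaintext record.
make_sample() {
    mkdir -p "$1/auth/svn.simple"
    printf '[auth]\n# password-stores = kwallet\npassword-stores = gnome-keyring\n' > "$1/config"
    printf '[global]\nstore-passwords = yes\nstore-plaintext-passwords = no\n' > "$1/servers"
    printf 'K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 6\nsecret\nEND\n' > "$1/auth/svn.simple/constructed"
}
```

Run audit_svn_dir ~/.subversion after step 10; a remaining "plaintext password cached" line means an old record survived and still needs clearing.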