From f831b003c22bb103b820a3c3e608eedbb15b11c4 Mon Sep 17 00:00:00 2001 From: FabianLars Date: Tue, 14 Oct 2025 17:42:04 +0200 Subject: [PATCH] migrate to keyring-core --- Cargo.lock | 235 ++++++++++++++---- plugins/secure-storage/Cargo.toml | 29 ++- .../permissions/autogenerated/reference.md | 19 ++ .../permissions/schemas/schema.json | 6 + plugins/secure-storage/src/error.rs | 3 +- plugins/secure-storage/src/lib.rs | 18 +- plugins/websocket/Cargo.toml | 2 +- 7 files changed, 249 insertions(+), 63 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ad3365f23..7d504d866 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -118,14 +118,13 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923" [[package]] -name = "android-keyring" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b051e1fab4f4c15e384424252c57321173b8fb274d50f30bd46145c35cd0a6a2" +name = "android-native-keyring-store" +version = "0.4.0" +source = "git+https://github.com/FabianLars/android-native-keyring-store#6d59ad7d6a84b1496175754aa00c000a59356da0" dependencies = [ "base64 0.22.1", "jni", - "keyring", + "keyring-core", "ndk-context", "thiserror 2.0.12", "tracing", @@ -290,6 +289,17 @@ dependencies = [ "tauri-plugin-store", ] +[[package]] +name = "apple-native-keyring-store" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "10f9955235ce557bd0ea2c64d7ff09a887885f515e98572d2640a29520d9c98c" +dependencies = [ + "keyring-core", + "log", + "security-framework 3.5.1", +] + [[package]] name = "arbitrary" version = "1.4.1" 
@@ -896,6 +906,15 @@ dependencies = [ "toml", ] +[[package]] +name = "cbc" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6" +dependencies = [ + "cipher", +] + [[package]] name = "cc" version = "1.2.19" @@ -980,7 +999,7 @@ dependencies = [ "iana-time-zone", "num-traits", "serde", - "windows-link", + "windows-link 0.1.1", ] [[package]] @@ -1544,7 +1563,7 @@ dependencies = [ "libc", "option-ext", "redox_users 0.5.0", - "windows-sys 0.60.2", + "windows-sys 0.61.2", ] [[package]] @@ -3257,18 +3276,12 @@ dependencies = [ ] [[package]] -name = "keyring" -version = "3.6.3" +name = "keyring-core" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eebcc3aff044e5944a8fbaf69eb277d11986064cba30c468730e8b9909fb551c" +checksum = "64ad182c4841eb5795af9d20e6e020b65a895517f6a41e6358ed8af74ba35d98" dependencies = [ - "byteorder", - "linux-keyutils", "log", - "security-framework 2.11.1", - "security-framework 3.2.0", - "windows-sys 0.60.2", - "zeroize", ] [[package]] @@ -3421,16 +3434,6 @@ dependencies = [ "vcpkg", ] -[[package]] -name = "linux-keyutils" -version = "0.2.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "761e49ec5fd8a5a463f9b84e877c373d888935b71c6be78f3767fe2ae6bed18e" -dependencies = [ - "bitflags 2.9.0", - "libc", -] - [[package]] name = "linux-raw-sys" version = "0.4.15" 
@@ -3812,6 +3815,30 @@ dependencies = [ "serde", ] +[[package]] +name = "num" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23" +dependencies = [ + "num-bigint", + "num-complex", + "num-integer", + "num-iter", + "num-rational", + "num-traits", +] + +[[package]] +name = "num-bigint" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" +dependencies = [ + "num-integer", + "num-traits", +] + [[package]] name = "num-bigint-dig" version = "0.8.4" @@ -3829,6 +3856,15 @@ dependencies = [ "zeroize", ] +[[package]] +name = "num-complex" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495" +dependencies = [ + "num-traits", +] + [[package]] name = "num-conv" version = "0.1.0" @@ -3855,6 +3891,17 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-rational" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824" +dependencies = [ + "num-bigint", + "num-integer", + "num-traits", +] + [[package]] name = "num-traits" version = "0.2.19" @@ -5318,7 +5365,7 @@ dependencies = [ "openssl-probe", "rustls-pki-types", "schannel", - "security-framework 3.2.0", + "security-framework 3.5.1", ] [[package]] 
@@ -5465,6 +5512,25 @@ dependencies = [ "zeroize", ] +[[package]] +name = "secret-service" +version = "5.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a62d7f86047af0077255a29494136b9aaaf697c76ff70b8e49cded4e2623c14" +dependencies = [ + "aes", + "cbc", + "futures-util", + "generic-array", + "getrandom 0.2.15", + "hkdf", + "num", + "once_cell", + "serde", + "sha2", + "zbus", +] + [[package]] name = "security-framework" version = "2.11.1" @@ -5480,9 +5546,9 @@ dependencies = [ [[package]] name = "security-framework" -version = "3.2.0" +version = "3.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "271720403f46ca04f7ba6f55d438f8bd878d6b8ca0a1046e8228c4145bcbb316" +checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef" dependencies = [ "bitflags 2.9.0", "core-foundation 0.10.0", @@ -5493,9 +5559,9 @@ dependencies = [ [[package]] name = "security-framework-sys" -version = "2.14.0" +version = "2.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49db231d56a190491cb4aeda9527f1ad45345af50b0851622a7adb8c03b01c32" +checksum = "cc1f0cbffaac4852523ce30d8bd3c5cdc873501d96ff467ca09b6767bb8cd5c0" dependencies = [ "core-foundation-sys", "libc", @@ -6835,14 +6901,17 @@ dependencies = [ name = "tauri-plugin-secure-storage" version = "2.0.0" dependencies = [ - "android-keyring", - "keyring", + "android-native-keyring-store", + "apple-native-keyring-store", + "keyring-core", "log", "serde", "serde_json", "tauri", "tauri-plugin", "thiserror 2.0.12", + "windows-native-keyring-store", + "zbus-secret-service-keyring-store", ] [[package]] @@ -6993,7 +7062,7 @@ dependencies = [ "tauri-plugin", "thiserror 2.0.12", "tokio", - "tokio-tungstenite", + "tokio-tungstenite 0.28.0", ] [[package]] 
@@ -7361,6 +7430,18 @@ name = "tokio-tungstenite" version = "0.27.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "489a59b6730eda1b0171fcfda8b121f4bee2b35cba8645ca35c5f7ba3eb736c1" +dependencies = [ + "futures-util", + "log", + "tokio", + "tungstenite 0.27.0", +] + +[[package]] +name = "tokio-tungstenite" +version = "0.28.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d25a406cddcc431a75d3d9afc6a7c0f7428d4891dd973e4d54c56b46127bf857" dependencies = [ "futures-util", "log", @@ -7371,7 +7452,7 @@ dependencies = [ "tokio", "tokio-native-tls", "tokio-rustls", - "tungstenite", + "tungstenite 0.28.0", "webpki-roots", ] @@ -7555,6 +7636,23 @@ name = "tungstenite" version = "0.27.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "eadc29d668c91fcc564941132e17b28a7ceb2f3ebf0b9dae3e03fd7a6748eb0d" +dependencies = [ + "bytes", + "data-encoding", + "http", + "httparse", + "log", + "rand 0.9.0", + "sha1", + "thiserror 2.0.12", + "utf-8", +] + +[[package]] +name = "tungstenite" +version = "0.28.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8628dcc84e5a09eb3d8423d6cb682965dea9133204e8fb3efee74c2a0c259442" dependencies = [ "bytes", "data-encoding", @@ -8115,7 +8213,7 @@ dependencies = [ "tauri-build", "tauri-plugin-websocket", "tokio", - "tokio-tungstenite", + "tokio-tungstenite 0.27.0", ] [[package]] @@ -8248,7 +8346,7 @@ dependencies = [ "windows-collections", "windows-core", "windows-future", - "windows-link", + "windows-link 0.1.1", "windows-numerics", ] @@ -8269,7 +8367,7 @@ checksum = "4763c1de310c86d75a878046489e2e5ba02c649d185f21c67d4cf8a56d098980" dependencies = [ "windows-implement", "windows-interface", - "windows-link", + "windows-link 0.1.1", "windows-result", "windows-strings 0.4.0", ] 
@@ -8281,7 +8379,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a1d6bbefcb7b60acd19828e1bc965da6fcf18a7e39490c5f8be71e54a19ba32" dependencies = [ "windows-core", - "windows-link", + "windows-link 0.1.1", ] [[package]] @@ -8312,6 +8410,24 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38" +[[package]] +name = "windows-link" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5" + +[[package]] +name = "windows-native-keyring-store" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d37273ed015cfe7bce6fd684478cdd40435fc84a9ce781404d1fbc61c2d674d" +dependencies = [ + "byteorder", + "keyring-core", + "windows-sys 0.61.2", + "zeroize", +] + [[package]] name = "windows-numerics" version = "0.2.0" @@ -8319,7 +8435,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9150af68066c4c5c07ddc0ce30421554771e528bde427614c61038bc2c92c2b1" dependencies = [ "windows-core", - "windows-link", + "windows-link 0.1.1", ] [[package]] @@ -8339,7 +8455,7 @@ version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ad1da3e436dc7653dfdf3da67332e22bff09bb0e28b0239e1624499c7830842e" dependencies = [ - "windows-link", + "windows-link 0.1.1", "windows-result", "windows-strings 0.4.0", ] @@ -8350,7 +8466,7 @@ version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c64fd11a4fd95df68efcfee5f44a294fe71b8bc6a91993e2791938abcc712252" dependencies = [ - "windows-link", + "windows-link 0.1.1", ] [[package]] 
@@ -8359,7 +8475,7 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "87fa48cc5d406560701792be122a10132491cff9d0aeb23583cc2dcafc847319" dependencies = [ - "windows-link", + "windows-link 0.1.1", ] [[package]] @@ -8368,7 +8484,7 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a2ba9642430ee452d5a7aa78d72907ebe8cfda358e8cb7918a2050581322f97" dependencies = [ - "windows-link", + "windows-link 0.1.1", ] [[package]] @@ -8416,6 +8532,15 @@ dependencies = [ "windows-targets 0.53.2", ] +[[package]] +name = "windows-sys" +version = "0.61.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc" +dependencies = [ + "windows-link 0.2.1", +] + [[package]] name = "windows-targets" version = "0.42.2" @@ -8484,7 +8609,7 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e04a5c6627e310a23ad2358483286c7df260c964eb2d003d8efd6d0f4e79265c" dependencies = [ - "windows-link", + "windows-link 0.1.1", ] [[package]] @@ -8918,9 +9043,9 @@ dependencies = [ [[package]] name = "zbus" -version = "5.9.0" +version = "5.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4bb4f9a464286d42851d18a605f7193b8febaf5b0919d71c6399b7b26e5b0aad" +checksum = "2d07e46d035fb8e375b2ce63ba4e4ff90a7f73cf2ffb0138b29e1158d2eaadf7" dependencies = [ "async-broadcast", "async-executor", 
@@ -8943,18 +9068,28 @@ dependencies = [ "tokio", "tracing", "uds_windows", - "windows-sys 0.59.0", + "windows-sys 0.60.2", "winnow 0.7.6", "zbus_macros", "zbus_names", "zvariant", ] +[[package]] +name = "zbus-secret-service-keyring-store" +version = "0.1.0" +source = "git+https://github.com/FabianLars/zbus-secret-service-keyring-store#e465bd217f68350a969229c5fcbc758ebb6819c4" +dependencies = [ + "keyring-core", + "secret-service", + "zbus", +] + [[package]] name = "zbus_macros" -version = "5.9.0" +version = "5.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef9859f68ee0c4ee2e8cde84737c78e3f4c54f946f2a38645d0d4c7a95327659" +checksum = "57e797a9c847ed3ccc5b6254e8bcce056494b375b511b3d6edcec0aeb4defaca" dependencies = [ "proc-macro-crate 3.3.0", "proc-macro2", diff --git a/plugins/secure-storage/Cargo.toml b/plugins/secure-storage/Cargo.toml index 7fc78b797..b495f086c 100644 --- a/plugins/secure-storage/Cargo.toml +++ b/plugins/secure-storage/Cargo.toml 
@@ -26,19 +26,30 @@ ios = { level = "full", notes = "" } [build-dependencies] tauri-plugin = { workspace = true, features = ["build"] } +[features] +# TODO: docs +# TODO: Check if protected works on intel as well, otherwise we may have to split this up. using protected for ios and keychain for macos and somehow making protected opt-in for apple silicon macs. +apple-keychain = ["apple-native-keyring-store/keychain"] +apple-protected = ["apple-native-keyring-store/protected"] + [dependencies] serde = { workspace = true } serde_json = { workspace = true } tauri = { workspace = true } log = { workspace = true } thiserror = { workspace = true } -# When updating to v4 we likely won't use linux-native aka keyutils but we need to look into which backend to use. -# Also, `linux-native` is non persistent. -keyring = { version = "3.6", features = [ - "apple-native", - "windows-native", - "linux-native", -] } +keyring-core = "0.7" -[target."cfg(target_os = \"android\")".dependencies] -android-keyring = "0.2.0" +[target.'cfg(windows)'.dependencies] +windows-native-keyring-store = "0.2" + +[target.'cfg(target_os = "linux")'.dependencies] +# TODO: upstream is on keyring-core@0.6 while windows & apple backends only have 0.5 and 0.7 releases. +zbus-secret-service-keyring-store = { git = "https://github.com/FabianLars/zbus-secret-service-keyring-store", features = ["rt-tokio-crypto-rust"] } + +[target.'cfg(any(target_os = "ios", target_os = "macos"))'.dependencies] +apple-native-keyring-store = "0.2" + +[target.'cfg(target_os = "android")'.dependencies] +# TODO: upstream is on keyring-core@0.6 while windows & apple backends only have 0.5 and 0.7 releases. +android-native-keyring-store = { git = "https://github.com/FabianLars/android-native-keyring-store" } diff --git a/plugins/secure-storage/permissions/autogenerated/reference.md b/plugins/secure-storage/permissions/autogenerated/reference.md index c2cb464af..9a2b7910a 100644 
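Review bot: In plugins/secure-storage/Cargo.toml the Linux and Android backends (`zbus-secret-service-keyring-store`, `android-native-keyring-store`) are `git` dependencies with no `rev`. The code that handles stored secrets is therefore fixed only by the commit recorded in this repository's Cargo.lock. A `cargo update`, or a consumer resolving the plugin without that lockfile, would take whatever the fork's default branch holds at the time. Pinning each entry to the commit the lockfile already records keeps the credential backends reviewable until upstream releases catch up: `rev = "e465bd217f68350a969229c5fcbc758ebb6819c4"` for the zbus store and `rev = "6d59ad7d6a84b1496175754aa00c000a59356da0"` for the Android store. Separately, `apple-keychain` and `apple-protected` are both opt-in with no default, so an Apple build with neither enabled appears to get no store at all; the `# TODO: docs` line should say so, or a default should be chosen.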
--- a/plugins/secure-storage/permissions/autogenerated/reference.md +++ b/plugins/secure-storage/permissions/autogenerated/reference.md @@ -1,3 +1,22 @@ +## Default Permission + +This permission set configures which +Secure Storage APIs are available by defaultt. + +#### Granted Permissions + +In the PoC phase all commands are allowed by default. + +#### This default permission set includes the following: + +- `allow-arch` +- `allow-exe-extension` +- `allow-family` +- `allow-locale` +- `allow-os-type` +- `allow-platform` +- `allow-version` + ## Permission Table diff --git a/plugins/secure-storage/permissions/schemas/schema.json b/plugins/secure-storage/permissions/schemas/schema.json index 8e19aa10d..c5708657c 100644 --- a/plugins/secure-storage/permissions/schemas/schema.json +++ b/plugins/secure-storage/permissions/schemas/schema.json @@ -341,6 +341,12 @@ "type": "string", "const": "deny-set-string", "markdownDescription": "Denies the set_string command without any pre-configured scope." + }, + { + "description": "This permission set configures which\nSecure Storage APIs are available by defaultt.\n\n#### Granted Permissions\n\nIn the PoC phase all commands are allowed by default.\n\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`", + "type": "string", + "const": "default", + "markdownDescription": "This permission set configures which\nSecure Storage APIs are available by defaultt.\n\n#### Granted Permissions\n\nIn the PoC phase all commands are allowed by default.\n\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`" } ] } diff --git a/plugins/secure-storage/src/error.rs b/plugins/secure-storage/src/error.rs index 7af8ece59..36ac901ab 100644 --- a/plugins/secure-storage/src/error.rs 
+++ b/plugins/secure-storage/src/error.rs @@ -6,10 +6,11 @@ use serde::{ser::Serializer, Serialize}; pub type Result = std::result::Result; +#[non_exhaustive] #[derive(Debug, thiserror::Error)] pub enum Error { #[error(transparent)] - Keyring(#[from] keyring::Error), + Keyring(#[from] keyring_core::Error), } impl Serialize for Error { diff --git a/plugins/secure-storage/src/lib.rs b/plugins/secure-storage/src/lib.rs index 7b2a88b78..b032da0d7 100644 --- a/plugins/secure-storage/src/lib.rs +++ b/plugins/secure-storage/src/lib.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: MIT -use keyring::Entry; +use keyring_core::{set_default_store, Entry}; use tauri::{ plugin::{Builder, TauriPlugin}, AppHandle, Manager, Runtime, @@ -37,7 +37,21 @@ pub fn init() -> TauriPlugin { ]) .setup(|app, _api| { #[cfg(target_os = "android")] - android_keyring::set_android_keyring_credential_builder()?; + set_default_store(android_native_keyring_store::AndroidStore::from_ndk_context()?); + + // TODO: (maybe) config to change used keychain. + #[cfg(all(target_os = "android", feature = "apple-keychain"))] + set_default_store(apple_native_keyring_store::keychain::Store::new()?); + + // TODO: config. most notably icloud sync and biometrics + #[cfg(all(target_os = "android", feature = "apple-protected"))] + set_default_store(apple_native_keyring_store::protected::Store::new()?); + + #[cfg(windows)] + set_default_store(windows_native_keyring_store::Store::new()?); + + #[cfg(target_os = "linux")] + set_default_store(zbus_secret_service_keyring_store::Store::new()?); app.manage(SecureStorage(app.clone())); Ok(()) diff --git a/plugins/websocket/Cargo.toml b/plugins/websocket/Cargo.toml index 40db186ee..f77e4ccc2 100644 --- a/plugins/websocket/Cargo.toml +++ b/plugins/websocket/Cargo.toml 
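Review bot: In the `.setup` closure of `init()` in plugins/secure-storage/src/lib.rs, both Apple stores are gated on the wrong OS: `#[cfg(all(target_os = "android", feature = "apple-keychain"))]` and its `apple-protected` twin. Cargo.toml pulls in `apple-native-keyring-store` only for iOS and macOS, so on those targets no default store is ever registered and the plugin's `Entry` calls presumably fail at runtime. An Android build with either feature enabled would also reference a crate it does not depend on. The gates should read `#[cfg(all(any(target_os = "ios", target_os = "macos"), feature = "apple-keychain"))]`, and likewise for `apple-protected`. With both features on, the second `set_default_store` call silently replaces the first, so that combination deserves a `compile_error!` or a comment stating the precedence. The closure body continues outside the hunk.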
@@ -34,7 +34,7 @@ http = "1" rand = "0.9" futures-util = "0.3" tokio = { version = "1", features = ["net", "sync"] } -tokio-tungstenite = { version = "0.27" } +tokio-tungstenite = { version = "0.28" } [features] default = ["rustls-tls"]