migrate to keyring-core

plugins/secure-storage/Cargo.toml

@@ -26,19 +26,30 @@ ios = { level = "full", notes = "" }
 [build-dependencies]
 tauri-plugin = { workspace = true, features = ["build"] }
 
+[features]
+# TODO: docs
+# TODO: Check if protected works on intel as well, otherwise we may have to split this up. using protected for ios and keychain for macos and somehow making protected opt-in for apple silicon macs.
+apple-keychain = ["apple-native-keyring-store/keychain"]
+apple-protected = ["apple-native-keyring-store/protected"]
+
 [dependencies]
 serde = { workspace = true }
 serde_json = { workspace = true }
 tauri = { workspace = true }
 log = { workspace = true }
 thiserror = { workspace = true }
-# When updating to v4 we likely won't use linux-native aka keyutils but we need to look into which backend to use.
-# Also, `linux-native` is non persistent.
-keyring = { version = "3.6", features = [
-  "apple-native",
-  "windows-native",
-  "linux-native",
-] }
+keyring-core = "0.7"
 
-[target."cfg(target_os = \"android\")".dependencies]
-android-keyring = "0.2.0"
+[target.'cfg(windows)'.dependencies]
+windows-native-keyring-store = "0.2"
+
+[target.'cfg(target_os = "linux")'.dependencies]
+# TODO: upstream is on keyring-core@0.6 while windows & apple backends only have 0.5 and 0.7 releases.
+zbus-secret-service-keyring-store = { git = "https://github.com/FabianLars/zbus-secret-service-keyring-store", features = ["rt-tokio-crypto-rust"] }
+
+[target.'cfg(any(target_os = "ios", target_os = "macos"))'.dependencies]
+apple-native-keyring-store = "0.2"
+
+[target.'cfg(target_os = "android")'.dependencies]
+# TODO: upstream is on keyring-core@0.6 while windows & apple backends only have 0.5 and 0.7 releases.
+android-native-keyring-store =  { git = "https://github.com/FabianLars/android-native-keyring-store" }

plugins/secure-storage/permissions/autogenerated/reference.md

@@ -1,3 +1,22 @@
+## Default Permission
+
+This permission set configures which
+Secure Storage APIs are available by defaultt.
+
+#### Granted Permissions
+
+In the PoC phase all commands are allowed by default.
+
+#### This default permission set includes the following:
+
+- `allow-arch`
+- `allow-exe-extension`
+- `allow-family`
+- `allow-locale`
+- `allow-os-type`
+- `allow-platform`
+- `allow-version`
+
 ## Permission Table
 
 <table>

plugins/secure-storage/permissions/schemas/schema.json

@@ -341,6 +341,12 @@
           "type": "string",
           "const": "deny-set-string",
           "markdownDescription": "Denies the set_string command without any pre-configured scope."
+        },
+        {
+          "description": "This permission set configures which\nSecure Storage APIs are available by defaultt.\n\n#### Granted Permissions\n\nIn the PoC phase all commands are allowed by default.\n\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`",
+          "type": "string",
+          "const": "default",
+          "markdownDescription": "This permission set configures which\nSecure Storage APIs are available by defaultt.\n\n#### Granted Permissions\n\nIn the PoC phase all commands are allowed by default.\n\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`"
         }
       ]
     }

plugins/secure-storage/src/error.rs

@@ -6,10 +6,11 @@ use serde::{ser::Serializer, Serialize};
 
 pub type Result<T> = std::result::Result<T, Error>;
 
+#[non_exhaustive]
 #[derive(Debug, thiserror::Error)]
 pub enum Error {
     #[error(transparent)]
-    Keyring(#[from] keyring::Error),
+    Keyring(#[from] keyring_core::Error),
 }
 
 impl Serialize for Error {

plugins/secure-storage/src/lib.rs

@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-License-Identifier: MIT
 
-use keyring::Entry;
+use keyring_core::{set_default_store, Entry};
 use tauri::{
     plugin::{Builder, TauriPlugin},
     AppHandle, Manager, Runtime,
@@ -37,7 +37,21 @@ pub fn init<R: Runtime>() -> TauriPlugin<R> {
         ])
         .setup(|app, _api| {
             #[cfg(target_os = "android")]
-            android_keyring::set_android_keyring_credential_builder()?;
+            set_default_store(android_native_keyring_store::AndroidStore::from_ndk_context()?);
+
+            // TODO: (maybe) config to change used keychain.
+            #[cfg(all(target_os = "android", feature = "apple-keychain"))]
+            set_default_store(apple_native_keyring_store::keychain::Store::new()?);
+
+            // TODO: config. most notably icloud sync and biometrics
+            #[cfg(all(target_os = "android", feature = "apple-protected"))]
+            set_default_store(apple_native_keyring_store::protected::Store::new()?);
+
+            #[cfg(windows)]
+            set_default_store(windows_native_keyring_store::Store::new()?);
+
+            #[cfg(target_os = "linux")]
+            set_default_store(zbus_secret_service_keyring_store::Store::new()?);
 
             app.manage(SecureStorage(app.clone()));
             Ok(())

plugins/websocket/Cargo.toml

@@ -34,7 +34,7 @@ http = "1"
 rand = "0.9"
 futures-util = "0.3"
 tokio = { version = "1", features = ["net", "sync"] }
-tokio-tungstenite = { version = "0.27" }
+tokio-tungstenite = { version = "0.28" }
 
 [features]
 default = ["rustls-tls"]