apple

.changes/config.json

@@ -78,6 +78,7 @@
         "notification",
         "os",
         "process",
+        "secure-storage",
         "shell",
         "store",
         "updater",
@@ -104,6 +105,7 @@
         "notification-js",
         "os-js",
         "process-js",
+        "secure-storage-js",
         "shell-js",
         "store-js",
         "updater-js"
@@ -282,6 +284,14 @@
       "path": "./plugins/process",
       "manager": "javascript"
     },
+    "secure-storage": {
+      "path": "./plugins/secure-storage",
+      "manager": "rust"
+    },
+    "secure-storage-js": {
+      "path": "./plugins/secure-storage",
+      "manager": "javascript"
+    },
     "shell": {
       "path": "./plugins/shell",
       "manager": "rust"

.changes/deprecate-stronghold.md

@@ -0,0 +1,6 @@
+---
+stronghold: patch
+stronghold-js: patch
+---
+
+The `stronghold` plugin is now deprecated and will be removed in v3. The `secure-storage` plugin should be a replacement for most use-cases.

.github/workflows/check-generated-files.yml

@@ -101,6 +101,11 @@ jobs:
               - pnpm-lock.yaml
               - plugins/process/guest-js/**
               - plugins/process/src/api-iife.js
+            secure-storage:
+              - .github/workflows/check-generated-files.yml
+              - pnpm-lock.yaml
+              - plugins/secure-storage/guest-js/**
+              - plugins/secure-storage/src/api-iife.js
             shell:
               - .github/workflows/check-generated-files.yml
               - pnpm-lock.yaml

.github/workflows/lint-rust.yml

@@ -98,6 +98,9 @@ jobs:
             tauri-plugin-process:
               - .github/workflows/lint-rust.yml
               - plugins/process/**
+            tauri-plugin-secure-storage:
+              - .github/workflows/lint-rust.yml
+              - plugins/secure-storage/**
             tauri-plugin-shell:
               - .github/workflows/lint-rust.yml
               - plugins/shell/**

.github/workflows/test-rust.yml

@@ -137,6 +137,11 @@ jobs:
               - Cargo.toml
               - Cargo.lock
               - plugins/process/**
+            tauri-plugin-secure-storage:
+              - .github/workflows/test-rust.yml
+              - Cargo.toml
+              - Cargo.lock
+              - plugins/secure-storage/**
             tauri-plugin-shell:
               - .github/workflows/test-rust.yml
               - Cargo.toml
@@ -219,7 +224,7 @@ jobs:
               target: aarch64-linux-android,
               os: ubuntu-latest,
               runner: 'cross',
-              command: 'build'
+              command: 'build --verbose'
             }
 
     runs-on: ${{ matrix.platform.os }}
@@ -233,7 +238,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libwebkit2gtk-4.0-dev libwebkit2gtk-4.1-dev
 
-      - uses: dtolnay/rust-toolchain@1.77.2
+      - uses: dtolnay/rust-toolchain@1.85
         with:
           targets: ${{ matrix.platform.target }}
 
@@ -246,7 +251,7 @@ jobs:
         run: cargo +stable install cross --git https://github.com/cross-rs/cross
 
       - name: test ${{ matrix.package }}
-        if: ${{ matrix.package != 'tauri-plugin-http' && matrix.package != 'tauri-plugin-dialog' }}
+        if: matrix.package != 'tauri-plugin-http' && matrix.package != 'tauri-plugin-secure-storage' && matrix.package != 'tauri-plugin-dialog'
         run: ${{ matrix.platform.runner }} ${{ matrix.platform.command }} --package ${{ matrix.package }} --target ${{ matrix.platform.target }} --all-targets --all-features
 
       - name: test ${{ matrix.package }}

.taurignore

@@ -1,2 +1,3 @@
 plugins/*/permissions/autogenerated/
 plugins/*/android/.tauri/tauri-api/build/
+plugins/*/android/build/intermediates/

Cargo.lock

@@ -117,6 +117,19 @@ version = "0.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
 
+[[package]]
+name = "android-native-keyring-store"
+version = "0.4.0"
+source = "git+https://github.com/FabianLars/android-native-keyring-store#6d59ad7d6a84b1496175754aa00c000a59356da0"
+dependencies = [
+ "base64 0.22.1",
+ "jni",
+ "keyring-core",
+ "ndk-context",
+ "thiserror 2.0.12",
+ "tracing",
+]
+
 [[package]]
 name = "android-tzdata"
 version = "0.1.1"
@@ -230,6 +243,7 @@ dependencies = [
  "tauri-plugin-opener",
  "tauri-plugin-os",
  "tauri-plugin-process",
+ "tauri-plugin-secure-storage",
  "tauri-plugin-shell",
  "tauri-plugin-store",
  "tauri-plugin-updater",
@@ -275,6 +289,17 @@ dependencies = [
  "tauri-plugin-store",
 ]
 
+[[package]]
+name = "apple-native-keyring-store"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10f9955235ce557bd0ea2c64d7ff09a887885f515e98572d2640a29520d9c98c"
+dependencies = [
+ "keyring-core",
+ "log",
+ "security-framework 3.5.1",
+]
+
 [[package]]
 name = "arbitrary"
 version = "1.4.1"
@@ -881,6 +906,15 @@ dependencies = [
  "toml 0.8.20",
 ]
 
+[[package]]
+name = "cbc"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "cc"
 version = "1.2.19"
@@ -965,7 +999,7 @@ dependencies = [
  "iana-time-zone",
  "num-traits",
  "serde",
- "windows-link",
+ "windows-link 0.1.1",
 ]
 
 [[package]]
@@ -3241,6 +3275,15 @@ dependencies = [
  "unicode-segmentation",
 ]
 
+[[package]]
+name = "keyring-core"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64ad182c4841eb5795af9d20e6e020b65a895517f6a41e6358ed8af74ba35d98"
+dependencies = [
+ "log",
+]
+
 [[package]]
 name = "kqueue"
 version = "1.1.1"
@@ -3772,6 +3815,30 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "num"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23"
+dependencies = [
+ "num-bigint",
+ "num-complex",
+ "num-integer",
+ "num-iter",
+ "num-rational",
+ "num-traits",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+]
+
 [[package]]
 name = "num-bigint-dig"
 version = "0.8.4"
@@ -3789,6 +3856,15 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "num-complex"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495"
+dependencies = [
+ "num-traits",
+]
+
 [[package]]
 name = "num-conv"
 version = "0.1.0"
@@ -3815,6 +3891,17 @@ dependencies = [
  "num-traits",
 ]
 
+[[package]]
+name = "num-rational"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824"
+dependencies = [
+ "num-bigint",
+ "num-integer",
+ "num-traits",
+]
+
 [[package]]
 name = "num-traits"
 version = "0.2.19"
@@ -5298,7 +5385,7 @@ dependencies = [
  "openssl-probe",
  "rustls-pki-types",
  "schannel",
- "security-framework 3.2.0",
+ "security-framework 3.5.1",
 ]
 
 [[package]]
@@ -5445,6 +5532,25 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "secret-service"
+version = "5.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a62d7f86047af0077255a29494136b9aaaf697c76ff70b8e49cded4e2623c14"
+dependencies = [
+ "aes",
+ "cbc",
+ "futures-util",
+ "generic-array",
+ "getrandom 0.2.15",
+ "hkdf",
+ "num",
+ "once_cell",
+ "serde",
+ "sha2",
+ "zbus",
+]
+
 [[package]]
 name = "security-framework"
 version = "2.11.1"
@@ -5460,9 +5566,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework"
-version = "3.2.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "271720403f46ca04f7ba6f55d438f8bd878d6b8ca0a1046e8228c4145bcbb316"
+checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef"
 dependencies = [
  "bitflags 2.9.0",
  "core-foundation 0.10.0",
@@ -5473,9 +5579,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework-sys"
-version = "2.14.0"
+version = "2.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49db231d56a190491cb4aeda9527f1ad45345af50b0851622a7adb8c03b01c32"
+checksum = "cc1f0cbffaac4852523ce30d8bd3c5cdc873501d96ff467ca09b6767bb8cd5c0"
 dependencies = [
  "core-foundation-sys",
  "libc",
@@ -6824,6 +6930,23 @@ dependencies = [
  "tauri-plugin",
 ]
 
+[[package]]
+name = "tauri-plugin-secure-storage"
+version = "2.0.0"
+dependencies = [
+ "android-native-keyring-store",
+ "apple-native-keyring-store",
+ "keyring-core",
+ "log",
+ "serde",
+ "serde_json",
+ "tauri",
+ "tauri-plugin",
+ "thiserror 2.0.12",
+ "windows-native-keyring-store",
+ "zbus-secret-service-keyring-store",
+]
+
 [[package]]
 name = "tauri-plugin-shell"
 version = "2.3.3"
@@ -8275,7 +8398,7 @@ dependencies = [
  "windows-collections",
  "windows-core",
  "windows-future",
- "windows-link",
+ "windows-link 0.1.1",
  "windows-numerics",
 ]
 
@@ -8296,7 +8419,7 @@ checksum = "4763c1de310c86d75a878046489e2e5ba02c649d185f21c67d4cf8a56d098980"
 dependencies = [
  "windows-implement",
  "windows-interface",
- "windows-link",
+ "windows-link 0.1.1",
  "windows-result",
  "windows-strings 0.4.0",
 ]
@@ -8308,7 +8431,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a1d6bbefcb7b60acd19828e1bc965da6fcf18a7e39490c5f8be71e54a19ba32"
 dependencies = [
  "windows-core",
- "windows-link",
+ "windows-link 0.1.1",
 ]
 
 [[package]]
@@ -8339,6 +8462,24 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38"
 
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "windows-native-keyring-store"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d37273ed015cfe7bce6fd684478cdd40435fc84a9ce781404d1fbc61c2d674d"
+dependencies = [
+ "byteorder",
+ "keyring-core",
+ "windows-sys 0.61.2",
+ "zeroize",
+]
+
 [[package]]
 name = "windows-numerics"
 version = "0.2.0"
@@ -8346,7 +8487,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9150af68066c4c5c07ddc0ce30421554771e528bde427614c61038bc2c92c2b1"
 dependencies = [
  "windows-core",
- "windows-link",
+ "windows-link 0.1.1",
 ]
 
 [[package]]
@@ -8366,7 +8507,7 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ad1da3e436dc7653dfdf3da67332e22bff09bb0e28b0239e1624499c7830842e"
 dependencies = [
- "windows-link",
+ "windows-link 0.1.1",
  "windows-result",
  "windows-strings 0.4.0",
 ]
@@ -8377,7 +8518,7 @@ version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c64fd11a4fd95df68efcfee5f44a294fe71b8bc6a91993e2791938abcc712252"
 dependencies = [
- "windows-link",
+ "windows-link 0.1.1",
 ]
 
 [[package]]
@@ -8386,7 +8527,7 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "87fa48cc5d406560701792be122a10132491cff9d0aeb23583cc2dcafc847319"
 dependencies = [
- "windows-link",
+ "windows-link 0.1.1",
 ]
 
 [[package]]
@@ -8395,7 +8536,7 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a2ba9642430ee452d5a7aa78d72907ebe8cfda358e8cb7918a2050581322f97"
 dependencies = [
- "windows-link",
+ "windows-link 0.1.1",
 ]
 
 [[package]]
@@ -8443,6 +8584,15 @@ dependencies = [
  "windows-targets 0.53.2",
 ]
 
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link 0.2.1",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.42.2"
@@ -8511,7 +8661,7 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e04a5c6627e310a23ad2358483286c7df260c964eb2d003d8efd6d0f4e79265c"
 dependencies = [
- "windows-link",
+ "windows-link 0.1.1",
 ]
 
 [[package]]
@@ -8946,9 +9096,9 @@ dependencies = [
 
 [[package]]
 name = "zbus"
-version = "5.9.0"
+version = "5.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4bb4f9a464286d42851d18a605f7193b8febaf5b0919d71c6399b7b26e5b0aad"
+checksum = "b622b18155f7a93d1cd2dc8c01d2d6a44e08fb9ebb7b3f9e6ed101488bad6c91"
 dependencies = [
  "async-broadcast",
  "async-executor",
@@ -8971,7 +9121,8 @@ dependencies = [
  "tokio",
  "tracing",
  "uds_windows",
- "windows-sys 0.59.0",
+ "uuid",
+ "windows-sys 0.61.2",
  "winnow 0.7.12",
  "zbus_macros",
  "zbus_names",
@@ -8979,10 +9130,21 @@ dependencies = [
 ]
 
 [[package]]
-name = "zbus_macros"
-version = "5.9.0"
+name = "zbus-secret-service-keyring-store"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef9859f68ee0c4ee2e8cde84737c78e3f4c54f946f2a38645d0d4c7a95327659"
+checksum = "0371a7e111fe248bf8e2d4648faa87b9d59ce4eabc0ff515bc3432a7d8ccf84f"
+dependencies = [
+ "keyring-core",
+ "secret-service",
+ "zbus",
+]
+
+[[package]]
+name = "zbus_macros"
+version = "5.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1cdb94821ca8a87ca9c298b5d1cbd80e2a8b67115d99f6e4551ac49e42b6a314"
 dependencies = [
  "proc-macro-crate 3.3.0",
  "proc-macro2",

examples/api/package.json

@@ -26,6 +26,7 @@
     "@tauri-apps/plugin-opener": "^2.5.2",
     "@tauri-apps/plugin-os": "^2.3.2",
     "@tauri-apps/plugin-process": "^2.3.1",
+    "@tauri-apps/plugin-secure-storage": "file:../../plugins/secure-storage",
     "@tauri-apps/plugin-shell": "^2.3.3",
     "@tauri-apps/plugin-store": "^2.4.1",
     "@tauri-apps/plugin-updater": "^2.9.0",

examples/api/src-tauri/Cargo.toml

@@ -36,6 +36,7 @@ tauri-plugin-notification = { path = "../../../plugins/notification", version =
 tauri-plugin-os = { path = "../../../plugins/os", version = "2.3.2" }
 tauri-plugin-process = { path = "../../../plugins/process", version = "2.3.1" }
 tauri-plugin-opener = { path = "../../../plugins/opener", version = "2.5.2" }
+tauri-plugin-secure-storage = { path = "../../../plugins/secure-storage" }
 tauri-plugin-shell = { path = "../../../plugins/shell", version = "2.3.3" }
 tauri-plugin-store = { path = "../../../plugins/store", version = "2.4.1" }
 tauri-plugin-upload = { path = "../../../plugins/upload", version = "2.3.0" }

examples/api/src-tauri/capabilities/base.json

@@ -102,6 +102,10 @@
       "identifier": "opener:allow-open-path",
       "allow": [{ "path": "$APPDATA" }, { "path": "$APPDATA/**" }]
     },
-    "upload:default"
+    "upload:default",
+    "secure-storage:allow-get-string",
+    "secure-storage:allow-set-string",
+    "secure-storage:allow-get-binary",
+    "secure-storage:allow-set-binary"
   ]
 }

examples/api/src-tauri/src/cmd.rs

@@ -14,11 +14,11 @@ pub struct RequestBody {
 
 #[command]
 pub fn log_operation(event: String, payload: Option<String>) {
-    log::info!("{} {:?}", event, payload);
+    log::info!("{event} {payload:?}");
 }
 
 #[command]
 pub fn perform_request(endpoint: String, body: RequestBody) -> String {
-    println!("{} {:?}", endpoint, body);
+    println!("{endpoint} {body:?}");
     "message response".into()
 }

examples/api/src-tauri/src/lib.rs

@@ -38,6 +38,7 @@ pub fn run() {
         .plugin(tauri_plugin_process::init())
         .plugin(tauri_plugin_opener::init())
         .plugin(tauri_plugin_shell::init())
+        .plugin(tauri_plugin_secure_storage::init())
         .plugin(tauri_plugin_store::Builder::default().build())
         .plugin(tauri_plugin_upload::init())
         .setup(move |app| {

examples/api/src/App.svelte

@@ -23,6 +23,7 @@
   import Biometric from './views/Biometric.svelte'
   import Geolocation from './views/Geolocation.svelte'
   import Haptics from './views/Haptics.svelte'
+  import SecureStorage from './views/SecureStorage.svelte'
 
   import { onMount, tick } from 'svelte'
   import { ask } from '@tauri-apps/plugin-dialog'
@@ -103,6 +104,11 @@
       component: Store,
       icon: 'i-codicon-file-code'
     },
+    {
+      label: 'SecureStorage',
+      component: SecureStorage,
+      icon: 'i-codicon-file-code'
+    },
     !isMobile && {
       label: 'Updater',
       component: Updater,
@@ -213,9 +219,9 @@
       ...r,
       {
         html:
-          `<pre><strong class="text-accent dark:text-darkAccent">[${new Date().toLocaleTimeString()}]:</strong> ` +
-          (typeof value === 'string' ? value : JSON.stringify(value, null, 1)) +
-          '</pre>'
+          `<pre><strong class="text-accent dark:text-darkAccent">[${new Date().toLocaleTimeString()}]:</strong> `
+          + (typeof value === 'string' ? value : JSON.stringify(value, null, 1))
+          + '</pre>'
       }
     ])
     await tick()
@@ -229,9 +235,9 @@
       ...r,
       {
         html:
-          `<pre><strong class="text-accent dark:text-darkAccent">[${new Date().toLocaleTimeString()}]:</strong> ` +
-          html +
-          '</pre>'
+          `<pre><strong class="text-accent dark:text-darkAccent">[${new Date().toLocaleTimeString()}]:</strong> `
+          + html
+          + '</pre>'
       }
     ])
     await tick()

examples/api/src/views/SecureStorage.svelte

@@ -0,0 +1,54 @@
+<script>
+  import { onMount } from 'svelte'
+  import { getString, setString } from '@tauri-apps/plugin-secure-storage'
+
+  export let onMessage
+
+  let key
+  let value
+  let output
+
+  async function read(key) {
+    try {
+      output = await getString(key)
+    } catch (error) {
+      onMessage(error)
+    }
+  }
+
+  async function write(key, value) {
+    try {
+      await setString(key, value)
+    } catch (error) {
+      onMessage(error)
+    }
+  }
+
+  function reset() {
+    output = ''
+  }
+</script>
+
+<div class="flex flex-col childre:grow gap-1">
+  <div class="flex flex-col flex-row-md gap-4">
+    <div class="flex items-center gap-1">
+      Key:
+      <input class="grow input" bind:value={key} />
+    </div>
+
+    <div class="flex items-center gap-1">
+      Value:
+      <input class="grow input" bind:value />
+    </div>
+
+    <div>
+      <button class="btn" on:click={() => write(key, value)}>Write</button>
+      <button class="btn" on:click={() => read(key)}>Read</button>
+      <button class="btn" on:click={() => reset()}>Reset Output</button>
+    </div>
+  </div>
+
+  <div>
+    Output: {output}
+  </div>
+</div>

plugins/autostart/permissions/schemas/schema.json

@@ -331,10 +331,10 @@
           "markdownDescription": "Denies the is_enabled command without any pre-configured scope."
         },
         {
-          "description": "This permission set configures if your\napplication can enable or disable auto\nstarting the application on boot.\n\n#### Granted Permissions\n\nIt allows all to check, enable and\ndisable the automatic start on boot.\n\n\n#### This default permission set includes:\n\n- `allow-enable`\n- `allow-disable`\n- `allow-is-enabled`",
+          "description": "This permission set configures if your\r\napplication can enable or disable auto\r\nstarting the application on boot.\r\n\r\n#### Granted Permissions\r\n\r\nIt allows all to check, enable and\r\ndisable the automatic start on boot.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-enable`\n- `allow-disable`\n- `allow-is-enabled`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This permission set configures if your\napplication can enable or disable auto\nstarting the application on boot.\n\n#### Granted Permissions\n\nIt allows all to check, enable and\ndisable the automatic start on boot.\n\n\n#### This default permission set includes:\n\n- `allow-enable`\n- `allow-disable`\n- `allow-is-enabled`"
+          "markdownDescription": "This permission set configures if your\r\napplication can enable or disable auto\r\nstarting the application on boot.\r\n\r\n#### Granted Permissions\r\n\r\nIt allows all to check, enable and\r\ndisable the automatic start on boot.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-enable`\n- `allow-disable`\n- `allow-is-enabled`"
         }
       ]
     }

plugins/biometric/permissions/schemas/schema.json

@@ -319,10 +319,10 @@
           "markdownDescription": "Denies the status command without any pre-configured scope."
         },
         {
-          "description": "This permission set configures which\nbiometric features are by default exposed.\n\n#### Granted Permissions\n\nIt allows acccess to all biometric commands.\n\n\n#### This default permission set includes:\n\n- `allow-authenticate`\n- `allow-status`",
+          "description": "This permission set configures which\r\nbiometric features are by default exposed.\r\n\r\n#### Granted Permissions\r\n\r\nIt allows acccess to all biometric commands.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-authenticate`\n- `allow-status`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This permission set configures which\nbiometric features are by default exposed.\n\n#### Granted Permissions\n\nIt allows acccess to all biometric commands.\n\n\n#### This default permission set includes:\n\n- `allow-authenticate`\n- `allow-status`"
+          "markdownDescription": "This permission set configures which\r\nbiometric features are by default exposed.\r\n\r\n#### Granted Permissions\r\n\r\nIt allows acccess to all biometric commands.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-authenticate`\n- `allow-status`"
         }
       ]
     }

plugins/clipboard-manager/permissions/autogenerated/reference.md

@@ -1,7 +1,7 @@
 ## Default Permission
 
 No features are enabled by default, as we believe
-the clipboard can be inherently dangerous and it is 
+the clipboard can be inherently dangerous and it is
 application specific if read and/or write access is needed.
 
 Clipboard interaction needs to be explicitly enabled.

plugins/clipboard-manager/permissions/default.toml

@@ -2,7 +2,7 @@
 [default]
 description = """
 No features are enabled by default, as we believe
-the clipboard can be inherently dangerous and it is 
+the clipboard can be inherently dangerous and it is
 application specific if read and/or write access is needed.
 
 Clipboard interaction needs to be explicitly enabled.

plugins/clipboard-manager/permissions/schemas/schema.json

@@ -367,10 +367,10 @@
           "markdownDescription": "Denies the write_text command without any pre-configured scope."
         },
         {
-          "description": "No features are enabled by default, as we believe\nthe clipboard can be inherently dangerous and it is \napplication specific if read and/or write access is needed.\n\nClipboard interaction needs to be explicitly enabled.\n",
+          "description": "No features are enabled by default, as we believe\r\nthe clipboard can be inherently dangerous and it is\r\napplication specific if read and/or write access is needed.\r\n\r\nClipboard interaction needs to be explicitly enabled.\r\n",
           "type": "string",
           "const": "default",
-          "markdownDescription": "No features are enabled by default, as we believe\nthe clipboard can be inherently dangerous and it is \napplication specific if read and/or write access is needed.\n\nClipboard interaction needs to be explicitly enabled.\n"
+          "markdownDescription": "No features are enabled by default, as we believe\r\nthe clipboard can be inherently dangerous and it is\r\napplication specific if read and/or write access is needed.\r\n\r\nClipboard interaction needs to be explicitly enabled.\r\n"
         }
       ]
     }

plugins/fs/permissions/autogenerated/reference.md

@@ -1,6 +1,6 @@
 ## Default Permission
 
-This set of permissions describes the what kind of
+This set of permissions describes what kind of
 file system access the `fs` plugin has enabled or denied by default.
 
 #### Granted Permissions

plugins/fs/permissions/default.toml

@@ -2,7 +2,7 @@
 
 [default]
 description = """
-This set of permissions describes the what kind of
+This set of permissions describes what kind of
 file system access the `fs` plugin has enabled or denied by default.
 
 #### Granted Permissions

plugins/fs/permissions/schemas/schema.json

@@ -1945,16 +1945,16 @@
           "markdownDescription": "Denies the write_text_file command without any pre-configured scope."
         },
         {
-          "description": "This permissions allows to create the application specific directories.\n",
+          "description": "This permissions allows to create the application specific directories.\r\n",
           "type": "string",
           "const": "create-app-specific-dirs",
-          "markdownDescription": "This permissions allows to create the application specific directories.\n"
+          "markdownDescription": "This permissions allows to create the application specific directories.\r\n"
         },
         {
-          "description": "This set of permissions describes the what kind of\nfile system access the `fs` plugin has enabled or denied by default.\n\n#### Granted Permissions\n\nThis default permission set enables read access to the\napplication specific directories (AppConfig, AppData, AppLocalData, AppCache,\nAppLog) and all files and sub directories created in it.\nThe location of these directories depends on the operating system,\nwhere the application is run.\n\nIn general these directories need to be manually created\nby the application at runtime, before accessing files or folders\nin it is possible.\n\nTherefore, it is also allowed to create all of these folders via\nthe `mkdir` command.\n\n#### Denied Permissions\n\nThis default permission set prevents access to critical components\nof the Tauri application by default.\nOn Windows the webview data folder access is denied.\n\n#### This default permission set includes:\n\n- `create-app-specific-dirs`\n- `read-app-specific-dirs-recursive`\n- `deny-default`",
+          "description": "This set of permissions describes what kind of\r\nfile system access the `fs` plugin has enabled or denied by default.\r\n\r\n#### Granted Permissions\r\n\r\nThis default permission set enables read access to the\r\napplication specific directories (AppConfig, AppData, AppLocalData, AppCache,\r\nAppLog) and all files and sub directories created in it.\r\nThe location of these directories depends on the operating system,\r\nwhere the application is run.\r\n\r\nIn general these directories need to be manually created\r\nby the application at runtime, before accessing files or folders\r\nin it is possible.\r\n\r\nTherefore, it is also allowed to create all of these folders via\r\nthe `mkdir` command.\r\n\r\n#### Denied Permissions\r\n\r\nThis default permission set prevents access to critical components\r\nof the Tauri application by default.\r\nOn Windows the webview data folder access is denied.\r\n\n#### This default permission set includes:\n\n- `create-app-specific-dirs`\n- `read-app-specific-dirs-recursive`\n- `deny-default`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This set of permissions describes the what kind of\nfile system access the `fs` plugin has enabled or denied by default.\n\n#### Granted Permissions\n\nThis default permission set enables read access to the\napplication specific directories (AppConfig, AppData, AppLocalData, AppCache,\nAppLog) and all files and sub directories created in it.\nThe location of these directories depends on the operating system,\nwhere the application is run.\n\nIn general these directories need to be manually created\nby the application at runtime, before accessing files or folders\nin it is possible.\n\nTherefore, it is also allowed to create all of these folders via\nthe `mkdir` command.\n\n#### Denied Permissions\n\nThis default permission set prevents access to critical components\nof the Tauri application by default.\nOn Windows the webview data folder access is denied.\n\n#### This default permission set includes:\n\n- `create-app-specific-dirs`\n- `read-app-specific-dirs-recursive`\n- `deny-default`"
+          "markdownDescription": "This set of permissions describes what kind of\r\nfile system access the `fs` plugin has enabled or denied by default.\r\n\r\n#### Granted Permissions\r\n\r\nThis default permission set enables read access to the\r\napplication specific directories (AppConfig, AppData, AppLocalData, AppCache,\r\nAppLog) and all files and sub directories created in it.\r\nThe location of these directories depends on the operating system,\r\nwhere the application is run.\r\n\r\nIn general these directories need to be manually created\r\nby the application at runtime, before accessing files or folders\r\nin it is possible.\r\n\r\nTherefore, it is also allowed to create all of these folders via\r\nthe `mkdir` command.\r\n\r\n#### Denied Permissions\r\n\r\nThis default permission set prevents access to critical components\r\nof the Tauri application by default.\r\nOn Windows the webview data folder access is denied.\r\n\n#### This default permission set includes:\n\n- `create-app-specific-dirs`\n- `read-app-specific-dirs-recursive`\n- `deny-default`"
         },
         {
           "description": "This denies access to dangerous Tauri relevant files and folders by default.\n#### This permission set includes:\n\n- `deny-webview-data-linux`\n- `deny-webview-data-windows`",
@@ -1963,16 +1963,16 @@
           "markdownDescription": "This denies access to dangerous Tauri relevant files and folders by default.\n#### This permission set includes:\n\n- `deny-webview-data-linux`\n- `deny-webview-data-windows`"
         },
         {
-          "description": "This denies read access to the\n`$APPLOCALDATA` folder on linux as the webview data and configuration values are stored here.\nAllowing access can lead to sensitive information disclosure and should be well considered.",
+          "description": "This denies read access to the\r\n`$APPLOCALDATA` folder on linux as the webview data and configuration values are stored here.\r\nAllowing access can lead to sensitive information disclosure and should be well considered.",
           "type": "string",
           "const": "deny-webview-data-linux",
-          "markdownDescription": "This denies read access to the\n`$APPLOCALDATA` folder on linux as the webview data and configuration values are stored here.\nAllowing access can lead to sensitive information disclosure and should be well considered."
+          "markdownDescription": "This denies read access to the\r\n`$APPLOCALDATA` folder on linux as the webview data and configuration values are stored here.\r\nAllowing access can lead to sensitive information disclosure and should be well considered."
         },
         {
-          "description": "This denies read access to the\n`$APPLOCALDATA/EBWebView` folder on windows as the webview data and configuration values are stored here.\nAllowing access can lead to sensitive information disclosure and should be well considered.",
+          "description": "This denies read access to the\r\n`$APPLOCALDATA/EBWebView` folder on windows as the webview data and configuration values are stored here.\r\nAllowing access can lead to sensitive information disclosure and should be well considered.",
           "type": "string",
           "const": "deny-webview-data-windows",
-          "markdownDescription": "This denies read access to the\n`$APPLOCALDATA/EBWebView` folder on windows as the webview data and configuration values are stored here.\nAllowing access can lead to sensitive information disclosure and should be well considered."
+          "markdownDescription": "This denies read access to the\r\n`$APPLOCALDATA/EBWebView` folder on windows as the webview data and configuration values are stored here.\r\nAllowing access can lead to sensitive information disclosure and should be well considered."
         },
         {
           "description": "This enables all read related commands without any pre-configured accessible paths.",
@@ -1981,10 +1981,10 @@
           "markdownDescription": "This enables all read related commands without any pre-configured accessible paths."
         },
         {
-          "description": "This permission allows recursive read functionality on the application\nspecific base directories. \n",
+          "description": "This permission allows recursive read functionality on the application\r\nspecific base directories. \r\n",
           "type": "string",
           "const": "read-app-specific-dirs-recursive",
-          "markdownDescription": "This permission allows recursive read functionality on the application\nspecific base directories. \n"
+          "markdownDescription": "This permission allows recursive read functionality on the application\r\nspecific base directories. \r\n"
         },
         {
           "description": "This enables directory read and file metadata related commands without any pre-configured accessible paths.",
@@ -2005,10 +2005,10 @@
           "markdownDescription": "This enables all index or metadata related commands without any pre-configured accessible paths."
         },
         {
-          "description": "An empty permission you can use to modify the global scope.\n\n## Example\n\n```json\n{\n  \"identifier\": \"read-documents\",\n  \"windows\": [\"main\"],\n  \"permissions\": [\n    \"fs:allow-read\",\n    {\n      \"identifier\": \"fs:scope\",\n      \"allow\": [\n        \"$APPDATA/documents/**/*\"\n      ],\n      \"deny\": [\n        \"$APPDATA/documents/secret.txt\"\n      ]\n    }\n  ]\n}\n```\n",
+          "description": "An empty permission you can use to modify the global scope.\r\n\r\n## Example\r\n\r\n```json\r\n{\r\n  \"identifier\": \"read-documents\",\r\n  \"windows\": [\"main\"],\r\n  \"permissions\": [\r\n    \"fs:allow-read\",\r\n    {\r\n      \"identifier\": \"fs:scope\",\r\n      \"allow\": [\r\n        \"$APPDATA/documents/**/*\"\r\n      ],\r\n      \"deny\": [\r\n        \"$APPDATA/documents/secret.txt\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\n```\r\n",
           "type": "string",
           "const": "scope",
-          "markdownDescription": "An empty permission you can use to modify the global scope.\n\n## Example\n\n```json\n{\n  \"identifier\": \"read-documents\",\n  \"windows\": [\"main\"],\n  \"permissions\": [\n    \"fs:allow-read\",\n    {\n      \"identifier\": \"fs:scope\",\n      \"allow\": [\n        \"$APPDATA/documents/**/*\"\n      ],\n      \"deny\": [\n        \"$APPDATA/documents/secret.txt\"\n      ]\n    }\n  ]\n}\n```\n"
+          "markdownDescription": "An empty permission you can use to modify the global scope.\r\n\r\n## Example\r\n\r\n```json\r\n{\r\n  \"identifier\": \"read-documents\",\r\n  \"windows\": [\"main\"],\r\n  \"permissions\": [\r\n    \"fs:allow-read\",\r\n    {\r\n      \"identifier\": \"fs:scope\",\r\n      \"allow\": [\r\n        \"$APPDATA/documents/**/*\"\r\n      ],\r\n      \"deny\": [\r\n        \"$APPDATA/documents/secret.txt\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\n```\r\n"
         },
         {
           "description": "This enables all write related commands without any pre-configured accessible paths.",

plugins/http/permissions/schemas/schema.json

@@ -343,10 +343,10 @@
           "markdownDescription": "Denies the fetch_send command without any pre-configured scope."
         },
         {
-          "description": "This permission set configures what kind of\nfetch operations are available from the http plugin.\n\nThis enables all fetch operations but does not\nallow explicitly any origins to be fetched. This needs to\nbe manually configured before usage.\n\n#### Granted Permissions\n\nAll fetch operations are enabled.\n\n\n#### This default permission set includes:\n\n- `allow-fetch`\n- `allow-fetch-cancel`\n- `allow-fetch-read-body`\n- `allow-fetch-send`",
+          "description": "This permission set configures what kind of\r\nfetch operations are available from the http plugin.\r\n\r\nThis enables all fetch operations but does not\r\nallow explicitly any origins to be fetched. This needs to\r\nbe manually configured before usage.\r\n\r\n#### Granted Permissions\r\n\r\nAll fetch operations are enabled.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-fetch`\n- `allow-fetch-cancel`\n- `allow-fetch-read-body`\n- `allow-fetch-send`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This permission set configures what kind of\nfetch operations are available from the http plugin.\n\nThis enables all fetch operations but does not\nallow explicitly any origins to be fetched. This needs to\nbe manually configured before usage.\n\n#### Granted Permissions\n\nAll fetch operations are enabled.\n\n\n#### This default permission set includes:\n\n- `allow-fetch`\n- `allow-fetch-cancel`\n- `allow-fetch-read-body`\n- `allow-fetch-send`"
+          "markdownDescription": "This permission set configures what kind of\r\nfetch operations are available from the http plugin.\r\n\r\nThis enables all fetch operations but does not\r\nallow explicitly any origins to be fetched. This needs to\r\nbe manually configured before usage.\r\n\r\n#### Granted Permissions\r\n\r\nAll fetch operations are enabled.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-fetch`\n- `allow-fetch-cancel`\n- `allow-fetch-read-body`\n- `allow-fetch-send`"
         }
       ]
     }

plugins/nfc/permissions/schemas/schema.json

@@ -331,10 +331,10 @@
           "markdownDescription": "Denies the write command without any pre-configured scope."
         },
         {
-          "description": "This permission set configures what kind of\noperations are available from the nfc plugin.\n\n#### Granted Permissions\n\nChecking if the NFC functionality is available\nand scanning nearby tags is allowed.\nWriting to tags needs to be manually enabled.\n\n\n#### This default permission set includes:\n\n- `allow-is-available`\n- `allow-scan`",
+          "description": "This permission set configures what kind of\r\noperations are available from the nfc plugin.\r\n\r\n#### Granted Permissions\r\n\r\nChecking if the NFC functionality is available\r\nand scanning nearby tags is allowed.\r\nWriting to tags needs to be manually enabled.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-is-available`\n- `allow-scan`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This permission set configures what kind of\noperations are available from the nfc plugin.\n\n#### Granted Permissions\n\nChecking if the NFC functionality is available\nand scanning nearby tags is allowed.\nWriting to tags needs to be manually enabled.\n\n\n#### This default permission set includes:\n\n- `allow-is-available`\n- `allow-scan`"
+          "markdownDescription": "This permission set configures what kind of\r\noperations are available from the nfc plugin.\r\n\r\n#### Granted Permissions\r\n\r\nChecking if the NFC functionality is available\r\nand scanning nearby tags is allowed.\r\nWriting to tags needs to be manually enabled.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-is-available`\n- `allow-scan`"
         }
       ]
     }

plugins/os/permissions/schemas/schema.json

@@ -391,10 +391,10 @@
           "markdownDescription": "Denies the version command without any pre-configured scope."
         },
         {
-          "description": "This permission set configures which\noperating system information are available\nto gather from the frontend.\n\n#### Granted Permissions\n\nAll information except the host name are available.\n\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`",
+          "description": "This permission set configures which\r\noperating system information are available\r\nto gather from the frontend.\r\n\r\n#### Granted Permissions\r\n\r\nAll information except the host name are available.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This permission set configures which\noperating system information are available\nto gather from the frontend.\n\n#### Granted Permissions\n\nAll information except the host name are available.\n\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`"
+          "markdownDescription": "This permission set configures which\r\noperating system information are available\r\nto gather from the frontend.\r\n\r\n#### Granted Permissions\r\n\r\nAll information except the host name are available.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`"
         }
       ]
     }

plugins/process/permissions/schemas/schema.json

@@ -319,10 +319,10 @@
           "markdownDescription": "Denies the restart command without any pre-configured scope."
         },
         {
-          "description": "This permission set configures which\nprocess features are by default exposed.\n\n#### Granted Permissions\n\nThis enables to quit via `allow-exit` and restart via `allow-restart`\nthe application.\n\n#### This default permission set includes:\n\n- `allow-exit`\n- `allow-restart`",
+          "description": "This permission set configures which\r\nprocess features are by default exposed.\r\n\r\n#### Granted Permissions\r\n\r\nThis enables to quit via `allow-exit` and restart via `allow-restart`\r\nthe application.\r\n\n#### This default permission set includes:\n\n- `allow-exit`\n- `allow-restart`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This permission set configures which\nprocess features are by default exposed.\n\n#### Granted Permissions\n\nThis enables to quit via `allow-exit` and restart via `allow-restart`\nthe application.\n\n#### This default permission set includes:\n\n- `allow-exit`\n- `allow-restart`"
+          "markdownDescription": "This permission set configures which\r\nprocess features are by default exposed.\r\n\r\n#### Granted Permissions\r\n\r\nThis enables to quit via `allow-exit` and restart via `allow-restart`\r\nthe application.\r\n\n#### This default permission set includes:\n\n- `allow-exit`\n- `allow-restart`"
         }
       ]
     }

plugins/secure-storage/Cargo.toml

@@ -0,0 +1,56 @@
+[package]
+name = "tauri-plugin-secure-storage"
+version = "2.0.0"
+edition = { workspace = true }
+rust-version = "1.85"
+authors = { workspace = true }
+license = { workspace = true }
+repository = { workspace = true }
+links = "tauri-plugin-secure-storage"
+description = "Store data in the platforms' keychains."
+
+[package.metadata.docs.rs]
+rustc-args = ["--cfg", "docsrs"]
+rustdoc-args = ["--cfg", "docsrs"]
+
+# Platforms supported by the plugin
+# Support levels are "full", "partial", "none", "unknown"
+# Details of the support level are left to plugin maintainer
+[package.metadata.platforms]
+windows = { level = "full", notes = "Windows' credentials storage only protects from other accounts on that system. The main user and their apps can access your app's data." }
+linux = { level = "full", notes = "May not work in WSL." }
+macos = { level = "full", notes = "May prompt for passwords twice." }
+android = { level = "full", notes = "The implementation is very new and therefore not battle-tested nor audited." }
+ios = { level = "full", notes = "" }
+
+[build-dependencies]
+tauri-plugin = { workspace = true, features = ["build"] }
+
+[features]
+# TODO: docs
+# TODO: Check if protected works on intel as well, otherwise we may have to split this up. using protected for ios and keychain for macos and somehow making protected opt-in for apple silicon macs.
+apple-keychain = ["apple-native-keyring-store/keychain"]
+apple-protected = ["apple-native-keyring-store/protected"]
+
+[dependencies]
+serde = { workspace = true }
+serde_json = { workspace = true }
+tauri = { workspace = true }
+log = { workspace = true }
+thiserror = { workspace = true }
+keyring-core = "0.7"
+
+[target.'cfg(windows)'.dependencies]
+windows-native-keyring-store = "0.2"
+
+[target.'cfg(target_os = "linux")'.dependencies]
+zbus-secret-service-keyring-store = { version = "0.2", features = [
+  "rt-tokio-crypto-rust",
+] }
+
+[target.'cfg(any(target_os = "ios", target_os = "macos"))'.dependencies]
+apple-native-keyring-store = "0.2"
+
+[target.'cfg(target_os = "android")'.dependencies]
+# TODO: upstream is on keyring-core@0.6
+android-native-keyring-store = { git = "https://github.com/FabianLars/android-native-keyring-store" }

plugins/secure-storage/LICENSE.spdx

@@ -0,0 +1,20 @@
+SPDXVersion: SPDX-2.1
+DataLicense: CC0-1.0
+PackageName: tauri
+DataFormat: SPDXRef-1
+PackageSupplier: Organization: The Tauri Programme in the Commons Conservancy
+PackageHomePage: https://tauri.app
+PackageLicenseDeclared: Apache-2.0
+PackageLicenseDeclared: MIT
+PackageCopyrightText: 2019-2022, The Tauri Programme in the Commons Conservancy
+PackageSummary: <text>Tauri is a rust project that enables developers to make secure
+and small desktop applications using a web frontend.
+                </text>
+PackageComment: <text>The package includes the following libraries; see
+Relationship information.
+                </text>
+Created: 2019-05-20T09:00:00Z
+PackageDownloadLocation: git://github.com/tauri-apps/tauri
+PackageDownloadLocation: git+https://github.com/tauri-apps/tauri.git
+PackageDownloadLocation: git+ssh://github.com/tauri-apps/tauri.git
+Creator: Person: Daniel Thompson-Yvetot

plugins/secure-storage/LICENSE_APACHE-2.0

@@ -0,0 +1,177 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

plugins/secure-storage/LICENSE_MIT

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 - Present Tauri Apps Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

plugins/secure-storage/README.md

@@ -0,0 +1,107 @@
+![secure-storage](https://github.com/tauri-apps/plugins-workspace/raw/v2/plugins/secure-storage/banner.png)
+
+Store data in the platforms' keychains.
+
+<!-- TODO: List the keychains we use -->
+
+| Platform | Supported |
+| -------- | --------- |
+| Linux    | ✓         |
+| Windows  | ✓         |
+| macOS    | ✓         |
+| Android  | ✓         |
+| iOS      | ✓         |
+
+## Install
+
+_This plugin requires a Rust version of at least **1.85**_
+
+There are three general methods of installation that we can recommend.
+
+1. Use crates.io and npm (easiest, and requires you to trust that our publishing pipeline worked)
+2. Pull sources directly from Github using git tags / revision hashes (most secure)
+3. Git submodule install this repo in your tauri project and then use file protocol to ingest the source (most secure, but inconvenient to use)
+
+Install the Core plugin by adding the following to your `Cargo.toml` file:
+
+`src-tauri/Cargo.toml`
+
+```toml
+[dependencies]
+tauri-plugin-secure-storage = "2.0.0"
+# alternatively with Git:
+tauri-plugin-secure-storage = { git = "https://github.com/tauri-apps/plugins-workspace", branch = "v2" }
+```
+
+You can install the JavaScript Guest bindings using your preferred JavaScript package manager:
+
+```sh
+pnpm add @tauri-apps/plugin-secure-storage
+# or
+npm add @tauri-apps/plugin-secure-storage
+# or
+yarn add @tauri-apps/plugin-secure-storage
+```
+
+## Usage
+
+First you need to register the core plugin with Tauri:
+
+`src-tauri/src/lib.rs`
+
+```rust
+fn main() {
+    tauri::Builder::default()
+        .plugin(tauri_plugin_secure_storage::init())
+        .run(tauri::generate_context!())
+        .expect("error while running tauri application");
+}
+```
+
+Afterwards all the plugin's APIs are available through the JavaScript guest bindings:
+
+```typescript
+import { setString, getString } from '@tauri-apps/plugin-secure-storage'
+
+await setString('some-key', 'some-secret-value')
+
+const storedData = getString('some-key')
+
+console.log(storedData) // Should return `some-secret-value`
+```
+
+Similarily, the plugin also has Rust APIs:
+
+```rs
+use tauri_plugin_secure_storage::SecureStorageExt;
+
+app.secure_storage().set_string("some-key", "some-secret-value");
+
+let stored_data = app.secure_storage().get_string("some-key");
+```
+
+## Contributing
+
+PRs accepted. Please make sure to read the Contributing Guide before making a pull request.
+
+## Partners
+
+<table>
+  <tbody>
+    <tr>
+      <td align="center" valign="middle">
+        <a href="https://crabnebula.dev" target="_blank">
+          <img src="https://github.com/tauri-apps/plugins-workspace/raw/v2/.github/sponsors/crabnebula.svg" alt="CrabNebula" width="283">
+        </a>
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+For the complete list of sponsors please visit our [website](https://tauri.app#sponsors) and [Open Collective](https://opencollective.com/tauri).
+
+## License
+
+Code: (c) 2015 - Present - The Tauri Programme within The Commons Conservancy.
+
+MIT or MIT/Apache 2.0 where applicable.

plugins/secure-storage/SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+**Do not report security vulnerabilities through public GitHub issues.**
+
+**Please use the [Private Vulnerability Disclosure](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) feature of GitHub.**
+
+Include as much of the following information:
+
+- Type of issue (e.g. improper input parsing, privilege escalation, etc.)
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- The distribution affected or used to help us with reproduction of the issue
+- Step-by-step instructions to reproduce the issue
+- Ideally a reproduction repository
+- Impact of the issue, including how an attacker might exploit the issue
+
+We prefer to receive reports in English.
+
+## Contact
+
+Please disclose a vulnerability or security relevant issue here: [https://github.com/tauri-apps/plugins-workspace/security/advisories/new](https://github.com/tauri-apps/plugins-workspace/security/advisories/new).
+
+Alternatively, you can also contact us by email via [security@tauri.app](mailto:security@tauri.app).

plugins/secure-storage/api-iife.js

@@ -0,0 +1 @@
+if("__TAURI__"in window){var __TAURI_PLUGIN_SECURE_STORAGE__=function(e){"use strict";async function n(e,n={},r){return window.__TAURI_INTERNALS__.invoke(e,n,r)}return"function"==typeof SuppressedError&&SuppressedError,e.getBinary=async function(e){return await n("plugin:secure-storage|set_string",{key:e})},e.getString=async function(e){return await n("plugin:secure-storage|get_string",{key:e})},e.setBinary=async function(e,r){return await n("plugin:secure-storage|set_binary",{key:e,value:r})},e.setString=async function(e,r){return await n("plugin:secure-storage|set_string",{key:e,value:r})},e}({});Object.defineProperty(window.__TAURI__,"secureStorage",{value:__TAURI_PLUGIN_SECURE_STORAGE__})}

plugins/secure-storage/build.rs

@@ -0,0 +1,18 @@
+// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+const COMMANDS: &[&str] = &["set_string", "get_string", "set_binary", "get_binary"];
+
+fn main() {
+    let result = tauri_plugin::Builder::new(COMMANDS)
+        .global_api_script_path("./api-iife.js")
+        //.android_path("android")
+        //.ios_path("ios")
+        .try_build();
+
+    // when building documentation for Android the plugin build result is always Err() and is irrelevant to the crate documentation build
+    if !(cfg!(docsrs) && std::env::var("TARGET").unwrap().contains("android")) {
+        result.unwrap();
+    }
+}

plugins/secure-storage/guest-js/index.ts

@@ -0,0 +1,39 @@
+// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+import { invoke } from '@tauri-apps/api/core'
+
+// TODO: functions to delete entries?
+// TODO: docs
+
+/*
+ * Corresponds to [`set_password`](https://docs.rs/keyring-core/latest/keyring_core/struct.Entry.html#method.set_password) in keyring-rs.
+ */
+export async function setString(key: string, value: string) {
+  return await invoke('plugin:secure-storage|set_string', { key, value })
+}
+
+/*
+ * Corresponds to [`get_password`](https://docs.rs/keyring-core/latest/keyring_core/struct.Entry.html#method.get_password) in keyring-rs.
+ */
+export async function getString(key: string): Promise<string> {
+  return await invoke('plugin:secure-storage|get_string', { key })
+}
+
+/*
+ * Corresponds to [`set_secret`](https://docs.rs/keyring-core/latest/keyring_core/struct.Entry.html#method.set_secret) in keyring-rs.
+ */
+export async function setBytes(
+  key: string,
+  value: number[] | Uint8Array | ArrayBuffer
+) {
+  return await invoke('plugin:secure-storage|set_binary', { key, value })
+}
+
+/*
+ * Corresponds to [`get_secret`](https://docs.rs/keyring-core/latest/keyring_core/struct.Entry.html#method.set_password) in keyring-rs.
+ */
+export async function getBytes(key: string): Promise<number[]> {
+  return await invoke('plugin:secure-storage|set_string', { key })
+}

plugins/secure-storage/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@tauri-apps/plugin-secure-storage",
+  "version": "2.0.0",
+  "license": "MIT OR Apache-2.0",
+  "authors": [
+    "Tauri Programme within The Commons Conservancy"
+  ],
+  "repository": "https://github.com/tauri-apps/plugins-workspace",
+  "type": "module",
+  "types": "./dist-js/index.d.ts",
+  "main": "./dist-js/index.cjs",
+  "module": "./dist-js/index.js",
+  "exports": {
+    "types": "./dist-js/index.d.ts",
+    "import": "./dist-js/index.js",
+    "require": "./dist-js/index.cjs"
+  },
+  "scripts": {
+    "build": "rollup -c"
+  },
+  "files": [
+    "dist-js",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "@tauri-apps/api": "^2.8.0"
+  }
+}

plugins/secure-storage/permissions/autogenerated/commands/get_binary.toml

@@ -0,0 +1,13 @@
+# Automatically generated - DO NOT EDIT!
+
+"$schema" = "../../schemas/schema.json"
+
+[[permission]]
+identifier = "allow-get-binary"
+description = "Enables the get_binary command without any pre-configured scope."
+commands.allow = ["get_binary"]
+
+[[permission]]
+identifier = "deny-get-binary"
+description = "Denies the get_binary command without any pre-configured scope."
+commands.deny = ["get_binary"]

plugins/secure-storage/permissions/autogenerated/commands/get_string.toml

@@ -0,0 +1,13 @@
+# Automatically generated - DO NOT EDIT!
+
+"$schema" = "../../schemas/schema.json"
+
+[[permission]]
+identifier = "allow-get-string"
+description = "Enables the get_string command without any pre-configured scope."
+commands.allow = ["get_string"]
+
+[[permission]]
+identifier = "deny-get-string"
+description = "Denies the get_string command without any pre-configured scope."
+commands.deny = ["get_string"]

plugins/secure-storage/permissions/autogenerated/commands/set_binary.toml

@@ -0,0 +1,13 @@
+# Automatically generated - DO NOT EDIT!
+
+"$schema" = "../../schemas/schema.json"
+
+[[permission]]
+identifier = "allow-set-binary"
+description = "Enables the set_binary command without any pre-configured scope."
+commands.allow = ["set_binary"]
+
+[[permission]]
+identifier = "deny-set-binary"
+description = "Denies the set_binary command without any pre-configured scope."
+commands.deny = ["set_binary"]

plugins/secure-storage/permissions/autogenerated/commands/set_string.toml

@@ -0,0 +1,13 @@
+# Automatically generated - DO NOT EDIT!
+
+"$schema" = "../../schemas/schema.json"
+
+[[permission]]
+identifier = "allow-set-string"
+description = "Enables the set_string command without any pre-configured scope."
+commands.allow = ["set_string"]
+
+[[permission]]
+identifier = "deny-set-string"
+description = "Denies the set_string command without any pre-configured scope."
+commands.deny = ["set_string"]

plugins/secure-storage/permissions/autogenerated/reference.md

@@ -0,0 +1,132 @@
+## Default Permission
+
+This permission set configures which
+Secure Storage APIs are available by defaultt.
+
+#### Granted Permissions
+
+In the PoC phase all commands are allowed by default.
+
+#### This default permission set includes the following:
+
+- `allow-arch`
+- `allow-exe-extension`
+- `allow-family`
+- `allow-locale`
+- `allow-os-type`
+- `allow-platform`
+- `allow-version`
+
+## Permission Table
+
+<table>
+<tr>
+<th>Identifier</th>
+<th>Description</th>
+</tr>
+
+
+<tr>
+<td>
+
+`secure-storage:allow-get-binary`
+
+</td>
+<td>
+
+Enables the get_binary command without any pre-configured scope.
+
+</td>
+</tr>
+
+<tr>
+<td>
+
+`secure-storage:deny-get-binary`
+
+</td>
+<td>
+
+Denies the get_binary command without any pre-configured scope.
+
+</td>
+</tr>
+
+<tr>
+<td>
+
+`secure-storage:allow-get-string`
+
+</td>
+<td>
+
+Enables the get_string command without any pre-configured scope.
+
+</td>
+</tr>
+
+<tr>
+<td>
+
+`secure-storage:deny-get-string`
+
+</td>
+<td>
+
+Denies the get_string command without any pre-configured scope.
+
+</td>
+</tr>
+
+<tr>
+<td>
+
+`secure-storage:allow-set-binary`
+
+</td>
+<td>
+
+Enables the set_binary command without any pre-configured scope.
+
+</td>
+</tr>
+
+<tr>
+<td>
+
+`secure-storage:deny-set-binary`
+
+</td>
+<td>
+
+Denies the set_binary command without any pre-configured scope.
+
+</td>
+</tr>
+
+<tr>
+<td>
+
+`secure-storage:allow-set-string`
+
+</td>
+<td>
+
+Enables the set_string command without any pre-configured scope.
+
+</td>
+</tr>
+
+<tr>
+<td>
+
+`secure-storage:deny-set-string`
+
+</td>
+<td>
+
+Denies the set_string command without any pre-configured scope.
+
+</td>
+</tr>
+</table>

plugins/secure-storage/permissions/default.toml

@@ -0,0 +1,23 @@
+"$schema" = "schemas/schema.json"
+
+# TODO: Discuss defaults. Also consider potentional encrypt/decrypt-like functions.
+[default]
+description = """
+This permission set configures which
+Secure Storage APIs are available by defaultt.
+
+#### Granted Permissions
+
+In the PoC phase all commands are allowed by default.
+
+"""
+
+permissions = [
+  "allow-arch",
+  "allow-exe-extension",
+  "allow-family",
+  "allow-locale",
+  "allow-os-type",
+  "allow-platform",
+  "allow-version",
+]

plugins/secure-storage/permissions/schemas/schema.json

@@ -0,0 +1,354 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "PermissionFile",
+  "description": "Permission file that can define a default permission, a set of permissions or a list of inlined permissions.",
+  "type": "object",
+  "properties": {
+    "default": {
+      "description": "The default permission set for the plugin",
+      "anyOf": [
+        {
+          "$ref": "#/definitions/DefaultPermission"
+        },
+        {
+          "type": "null"
+        }
+      ]
+    },
+    "set": {
+      "description": "A list of permissions sets defined",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/PermissionSet"
+      }
+    },
+    "permission": {
+      "description": "A list of inlined permissions",
+      "default": [],
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/Permission"
+      }
+    }
+  },
+  "definitions": {
+    "DefaultPermission": {
+      "description": "The default permission set of the plugin.\n\nWorks similarly to a permission with the \"default\" identifier.",
+      "type": "object",
+      "required": [
+        "permissions"
+      ],
+      "properties": {
+        "version": {
+          "description": "The version of the permission.",
+          "type": [
+            "integer",
+            "null"
+          ],
+          "format": "uint64",
+          "minimum": 1.0
+        },
+        "description": {
+          "description": "Human-readable description of what the permission does. Tauri convention is to use `<h4>` headings in markdown content for Tauri documentation generation purposes.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "permissions": {
+          "description": "All permissions this set contains.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "PermissionSet": {
+      "description": "A set of direct permissions grouped together under a new name.",
+      "type": "object",
+      "required": [
+        "description",
+        "identifier",
+        "permissions"
+      ],
+      "properties": {
+        "identifier": {
+          "description": "A unique identifier for the permission.",
+          "type": "string"
+        },
+        "description": {
+          "description": "Human-readable description of what the permission does.",
+          "type": "string"
+        },
+        "permissions": {
+          "description": "All permissions this set contains.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/PermissionKind"
+          }
+        }
+      }
+    },
+    "Permission": {
+      "description": "Descriptions of explicit privileges of commands.\n\nIt can enable commands to be accessible in the frontend of the application.\n\nIf the scope is defined it can be used to fine grain control the access of individual or multiple commands.",
+      "type": "object",
+      "required": [
+        "identifier"
+      ],
+      "properties": {
+        "version": {
+          "description": "The version of the permission.",
+          "type": [
+            "integer",
+            "null"
+          ],
+          "format": "uint64",
+          "minimum": 1.0
+        },
+        "identifier": {
+          "description": "A unique identifier for the permission.",
+          "type": "string"
+        },
+        "description": {
+          "description": "Human-readable description of what the permission does. Tauri internal convention is to use `<h4>` headings in markdown content for Tauri documentation generation purposes.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "commands": {
+          "description": "Allowed or denied commands when using this permission.",
+          "default": {
+            "allow": [],
+            "deny": []
+          },
+          "allOf": [
+            {
+              "$ref": "#/definitions/Commands"
+            }
+          ]
+        },
+        "scope": {
+          "description": "Allowed or denied scoped when using this permission.",
+          "allOf": [
+            {
+              "$ref": "#/definitions/Scopes"
+            }
+          ]
+        },
+        "platforms": {
+          "description": "Target platforms this permission applies. By default all platforms are affected by this permission.",
+          "type": [
+            "array",
+            "null"
+          ],
+          "items": {
+            "$ref": "#/definitions/Target"
+          }
+        }
+      }
+    },
+    "Commands": {
+      "description": "Allowed and denied commands inside a permission.\n\nIf two commands clash inside of `allow` and `deny`, it should be denied by default.",
+      "type": "object",
+      "properties": {
+        "allow": {
+          "description": "Allowed command.",
+          "default": [],
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "deny": {
+          "description": "Denied command, which takes priority.",
+          "default": [],
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "Scopes": {
+      "description": "An argument for fine grained behavior control of Tauri commands.\n\nIt can be of any serde serializable type and is used to allow or prevent certain actions inside a Tauri command. The configured scope is passed to the command and will be enforced by the command implementation.\n\n## Example\n\n```json { \"allow\": [{ \"path\": \"$HOME/**\" }], \"deny\": [{ \"path\": \"$HOME/secret.txt\" }] } ```",
+      "type": "object",
+      "properties": {
+        "allow": {
+          "description": "Data that defines what is allowed by the scope.",
+          "type": [
+            "array",
+            "null"
+          ],
+          "items": {
+            "$ref": "#/definitions/Value"
+          }
+        },
+        "deny": {
+          "description": "Data that defines what is denied by the scope. This should be prioritized by validation logic.",
+          "type": [
+            "array",
+            "null"
+          ],
+          "items": {
+            "$ref": "#/definitions/Value"
+          }
+        }
+      }
+    },
+    "Value": {
+      "description": "All supported ACL values.",
+      "anyOf": [
+        {
+          "description": "Represents a null JSON value.",
+          "type": "null"
+        },
+        {
+          "description": "Represents a [`bool`].",
+          "type": "boolean"
+        },
+        {
+          "description": "Represents a valid ACL [`Number`].",
+          "allOf": [
+            {
+              "$ref": "#/definitions/Number"
+            }
+          ]
+        },
+        {
+          "description": "Represents a [`String`].",
+          "type": "string"
+        },
+        {
+          "description": "Represents a list of other [`Value`]s.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Value"
+          }
+        },
+        {
+          "description": "Represents a map of [`String`] keys to [`Value`]s.",
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/Value"
+          }
+        }
+      ]
+    },
+    "Number": {
+      "description": "A valid ACL number.",
+      "anyOf": [
+        {
+          "description": "Represents an [`i64`].",
+          "type": "integer",
+          "format": "int64"
+        },
+        {
+          "description": "Represents a [`f64`].",
+          "type": "number",
+          "format": "double"
+        }
+      ]
+    },
+    "Target": {
+      "description": "Platform target.",
+      "oneOf": [
+        {
+          "description": "MacOS.",
+          "type": "string",
+          "enum": [
+            "macOS"
+          ]
+        },
+        {
+          "description": "Windows.",
+          "type": "string",
+          "enum": [
+            "windows"
+          ]
+        },
+        {
+          "description": "Linux.",
+          "type": "string",
+          "enum": [
+            "linux"
+          ]
+        },
+        {
+          "description": "Android.",
+          "type": "string",
+          "enum": [
+            "android"
+          ]
+        },
+        {
+          "description": "iOS.",
+          "type": "string",
+          "enum": [
+            "iOS"
+          ]
+        }
+      ]
+    },
+    "PermissionKind": {
+      "type": "string",
+      "oneOf": [
+        {
+          "description": "Enables the get_binary command without any pre-configured scope.",
+          "type": "string",
+          "const": "allow-get-binary",
+          "markdownDescription": "Enables the get_binary command without any pre-configured scope."
+        },
+        {
+          "description": "Denies the get_binary command without any pre-configured scope.",
+          "type": "string",
+          "const": "deny-get-binary",
+          "markdownDescription": "Denies the get_binary command without any pre-configured scope."
+        },
+        {
+          "description": "Enables the get_string command without any pre-configured scope.",
+          "type": "string",
+          "const": "allow-get-string",
+          "markdownDescription": "Enables the get_string command without any pre-configured scope."
+        },
+        {
+          "description": "Denies the get_string command without any pre-configured scope.",
+          "type": "string",
+          "const": "deny-get-string",
+          "markdownDescription": "Denies the get_string command without any pre-configured scope."
+        },
+        {
+          "description": "Enables the set_binary command without any pre-configured scope.",
+          "type": "string",
+          "const": "allow-set-binary",
+          "markdownDescription": "Enables the set_binary command without any pre-configured scope."
+        },
+        {
+          "description": "Denies the set_binary command without any pre-configured scope.",
+          "type": "string",
+          "const": "deny-set-binary",
+          "markdownDescription": "Denies the set_binary command without any pre-configured scope."
+        },
+        {
+          "description": "Enables the set_string command without any pre-configured scope.",
+          "type": "string",
+          "const": "allow-set-string",
+          "markdownDescription": "Enables the set_string command without any pre-configured scope."
+        },
+        {
+          "description": "Denies the set_string command without any pre-configured scope.",
+          "type": "string",
+          "const": "deny-set-string",
+          "markdownDescription": "Denies the set_string command without any pre-configured scope."
+        },
+        {
+          "description": "This permission set configures which\r\nSecure Storage APIs are available by defaultt.\r\n\r\n#### Granted Permissions\r\n\r\nIn the PoC phase all commands are allowed by default.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`",
+          "type": "string",
+          "const": "default",
+          "markdownDescription": "This permission set configures which\r\nSecure Storage APIs are available by defaultt.\r\n\r\n#### Granted Permissions\r\n\r\nIn the PoC phase all commands are allowed by default.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-arch`\n- `allow-exe-extension`\n- `allow-family`\n- `allow-locale`\n- `allow-os-type`\n- `allow-platform`\n- `allow-version`"
+        }
+      ]
+    }
+  }
+}

plugins/secure-storage/rollup.config.js

@@ -0,0 +1,7 @@
+// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+import { createConfig } from '../../shared/rollup.config.js'
+
+export default createConfig()

plugins/secure-storage/src/commands.rs

@@ -0,0 +1,27 @@
+// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+use tauri::{command, AppHandle, Runtime};
+
+use crate::{Result, SecureStorageExt};
+
+#[command]
+pub(crate) fn set_string<R: Runtime>(app: AppHandle<R>, key: &str, value: &str) -> Result<()> {
+    app.secure_storage().set_string(key, value)
+}
+
+#[command]
+pub(crate) fn get_string<R: Runtime>(app: AppHandle<R>, key: &str) -> Result<String> {
+    app.secure_storage().get_string(key)
+}
+
+#[command]
+pub(crate) fn set_bytes<R: Runtime>(app: AppHandle<R>, key: &str, value: &[u8]) -> Result<()> {
+    app.secure_storage().set_bytes(key, value)
+}
+
+#[command]
+pub(crate) fn get_bytes<R: Runtime>(app: AppHandle<R>, key: &str) -> Result<Vec<u8>> {
+    app.secure_storage().get_bytes(key)
+}

plugins/secure-storage/src/error.rs

@@ -0,0 +1,23 @@
+// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+use serde::{ser::Serializer, Serialize};
+
+pub type Result<T> = std::result::Result<T, Error>;
+
+#[non_exhaustive]
+#[derive(Debug, thiserror::Error)]
+pub enum Error {
+    #[error(transparent)]
+    Keyring(#[from] keyring_core::Error),
+}
+
+impl Serialize for Error {
+    fn serialize<S>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        serializer.serialize_str(self.to_string().as_ref())
+    }
+}

plugins/secure-storage/src/lib.rs

@@ -0,0 +1,86 @@
+// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+use keyring_core::{set_default_store, Entry};
+use tauri::{
+    plugin::{Builder, TauriPlugin},
+    AppHandle, Manager, Runtime,
+};
+
+mod commands;
+mod error;
+
+pub use error::{Error, Result};
+
+// TODO: Consider using a worker thread to handle caveats mentioned by keyring-rs
+
+/// Extensions to [`tauri::App`], [`tauri::AppHandle`], [`tauri::WebviewWindow`], [`tauri::Webview`] and [`tauri::Window`] to access the secure-storage APIs.
+pub trait SecureStorageExt<R: Runtime> {
+    fn secure_storage(&self) -> &SecureStorage<R>;
+}
+
+impl<R: Runtime, T: Manager<R>> crate::SecureStorageExt<R> for T {
+    fn secure_storage(&self) -> &SecureStorage<R> {
+        self.state::<SecureStorage<R>>().inner()
+    }
+}
+
+/// Initializes the plugin.
+pub fn init<R: Runtime>() -> TauriPlugin<R> {
+    Builder::new("secure-storage")
+        .invoke_handler(tauri::generate_handler![
+            commands::set_string,
+            commands::get_string,
+            commands::set_bytes,
+            commands::get_bytes
+        ])
+        .setup(|app, _api| {
+            #[cfg(target_os = "android")]
+            set_default_store(android_native_keyring_store::AndroidStore::from_ndk_context()?);
+
+            // TODO: (maybe) config to change used keychain.
+            #[cfg(all(target_vendor = "apple", feature = "apple-keychain"))]
+            set_default_store(apple_native_keyring_store::keychain::Store::new()?);
+
+            // TODO: config. most notably icloud sync and biometrics
+            #[cfg(all(target_vendor = "apple", feature = "apple-protected"))]
+            set_default_store(apple_native_keyring_store::protected::Store::new()?);
+
+            #[cfg(windows)]
+            set_default_store(windows_native_keyring_store::Store::new()?);
+
+            #[cfg(target_os = "linux")]
+            set_default_store(zbus_secret_service_keyring_store::Store::new()?);
+
+            app.manage(SecureStorage(app.clone()));
+            Ok(())
+        })
+        .build()
+}
+
+/// Access to the secure-storage APIs.
+pub struct SecureStorage<R: Runtime>(AppHandle<R>);
+
+// TODO: docs
+impl<R: Runtime> SecureStorage<R> {
+    /// Corresponds to [`set_password`](https://docs.rs/keyring-core/latest/keyring_core/struct.Entry.html#method.set_password) in keyring-rs.
+    pub fn set_string(&self, key: &str, value: &str) -> Result<()> {
+        Ok(Entry::new(&self.0.config().identifier, key)?.set_password(value)?)
+    }
+
+    /// Corresponds to [`get_password`](https://docs.rs/keyring-core/latest/keyring_core/struct.Entry.html#method.get_password) in keyring-rs.
+    pub fn get_string(&self, key: &str) -> Result<String> {
+        Ok(Entry::new(&self.0.config().identifier, key)?.get_password()?)
+    }
+
+    /// Corresponds to [`set_secret`](https://docs.rs/keyring-core/latest/keyring_core/struct.Entry.html#method.set_secret) in keyring-rs.
+    pub fn set_bytes(&self, key: &str, value: &[u8]) -> Result<()> {
+        Ok(Entry::new(&self.0.config().identifier, key)?.set_secret(value)?)
+    }
+
+    /// Corresponds to [`get_secret`](https://docs.rs/keyring-core/latest/keyring_core/struct.Entry.html#method.set_password) in keyring-rs.
+    pub fn get_bytes(&self, key: &str) -> Result<Vec<u8>> {
+        Ok(Entry::new(&self.0.config().identifier, key)?.get_secret()?)
+    }
+}

plugins/secure-storage/tsconfig.json

@@ -0,0 +1,4 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "include": ["guest-js/*.ts"]
+}

plugins/shell/permissions/schemas/schema.json

@@ -355,10 +355,10 @@
           "markdownDescription": "Denies the stdin_write command without any pre-configured scope."
         },
         {
-          "description": "This permission set configures which\nshell functionality is exposed by default.\n\n#### Granted Permissions\n\nIt allows to use the `open` functionality with a reasonable\nscope pre-configured. It will allow opening `http(s)://`,\n`tel:` and `mailto:` links.\n\n#### This default permission set includes:\n\n- `allow-open`",
+          "description": "This permission set configures which\r\nshell functionality is exposed by default.\r\n\r\n#### Granted Permissions\r\n\r\nIt allows to use the `open` functionality with a reasonable\r\nscope pre-configured. It will allow opening `http(s)://`,\r\n`tel:` and `mailto:` links.\r\n\n#### This default permission set includes:\n\n- `allow-open`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This permission set configures which\nshell functionality is exposed by default.\n\n#### Granted Permissions\n\nIt allows to use the `open` functionality with a reasonable\nscope pre-configured. It will allow opening `http(s)://`,\n`tel:` and `mailto:` links.\n\n#### This default permission set includes:\n\n- `allow-open`"
+          "markdownDescription": "This permission set configures which\r\nshell functionality is exposed by default.\r\n\r\n#### Granted Permissions\r\n\r\nIt allows to use the `open` functionality with a reasonable\r\nscope pre-configured. It will allow opening `http(s)://`,\r\n`tel:` and `mailto:` links.\r\n\n#### This default permission set includes:\n\n- `allow-open`"
         }
       ]
     }

plugins/sql/permissions/schemas/schema.json

@@ -343,10 +343,10 @@
           "markdownDescription": "Denies the select command without any pre-configured scope."
         },
         {
-          "description": "### Default Permissions\n\nThis permission set configures what kind of\ndatabase operations are available from the sql plugin.\n\n### Granted Permissions\n\nAll reading related operations are enabled.\nAlso allows to load or close a connection.\n\n\n#### This default permission set includes:\n\n- `allow-close`\n- `allow-load`\n- `allow-select`",
+          "description": "### Default Permissions\r\n\r\nThis permission set configures what kind of\r\ndatabase operations are available from the sql plugin.\r\n\r\n### Granted Permissions\r\n\r\nAll reading related operations are enabled.\r\nAlso allows to load or close a connection.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-close`\n- `allow-load`\n- `allow-select`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "### Default Permissions\n\nThis permission set configures what kind of\ndatabase operations are available from the sql plugin.\n\n### Granted Permissions\n\nAll reading related operations are enabled.\nAlso allows to load or close a connection.\n\n\n#### This default permission set includes:\n\n- `allow-close`\n- `allow-load`\n- `allow-select`"
+          "markdownDescription": "### Default Permissions\r\n\r\nThis permission set configures what kind of\r\ndatabase operations are available from the sql plugin.\r\n\r\n### Granted Permissions\r\n\r\nAll reading related operations are enabled.\r\nAlso allows to load or close a connection.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-close`\n- `allow-load`\n- `allow-select`"
         }
       ]
     }

plugins/stronghold/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "tauri-plugin-stronghold"
 version = "2.3.1"
-description = "Store secrets and keys using the IOTA Stronghold secret management engine."
+description = "Deprecated - Store secrets and keys using the IOTA Stronghold secret management engine."
 authors = { workspace = true }
 license = { workspace = true }
 edition = { workspace = true }

plugins/stronghold/README.md

@@ -1,5 +1,11 @@
 ![plugin-stronghold](https://github.com/tauri-apps/plugins-workspace/raw/v2/plugins/stronghold/banner.png)
 
+## Deprecation Notice
+
+This plugin is deprecated and will be removed in line with Tauri's v3 release. The [Secure Storage] plugin is an alternative for most users.
+
+## Stronghold plugin
+
 Store secrets and keys using the [IOTA Stronghold](https://github.com/iotaledger/stronghold.rs) secret management engine.
 
 | Platform | Supported |

plugins/stronghold/src/lib.rs

@@ -3,6 +3,8 @@
 // SPDX-License-Identifier: MIT
 
 //! Store secrets and keys using the [IOTA Stronghold](https://github.com/iotaledger/stronghold.rs) encrypted database and secure runtime.
+//!
+//! Note that this plugin is deprecated and should not be used!
 
 #![doc(
     html_logo_url = "https://github.com/tauri-apps/tauri/raw/dev/app-icon.png",

plugins/upload/permissions/schemas/schema.json

@@ -319,10 +319,10 @@
           "markdownDescription": "Denies the upload command without any pre-configured scope."
         },
         {
-          "description": "This permission set configures what kind of\noperations are available from the upload plugin.\n\n#### Granted Permissions\n\nAll operations are enabled by default.\n\n\n#### This default permission set includes:\n\n- `allow-upload`\n- `allow-download`",
+          "description": "This permission set configures what kind of\r\noperations are available from the upload plugin.\r\n\r\n#### Granted Permissions\r\n\r\nAll operations are enabled by default.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-upload`\n- `allow-download`",
           "type": "string",
           "const": "default",
-          "markdownDescription": "This permission set configures what kind of\noperations are available from the upload plugin.\n\n#### Granted Permissions\n\nAll operations are enabled by default.\n\n\n#### This default permission set includes:\n\n- `allow-upload`\n- `allow-download`"
+          "markdownDescription": "This permission set configures what kind of\r\noperations are available from the upload plugin.\r\n\r\n#### Granted Permissions\r\n\r\nAll operations are enabled by default.\r\n\r\n\n#### This default permission set includes:\n\n- `allow-upload`\n- `allow-download`"
         }
       ]
     }

pnpm-lock.yaml

@@ -101,6 +101,9 @@ importers:
       '@tauri-apps/plugin-process':
         specifier: ^2.3.1
         version: link:../../plugins/process
+      '@tauri-apps/plugin-secure-storage':
+        specifier: file:../../plugins/secure-storage
+        version: link:../../plugins/secure-storage
       '@tauri-apps/plugin-shell':
         specifier: ^2.3.3
         version: link:../../plugins/shell
@@ -279,6 +282,12 @@ importers:
         specifier: ^2.8.0
         version: 2.9.0
 
+  plugins/secure-storage:
+    dependencies:
+      '@tauri-apps/api':
+        specifier: ^2.8.0
+        version: 2.9.0
+
   plugins/shell:
     dependencies:
       '@tauri-apps/api':
@@ -2347,14 +2356,13 @@ snapshots:
       picocolors: 1.1.1
       sisteransi: 1.0.5
 
-  '@covector/apply@0.10.0(mocha@10.8.2)':
+  '@covector/apply@0.10.0':
     dependencies:
       '@covector/files': 0.8.0
       effection: 2.0.8(mocha@10.8.2)
       semver: 7.7.1
     transitivePeerDependencies:
       - encoding
-      - mocha
 
   '@covector/assemble@0.12.0':
     dependencies:
@@ -2371,7 +2379,7 @@ snapshots:
       - encoding
       - supports-color
 
-  '@covector/changelog@0.12.0':
+  '@covector/changelog@0.12.0(mocha@10.8.2)':
     dependencies:
       '@covector/files': 0.8.0
       effection: 2.0.8(mocha@10.8.2)
@@ -2381,6 +2389,7 @@ snapshots:
       unified: 9.2.2
     transitivePeerDependencies:
       - encoding
+      - mocha
       - supports-color
 
   '@covector/command@0.8.0':
@@ -3285,9 +3294,9 @@ snapshots:
   covector@0.12.4(mocha@10.8.2):
     dependencies:
       '@clack/prompts': 0.7.0
-      '@covector/apply': 0.10.0(mocha@10.8.2)
+      '@covector/apply': 0.10.0
       '@covector/assemble': 0.12.0
-      '@covector/changelog': 0.12.0
+      '@covector/changelog': 0.12.0(mocha@10.8.2)
       '@covector/command': 0.8.0
       '@covector/files': 0.8.0
       effection: 2.0.8(mocha@10.8.2)

shared/template/Cargo.toml

@@ -2,6 +2,7 @@
 name = "tauri-plugin-PLUGIN_NAME"
 version = "1.0.0"
 edition = { workspace = true }
+rust-version = { workspace = true }
 authors = { workspace = true }
 license = { workspace = true }
 repository = { workspace = true }

shared/template/package.json

@@ -24,6 +24,6 @@
     "LICENSE"
   ],
   "dependencies": {
-    "@tauri-apps/api": "^2.6.0"
+    "@tauri-apps/api": "^2.8.0"
   }
 }