Add Linux keychain unlock support

did:plc:b2mcbcamkwyznc5fkplwlxbf opened this Feb 11, 2026 0 comments

Context

Currently the CLI stores credentials in the OS keychain via @napi-rs/keyring, which works cross-platform. However, the keychain unlock flow is macOS-only.

No-ops on Linux

src/utils/auth-helpers.ts, tryUnlockKeychain():

function tryUnlockKeychain(): boolean {
  if (process.platform !== 'darwin') return false; // no-op on Linux/Windows
  execSync('security unlock-keychain', { stdio: 'inherit' });
  ...
}

On non-darwin, this immediately returns false without attempting an unlock. The error message shown to the user also refers specifically to 'Mac keychain'.

Skipped tests

tests/utils/auth-helpers.test.ts:

it.skipIf(process.platform !== 'darwin')('should unlock keychain and retry when KeychainAccessError is thrown', ...)

This test was skipped because the unlock-and-retry path is macOS-only.

What Linux support would involve

  • Detect a locked keychain on Linux (Secret Service / DBus) when KeychainAccessError is thrown
  • Attempt to unlock via the appropriate Linux mechanism (e.g. gnome-keyring-daemon --unlock, kwallet, or prompting the user)
  • Update error messages to be platform-neutral
  • Re-enable (or add) tests for the Linux unlock path
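
An added sketch of the first and third bullets (detecting a locked Linux keyring and wording the error per platform); it is not code from this repository. The names LockState, Run, linuxKeyringState and keychainErrorMessage are hypothetical, and it assumes the credentials live in the Secret Service default collection and that gdbus is installed.

```typescript
// Added example, not project code. All names here are hypothetical.
type LockState = 'locked' | 'unlocked' | 'unavailable';

// Runs a program with an argv array (no shell) and returns stdout; throws on failure.
// In the CLI this would wrap child_process.execFileSync(file, args, { encoding: 'utf8' }).
type Run = (file: string, args: string[]) => string;

// Assumption: the credentials are stored in the Secret Service default collection.
const DEFAULT_COLLECTION = '/org/freedesktop/secrets/aliases/default';

// gdbus prints a boolean property wrapped in a variant, e.g. "(<true>,)".
function parseLockedReply(stdout: string): LockState {
  const m = /^\(<(true|false)>,\)$/.exec(stdout.trim());
  if (m === null) return 'unavailable'; // unexpected reply: do not guess a state
  return m[1] === 'true' ? 'locked' : 'unlocked';
}

// Reads the collection's Locked property over the session bus.
function linuxKeyringState(run: Run): LockState {
  try {
    return parseLockedReply(run('gdbus', [
      'call', '--session',
      '--dest', 'org.freedesktop.secrets',
      '--object-path', DEFAULT_COLLECTION,
      '--method', 'org.freedesktop.DBus.Properties.Get',
      'org.freedesktop.Secret.Collection', 'Locked',
    ]));
  } catch {
    // gdbus missing, no session bus, or no Secret Service provider running
    return 'unavailable';
  }
}

// Platform-neutral wording instead of a hard-coded 'Mac keychain'.
function keychainErrorMessage(platform: string, state: LockState): string {
  const store = platform === 'darwin' ? 'macOS keychain'
    : platform === 'linux' ? 'Secret Service keyring'
    : 'OS credential store';
  if (state === 'locked') return `The ${store} is locked. Unlock it and retry.`;
  if (state === 'unavailable') return `The ${store} could not be reached.`;
  return `The ${store} is unlocked but refused access to the stored credentials.`;
}
```

Separating 'unavailable' from 'locked' keeps the CLI from starting an unlock attempt on hosts with no session bus or keyring provider, such as headless servers and CI runners.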
