Add flags to disable the use of the system keyring, asking to prompt the key password directly instead

pmeunier

Jan 26, 2026, 6:10 PM

MBIKZPCCFYLEX25CKRWTHTVIZX5WYTZYNIIQIZTVHOROJW7KIE4AC

Dependencies

[2] SXEYMYF7 Fixing the bad changes in history (unfortunately, by rebooting).
[3] QL6K2ZM3 Tags
[4] AAXP2534 Tags: completing the subcommand
[5] EEBKW7VT Keys and identities
[6] 4KJ45IJL Implement new identity management
[7] DWSAYGVE Update codebase to use new identity management
[8] 4OJWMSOW Fully replace crate::Identity
[9] YJXRCXOS Disallow overwriting existing identities via `pijul id edit`
[10] DOEG3V7U Only re-write identity data when changed
[11] 5WERCJKL Check if any identities exist before removal
[12] UMF6N7CZ Keyring 2.0
[13] LZOGKBJX new command `pijul client` for authenticating to a HTTP server
[14] QWIYNMI5 Formatting + big-endian Sanakirja
[15] Y6TBQN7M Automatically format `pijul` crate
[16] 4RV7T4SR Migrate from `pijul::config` to `pijul-config`
[17] 32G3GOK7 Migrate from `dialoguer` to `pijul-interaction`
[18] 5Z2Y7VGV Migrate `pijul::identity::Complete::prove` to `pijul::remote::prove`
[19] WTPFQPO5 Add global `no_prompt` flag
[20] EVDH2ECT Migrate from `pijul::identity` to `pijul_identity`
[21] HKHMES6T Solving conflicts
[22] HJVWPKWV Migrate crates to edition 2024
[23] N26HD5PF Replace `chrono` with `jiff`
[24] Q7LEDPIW Refactor tag command's handling of repo and channel
[25] VQACP66G Add cmd flags to support histogram diff algorithm
[26] FDEVV5NG Tag check
[27] BV4PLHOV Remove dependency on `once_cell`
[28] A3RM526Y Integrating identity malleability
[29] WMS44NF5 Require --no-prompt for --read-password
[30] KKNMDXAI Tweak identity subcommand
[31] 5RSZPNQR Upgrade `clap` 3.2 -> 4.3
[32] C267PHOH Tags: dropping useless Hashes in favour of Merkles
[33] OU243LAB Support for staging
[34] 44RUBHRE Only re-prove identity when credentials change

Change contents

edit in pijul-remote/src/lib.rs at line 72

[18.285]

[18.285]

use_keyring: bool,
replacement in pijul-remote/src/lib.rs at line 109

[18.1222]→[18.1222:1257](∅→∅)

.decrypt(&identity.name)?;

[18.1222]

[18.1257]

.decrypt(&identity.name, use_keyring)?;
replacement in pijul-identity/src/repair.rs at line 42

[6.3347]→[19.338:399](∅→∅)

pub async fn fix_identities() -> Result<(), anyhow::Error> {

[6.3347]

[6.3509]

pub async fn fix_identities(use_keyring: bool) -> Result<(), anyhow::Error> {
replacement in pijul-identity/src/repair.rs at line 53

[6.3880]→[8.365:426](∅→∅)

let extraction_result = Complete::from_old_format();

[6.3880]

[6.3945]

let extraction_result = Complete::from_old_format(use_keyring);
replacement in pijul-identity/src/repair.rs at line 63

[6.4220]→[19.400:458](∅→∅)

old_identity.clone().create(true).await?;

[6.4220]

[6.4888]

old_identity.clone().create(true, use_keyring).await?;
replacement in pijul-identity/src/repair.rs at line 89

[6.6256]→[19.459:525](∅→∅)

Complete::default()?.create(true).await?;

[6.6256]

[6.6333]

Complete::default()?.create(true, use_keyring).await?;
replacement in pijul-identity/src/repair.rs at line 101

[6.6618]→[6.6618:6650](∅→∅)

identity.valid_keys()?;

[6.6618]

[6.6650]

identity.valid_keys(use_keyring)?;
replacement in pijul-identity/src/repair.rs at line 109

[6.6735]→[6.6735:6793](∅→∅)

fn valid_keys(&self) -> Result<bool, anyhow::Error> {

[6.6735]

[8.520]

fn valid_keys(&self, use_keyring: bool) -> Result<bool, anyhow::Error> {
replacement in pijul-identity/src/repair.rs at line 111

[8.563]→[8.563:629](∅→∅)

let decryped_public_key = self.decrypt()?.0.public_key();

[8.563]

[6.7160]

let decryped_public_key = self.decrypt(use_keyring)?.0.public_key();
replacement in pijul-identity/src/repair.rs at line 173

[6.9995]→[8.1053:1116](∅→∅)

fn from_old_format() -> Result<Self, IdentityParseError> {

[6.9995]

[6.10086]

fn from_old_format(use_keyring: bool) -> Result<Self, IdentityParseError> {
replacement in pijul-identity/src/repair.rs at line 295

[6.15446]→[6.15446:15482](∅→∅)

if identity.valid_keys()? {

[6.15446]

[6.15482]

if identity.valid_keys(use_keyring)? {
replacement in pijul-identity/src/load.rs at line 68

[6.24577]→[19.526:597](∅→∅)

pub async fn choose_identity_name() -> Result<String, anyhow::Error> {

[6.24577]

[6.24663]

pub async fn choose_identity_name(use_keyring: bool) -> Result<String, anyhow::Error> {
replacement in pijul-identity/src/load.rs at line 75

[6.24848]→[19.598:631](∅→∅)

fix_identities().await?;

[6.24848]

[6.24890]

fix_identities(use_keyring).await?;
replacement in pijul-identity/src/lib.rs at line 114

[8.3255]→[8.3255:3348](∅→∅)

pub fn decrypt(&mut self, name: &str) -> Result<(SKey, Option<String>), anyhow::Error> {

[8.3255]

[8.3348]

pub fn decrypt(
&mut self,
name: &str,
use_keyring: bool,
) -> Result<(SKey, Option<String>), anyhow::Error> {
replacement in pijul-identity/src/lib.rs at line 136

[8.4106]→[14.683:797](∅→∅),[14.797]→[21.2:2](∅→∅),[21.2]→[8.4192:4237](∅→∅),[15.140]→[8.4192:4237](∅→∅),[12.382]→[8.4192:4237](∅→∅),[14.797]→[8.4192:4237](∅→∅),[8.4192]→[8.4192:4237](∅→∅)

if let Ok(password) = keyring::Entry::new("pijul", name).and_then(|x| x.get_password())
{

password_attempt = password;

[8.4106]

[8.4237]

if use_keyring {
if let Ok(password) =
keyring::Entry::new("pijul", name).and_then(|x| x.get_password())
{
password_attempt = password;
}
replacement in pijul-identity/src/lib.rs at line 261

[8.6972]→[8.6972:7111](∅→∅)

pub fn decrypt(&self) -> Result<(SKey, Option<String>), anyhow::Error> {
self.credentials.clone().unwrap().decrypt(&self.name)

[8.6972]

[8.7111]

pub fn decrypt(&self, use_keyring: bool) -> Result<(SKey, Option<String>), anyhow::Error> {
self.credentials
.clone()
.unwrap()
.decrypt(&self.name, use_keyring)
replacement in pijul-identity/src/lib.rs at line 268

[8.7118]→[8.7118:7232](∅→∅)

fn change_password(&mut self) -> Result<(), anyhow::Error> {
let (decryped_key, _) = self.decrypt()?;

[8.7118]

[8.7232]

fn change_password(&mut self, use_keyring: bool) -> Result<(), anyhow::Error> {
let (decryped_key, _) = self.decrypt(use_keyring)?;
edit in pijul-identity/src/create.rs at line 23

[8.8961]

[8.8961]

use_keyring: bool,
replacement in pijul-identity/src/create.rs at line 96

[8.10379]→[8.10379:10424](∅→∅)

new_identity.change_password()?;

[8.10379]

[8.10424]

new_identity.change_password(use_keyring)?;
replacement in pijul-identity/src/create.rs at line 269

[6.38529]→[19.632:713](∅→∅)

pub async fn create(&self, link_remote: bool) -> Result<(), anyhow::Error> {

[6.38529]

[8.14019]

pub async fn create(&self, link_remote: bool, use_keyring: bool) -> Result<(), anyhow::Error> {
replacement in pijul-identity/src/create.rs at line 271

[8.14076]→[19.714:794](∅→∅)

let confirmed_identity = self.prompt_changes(None, link_remote).await?;

[8.14076]

[10.1007]

let confirmed_identity = self.prompt_changes(None, link_remote, use_keyring).await?;
edit in pijul/src/commands/tag.rs at line 43

[23.1255]

[3.1154]

#[clap(long = "no-keyring")]
no_keyring: bool,
edit in pijul/src/commands/tag.rs at line 87

[3.1813]

[4.72]

no_keyring,
replacement in pijul/src/commands/tag.rs at line 114

[3.2976]→[7.59:142](∅→∅)

let header = header(author.as_deref(), message, timestamp).await?;

[3.2976]

[24.1031]

let header = header(author.as_deref(), message, timestamp, !no_keyring).await?;
edit in pijul/src/commands/tag.rs at line 241

[23.1290]

[3.4707]

use_keyring: bool,
replacement in pijul/src/commands/tag.rs at line 249

[16.788]→[20.157:250](∅→∅)

let k = pijul_identity::public_key(&pijul_identity::choose_identity_name().await?)?;

[16.788]

[7.329]

let k =
pijul_identity::public_key(&pijul_identity::choose_identity_name(use_keyring).await?)?;
edit in pijul/src/commands/record.rs at line 60

[25.117]

[2.102757]

/// Use Histogram diff algorithm instead of the default
#[clap(long = "no-keyring")]
pub no_keyring: bool,
replacement in pijul/src/commands/record.rs at line 143

[21.52]→[21.52:168](∅→∅)

let complete =
pijul_identity::Complete::load(&pijul_identity::choose_identity_name().await?)?;

[21.52]

[21.168]

let complete = pijul_identity::Complete::load(
&pijul_identity::choose_identity_name(!self.no_keyring).await?,
)?;
replacement in pijul/src/commands/record.rs at line 147

[21.169]→[21.169:216](∅→∅)

let (secret, _) = complete.decrypt()?;

[21.169]

[5.1910]

let (secret, _) = complete.decrypt(!self.no_keyring)?;
replacement in pijul/src/commands/record.rs at line 219

[21.387]→[21.387:462](∅→∅)

.unwrap_or(pijul_identity::choose_identity_name().await?);

[21.387]

[21.462]

.unwrap_or(pijul_identity::choose_identity_name(!self.no_keyring).await?);
edit in pijul/src/commands/identity.rs at line 105

[6.44190]

[6.44190]

/// Disable the use of the system keyring.
#[clap(long = "no-keyring")]
pub no_keyring: bool,
edit in pijul/src/commands/identity.rs at line 152

[6.45960]

[6.45960]

/// Disable the use of the system keyring.
#[clap(long = "no-keyring")]
pub no_keyring: bool,
replacement in pijul/src/commands/identity.rs at line 163

[6.46167]→[19.1067:1079](∅→∅)

Repair,

[6.46167]

[6.46295]

Repair { no_keyring: bool },
edit in pijul/src/commands/identity.rs at line 171

[13.4441]

[6.46577]

/// Disable the use of the system keyring
no_keyring: bool,
edit in pijul/src/commands/identity.rs at line 187

[6.46997]

[6.46997]

/// Disable the use of the system keyring.
#[clap(long = "no-keyring")]
no_keyring: bool,
replacement in pijul/src/commands/identity.rs at line 264

[6.49307]→[19.1080:1138](∅→∅)

identity.create(!options.no_link).await?;

[6.49307]

[18.1971]

identity
.create(!options.no_link, !options.no_keyring)
.await?;
replacement in pijul/src/commands/identity.rs at line 268

[18.1972]→[18.1972:2063](∅→∅)

if let Err(_) = remote::prove(&identity, None, self.no_cert_check).await {

[18.1972]

[22.4055]

if let Err(_) =
remote::prove(&identity, None, self.no_cert_check, !options.no_keyring).await
{
replacement in pijul/src/commands/identity.rs at line 279

[6.49398]→[19.1139:1198](∅→∅)

SubCommand::Repair => fix_identities().await?,

[6.49398]

[6.49480]

SubCommand::Repair { no_keyring } => fix_identities(!no_keyring).await?,
edit in pijul/src/commands/identity.rs at line 283

[13.4466]

[6.49570]

no_keyring,
replacement in pijul/src/commands/identity.rs at line 285

[6.49589]→[19.1199:1292](∅→∅)

let identity_name = &identity_name.unwrap_or(choose_identity_name().await?);

[6.49589]

[18.2656]

let identity_name =
&identity_name.unwrap_or(choose_identity_name(!no_keyring).await?);
replacement in pijul/src/commands/identity.rs at line 288

[18.2726]→[18.2726:2821](∅→∅)

remote::prove(&loaded_identity, server.as_deref(), self.no_cert_check).await?;

[18.2726]

[6.49763]

remote::prove(
&loaded_identity,
server.as_deref(),
self.no_cert_check,
!no_keyring,
)
.await?;
replacement in pijul/src/commands/identity.rs at line 409

[6.54509]→[19.1293:1343](∅→∅)

choose_identity_name().await?

[6.54509]

[6.54576]

choose_identity_name(!options.no_keyring).await?
replacement in pijul/src/commands/identity.rs at line 429

[9.1054]→[17.2866:2957](∅→∅)

.prompt_changes(Some(old_identity.name.clone()), !options.no_link)

[9.1054]

[9.1138]

.prompt_changes(
Some(old_identity.name.clone()),
!options.no_link,
!options.no_keyring,
)
replacement in pijul/src/commands/identity.rs at line 446

[18.3260]→[18.3260:3393](∅→∅)

let prove_result =
remote::prove(&new_identity, None, self.no_cert_check).await;

[18.3260]

[18.3393]

let prove_result = remote::prove(
&new_identity,
None,
self.no_cert_check,
!options.no_keyring,
)
.await;
edit in pijul/src/commands/identity.rs at line 470

[6.55847]

[6.55847]

no_keyring,
replacement in pijul/src/commands/identity.rs at line 478

[11.176]→[19.1344:1469](∅→∅)

let identity =
Complete::load(&identity_name.unwrap_or(choose_identity_name().await?))?;

[11.176]

[6.56019]

let identity = Complete::load(
&identity_name.unwrap_or(choose_identity_name(!no_keyring).await?),
)?;