GNOME Keyring is a system to store passwords and other sensitive data in a
standardized way across all GNOME applications.

A keyring stores a collection of encrypted passwords and encrypted information
about those passwords. A user can have multiple keyrings, each for a different
use, but there is a "default" one. There is also a special "session" keyring
which is not stored on disk and goes away when you log out.

When a user logs into GNOME, the keyrings are locked and a master keyring
password has to be provided in order to unlock each of them. A keyring can be
configured to be locked automatically after a period of inactivity (This isn't
actually implemented yet but is coming soon)

The data inside a keyring is stored in "items". An item can be of these types:

	GNOME_KEYRING_ITEM_GENERIC_SECRET
	GNOME_KEYRING_ITEM_NETWORK_PASSWORD
	GNOME_KEYRING_ITEM_NOTE

Notice that we might extend the set of types as necessary.

Each item has a name, such as "university proxy password" or "example.org SSH
private key password", a secret, and an unlimited list of attributes. Each
attribute consists of a name-value pair that is intended to serve as a hint for
the applications (e.g., "user=fer", or "server=example.org"). This enables
applications to find the relevant item in the keyring. All strings are UTF-8.
Attributes can be integers or strings.


Storing a password in a keyring
-------------------------------

Applications should provide the user an opportunity to select the keyring in
which to store the password. The default keyring can be obtained by calling

	gnome_keyring_get_default_keyring

while a list of all available keyrings can be obtained by calling the

	gnome_keyring_list_keyring_names

function. Passing NULL for keyring parameter in any gnome-keyring function
will use the default one.

The example code below demonstrates how to add the new password (and associated
data) into the selected keyring:


	GnomeKeyringAttributeList *attributes;
	GnomeKeyringAttribute attribute;

	attributes = gnome_keyring_attribute_list_new ();

	attribute.name = g_strdup ("user");
	attribute.type = GNOME_KEYRING_ATTRIBUTE_TYPE_STRING;
	attribute.value.string = g_strdup ("gnomer");
	g_array_append_val (attributes, attribute);

	attribute.name = g_strdup ("server");
	attribute.type = GNOME_KEYRING_ATTRIBUTE_TYPE_STRING;
	attribute.value.string = g_strdup ("master.gnome.org");
	g_array_append_val (attributes, attribute);

	attribute.name = g_strdup ("protocol");
	attribute.type = GNOME_KEYRING_ATTRIBUTE_TYPE_STRING;
	attribute.value.string = g_strdup ("ssh");
	g_array_append_val (attributes, attribute);

	gnome_keyring_item_create (NULL, /* Use default keyring */
				   GNOME_KEYRING_ITEM_NETWORK_PASSWORD, /* type */
				   "master.gnome.org SSH password", /* name */
				   attributes, /* attribute list */
				   "mypassword", /* password */
				   TRUE, /* Update if already exists */
				   create_item_cb, NULL, NULL);
	gnome_keyring_attribute_list_free (attributes);


In most cases, applications must use standard attributes. There is a convenience
function in gnome-keyring to aid in setting these attributes:

	gnome_keyring_set_network_password (NULL /* default keyring */,
					    "gnomer" /* user */
					    NULL, /* domain */
					    "master.gnome.org", /* server */
					    NULL, /* object */
					    "ssh", /* protocol */
					    NULL, /* authtype */
					    0, /* port, default */
					    "mypassword", /* password */
					    set_network_cb, NULL, NULL);


Retrieving a password in a keyring
----------------------------------

Typically, applications will search for a password that matches certain
criteria. This is done by providing a list of specific attributes to the

	gnome_keyring_find_items

function. In the common case that an application is searching for a network
password, however, there is a convenience function that can be used instead:


	gnome_keyring_find_network_password_sync ("gnomer", /* user */
						  NULL, /* domain */
						  "master.gnome.org", /* server */
						  NULL, /* object */
						  "ssh", /* protocol */
						  NULL, /* authtype */
						  0, /* port */
						  &list);


In this example, list is a GList containing GnomeKeyringNetworkPasswordData
entries.

The search is performed by the GNOME Keyring daemon, which looks through the
passwords on every keyring. The daemon gathers a list of all of the items
(passwords) that match the specified criteria. The returned list can contain
several matches, for instance {server=foo, user=bar} and {server=foo}. The
daemon always orders these such that the ones that match the least of the
query are returned first.

This is so that you can for instance have two passwords on the same
machine, but say on different ports, and one is the default port (not
set). Then just querying for the server will give you the one without
the additional port.

For each item, it then asks the user whether to allow the application that
requested the item to receive it. Only the items allowed by the user are
given to the application.

Note that multiple ways of approving key usage are provided to the user, such
as "Deny", "Allow this time", "Allow always".


Some notes about gnome-keyring API
----------------------------------

Most GNOME Keyring functions are asynchronous. Because of this, callback
functions should be provided that will be executed when the required operation
has finished. For those that prefer synchronous operation, there are
synchronous variants of common gnome-keyring functions:

	gnome_keyring_find_items_sync
	gnome_keyring_find_itemsv_sync
	gnome_keyring_item_create_sync
	gnome_keyring_find_network_password_sync
	gnome_keyring_set_network_password_sync