
Bump keyring from 2.3.0 to 3.6.1 #47

Open: wants to merge 1 commit into base: master

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Nov 5, 2024

Bumps keyring from 2.3.0 to 3.6.1.

Release notes

Sourced from keyring's releases.

v3.6.1: Update dependencies

Two of the dependencies (openssl and whoami) were discovered to have vulnerabilities which were fixed in minor or patch releases. This crate has been updated to insist that the minor/patch release number of these dependencies is high enough to ensure use of a patched version.

There is no reason to think that the vulnerabilities in these dependencies could have been exercised through this crate. In addition, builds of clients done after the dependencies were patched would have already picked up the non-vulnerable versions. So this change is simply to ensure that future builds cannot use the vulnerable versions.

There are no code changes in this release.

v3.6.0: Add new combination keystore

This release contains a new credential store for Linux: a combination of keyutils (for use by headless processes) and secret service (for persistence of credentials beyond reboot). Thanks very much to @​soywod for the contribution!

v3.5.0: Add debug logging of internal operations

  • Add debug logging of internal operations (thanks to @soywod).
  • Revert iOS security-framework dependency to v2 (see #225).

v3.4.0: allow simultaneous use of secret-service and keyutils

As pointed out in #214, it is possible to use both the secret-service and the keyutils credential stores at the same time, so this should be an allowed combination of specified features. This release allows that combination, selecting the secret-service as the default keystore but also loading the keyutils keystore.

v3.3.0: Support additional credential store attributes

  • Add support for credential-store attributes other than those used by this crate. This allows the creation of credentials that are more compatible with 3rd-party clients, such as the OS-provided GUIs over credentials. Fixes #208.
  • Make the textual descriptions of entries consistently follow the form user@service (or user@service:target if a target was specified).

v3.2.1: Re-enable access to v1 credentials

The v3.2.0 release, which fixed #204, had an unfortunate side effect: it broke compatibility with credentials that were originally written by a v1.x release (see #207). This bug-fix release restores that compatibility.

With this change, the CLI changes in v3.2.0 have been reverted, because they are no longer necessary.

v3.2.0: Improve secret-service handling of targets

As reported in #201 and now fixed in #204, the secret-service credential store implementation could not disambiguate credentials that were created with different targets unless the collections containing those targets had already been unlocked.

The fix for this issue introduces a compatibility break: secret-service credentials created by the keyring v1 implementation, which were readable using platform-independent code in keyring v2, are no longer readable without using platform-specific code in v3. The necessary platform-specific code is very simple, and it has been added to the CLI (both for documentation purposes and to allow the CLI to access v1 credentials). The comments in issue #204 explain why the decision was made to add this secret-service-specific compatibility break; these include the fact that keyring v2 was released 18 months ago so only those users who haven't changed their password in a very long time would still have a v1 credential in their secret-service store.

The README has been updated to address this compatibility break and to provide recommendations for keyring clients who want to update their code to make sure users with old credentials are not impacted.

v3.1.0: enhance the CLI

As reported in #201, the CLI had a couple of problems:

  • It didn't allow empty user names, even on platforms where that's supported.
  • Its debugging output on Ambiguous errors provided no information about the underlying platform credentials.

The first issue was just a bug, now fixed.

The second issue stemmed from the fact that platform-independent code couldn't get at the details of the underlying platform-specific credentials. To fix this, the CredentialAPI had to be extended to provide access to the underlying platform credential's implementation of the std::fmt::Debug trait, and each of the keyring credential stores extended to implement the new API.

To make this API extension backward-compatible, a default implementation was provided that did what the former code did: it revealed nothing. But that allows this release to be a SemVer-compatible dot release, rather than a major release.

v3.0.5: update docs and clean up dead code

As reported in #132, using the secret-service asynchronously via the keyring wrapper can lead to deadlocks. The docs have been updated to make this clear, and a recommendation has been added to use the sync-secret-service feature so as to avoid any issues related to async runtimes, even if the calling app may already be asynchronous.

While this fix was being made, it was discovered that new clippy lints in Rust 1.80 had been added. These lints revealed some dead code related to windows testing, and some documentation that was "legal" per the markdown spec but slightly ambiguous in intent. Both of these other issues were also fixed.

... (truncated)

Changelog

Sourced from keyring's changelog.

Version 3.6.0

  • Add combination keystore of keyutils and secret service (thanks to @soywod).

Version 3.5.0

  • Add debug logging of internal operations (thanks to @soywod).
  • Revert iOS security-framework dependency to v2 (see #225).

Version 3.4.0

  • Allow use of both secret-service and keyutils.

Version 3.3.0

  • Add support for credential-store attributes other than those used by this crate. This allows the creation of credentials that are more compatible with 3rd-party clients, such as the OS-provided GUIs over credentials.
  • Make the textual descriptions of entries consistently follow the form user@service (or user@service:target if a target was specified).

Version 3.2.1

  • Re-enable access to v1 credentials. The fixes of version 3.2 meant that legacy credentials with no target attribute couldn't be accessed.

Version 3.2.0

  • Improve secret-service handling of targets, so that searches on locked items distinguish items with different targets properly.

Version 3.1.0

  • enhance the CLI to allow empty user names and better info about Ambiguous credentials.

Version 3.0.5

  • Updated docs and cleaned up dead code. No code changes.

Version 3.0.4

  • expose a cross-platform module alias via the default module.

Version 3.0.3

  • fix feature linux-native, which was causing compile errors.

Version 3.0.2

  • add missing implementations for iOS set_secret and get_secret

Version 3.0.1

  • add back missing Sync trait on errors.

Version 3.0.0

  • add dbus-secret-service dependency to allow use on *n*x without an async runtime
  • (API change) rework feature controls on included keystores: now there is a feature for each keystore, and that keystore is included in a build if and only if its feature is specified and the keystore is supported by the target OS.
  • (API change) add direct support for setting and reading binary secret data, not just UTF-8 strings.

Version 2.0.1

  • fix the example in the README.

Version 2.0

  • (API change) Allow creation of entries to fail.
  • (API change) Introduce an ambiguous error on credential lookup.
  • (API change) Make the Error enum non-exhaustive.

... (truncated)

Commits
  • 779dfe0 Merge pull request #230 from brotskydotcom/master
  • 2e646c8 Bump version and update dependencies.
  • eb54c80 Merge pull request #229 from brotskydotcom/master
  • f18c311 Bump version and update changelog.
  • 2e2e915 Merge pull request #222 from soywod/secret-service-with-keyutils
  • f59afd5 Updated docs for new keystore.
  • 658174e Fix new clippy warning.
  • 16236b8 Merge remote-tracking branch 'upstream/master' into secret-service-with-keyutils
  • 6df3d93 init doc + unit tests
  • 9a4184c Merge pull request #226 from brotskydotcom/release-3.5
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
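The v3.0.0 changelog entry above says that in keyring 3.x a keystore is compiled in only if its feature is enabled, and the v3.0.5 notes recommend the sync-secret-service feature on Linux. As an added illustration, not code from this PR or from the keyring project, here is the Cargo.toml dependency line before and after the bump; the feature names apple-native and windows-native are assumed from the crate's documentation, while sync-secret-service and linux-native are the ones named in the notes above:

```toml
[dependencies]
# Before this PR (keyring 2.x): platform keystores were selected for you.
# keyring = "2.3.0"

# After this PR (keyring 3.x): per the v3.0.0 changelog entry, a keystore is
# included in the build only when its feature is specified and the target OS
# supports it. A bare `keyring = "3.6.1"` therefore compiles without any of the
# platform keystores listed here; enable one feature per OS you ship to.
# Feature names other than sync-secret-service and linux-native are assumptions
# taken from the crate's documentation, not from this page.
keyring = { version = "3.6.1", features = [
    "apple-native",         # macOS / iOS keychain
    "windows-native",       # Windows credential manager
    "sync-secret-service",  # Linux secret service without an async runtime (v3.0.5 note)
] }
```

Because the v3.6.1 notes describe the fix as a raised minimum on the openssl and whoami dependencies rather than a code change, confirm after merging that the resolved versions of those two crates in Cargo.lock actually moved.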

Bumps [keyring](https://github.com/hwchen/keyring-rs) from 2.3.0 to 3.6.1.
- [Release notes](https://github.com/hwchen/keyring-rs/releases)
- [Changelog](https://github.com/hwchen/keyring-rs/blob/master/CHANGELOG.md)
- [Commits](hwchen/keyring-rs@v2.3.0...v3.6.1)

---
updated-dependencies:
- dependency-name: keyring
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 5, 2024