Changelogs » Keyring

PyUp Safety actively tracks 263,166 Python packages for vulnerabilities and notifies you when to upgrade.



  * 431: KWallet backend now supports ``get_credential``.


  * 445: Suppress errors when ``sys.argv`` is not
  a list of at least one element.


  * 440: Keyring now honors XDG_CONFIG_HOME as
  * 452: SecretService ``get_credential`` now returns
  ``None`` for unmatched query.


  * 426: Restored lenience on startup when entry point
  metadata is missing.
  * 423: Avoid RecursionError when initializing backends
  when a limit is supplied.


  * 372: Chainer now deterministically resolves at a lower
  priority than the Fail keyring (when there are no backends
  to chain).
  * 372: Fail keyring now raises a ``NoKeyringError`` for
  easier selectability.
  * 405: Keyring now logs at DEBUG rather than INFO during
  backend startup.


  * Refreshed package metadata.


  * 380: In SecretService backend, close connections after
  using them.


  * Require Python 3.6 or later.


  * 417: Fix TypeError when backend fails to initialize.


  * Extracted ``keyring.testing`` package to contain supporting
  functionality for plugin backends. ``keyring.tests`` has been
  removed from the package.


  * Switch to `importlib.metadata
  for loading entry points. Removes one dependency on Python 3.8.
  * Added new ``KeyringBackend.set_properties_from_env``.
  * 382: Add support for alternate persistence scopes for Windows
  backend. Set ``.persist`` to "local machine" or "session"
  to enable the alternate scopes or "enterprise" to use the
  default scope.
  * 404: Improve import times when a backend is specifically
  configured by lazily calling ``get_all_keyring``.


  * Add support for get_credential() with the SecretService backend.


  * 369: macOS Keyring now honors a ``KEYCHAIN_PATH``
  environment variable. If set, Keyring will use that
  keychain instead of the default.


  * Refresh package skeleton.
  * Adopt `black <>`_ code style.


  * Merge with 18.0.1.


  * 383: Drop support for EOL Python 2.7 - 3.4.


  * 386: ExceptionInfo no longer retains a reference to the


  * 375: On macOS, the backend now raises a ``KeyringLocked``
  when access to the keyring is denied (on get or set) instead
  of ``PasswordSetError`` or ``KeyringError``. Any API users
  may need to account for this change, probably by catching
  the parent ``KeyringError``.
  Additionally, the error message from the underying error is
  now included in any errors that occur.


  * 368: Update packaging technique to avoid 0.0.0 releases.


  * 366: When calling ``keyring.core.init_backend``, if any
  limit function is supplied, it is saved and later honored by
  the ``ChainerBackend`` as well.


  * 345: Remove application attribute from stored passwords
  using SecretService, addressing regression introduced in
  10.5.0 (292). Impacted Linux keyrings will once again
  prompt for a password for "Python program".


  * 362: Fix error on import due to circular imports
  on Python 3.4.


  * Refactor ChainerBackend, introduced in 16.0 to function
  as any other backend, activating when relevant.


  * 319: In Windows backend, trap all exceptions when
  attempting to import pywin32.


  * 357: Once again allow all positive, non-zero priority
  keyrings to participate.


  * 323: Fix race condition in delete_password on Windows.
  * 352: All suitable backends (priority 1 and greater) are
  allowed to participate.


  * 350: Added new API for ``get_credentials``, for backends
  that can resolve both a username and password for a service.


  * 340: Add the Null keyring, disabled by default.
  * 340: Added ``--disable`` option to command-line
  * 340: Now honor a ``PYTHON_KEYRING_BACKEND``
  environment variable to select a backend. Environments
  may set to ``keyring.backends.null.Keyring`` to disable


  Removed deprecated ``keyring.util.escape`` module.
  Fixed warning about using deprecated Abstract Base Classes
  from collections module.


  Removed ``getpassbackend`` module and alias in
  ``keyring.get_pass_get_password``. Instead, just use::
  keyring.get_password(getpass.getuser(), 'Python')


  * 335: Fix regression in command line client.


  * Keyring command-line interface now reads the password
  directly from stdin if stdin is connected to a pipe.


  * 329: Improve output of ``keyring --list-backends``.


  * 327: In kwallet backend, if the collection or item is
  locked, a ``KeyringLocked`` exception is raised. Clients
  expecting a None response from ``get_password`` under
  this condition will need to catch this exception.
  Additionally, an ``InitError`` is now raised if the
  connection cannot be established to the DBus.
  * 298: In kwallet backend, when checking an existing
  handle, verify that it is still valid or create a new


  * Fixed issue in SecretService. Ref 226.


  * 322: Fix AttributeError when ``escape.__builtins__``
  is a dict.
  * Deprecated ``keyring.util.escape`` module. If you use
  this module or encounter the warning (on the latest
  release of your packages), please `file a ticket


  * Unpin SecretStorage on Python 3.5+. Requires that
  Setuptools 17.1 be used. Note that the special
  handling will be unnecessary once Pip 9 can be
  assumed (as it will exclude SecretStorage 3 in
  non-viable environments).


  * Pin SecretStorage to 2.x.


  * 314: No changes except to rebuild.


  * 310: Keyring now loads all backends through entry
  For most users, this release will be fully compatible. Some
  users may experience compatibility issues if entrypoints is
  not installed (as declared) or the metadata on which entrypoints
  relies is unavailable. For that reason, the package is released
  with a major version bump.


  * 312: Use ``entrypoints`` instead of pkg_resources to
  avoid performance hit loading pkg_resources. Adds
  a dependency on ``entrypoints``.


  * 294: No longer expose ``keyring.__version__`` (added
  in 8.1) to avoid performance hit loading pkg_resources.


  * 299: Keyring exceptions are now derived from a base


  * 296: Prevent AttributeError on import when Debian has
  created broken dbus installs.


  * 287: Added ``--list-backends`` option to
  command-line interface.
  * Removed ``logger`` from ``keyring``. See 291 for related
  * 292: Set the appid for SecretService & KWallet to
  something meaningful.


  * 279: In Kwallet, pass mainloop to SessionBus.
  * 278: Unpin pywin32-ctypes, but blacklist known
  incompatible versions.


  * 278: Pin to pywin32-ctypes 0.0.1 to avoid apparent
  breakage introduced in 0.1.0.


  * 267: More leniently unescape lowercased characters as
  they get re-cased by ConfigParser.


  * 266: Use private compatibity model rather than six to
  avoid the dependency.


  * 264: Implement devpi hook for supplying a password when
  logging in with `devpi <>`_
  * 260: For macOS, added initial API support for internet


  * 259: Allow to set a custom application attribute for
  SecretService backend.


  * 253: Backends now expose a '.name' attribute suitable
  for identifying each backend to users.


  * 247: Restored console script.


  * Update readme to reflect test recommendations.


  * Drop support for Python 3.2.
  * Test suite now uses tox instead of pytest-runner.
  Test requirements are now defined in tests/requirements.txt.


  * Link to the new Gitter chat room is now in the
  * Issue 235: ``kwallet`` backend now returns
  string objects instead of ``dbus.String`` objects,
  for less surprising reprs.
  * Minor doc fixes.


  * Issue 161: In SecretService backend, unlock
  individual entries.


  * Issue 230: Don't rely on dbus-python and instead
  defer to SecretStorage to describe the installation


  * Issue 231 via 233: On Linux, ``secretstorage``
  is now a declared dependency, allowing recommended
  keyring to work simply after installation.


  * Issue 83 via 229: ``kwallet`` backend now stores
  the service name as a folder name in the backend rather
  than storing all passwords in a Python folder.


  * Issue 217: Once again, the OS X backend uses the
  Framework API for invoking the Keychain service.
  As a result, applications utilizing this API will be
  authorized per application, rather than relying on the
  authorization of the 'security' application. Consequently,
  users will be prompted to authorize the system Python
  executable and also new Python executables, such as
  those created by virtualenv.
  260: No longer does the keyring honor the ``store``
  attribute on the keyring. Only application passwords
  are accessible.


  * Changelog now links to issues and provides dates of


  * Issue 217: Add warning in OS Keyring when 'store'
  is set to 'internet' to determine if this feature is
  used in the wild.


  * Pull Request 216: Kwallet backend now has lower
  priority than the preferred SecretService backend,
  now that the desktop check is no longer in place.


  * Issue 168: Now prefer KF5 Kwallet to KF4. Users relying
  on KF4 must use prior releases.


  * Pull Request 209: Better error message when no backend is
  available (indicating keyrings.alt as a quick workaround).
  * Pull Request 208: Fix pywin32-ctypes package name in


  * Issue 207: Library now requires win32ctypes on Windows
  systems, which will be installed automatically by
  Setuptools 0.7 or Pip 6 (or later).
  * Actually removed QtKwallet, which was meant to be dropped in
  8.0 but somehow remained.


  * Update readme to include how-to use with Linux
  non-graphical environments.


  * Issue 197: Add ``__version__`` attribute to keyring module.


  * Issue 117: Removed all but the preferred keyring backends
  for each of the major desktop platforms:
  - keyring.backends.kwallet.DBusKeyring
  - keyring.backends.OS_X.Keyring
  - keyring.backends.SecretService.Keyring
  - keyring.backends.Windows.WinVaultKeyring
  All other keyrings
  have been moved to a new package, `keyrings.alt
  <>`_ and
  backward-compatibility aliases removed.
  To retain
  availability of these less preferred keyrings, include
  that package in your installation (install both keyring
  and keyrings.alt).
  As these keyrings have moved, any keyrings indicated
  explicitly in configuration will need to be updated to
  replace "keyring.backends." with "keyrings.alt.". For
  example, "keyring.backends.file.PlaintextKeyring"
  becomes "keyrings.alt.file.PlaintextKeyring".


  * Issue 194: Redirect away from docs until they have something
  more than the changelog. Users seeking the changelog will
  want to follow the `direct link


  * Issue 117: Added support for filtering which
  backends are acceptable. To limit to only loading recommended
  keyrings (those with priority >= 1), call::


  * Pull Request 190: OS X backend now exposes a ``keychain``
  attribute, which if set will be used by ``get_password`` when
  retrieving passwords. Useful in environments such as when
  running under cron where the default keychain is not the same
  as the default keychain in a login session. Example usage::
  keyring.get_keyring().keychain = '/path/to/login.keychain'
  pw = keyring.get_password(...)


  * Issue 186: Removed preference for keyrings based on
  ``XDG_CURRENT_DESKTOP`` as these values are to varied
  to be a reliable indicator of which keyring implementation
  might be preferable.


  * Issue 187: Restore ``Keyring`` name in ``kwallet`` backend.
  Users of keyring 6.1 or later should prefer an explicit reference
  to DBusKeyring or QtKeyring instead.


  * Issue 183 and Issue 185: Gnome keyring no longer relies
  on environment variables, but instead relies on the GnomeKeyring
  library to determine viability.


  * Issue 99: Keyring now expects the config file to be located
  in the XDG_CONFIG_HOME rather than XDG_DATA_HOME and will
  fail to start if the config is found in the old location but not
  the new. On systems where the two locations are distinct,
  simply copy or symlink the config to remain compatible with
  older versions or move the file to work only with 7.0 and later.
  * Replaced Pull Request 182 with a conditional SessionBus
  construction, based on subsequent discussion.


  * Pull Request 182: Prevent DBus from indicating as a viable
  backend when no viable X DISPLAY variable is present.


  * Pull Request 174: Add DBus backend for KWallet, preferred to Qt
  backend. Theoretically, it should be auto-detected based on
  available libraries and interchangeable with the Qt backend.


  * Drop support for Python 2.6.


  * Updated project metadata to match Github hosting and
  generally refreshed the metadata structure to match
  practices with other projects.


  * Issue 177: Resolve default keyring name on Gnome using the API.
  * Issue 145: Add workaround for password exposure through
  process status for most passwords containing simple


  * Allow keyring to be invoked from command-line with
  ``python -m keyring``.


  * Issue 156: Fixed test failures in ``pyfs`` keyring related to
  0.5 release.


  * Pull Request 176: Use recommended mechanism for checking
  GnomeKeyring version.


  * Prefer setuptools_scm to hgtools.


  * Prefer hgtools to setuptools_scm due to `setuptools_scm 21


  * Prefer setuptools_scm to hgtools.


  * Host project at Github (`repo <>`_).


  * Version numbering is now derived from the code repository tags via `hgtools
  * Build and install now requires setuptools.


  * The entry point group must look like a module name, so the group is now


  * Added preliminary support for loading keyring backends through ``setuptools
  entry points``, specifically "keyring backends".


  * Removed ``keyring_path`` parameter from ``load_keyring``. See release notes
  for 3.0.3 for more details.
  * Issue 22: Removed support for loading the config from the current
  directory. The config file must now be located in the platform-specific
  config location.


  * Issue 22: Deprecated loading of config from current directory. Support for
  loading the config in this manner will be removed in a future version.
  * Issue 131: Keyring now will prefer `pywin32-ctypes
  <>`_ to pywin32 if available.


  * Gnome keyring no longer relies on the GNOME_KEYRING_CONTROL environment
  * Issue 140: Restore compatibility for older versions of PyWin32.


  * `Pull Request 1 (github) <>`_:
  Add support for packages that wish to bundle keyring by using relative
  imports throughout.


  * Issue 49: Give the backend priorities a 1.5 multiplier bump when an
  XDG_CURRENT_DESKTOP environment variable matches the keyring's target
  * Issue 99: Clarified documentation on location of config and data files.
  Prepared the code base to treat the two differently on Unix-based systems.
  For now, the behavior is unchanged.


  33: Rely on keyring.testing (keyring 20) for tests.


  * Extracted FileBacked and Encrypted base classes.
  * Add a pyinstaller hook to expose backend modules. Ref 124
  * Pull request 41: Use errno module instead of hardcoding error codes.
  * SecretService backend: correctly handle cases when user dismissed
  the collection creation or unlock prompt.


  In tests, pin keyring major version.


  * Pull request 40: KWallet backend will now honor the ``KDE_FULL_SESSION``
  environment variable as found on openSUSE.


  Drop support for Python 3.5 and earlier.


  * SecretService backend: use a different function to check that the
  backend is functional. The default collection may not exist, but
  the collection will remain usable in that case.
  Also, make the error message more verbose.


  * Issue 120: Invoke KeyringBackend.priority during load_keyring to ensure
  that any keyring loaded is actually viable (or raises an informative
  * File keyring:
  - Issue 123: fix removing items.
  - Correctly escape item name when removing.
  - Use with statement when working with files.
  * Add a test for removing one item in group.
  * Issue 81: Added experimental support for third-party backends. See
  `keyring.core._load_library_extensions` for information on supplying
  a third-party backend.


  In tests, rely on pycryptodome instead of pycrypto for improved
  In tests, rely on pytest instead of unittest.


  31: Trap AttributeError in Gnome backend as in some environments
  it seems that will happen.
  30: Fix issue where a backslash in the service name would cause
  errors on Registry backend on Windows.


  ``keyrings.alt`` no longer depends on the ``keyring.util.escape``


  * Issue 114: Fix logic in pyfs detection.


  * Issue 114: Fix detection of pyfs under Mercurial Demand Import.


  * Simplified the implementation of ``keyring.core.load_keyring``. It now uses
  ``__import__`` instead of loading modules explicitly. The ``keyring_path``
  parameter to ``load_keyring`` is now deprecated. Callers should instead
  ensure their module is available on ``sys.path`` before calling
  ``load_keyring``. Keyring still honors ``keyring-path``. This change fixes
  Issue 113 in which the explicit module loading of keyring modules was
  breaking package-relative imports.


  * Renamed ``keyring.util.platform`` to ``keyring.util.platform_``. As reported
  in Issue 112 and `mercurial_keyring 31
  <>`_ and in `Mercurial
  itself <>`_, Mercurial's Demand
  Import does not honor ``absolute_import`` directives, so it's not possible
  to have a module with the same name as another top-level module. A patch is
  in place to fix this issue upstream, but to support older Mercurial
  versions, this patch will remain for some time.


  * Ensure that modules are actually imported even in Mercurial's Demand Import


  ``keyrings`` namespace should now use the pkgutil native technique
  rather than relying on pkg_resources.


  24: File based backends now reject non-string types for passwords.


  21: Raise ValueError on blank username in plaintext
  keyring, unsupported in the storage format.


  17: Drop dependency on keyring.py27compat and use six
  16: Minor tweaks to file-based backends.


  * Restored Python 2.5 compatibility (lost in 2.0).


  Add persistent scheme and version tags for file based backends.
  Prepare for associated data handling in file based schemes.


  *  Issue 112: Backend viability/priority checks now are more aggressive about
  module presence checking, requesting ``__name__`` from imported modules to
  force the demand importer to actually attempt the import.


  *  Issue 111: Windows backend isn't viable on non-Windows platforms.


  *  Issue 110: Fix issues with ``Windows.RegistryKeyring``.


  12: Drop kwallet support, now superseded by the dual kwallet
  support in keyring.


  * Only include pytest-runner in 'setup requirements' when ptr invocation is
  indicated in the command-line (Issue 105).


  *  GNOME Keyring backend:
  - Use the same attributes (``username`` / ``service``) as the SecretService
  backend uses, allow searching for old ones for compatibility.
  - Also set ``application`` attribute.
  - Correctly handle all types of errors, not only ``CANCELLED`` and ``NO_MATCH``.
  - Avoid printing warnings to stderr when GnomeKeyring is not available.
  * Secret Service backend:
  - Use a better label for passwords, the same as GNOME Keyring backend uses.


  *  SecretService: allow deleting items created using previous python-keyring
  Before the switch to secretstorage, python-keyring didn't set "application"
  attribute. Now in addition to supporting searching for items without that
  attribute, python-keyring also supports deleting them.
  *  Use ``secretstorage.get_default_collection`` if it's available.
  On secretstorage 1.0 or later, python-keyring now tries to create the
  default collection if it doesn't exist, instead of just raising the error.
  *  Improvements for tests, including fix for Issue 102.


  * Switch GnomeKeyring backend to use native libgnome-keyring via
  GObject Introspection, not the obsolete python-gnomekeyring module.


  9: Moved base file backend functionality from 'keyrings.alt.file'
  to 'keyrings.alt.base_file'. This allows the 'Windows' module to
  no longer trigger a circular import with the 'file' module.


  * Fix for Encrypted File backend on Python 3.
  * Issue 97 Improved support for PyPy.


  * Fixed handling situations when user cancels kwallet dialog or denies access
  for the app.


  * Fix for kwallet delete.
  * Fix for OS X backend on Python 3.
  * Issue 84: Fix for Google backend on Python 3 (use of raw_input not caught
  by 2to3).


  Updated project skeleton. Tests now run under tox. Tagged
  commits are automatically released to PyPI.
  6: Added license file.


  * Issue 78: pyfilesystem backend now works on Windows.


  Test cleanup.
  Exclude tests during install.


  FileBacked backends now have a ``repr`` that includes the file path.


  Initial release based on Keyring 7.3.


  * Merged 0.9.3 to include fix for 75.

0.10 not secure

  * Add support for using `Keyczar <>`_ to encrypt
  keyrings. Keyczar is "an open source cryptographic toolkit designed to make
  it easier and safer for developers to use cryptography in their
  * Added support for storing keyrings on Google Docs or any other filesystem
  supported by pyfilesystem.
  * Fixed issue in Gnome Keyring when unicode is passed as the service name,
  username, or password.
  * Tweaked SecretService code to pass unicode to DBus, as unicode is the
  preferred format.
  * Issue 71 - Fixed logic in CryptedFileKeyring.
  * Unencrypted keyring file will be saved with user read/write (and not group
  or world read/write).

0.9.3 not secure

  * Ensure migration is run when get_password is called. Fixes 75. Thanks to
  Marc Deslauriers for reporting the bug and supplying the patch.

0.9.2 not secure

  * Keyring 0.9.1 introduced a whole different storage format for the
  CryptedFileKeyring, but this introduced some potential compatibility issues.
  This release incorporates the security updates but reverts to the INI file
  format for storage, only encrypting the passwords and leaving the service
  and usernames in plaintext. Subsequent releases may incorporate a new
  keyring to implement a whole-file encrypted version. Fixes 64.
  * The CryptedFileKeyring now requires simplejson for Python 2.5 clients.

0.9.1 not secure

  * Fix for issue where SecretServiceBackend.set_password would raise a
  UnicodeError on Python 3 or when a unicode password was provided on Python
  * CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
  password and a random hash. The IV is chosen randomly as well. All the
  stored passwords are encrypted at once. Any keyrings using the old format
  will be automatically converted to the new format (but will no longer be
  compatible with 0.9 and earlier). The user's password is no longer limited
  to 32 characters. PyCrypto 2.5 or greater is now required for this keyring.

0.9 not secure

  * Add support for GTK 3 and secret service D-Bus. Fixes 52.
  * Issue 60 - Use correct method for decoding.

0.8.1 not secure

  * Fix regression in keyring lib on Windows XP where the LOCALAPPDATA
  environment variable is not present.

0.8 not secure

  * Mac OS X keyring backend now uses subprocess calls to the `security`
  command instead of calling the API, which with the latest updates, no
  longer allows Python to invoke from a virtualenv. Fixes issue 13.
  * When using file-based storage, the keyring files are no longer stored
  in the user's home directory, but are instead stored in platform-friendly
  locations (`%localappdata%\Python Keyring` on Windows and according to
  the Base Dir Specification
  (`$XDG_DATA_HOME/python_keyring` or `$HOME/.local/share/python_keyring`)
  on other operating systems). This fixes 21.
  *Backward Compatibility Notice*
  Due to the new storage location for file-based keyrings, keyring 0.8
  supports backward compatibility by automatically moving the password
  files to the updated location. In general, users can upgrade to 0.8 and
  continue to operate normally. Any applications that customize the storage
  location or make assumptions about the storage location will need to take
  this change into consideration. Additionally, after upgrading to 0.8,
  it is not possible to downgrade to 0.7 without manually moving
  configuration files. In 1.0, the backward compatibility
  will be removed.

0.7.1 not secure

  * Removed non-ASCII characters from README and CHANGES docs (required by
  distutils if we're to include them in the long_description). Fixes 55.

0.7 not secure

  * Python 3 is now supported. All tests now pass under Python 3.2 on
  Windows and Linux (although Linux backend support is limited). Fixes 28.
  * Extension modules on Mac and Windows replaced by pure-Python ctypes
  implementations. Thanks to Jerome Laheurte.
  * WinVaultKeyring now supports multiple passwords for the same service. Fixes
  * Most of the tests don't require user interaction anymore.
  * Entries stored in Gnome Keyring appears now with a meaningful name if you try
  to browser your keyring (for ex. with Seahorse)
  * Tests from Gnome Keyring no longer pollute the user own keyring.
  * `keyring.util.escape` now accepts only unicode strings. Don't try to encode
  strings passed to it.

0.6.2 not secure

  * fix compiling on OSX with XCode 4.0


  * Gnome keyring should not be used if there is no DISPLAY or if the dbus is
  not around (
  * Added `keyring.http` for facilitating HTTP Auth using keyring.
  * Add a utility to access the keyring from the command line.

0.5.1 not secure

  * Remove a spurious KDE debug message when using KWallet
  * Fix a bug that caused an exception if the user canceled the KWallet dialog

0.5 not secure

  * Now using the existing Gnome and KDE python libs instead of custom C++
  * Using the getpass module instead of custom code

0.4 not secure

  * Fixed the setup script (some subdirs were not included in the release.)

0.3 not secure

  * Fixed keyring.core when the user doesn't have a cfg, or is not
  properly configured.
  * Fixed escaping issues for usernames with non-ascii characters

0.2 not secure

  * Add support for Python 2.4+
  * Fix the bug in KDE Kwallet extension compiling