Remove debian package dependencies (#1506)

vcheung-stripe · claude · web-flow · commit 739560f13ad8 · 2026-03-23T13:28:18.000-07:00
* Use secret service on Linux, file backend on WSL with deterministic password

On non-WSL Linux, prefer the Secret Service backend (gnome-keyring/KWallet)
with the file backend as a fallback. On WSL, use only the file backend with
a deterministic password derived from the machine ID via HMAC-SHA256, so the
user is never prompted for a password in a headless environment.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
Committed-By-Agent: claude

* Remove debian package dependencies on libsecret and gnome-keyring

The CLI no longer requires these system packages since WSL uses a
file-backed keyring and non-WSL Linux falls back to file if the secret
service is unavailable.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
Committed-By-Agent: claude

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.goreleaser/linux.yml b/.goreleaser/linux.yml
@@ -57,11 +57,6 @@ nfpms:
     license: Apache 2.0
     formats:
       - deb
-    dependencies:
-      - libsecret-1-0
-      - gnome-keyring
-      - libsecret-tools
-      - dbus-x11
   - id: rpm
     package_name: stripe
     vendor: Stripe
diff --git a/pkg/config/profile.go b/pkg/config/profile.go
@@ -1,6 +1,9 @@
 package config
 
 import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -11,7 +14,6 @@ import (
 
 	"github.com/99designs/keyring"
 	"github.com/spf13/viper"
-	"golang.org/x/term"
 
 	"github.com/stripe/stripe-cli/pkg/ansi"
 	"github.com/stripe/stripe-cli/pkg/validators"
@@ -59,23 +61,52 @@ const (
 // KeyRing ...
 var KeyRing keyring.Keyring
 
+func isWSLFromVersion(procVersion string) bool {
+	lower := strings.ToLower(procVersion)
+	return strings.Contains(lower, "microsoft") || strings.Contains(lower, "wsl")
+}
+
+func isWSL() bool {
+	data, err := os.ReadFile("/proc/version")
+	if err != nil {
+		return false
+	}
+	return isWSLFromVersion(string(data))
+}
+
+func wslFilePasswordFromPaths(machineIDPath, bootIDPath string) (string, error) {
+	machineID, err := os.ReadFile(machineIDPath)
+	if err != nil {
+		return "", fmt.Errorf("could not read %s: %w", machineIDPath, err)
+	}
+	bootID, err := os.ReadFile(bootIDPath)
+	if err != nil {
+		return "", fmt.Errorf("could not read %s: %w", bootIDPath, err)
+	}
+	const appKey = "stripe-cli-keyring-v1"
+	mac := hmac.New(sha256.New, []byte(appKey))
+	mac.Write([]byte(strings.TrimSpace(string(machineID))))
+	mac.Write([]byte(strings.TrimSpace(string(bootID))))
+	return hex.EncodeToString(mac.Sum(nil)), nil
+}
+
+func wslFilePassword(_ string) (string, error) {
+	return wslFilePasswordFromPaths("/etc/machine-id", "/proc/sys/kernel/random/boot_id")
+}
+
 func getKeyringConfig() keyring.Config {
 	c := keyring.Config{
 		KeychainTrustApplication: true,
 		ServiceName:              KeyManagementService,
 	}
 
 	if runtime.GOOS == "linux" {
-		c.AllowedBackends = []keyring.BackendType{keyring.FileBackend}
 		c.FileDir = getConfigFolder(os.Getenv("XDG_CONFIG_HOME"))
-		c.FilePasswordFunc = func(prompt string) (string, error) {
-			fmt.Fprintf(os.Stdout, "%s: ", prompt)
-			b, err := term.ReadPassword(int(os.Stdin.Fd()))
-			if err != nil {
-				return "", err
-			}
-			fmt.Println()
-			return string(b), nil
+		c.FilePasswordFunc = wslFilePassword
+		if isWSL() {
+			c.AllowedBackends = []keyring.BackendType{keyring.FileBackend}
+		} else {
+			c.AllowedBackends = []keyring.BackendType{keyring.SecretServiceBackend, keyring.FileBackend}
 		}
 	}
 
diff --git a/pkg/config/wsl_test.go b/pkg/config/wsl_test.go
@@ -0,0 +1,165 @@
+package config
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsWSLFromVersion(t *testing.T) {
+	tests := []struct {
+		name    string
+		content string
+		want    bool
+	}{
+		{
+			name:    "microsoft keyword",
+			content: "Linux version 5.15.0-microsoft-standard-WSL2",
+			want:    true,
+		},
+		{
+			name:    "Microsoft capitalised",
+			content: "Linux version 5.15.0-Microsoft-standard",
+			want:    true,
+		},
+		{
+			name:    "wsl keyword",
+			content: "Linux version 5.15.0 (wsl@build)",
+			want:    true,
+		},
+		{
+			name:    "WSL uppercase",
+			content: "Linux version 5.15.0 (WSL2)",
+			want:    true,
+		},
+		{
+			name:    "plain linux",
+			content: "Linux version 6.1.0-28-amd64 (debian-kernel@lists.debian.org)",
+			want:    false,
+		},
+		{
+			name:    "empty",
+			content: "",
+			want:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			require.Equal(t, tt.want, isWSLFromVersion(tt.content))
+		})
+	}
+}
+
+func TestIsWSL_UnreadableProcVersion(t *testing.T) {
+	// isWSL() returns false when /proc/version cannot be read; we can verify
+	// the helper directly covers that path via isWSLFromVersion with empty input.
+	require.False(t, isWSLFromVersion(""))
+}
+
+func wslExpectedPassword(t *testing.T, machineID, bootID string) string {
+	t.Helper()
+	const appKey = "stripe-cli-keyring-v1"
+	mac := hmac.New(sha256.New, []byte(appKey))
+	mac.Write([]byte(machineID))
+	mac.Write([]byte(bootID))
+	return hex.EncodeToString(mac.Sum(nil))
+}
+
+func TestWslFilePasswordFromPaths_BothFiles(t *testing.T) {
+	dir := t.TempDir()
+	machineIDPath := filepath.Join(dir, "machine-id")
+	bootIDPath := filepath.Join(dir, "boot_id")
+
+	require.NoError(t, os.WriteFile(machineIDPath, []byte("abc123\n"), 0600))
+	require.NoError(t, os.WriteFile(bootIDPath, []byte("def456\n"), 0600))
+
+	got, err := wslFilePasswordFromPaths(machineIDPath, bootIDPath)
+	require.NoError(t, err)
+	require.Equal(t, wslExpectedPassword(t, "abc123", "def456"), got)
+}
+
+func TestWslFilePasswordFromPaths_MachineIDMissing(t *testing.T) {
+	dir := t.TempDir()
+	machineIDPath := filepath.Join(dir, "machine-id") // does not exist
+	bootIDPath := filepath.Join(dir, "boot_id")
+
+	require.NoError(t, os.WriteFile(bootIDPath, []byte("def456\n"), 0600))
+
+	_, err := wslFilePasswordFromPaths(machineIDPath, bootIDPath)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), machineIDPath)
+}
+
+func TestWslFilePasswordFromPaths_BootIDMissing(t *testing.T) {
+	dir := t.TempDir()
+	machineIDPath := filepath.Join(dir, "machine-id")
+	bootIDPath := filepath.Join(dir, "boot_id") // does not exist
+
+	require.NoError(t, os.WriteFile(machineIDPath, []byte("abc123\n"), 0600))
+
+	_, err := wslFilePasswordFromPaths(machineIDPath, bootIDPath)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), bootIDPath)
+}
+
+func TestWslFilePasswordFromPaths_BothMissing(t *testing.T) {
+	dir := t.TempDir()
+	machineIDPath := filepath.Join(dir, "machine-id")
+	bootIDPath := filepath.Join(dir, "boot_id")
+
+	_, err := wslFilePasswordFromPaths(machineIDPath, bootIDPath)
+	require.Error(t, err)
+}
+
+func TestWslFilePasswordFromPaths_Deterministic(t *testing.T) {
+	dir := t.TempDir()
+	machineIDPath := filepath.Join(dir, "machine-id")
+	bootIDPath := filepath.Join(dir, "boot_id")
+
+	require.NoError(t, os.WriteFile(machineIDPath, []byte("stable-id\n"), 0600))
+	require.NoError(t, os.WriteFile(bootIDPath, []byte("stable-boot\n"), 0600))
+
+	first, err := wslFilePasswordFromPaths(machineIDPath, bootIDPath)
+	require.NoError(t, err)
+	second, err := wslFilePasswordFromPaths(machineIDPath, bootIDPath)
+	require.NoError(t, err)
+
+	require.Equal(t, first, second)
+}
+
+func TestWslFilePasswordFromPaths_DifferentIDsDifferentPasswords(t *testing.T) {
+	dir := t.TempDir()
+	bootIDPath := filepath.Join(dir, "boot_id")
+	require.NoError(t, os.WriteFile(bootIDPath, []byte("same-boot\n"), 0600))
+
+	pathA := filepath.Join(dir, "machine-id-a")
+	pathB := filepath.Join(dir, "machine-id-b")
+	require.NoError(t, os.WriteFile(pathA, []byte("id-aaa\n"), 0600))
+	require.NoError(t, os.WriteFile(pathB, []byte("id-bbb\n"), 0600))
+
+	pwA, err := wslFilePasswordFromPaths(pathA, bootIDPath)
+	require.NoError(t, err)
+	pwB, err := wslFilePasswordFromPaths(pathB, bootIDPath)
+	require.NoError(t, err)
+
+	require.NotEqual(t, pwA, pwB)
+}
+
+func TestWslFilePasswordFromPaths_TrimsWhitespace(t *testing.T) {
+	dir := t.TempDir()
+	machineIDPath := filepath.Join(dir, "machine-id")
+	bootIDPath := filepath.Join(dir, "boot_id")
+
+	require.NoError(t, os.WriteFile(machineIDPath, []byte("  trimmed-id  \n"), 0600))
+	require.NoError(t, os.WriteFile(bootIDPath, []byte("  trimmed-boot  \n"), 0600))
+
+	got, err := wslFilePasswordFromPaths(machineIDPath, bootIDPath)
+	require.NoError(t, err)
+	require.Equal(t, wslExpectedPassword(t, "trimmed-id", "trimmed-boot"), got)
+}
